I've upgraded all packages of my distribution, not only ipa packages.
There were a lot of packages.
[root@mlv-ipa01 ~]# rpm -q mod_nss
mod_nss-1.0.14-7.el7.x86_64
All other checks seem ok:
[root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
[root@mlv-ipa01 ~]# getsebool
getsebool: SELinux is disabled
[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 736... NSS Certificate DB:Server-Cert
< 1> rsa a4b... NSS Certificate DB:Signing-Cert
< 2> rsa 0ff... NSS
[root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
Not Before: Mon Sep 07 10:15:34 2015
Not After : Thu Sep 07 10:15:34 2017
Could it be a good idea to export and re-import all certs from
2016-11-17 17:07 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Morgan Marodin wrote:
> > Hi Rob.
> > I've just tried to remove the group write to the *.db files, but it's
> > not the problem.
> I didn't expect it to be but you don't want Apache having write access
> to your certs and keys.
> > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> > NSSNickname Server-Cert/
> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> > works, services went up.
> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> > /winbind.service/, /kadmin.service/, /memcached.service/ and
> > /pki-tomcatd.target/.
> Good, so you can limp along for a while then.
> > Any other ideas?
> So you upgraded. What did you actually upgrade? Only the IPA packages or
> a lot more?
> What version is running now, and what version of mod_nss?
> $ rpm -q mod_nss
> Let's see if the NSS tools can find the cert:
> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> Should come back with: certutil: certificate is valid
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
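
Added example, not part of the original thread: a small audit for the point raised above that Apache should not have write access to the certificate and key databases. It assumes GNU find and stat; the function names are hypothetical, and the directory and pwdfile.txt name are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find NSS database files that are
# writable by group or other, and optionally remove those write bits.

# audit_nss_db DIR
# Prints "mode owner:group path" for each offending file.
# Returns 0 if clean, 1 if any offender was found, 2 if DIR is not a directory.
audit_nss_db() {
    dir=${1:-/etc/httpd/alias}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # -perm /022 (GNU find) matches files with group-write or other-write set.
    offenders=$(find "$dir" -maxdepth 1 -type f \
        \( -name '*.db' -o -name 'pwdfile.txt' \) -perm /022 \
        -exec stat -c '%a %U:%G %n' {} +)

    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# harden_nss_db DIR
# Removes group/other write bits from the same set of files; read bits are
# left alone so the web server can still open the database.
harden_nss_db() {
    dir=${1:-/etc/httpd/alias}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -maxdepth 1 -type f \
        \( -name '*.db' -o -name 'pwdfile.txt' \) -perm /022 \
        -exec chmod go-w {} +
}

# Usage (as root): audit_nss_db /etc/httpd/alias || harden_nss_db /etc/httpd/alias
```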