Hi Florence.

I've tried to configure the wrong certificate in nss.conf (*ipaCert*), and
with this Apache started.
So I think the problem is in the *Server-Cert* stored in */etc/httpd/alias*,
even if all manual checks are ok.

These are logs with the wrong certificate test:
*# tail -f /var/log/httpd/error_log*
*[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server for SSL protocol
[Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Disable cipher: rsa_null_md5...
[Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709] AH01757: generating secret for digest authentication ...
[Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709] AH02282: No slotmem from mod_heartmonitor
[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709] AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717] proxy_util.c(1838): AH00924: worker ajp://localhost shared already initialized
[Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717] proxy_util.c(1880): AH00926: worker ajp://localhost local already initialized...
[Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719] proxy_util.c(1838): AH00924: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already initialized
[Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719] proxy_util.c(1880): AH00926: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already initialized
[Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server for SSL protocol
[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Disable cipher: rsa_null_md5...
[Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname ipaCert.
[Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server for SSL protocol
[Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Disable cipher: rsa_null_md5...
[Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname ipaCert.
[Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server for SSL protocol
[Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Disable cipher: rsa_null_md5...
[Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname ipaCert.
[Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server for SSL protocol
[Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Disable cipher: rsa_null_md5...
[Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.
[Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server for SSL protocol
[Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Disable cipher: rsa_null_md5...
[Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.
[Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING: session memcached servers not running
[Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING: session memcached servers not running
[Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: *** PROCESS START ***
[Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: *** PROCESS START ***
[Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child 1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)
[Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter read failed.
[Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
[Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child 1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)
[Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709] AH00170: caught SIGWINCH, shutting down gracefully*

Is it possible to delete *Server-Cert* from */etc/httpd/alias* and reimport it
from the original certificates of *mlv-ipa01.ipa.mydomain.com*?
Where are the original certificates stored?

Please let me know, thanks.
Bye, Morgan

2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

> On 11/17/2016 04:51 PM, Morgan Marodin wrote:
>
>> Hi Rob.
>>
>> I've just tried to remove the group write to the *.db files, but it's
>> not the problem.
>> /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>> NSSNickname Server-Cert/
>>
>> I've tried to run /dirsrv.target/ and /krb5kdc.service/ manually, and it
>> works: the services came up.
>> The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
>> /winbind.service/, /kadmin.service/, /memcached.service/ and
>> /pki-tomcatd.target/.
>>
>> But if I try to start /httpd.service/:
>> /[root@mlv-ipa01 ~]# tail -f /var/log/messages
>> Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
>> Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa         : INFO     KDC
>> proxy enabled
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process
>> exited, code=exited, status=1/FAILURE
>> Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process
>> exited, code=exited status=1
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP
>> Server.
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed
>> state.
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed./
>>
>> Any other ideas?
>>
> Hi,
>
> - Does the NSS Db contain the private key for Server-Cert? If yes, the
> command
> $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> should display a line like this one:
> < 0> rsa      01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS Certificate
> DB:Server-Cert
>
> - Is your system running with SElinux enforcing? If yes, you can check if
> there were SElinux permission denials using
> $ ausearch -m avc --start recent
>
> - If the certificate was expired, I believe you would see a different
> message, but it doesn't hurt to check its validity
> $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not
> After"
>
>
> Flo.
>
>>
>> Please let me know, thanks.
>> Morgan
>>
>> 2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>
>>
>>     Morgan Marodin wrote:
>>     > Hi Florence.
>>     >
>>     > Thanks for your support.
>>     >
>>     > Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
>>     > permissions and certificates are good:
>>     > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
>>     > total 184
>>     > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
>>     > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
>>     > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
>>     > -rw-------. 1 root root    4833 Sep  4  2015 install.log
>>     > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
>>     > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
>>     > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so ->
>>     > /usr/lib64/libnssckbi.so
>>     > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
>>     > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
>>     > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig/
>>
>>     Eventually you'll want to remove group write on the *.db files.
>>
>>     > And password validation seems ok, too:
>>     > /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
>>     > /etc/httpd/alias/pwdfile.txt
>>     good
>>
>>     > Enabling mod-nss debug I can see these logs:
>>     > /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
>>     > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660]
>> AH01232:
>>     > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>     > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
>>     > NSSSessionCacheTimeout is deprecated. Ignoring.
>>     > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
>>     > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring
>> server
>>     > for SSL protocol
>>     > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>>     > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>>     > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>>     > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>>     > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>>     > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(906): Disabling TLS Session Tickets
>>     > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(916): Enabling DHE key exchange
>>     > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
>>     > nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>>     > ciphers
>>     > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>     > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
>>     > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
>>     > Server-Cert.
>>     [snip]
>>     > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate
>> not
>>     > found: 'Server-Cert'
>>
>>     Can you shows what this returns:
>>
>>     # grep NSSNickname /etc/httpd/conf.d/nss.conf
>>
>>     > Do you think there is a Kerberos problem?
>>
>>     It definitely is not.
>>
>>     You can bring the system up in a minimal way by manually starting the
>>     dir...@example.com service and then krb5kdc. This will at least let your
>>     users authenticate. The management framework (GUI) runs through Apache
>>     so that will be down until we can get Apache started again.
>>
>>     rob
>>
>>     >
>>     > Please let me know, thanks.
>>     > Bye, Morgan
>>     >
>>     > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>
>>     >
>>     >     On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>>     >
>>     >         Hello.
>>     >
>>     >         This morning I've tried to upgrade my IPA server, but the
>>     upgrade
>>     >         failed, and now the service doesn't start! :(
>>     >
>>     >         If I try to launch the upgrade manually this is the output:
>>     >         /[root@mlv-ipa01 download]# ipa-server-upgrade
>>     >
>>     >         Upgrading IPA:
>>     >           [1/8]: saving configuration
>>     >           [2/8]: disabling listeners
>>     >           [3/8]: enabling DS global lock
>>     >           [4/8]: starting directory server
>>     >           [5/8]: updating schema
>>     >           [6/8]: upgrading server
>>     >           [7/8]: stopping directory server
>>     >           [8/8]: restoring configuration
>>     >         Done.
>>     >         Update complete
>>     >         Upgrading IPA services
>>     >         Upgrading the configuration of the IPA services
>>     >         [Verifying that root certificate is published]
>>     >         [Migrate CRL publish directory]
>>     >         CRL tree already moved
>>     >         [Verifying that CA proxy configuration is correct]
>>     >         [Verifying that KDC configuration is using ipa-kdb backend]
>>     >         [Fix DS schema file syntax]
>>     >         Syntax already fixed
>>     >         [Removing RA cert from DS NSS database]
>>     >         RA cert already removed
>>     >         [Enable sidgen and extdom plugins by default]
>>     >         [Updating HTTPD service IPA configuration]
>>     >         [Updating mod_nss protocol versions]
>>     >         Protocol versions already updated
>>     >         [Updating mod_nss cipher suite]
>>     >         [Fixing trust flags in /etc/httpd/alias]
>>     >         Trust flags already processed
>>     >         [Exporting KRA agent PEM file]
>>     >         KRA is not enabled
>>     >         IPA server upgrade failed: Inspect /var/log/ipaupgrade.log
>>     and run
>>     >         command ipa-server-upgrade manually.
>>     >         Unexpected error - see /var/log/ipaupgrade.log for details:
>>     >         CalledProcessError: Command '/bin/systemctl start
>>     httpd.service'
>>     >         returned non-zero exit status 1
>>     >         The ipa-server-upgrade command failed. See
>>     >         /var/log/ipaupgrade.log for
>>     >         more information/
>>     >
>>     >         These are error logs of Apache:
>>     >         /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid
>> 5664]
>>     >         AH01232:
>>     >         suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>     >         [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
>>     >         NSSSessionCacheTimeout is deprecated. Ignoring.
>>     >         [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664]
>>     >         Certificate not
>>     >         found: 'Server-Cert'/
>>     >
>>     >         The problem seems to be the /Server-Cert /that could not
>>     be found.
>>     >         But if I try to execute the certutil command manually I
>>     >         can see it:
>>     >         /[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
>>     >         Certificate Nickname                       Trust Attributes
>>     >                                                    SSL,S/MIME,JAR/XPI
>>     >
>>     >         Signing-Cert                               u,u,u
>>     >         ipaCert                                    u,u,u
>>     >         Server-Cert                                Pu,u,u
>>     >         IPA.MYDOMAIN.COM IPA CA                    CT,C,C/
>>     >
>>     >         Could you help me?
>>     >         What could I try to do to restart my service?
>>     >
>>     >     Hi,
>>     >
>>     >     I would first make sure that httpd is using /etc/httpd/alias
>>     as NSS
>>     >     DB (check the directive NSSCertificateDatabase in
>>     >     /etc/httpd/conf.d/nss.conf).
>>     >     Then it may be a file permission issue: the NSS DB should
>>     belong to
>>     >     root:apache (the relevant files are cert8.db, key3.db and
>>     secmod.db).
>>     >     You should also find a pwdfile.txt in the same directory,
>>     containing
>>     >     the NSS DB password. Check that the password is valid using
>>     >     certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>     >     (if the command succeeds then the password in pwdfile is OK).
>>     >
>>     >     You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
>>     >     setting "LogLevel debug", and check the output in
>>     >     /var/log/httpd/error_log.
>>     >
>>     >     HTH,
>>     >     Flo.
>>     >
>>     >         Thanks, Morgan
>>     >
>>     >
>>     >
>>
>>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
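The checks suggested in this thread (NSSNickname in nss.conf, a private key for that nickname via certutil -K, trust flags and validity via certutil -L) plus the CN-versus-virtual-name comparison behind the "Misconfiguration of certificate's CN and virtual name" error, collected in one POSIX shell helper. This is an added example, not code from the thread or from FreeIPA. It assumes httpd reads the NSS DB in /etc/httpd/alias with its password in pwdfile.txt, that nss-tools and GNU date are installed, and it introduces an assumed RUN_NSS_CHECKS switch so the live check only runs on request; the sample certutil and nss.conf output embedded in it is constructed for offline use, with made-up key ids and dates.

```shell
#!/bin/sh
# Added diagnostic helper for the mod_nss checks discussed in this thread.
# Not code from the thread or from FreeIPA. Assumes: httpd uses the NSS DB in
# /etc/httpd/alias with its password in pwdfile.txt, nss.conf carries the
# NSSNickname directive, certutil(1) from nss-tools is installed, and GNU date
# is available for the expiry check. RUN_NSS_CHECKS is an assumed switch.

NSSDB="${NSSDB:-/etc/httpd/alias}"
NSSCONF="${NSSCONF:-/etc/httpd/conf.d/nss.conf}"

# First NSSNickname directive in nss.conf (stdin): the nickname mod_nss looks up.
configured_nickname() {
    awk '$1 == "NSSNickname" { print $2; exit }'
}

# True when a `certutil -K` listing (stdin) has a private key for nickname $1.
# Lines look like "< 0> rsa  <key id>   NSS Certificate DB:Server-Cert".
key_present_for() {
    grep -q "NSS Certificate DB:$1\$"
}

# Trust flags of nickname $1 from a `certutil -L` listing (stdin).
# Matches the nickname as a line prefix so nicknames with spaces still work.
trust_flags_for() {
    awk -v n="$1 " 'index($0, n) == 1 { print $NF; exit }'
}

# Subject CN from a single-certificate dump (`certutil -L -n NICK`, stdin).
subject_cn() {
    sed -n 's/^ *Subject: "CN=\([^,"]*\).*/\1/p' | head -n 1
}

# "Not After" date of a single-certificate dump (stdin) as seconds since epoch.
not_after_epoch() {
    d=$(sed -n 's/^ *Not After *: *//p' | head -n 1)
    date -d "$d" +%s
}

# Live check against the NSS DB; one finding per line.
check_nss_db() {
    host=$(hostname -f)
    nick=$(configured_nickname < "$NSSCONF")
    echo "NSSNickname: ${nick:-NOT SET}"
    if certutil -K -d "$NSSDB" -f "$NSSDB/pwdfile.txt" | key_present_for "$nick"; then
        echo "private key for $nick: present"
    else
        echo "private key for $nick: MISSING (or pwdfile.txt does not open the DB)"
    fi
    flags=$(certutil -L -d "$NSSDB" | trust_flags_for "$nick")
    echo "trust flags for $nick: ${flags:-NOT LISTED}"
    dump=$(certutil -L -d "$NSSDB" -n "$nick")
    cn=$(printf '%s\n' "$dump" | subject_cn)
    if [ "$cn" = "$host" ]; then
        echo "subject CN matches virtual name $host"
    else
        echo "subject CN is '$cn', mod_nss expects $host"
    fi
    if [ "$(printf '%s\n' "$dump" | not_after_epoch)" -gt "$(date +%s)" ]; then
        echo "certificate not expired"
    else
        echo "certificate EXPIRED"
    fi
}

# Constructed samples (not output from the server in the thread) so the parsing
# helpers can be exercised without an NSS DB; key ids and dates are made up.
SAMPLE_NSSCONF='NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert'
SAMPLE_KEYS='< 0> rsa      0123456789abcdef0123456789abcdef01234567   NSS Certificate DB:Server-Cert
< 1> rsa      89abcdef0123456789abcdef0123456789abcdef   NSS Certificate DB:ipaCert'
SAMPLE_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C'
SAMPLE_RA_DUMP='        Subject: "CN=IPA RA,O=IPA.MYDOMAIN.COM"
        Validity:
            Not Before: Fri Sep 04 10:12:13 2015
            Not After : Thu Aug 24 10:12:13 2017'

if [ "${RUN_NSS_CHECKS:-0}" = 1 ]; then
    check_nss_db
fi
```

Run it as root on the IPA server with RUN_NSS_CHECKS=1 to get the live report; the parsing helpers read certutil output from stdin, so they can also be pointed at a saved listing, and subject_cn applied to the ipaCert dump returns "IPA RA", the value mod_nss complained about in the log above.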
