On 11/18/2016 10:04 AM, Morgan Marodin wrote:
Hi Florence.

I've tried to configure the wrong certificate in nss.conf (ipaCert),
and with this Apache started.
So I think the problem is in the Server-Cert stored in
/etc/httpd/alias/, even if all manual checks are ok.

These are logs with the wrong certificate test:
# tail -f /var/log/httpd/error_log
[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
for SSL protocol
[Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
AH01757: generating secret for digest authentication ...
[Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]
AH02282: No slotmem from mod_heartmonitor
[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
-- resuming normal operations
[Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]
proxy_util.c(1838): AH00924: worker ajp://localhost shared already
initialized
[Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717]
proxy_util.c(1880): AH00926: worker ajp://localhost local already
initialized
...
[Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]
proxy_util.c(1838): AH00924: worker
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already
initialized
[Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]
proxy_util.c(1880): AH00926: worker
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already
initialized
[Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717]
nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname ipaCert.
[Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718]
nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname ipaCert.
[Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720]
nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname ipaCert.
[Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716]
nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.
[Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]
nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.
[Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING:
session memcached servers not running
[Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING:
session memcached servers not running
[Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: ***
PROCESS START ***
[Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: ***
PROCESS START ***
[Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child
1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)
[Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter
read failed.
[Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error:
-12285 Unable to find the certificate or key necessary for authentication
[Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child
1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)
[Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709]
AH00170: caught SIGWINCH, shutting down gracefully

Is it possible to delete Server-Cert from /etc/httpd/alias/ and reimport
it from the original certificates of mlv-ipa01.ipa.mydomain.com?
Where are the original certificates stored?

Hi Morgan,

With ldapsearch you should be able to find the certificate:
ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN

The cert will be stored in the field "usercertificate".

HTH,
Flo.

Please let me know, thanks.
Bye, Morgan

2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

    On 11/17/2016 04:51 PM, Morgan Marodin wrote:

        Hi Rob.

        I've just tried to remove the group write to the *.db files, but
        it's
        not the problem.
        [root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
        NSSNickname Server-Cert

        I've tried to run manually dirsrv.target and
        krb5kdc.service, and it works, services went up.
        The same for ntpd, named-pkcs11.service, smb.service,
        winbind.service, kadmin.service, memcached.service and
        pki-tomcatd.target.

        But if I try to start httpd.service:
        [root@mlv-ipa01 ~]# tail -f /var/log/messages
        Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
        Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa         : INFO     KDC proxy enabled
        Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
        Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
        Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
        Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
        Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
        Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.

        Any other ideas?

    Hi,

    - Does the NSS DB contain the private key for Server-Cert? If yes,
    the command
    $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
    should display a line like this one:
    < 0> rsa      01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS Certificate DB:Server-Cert

    - Is your system running with SElinux enforcing? If yes, you can
    check if there were SElinux permission denials using
    $ ausearch -m avc --start recent

    - If the certificate was expired, I believe you would see a
    different message, but it doesn't hurt to check its validity
    $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"


    Flo.


        Please let me know, thanks.
        Morgan

        2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:


            Morgan Marodin wrote:
            > Hi Florence.
            >
            > Thanks for your support.
            >
            > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems
        that all
            > permissions and certificates are good:
            > [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
            > total 184
            > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
            > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
            > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
            > -rw-------. 1 root root    4833 Sep  4  2015 install.log
            > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
            > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
            > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so ->
            > /usr/lib64/libnssckbi.so
            > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
            > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
            > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig

            Eventually you'll want to remove group write on the *.db files.

            > And password validations seems ok, too:
            > [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
            > /etc/httpd/alias/pwdfile.txt
            good

            > Enabling mod-nss debug I can see these logs:
            > [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
            > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
            > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
            > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
            > NSSSessionCacheTimeout is deprecated. Ignoring.
            > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
            > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
            > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
            > for SSL protocol
            > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
            > nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
            > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
            > nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
            > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
            > nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
            > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
            > nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
            > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
            > nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
            > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
            > nss_engine_init.c(906): Disabling TLS Session Tickets
            > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
            > nss_engine_init.c(916): Enabling DHE key exchange
            > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
            > nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
            > ciphers
            > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
            > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
            > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
            > Server-Cert.
            [snip]
            > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
            > found: 'Server-Cert'

            Can you shows what this returns:

            # grep NSSNickname /etc/httpd/conf.d/nss.conf

            > Do you think there is a kerberos problem?

            It definitely is not.

            You can bring the system up in a minimal way by manually
            starting the dir...@example.com service and then
            krb5kdc. This will at least let your
            users authenticate. The management framework (GUI) runs
            through Apache
            so that will be down until we can get Apache started again.

            rob

            >
            > Please let me know, thanks.
            > Bye, Morgan
            >
            > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

            >
            >     On 11/17/2016 12:09 PM, Morgan Marodin wrote:
            >
            >         Hello.
            >
            >         This morning I've tried to upgrade my IPA server, but the
            >         upgrade failed, and now the service doesn't start! :(
            >
            >         If I try to launch the upgrade manually this is the output:
            >         [root@mlv-ipa01 download]# ipa-server-upgrade
            >
            >         Upgrading IPA:
            >           [1/8]: saving configuration
            >           [2/8]: disabling listeners
            >           [3/8]: enabling DS global lock
            >           [4/8]: starting directory server
            >           [5/8]: updating schema
            >           [6/8]: upgrading server
            >           [7/8]: stopping directory server
            >           [8/8]: restoring configuration
            >         Done.
            >         Update complete
            >         Upgrading IPA services
            >         Upgrading the configuration of the IPA services
            >         [Verifying that root certificate is published]
            >         [Migrate CRL publish directory]
            >         CRL tree already moved
            >         [Verifying that CA proxy configuration is correct]
            >         [Verifying that KDC configuration is using ipa-kdb
        backend]
            >         [Fix DS schema file syntax]
            >         Syntax already fixed
            >         [Removing RA cert from DS NSS database]
            >         RA cert already removed
            >         [Enable sidgen and extdom plugins by default]
            >         [Updating HTTPD service IPA configuration]
            >         [Updating mod_nss protocol versions]
            >         Protocol versions already updated
            >         [Updating mod_nss cipher suite]
            >         [Fixing trust flags in /etc/httpd/alias]
            >         Trust flags already processed
            >         [Exporting KRA agent PEM file]
            >         KRA is not enabled
            >         IPA server upgrade failed: Inspect /var/log/ipaupgrade.log
            >         and run command ipa-server-upgrade manually.
            >         Unexpected error - see /var/log/ipaupgrade.log for details:
            >         CalledProcessError: Command '/bin/systemctl start httpd.service'
            >         returned non-zero exit status 1
            >         The ipa-server-upgrade command failed. See
            >         /var/log/ipaupgrade.log for more information
            >
            >         These are error logs of Apache:
            >         [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
            >         suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
            >         [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
            >         NSSSessionCacheTimeout is deprecated. Ignoring.
            >         [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664]
            >         Certificate not found: 'Server-Cert'
            >
            >         The problem seems to be the Server-Cert that
            >         could not be found.
            >         But if I try to execute the certutil command
            >         manually I can see it:
            >         [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
            >
            >         Certificate Nickname                        Trust Attributes
            >                                                     SSL,S/MIME,JAR/XPI
            >
            >         Signing-Cert                                u,u,u
            >         ipaCert                                     u,u,u
            >         Server-Cert                                 Pu,u,u
            >         IPA.MYDOMAIN.COM IPA CA                     CT,C,C
            >
            >         Could you help me?
            >         What could I try to do to restart my service?
            >
            >     Hi,
            >
            >     I would first make sure that httpd is using /etc/httpd/alias
            >     as NSS DB (check the directive NSSCertificateDatabase in
            >     /etc/httpd/conf.d/nss.conf).
            >     Then it may be a file permission issue: the NSS DB should
            >     belong to root:apache (the relevant files are cert8.db,
            >     key3.db and secmod.db).
            >     You should also find a pwdfile.txt in the same directory,
            >     containing the NSS DB password. Check that the password is
            >     valid using
            >     certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
            >     (if the command succeeds then the password in pwdfile is OK).
            >
            >     You can also enable mod-nss debug in /etc/httpd/conf/nss.conf
            >     by setting "LogLevel debug", and check the output in
            >     /var/log/httpd/error_log.
            >
            >     HTH,
            >     Flo.
            >
            >         Thanks, Morgan
            >
            >
            >


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
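Flo's ldapsearch answer returns the HTTP service certificate as a base64 "usercertificate" attribute in LDIF. As an added example (not code from the thread or from FreeIPA), the Python below unfolds that LDIF, decodes the attribute, and produces PEM plus a SHA-256 fingerprint that can be compared with the Server-Cert in /etc/httpd/alias. The entry DN and the DER bytes are constructed stand-ins, not a real certificate.

```python
"""Recover the certificate FreeIPA publishes for the HTTP service from
ldapsearch LDIF output and emit PEM plus a fingerprint for comparison.

The DER bytes below are a constructed stand-in, not a real X.509 certificate.
"""
import base64
import hashlib

# Constructed stand-in for the DER bytes LDAP would return for Server-Cert.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-stand-in-Server-Cert-DER" * 4
SAMPLE_DN = ("krbprincipalname=HTTP/mlv-ipa01.ipa.mydomain.com@IPA.MYDOMAIN.COM,"
             "cn=services,cn=accounts,dc=ipa,dc=mydomain,dc=com")


def fold(line: str, width: int = 76) -> str:
    """Fold one LDIF line as ldapsearch does (RFC 2849): at most 76 columns,
    each continuation line starting with a single space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def build_sample_ldif(dn: str, der: bytes) -> str:
    """Constructed 'ldapsearch -LLL' output for the HTTP service entry."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [
        "dn: " + dn,
        "objectClass: ipaservice",
        "krbprincipalname: HTTP/mlv-ipa01.ipa.mydomain.com@IPA.MYDOMAIN.COM",
        "usercertificate;binary:: " + b64,   # '::' marks a base64 value
    ]
    return "\n".join(fold(line) for line in lines) + "\n\n"


SAMPLE_LDIF = build_sample_ldif(SAMPLE_DN, SAMPLE_DER)


def parse_ldif(text: str):
    """Return [(dn, [(attr, value), ...]), ...]; continuation lines are joined
    first, '::' values are base64-decoded to bytes, ':' values stay str."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, []
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name.lower(), value))
    return entries


def extract_certificates(entries):
    """Pick usercertificate values, with or without the ';binary' option."""
    return [(dn, value) for dn, attrs in entries for name, value in attrs
            if name.split(";")[0] == "usercertificate" and isinstance(value, bytes)]


def der_to_pem(der: bytes) -> str:
    """PEM with the body wrapped at 64 columns, as certutil -A expects."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the AA:BB:... form that
    'openssl x509 -noout -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    for dn, der in extract_certificates(parse_ldif(SAMPLE_LDIF)):
        print("entry:", dn)
        print("SHA256 Fingerprint=" + fingerprint(der))
        print(der_to_pem(der))
```

LDAP holds only the public certificate, so if certutil -K shows no private key for Server-Cert, importing this PEM into the NSS DB does not bring the key back.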
