I've tried to add it to a new test folder, with a new certificate nickname,
and then to replace it to *nss.conf*.

But the problem persists:

*# certutil -V -u V -d /etc/httpd/test -n ipa01certcertutil: certificate is
valid*


*# tail -f /var/log/httpd/error_log*







*[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)[Fri Nov 18
12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is
deprecated. Ignoring.[Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com> -> ipa01cert[Fri Nov 18 12:09:39.824880
2016] [:error] [pid 11552] The server key database has not been
initialized.[Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552]
Configuring server for SSL protocol...[Fri Nov 18 12:09:39.832676 2016]
[:info] [pid 11552] Using nickname ipa01cert.[Fri Nov 18 12:09:39.832678
2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'*

I've found this guide:






*Combine the server cert and key into a single file# cp localhost.crt >
Server-Cert.txt# cat localhost.key >> Server-Cert.txtConvert the server
cert into a p12 file# openssl pkcs12 -export -in Server-Cert.txt -out
Server-Cert.p12 -name "Server-Cert"Now Import the Public and Private keys
into the database at the same time.#pk12util -i
/tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert*

Where is stored the key certificate file?

Thanks, Morgan

2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

> On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>
>> Hi Florence.
>>
>> I've tried to configure the wrong certificate in nss.conf (/ipaCert/),
>> and with this Apache started.
>> So I think the problem is in the /Server-Cert/ stored in
>> //etc/httpd/alias/, even if all manul checks are ok.
>>
>> These are logs with the wrong certificate test:
>> /# tail -f /var/log/httpd/error_log/
>> /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>> <http://mlv-ipa01.ipa.mydomain.com> -> ipaCert
>>
>> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>> as virtual name.
>> [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
>> AH01757: generating secret for digest authentication ...
>> [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]
>> AH02282: No slotmem from mod_heartmonitor
>> [Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]
>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>> <http://mlv-ipa01.ipa.mydomain.com> -> ipaCert
>>
>> [Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
>> AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
>> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
>> -- resuming normal operations
>> [Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094:
>> Command line: '/usr/sbin/httpd -D FOREGROUND'
>> [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]
>> proxy_util.c(1838): AH00924: worker ajp://localhost shared already
>> initialized
>> [Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717]
>> proxy_util.c(1880): AH00926: worker ajp://localhost local already
>> initialized
>> ...
>> [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]
>> proxy_util.c(1838): AH00924: worker
>> unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already
>> initialized
>> [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]
>> proxy_util.c(1880): AH00926: worker
>> unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already
>> initialized
>> [Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>
>> as virtual name.
>> [Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>
>> as virtual name.
>> [Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>> as virtual name.
>> [Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>
>> as virtual name.
>> [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>> as virtual name.
>> [Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING:
>> session memcached servers not running
>> [Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING:
>> session memcached servers not running
>> [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: ***
>> PROCESS START ***
>> [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: ***
>> PROCESS START ***
>> [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child
>> 1 established (server mlv-ipa01.ipa.mydomain.com
>> <http://mlv-ipa01.ipa.mydomain.com>, client 192.168.0.239)
>> [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter
>> read failed.
>> [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error:
>> -12285 Unable to find the certificate or key necessary for authentication
>> [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child
>> 1 closed (server mlv-ipa01.ipa.mydomain.com:443
>> <http://mlv-ipa01.ipa.mydomain.com:443>, client 192.168.0.239)
>> [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709]
>> AH00170: caught SIGWINCH, shutting down gracefully/
>>
>> Is possible to delete /Server-Cert/ from //etc/httpd/alias/ and reimport
>> it from the original certificates of /mlv-ipa01.ipa.mydomain.com
>> <http://mlv-ipa01.ipa.mydomain.com>/?
>> Where are stored the original certificates?
>>
>> Hi Morgan,
>
> with ldapsearch you should be able to find the certificate:
> ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w
> password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=
> services,cn=accounts,dc=IPADOMAIN
>
> The cert will be stored in the field "usercertificate".
>
> HTH,
> Flo.
>
> Please let me know, thanks.
>> Bye, Morgan
>>
>> 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com
>> <mailto:f...@redhat.com>>:
>>
>>
>>     On 11/17/2016 04:51 PM, Morgan Marodin wrote:
>>
>>         Hi Rob.
>>
>>         I've just tried to remove the group write to the *.db files, but
>>         it's
>>         not the problem.
>>         /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>>         NSSNickname Server-Cert/
>>
>>         I've tried to run manually /dirsrv.target/ and
>>         /krb5kdc.service/, and it
>>         works, services went up.
>>         The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
>>         /winbind.service/, /kadmin.service/, /memcached.service/ and
>>         /pki-tomcatd.target/.
>>
>>         But if I try to start /httpd.service/:
>>         /[root@mlv-ipa01 ~]# tail -f /var/log/messages
>>         Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP
>>         Server...
>>         Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa         :
>>         INFO     KDC
>>         proxy enabled
>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process
>>         exited, code=exited, status=1/FAILURE
>>         Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control
>> process
>>         exited, code=exited status=1
>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache
>>         HTTP
>>         Server.
>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered
>>         failed
>>         state.
>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed./
>>
>>         Any other ideas?
>>
>>     Hi,
>>
>>     - Does the NSS Db contain the private key for Server-Cert? If yes,
>>     the command
>>     $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>     should display a line like this one:
>>     < 0> rsa      01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS
>>     Certificate DB:Server-Cert
>>
>>     - Is your system running with SElinux enforcing? If yes, you can
>>     check if there were SElinux permission denials using
>>     $ ausearch -m avc --start recent
>>
>>     - If the certificate was expired, I believe you would see a
>>     different message, but it doesn't hurt to check its validity
>>     $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not
>>     Before|Not After"
>>
>>
>>     Flo.
>>
>>
>>         Please let me know, thanks.
>>         Morgan
>>
>>         2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcrit...@redhat.com
>>         <mailto:rcrit...@redhat.com>
>>         <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>:
>>
>>
>>
>>             Morgan Marodin wrote:
>>             > Hi Florence.
>>             >
>>             > Thanks for your support.
>>             >
>>             > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems
>>         that all
>>             > permissions and certificates are good:
>>             > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
>>             > total 184
>>             > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
>>             > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
>>             > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
>>             > -rw-------. 1 root root    4833 Sep  4  2015 install.log
>>             > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
>>             > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
>>             > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so
>> ->
>>             > /usr/lib64/libnssckbi.so
>>             > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
>>             > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
>>             > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig/
>>
>>             Eventually you'll want to remove group write on the *.db
>> files.
>>
>>             > And password validations seems ok, too:
>>             > /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
>>             > /etc/httpd/alias/pwdfile.txt
>>             good
>>
>>             > Enabling mod-nss debug I can see these logs:
>>             > /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
>>             > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid
>>         10660] AH01232:
>>             > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>             > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
>>             > NSSSessionCacheTimeout is deprecated. Ignoring.
>>             > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>>         <http://mlv-ipa01.ipa.mydomain.com>
>>         <http://mlv-ipa01.ipa.mydomain.com
>>         <http://mlv-ipa01.ipa.mydomain.com>>
>>             > <http://mlv-ipa01.ipa.mydomain.com
>>         <http://mlv-ipa01.ipa.mydomain.com>
>>
>>             <http://mlv-ipa01.ipa.mydomain.com
>>         <http://mlv-ipa01.ipa.mydomain.com>>> -> Server-Cert
>>             > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660]
>>         Configuring server
>>             > for SSL protocol
>>             > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>>             > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>>             > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>>             > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>>             > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>>             > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(906): Disabling TLS Session Tickets
>>             > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(916): Enabling DHE key exchange
>>             > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
>>             > nss_engine_init.c(1077): NSSCipherSuite:  Configuring
>>         permitted SSL
>>             > ciphers
>>             >
>>         [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>             > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
>>             > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660]
>>         Using nickname
>>             > Server-Cert.
>>             [snip]
>>             > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660]
>>         Certificate not
>>             > found: 'Server-Cert'
>>
>>             Can you shows what this returns:
>>
>>             # grep NSSNickname /etc/httpd/conf.d/nss.conf
>>
>>             > Do you think there is a kerberos problem?
>>
>>             It definitely is not.
>>
>>             You can bring the system up in a minimal way by manually
>>         starting the
>>             dir...@example.com <mailto:dir...@example.com>
>>         <mailto:dir...@example.com <mailto:dir...@example.com>> service
>>
>>         and then
>>             krb5kdc. This will at least let your
>>             users authenticate. The management framework (GUI) runs
>>         through Apache
>>             so that will be down until we can get Apache started again.
>>
>>             rob
>>
>>             >
>>             > Please let me know, thanks.
>>             > Bye, Morgan
>>             >
>>             > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud
>>         <f...@redhat.com <mailto:f...@redhat.com> <mailto:f...@redhat.com
>>         <mailto:f...@redhat.com>>
>>             > <mailto:f...@redhat.com <mailto:f...@redhat.com>
>>         <mailto:f...@redhat.com <mailto:f...@redhat.com>>>>:
>>
>>             >
>>             >     On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>>             >
>>             >         Hello.
>>             >
>>             >         This morning I've tried to upgrade my IPA server,
>>         but the
>>             upgrade
>>             >         failed, and now the service doesn't start! :(
>>             >
>>             >         If I try lo launch the upgrade manually this is
>>         the output:
>>             >         /[root@mlv-ipa01 download]# ipa-server-upgrade
>>             >
>>             >         Upgrading IPA:
>>             >           [1/8]: saving configuration
>>             >           [2/8]: disabling listeners
>>             >           [3/8]: enabling DS global lock
>>             >           [4/8]: starting directory server
>>             >           [5/8]: updating schema
>>             >           [6/8]: upgrading server
>>             >           [7/8]: stopping directory server
>>             >           [8/8]: restoring configuration
>>             >         Done.
>>             >         Update complete
>>             >         Upgrading IPA services
>>             >         Upgrading the configuration of the IPA services
>>             >         [Verifying that root certificate is published]
>>             >         [Migrate CRL publish directory]
>>             >         CRL tree already moved
>>             >         [Verifying that CA proxy configuration is correct]
>>             >         [Verifying that KDC configuration is using ipa-kdb
>>         backend]
>>             >         [Fix DS schema file syntax]
>>             >         Syntax already fixed
>>             >         [Removing RA cert from DS NSS database]
>>             >         RA cert already removed
>>             >         [Enable sidgen and extdom plugins by default]
>>             >         [Updating HTTPD service IPA configuration]
>>             >         [Updating mod_nss protocol versions]
>>             >         Protocol versions already updated
>>             >         [Updating mod_nss cipher suite]
>>             >         [Fixing trust flags in /etc/httpd/alias]
>>             >         Trust flags already processed
>>             >         [Exporting KRA agent PEM file]
>>             >         KRA is not enabled
>>             >         IPA server upgrade failed: Inspect
>>         /var/log/ipaupgrade.log
>>             and run
>>             >         command ipa-server-upgrade manually.
>>             >         Unexpected error - see /var/log/ipaupgrade.log for
>>         details:
>>             >         CalledProcessError: Command '/bin/systemctl start
>>             httpd.service'
>>             >         returned non-zero exit status 1
>>             >         The ipa-server-upgrade command failed. See
>>             >         /var/log/ipaupgrade.log for
>>             >         more information/
>>             >
>>             >         These are error logs of Apache:
>>             >         /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice]
>>         [pid 5664]
>>             >         AH01232:
>>             >         suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>             >         [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
>>             >         NSSSessionCacheTimeout is deprecated. Ignoring.
>>             >         [Thu Nov 17 11:48:45.830910 2016] [:error] [pid
>> 5664]
>>             >         Certificate not
>>             >         found: 'Server-Cert'/
>>             >
>>             >         The problem seems to be the /Server-Cert /that
>>         could not
>>             be found.
>>             >         But if I try to execute the certutil command
>>         manually I
>>             can see it:/
>>             >         [root@mlv-ipa01 log]# certutil -L -d
>> /etc/httpd/alias/
>>             >         Certificate Nickname
>>                Trust
>>             >         Attributes
>>             >
>>             >         SSL,S/MIME,JAR/XPI
>>             >         Signing-Cert
>>                u,u,u
>>             >         ipaCert
>>               u,u,u
>>             >         Server-Cert
>>               Pu,u,u
>>             >         IPA.MYDOMAIN.COM <http://IPA.MYDOMAIN.COM>
>>         <http://IPA.MYDOMAIN.COM>
>>             <http://IPA.MYDOMAIN.COM>
>>             >         <http://IPA.MYDOMAIN.COM> IPA
>>             >         CA                                    CT,C,C/
>>             >
>>             >         Could you help me?
>>             >         What could I try to do to restart my service?
>>             >
>>             >     Hi,
>>             >
>>             >     I would first make sure that httpd is using
>>         /etc/httpd/alias
>>             as NSS
>>             >     DB (check the directive NSSCertificateDatabase in
>>             >     /etc/httpd/conf.d/nss.conf).
>>             >     Then it may be a file permission issue: the NSS DB
>> should
>>             belong to
>>             >     root:apache (the relevant files are cert8.db, key3.db
>> and
>>             secmod.db).
>>             >     You should also find a pwdfile.txt in the same
>> directory,
>>             containing
>>             >     the NSS DB password. Check that the password is valid
>>         using
>>             >     certutil -K -d /etc/httpd/alias/ -f
>>         /etc/httpd/alias/pwdfile.txt
>>             >     (if the command succeeds then the password in pwdfile
>>         is OK).
>>             >
>>             >     You can also enable mod-nss debug in
>>         /etc/httpd/conf/nss.conf by
>>             >     setting "LogLevel debug", and check the output in
>>             >     /var/log/httpd/error_log.
>>             >
>>             >     HTH,
>>             >     Flo.
>>             >
>>             >         Thanks, Morgan
>>             >
>>             >
>>             >
>>             >     --
>>             >     Manage your subscription for the Freeipa-users mailing
>>         list:
>>             >     https://www.redhat.com/mailman/listinfo/freeipa-users
>>         <https://www.redhat.com/mailman/listinfo/freeipa-users>
>>             <https://www.redhat.com/mailman/listinfo/freeipa-users
>>         <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>>             >     <https://www.redhat.com/mailman/listinfo/freeipa-users
>>         <https://www.redhat.com/mailman/listinfo/freeipa-users>
>>             <https://www.redhat.com/mailman/listinfo/freeipa-users
>>         <https://www.redhat.com/mailman/listinfo/freeipa-users>>>
>>             >     Go to http://freeipa.org for more info on the project
>>             >
>>             >
>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to