A little good news. After downgrading the *mod_nss* RPM package and restoring the original */etc/httpd/alias* folder, the *ipa-server-upgrade* procedure has finished well:
# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Global forward policy in named.conf will be changed to "only" to avoid conflicts with automatic empty zones
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
Custodia service is being configured
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
[Upgrading CA schema]
CA schema update complete
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
Configuring certmonger to stop tracking system certificates for CA
Certmonger certificate renewal configuration updated to version 5
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful

And Apache has started, BUT there is a problem with the web certificate:

# tail -f /var/log/httpd/error_log
[Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
[Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
[Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
[Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)

How do you suggest I go on with my issue?
Thanks, Morgan

2016-11-18 12:11 GMT+01:00 Morgan Marodin <mor...@marodin.it>:
> I've tried to add it to a new test folder, with a new certificate
> nickname, and then to replace it in *nss.conf*.
>
> But the problem persists:
>
> # certutil -V -u V -d /etc/httpd/test -n ipa01cert
> certutil: certificate is valid
>
> # tail -f /var/log/httpd/error_log
> [Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
> [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
> [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
> [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol...
> [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.
> [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'
>
> I've found this guide:
>
> Combine the server cert and key into a single file
> # cp localhost.crt Server-Cert.txt
> # cat localhost.key >> Server-Cert.txt
> Convert the server cert into a p12 file
> # openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"
> Now Import the Public and Private keys into the database at the same time.
> # pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert
>
> Where is the key certificate file stored?
>
> Thanks, Morgan
>
> 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>> On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>>
>>> Hi Florence.
>>>
>>> I've tried to configure the wrong certificate in nss.conf (ipaCert),
>>> and with this Apache started.
>>> So I think the problem is in the Server-Cert stored in
>>> /etc/httpd/alias/, even if all manual checks are ok.
>>>
>>> These are logs with the wrong certificate test:
>>> # tail -f /var/log/httpd/error_log
>>> [Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
>>> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
>>> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server for SSL protocol
>>> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709] nss_engine_init.c(906): Disabling TLS Session Tickets
>>> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709] nss_engine_init.c(916): Enabling DHE key exchange
>>> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>> ...
>>> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
>>> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>> [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709] AH01757: generating secret for digest authentication ...
>>> [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709] AH02282: No slotmem from mod_heartmonitor
>>> [Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
>>> [Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
>>> [Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709] AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
>>> [Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
>>> [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717] proxy_util.c(1838): AH00924: worker ajp://localhost shared already initialized
>>> [Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717] proxy_util.c(1880): AH00926: worker ajp://localhost local already initialized
>>> ...
>>> [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719] proxy_util.c(1838): AH00924: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already initialized
>>> [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719] proxy_util.c(1880): AH00926: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already initialized
>>> [Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server for SSL protocol
>>> [Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>> [Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>> [Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>> [Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>> [Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>> [Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717] nss_engine_init.c(906): Disabling TLS Session Tickets
>>> [Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717] nss_engine_init.c(916): Enabling DHE key exchange
>>> [Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>> [Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>> ...
>>> [Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>> [Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname ipaCert.
>>> [Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>> [Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server for SSL protocol
>>> [Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>> [Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>> [Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>> [Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>> [Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>> [Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718] nss_engine_init.c(906): Disabling TLS Session Tickets
>>> [Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718] nss_engine_init.c(916): Enabling DHE key exchange
>>> [Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>> [Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>> ...
>>> [Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>> [Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname ipaCert.
>>> [Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>> [Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server for SSL protocol
>>> [Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>> [Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>> [Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>> [Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>> [Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>> [Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720] nss_engine_init.c(906): Disabling TLS Session Tickets
>>> [Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720] nss_engine_init.c(916): Enabling DHE key exchange
>>> [Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>> [Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>> ...
>>> [Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>> [Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname ipaCert.
>>> [Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server for SSL protocol
>>> [Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>> [Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>> [Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>> [Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>> [Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>> [Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716] nss_engine_init.c(906): Disabling TLS Session Tickets
>>> [Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716] nss_engine_init.c(916): Enabling DHE key exchange
>>> [Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>> [Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>> ...
>>> [Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>> [Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.
>>> [Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>> [Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>> [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server for SSL protocol
>>> [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>> [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>> [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>> [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>> [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>> [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719] nss_engine_init.c(906): Disabling TLS Session Tickets
>>> [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719] nss_engine_init.c(916): Enabling DHE key exchange
>>> [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>> [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>> ...
>>> [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>> [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.
>>> [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>> [Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING: session memcached servers not running
>>> [Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING: session memcached servers not running
>>> [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: *** PROCESS START ***
>>> [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: *** PROCESS START ***
>>> [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child 1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)
>>> [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter read failed.
>>> [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
>>> [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child 1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)
>>> [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709] AH00170: caught SIGWINCH, shutting down gracefully
>>>
>>> Is it possible to delete Server-Cert from /etc/httpd/alias/ and reimport
>>> it from the original certificates of mlv-ipa01.ipa.mydomain.com?
>>> Where are the original certificates stored?
>>>
>> Hi Morgan,
>>
>> with ldapsearch you should be able to find the certificate:
>> ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN
>>
>> The cert will be stored in the field "usercertificate".
>>
>> HTH,
>> Flo.
>>
>>> Please let me know, thanks.
>>> Bye, Morgan
>>>
>>> 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>
>>>     On 11/17/2016 04:51 PM, Morgan Marodin wrote:
>>>
>>>         Hi Rob.
>>>
>>>         I've just tried to remove the group write to the *.db files, but it's
>>>         not the problem.
>>>         [root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>>>         NSSNickname Server-Cert
>>>
>>>         I've tried to run manually dirsrv.target and krb5kdc.service, and it
>>>         works, services went up.
>>>         The same for ntpd, named-pkcs11.service, smb.service, winbind.service,
>>>         kadmin.service, memcached.service and pki-tomcatd.target.
>>>
>>>         But if I try to start httpd.service:
>>>         [root@mlv-ipa01 ~]# tail -f /var/log/messages
>>>         Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
>>>         Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa         : INFO     KDC proxy enabled
>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>         Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.
>>>
>>>         Any other ideas?
>>>
>>>     Hi,
>>>
>>>     - Does the NSS Db contain the private key for Server-Cert? If yes, the command
>>>     $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>>     should display a line like this one:
>>>     < 0> rsa      01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS Certificate DB:Server-Cert
>>>
>>>     - Is your system running with SElinux enforcing? If yes, you can check if there were SElinux permission denials using
>>>     $ ausearch -m avc --start recent
>>>
>>>     - If the certificate was expired, I believe you would see a different message, but it doesn't hurt to check its validity
>>>     $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
>>>
>>>     Flo.
>>>
>>>         Please let me know, thanks.
>>>         Morgan
>>>
>>>         2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>
>>>             Morgan Marodin wrote:
>>>             > Hi Florence.
>>>             >
>>>             > Thanks for your support.
>>>             >
>>>             > Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
>>>             > permissions and certificates are good:
>>>             > [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
>>>             > total 184
>>>             > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
>>>             > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
>>>             > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
>>>             > -rw-------. 1 root root    4833 Sep  4  2015 install.log
>>>             > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
>>>             > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
>>>             > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
>>>             > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
>>>             > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
>>>             > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig
>>>
>>>             Eventually you'll want to remove group write on the *.db files.
>>>
>>>             > And password validation seems ok, too:
>>>             > [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>>
>>>             good
>>>
>>>             > Enabling mod-nss debug I can see these logs:
>>>             > [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
>>>             > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>             > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
>>>             > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
>>>             > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol
>>>             > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>             > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>             > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>             > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>             > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>             > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets
>>>             > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange
>>>             > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>             > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
>>>             > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.
>>>             [snip]
>>>             > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'
>>>
>>>             Can you show what this returns:
>>>
>>>             # grep NSSNickname /etc/httpd/conf.d/nss.conf
>>>
>>>             > Do you think there is a kerberos problem?
>>>
>>>             It definitely is not.
>>>
>>>             You can bring the system up in a minimal way by manually starting the
>>>             dir...@example.com service and then krb5kdc. This will at least let your
>>>             users authenticate. The management framework (GUI) runs through Apache
>>>             so that will be down until we can get Apache started again.
>>>
>>>             rob
>>>
>>>             >
>>>             > Please let me know, thanks.
>>>             > Bye, Morgan
>>>             >
>>>             > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>             >
>>>             >     On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>>>             >
>>>             >         Hello.
>>>             >
>>>             >         This morning I've tried to upgrade my IPA server, but the upgrade
>>>             >         failed, and now the service doesn't start! :(
>>>             >
>>>             >         If I try to launch the upgrade manually this is the output:
>>>             >         [root@mlv-ipa01 download]# ipa-server-upgrade
>>>             >
>>>             >         Upgrading IPA:
>>>             >           [1/8]: saving configuration
>>>             >           [2/8]: disabling listeners
>>>             >           [3/8]: enabling DS global lock
>>>             >           [4/8]: starting directory server
>>>             >           [5/8]: updating schema
>>>             >           [6/8]: upgrading server
>>>             >           [7/8]: stopping directory server
>>>             >           [8/8]: restoring configuration
>>>             >         Done.
>>>             >         Update complete
>>>             >         Upgrading IPA services
>>>             >         Upgrading the configuration of the IPA services
>>>             >         [Verifying that root certificate is published]
>>>             >         [Migrate CRL publish directory]
>>>             >         CRL tree already moved
>>>             >         [Verifying that CA proxy configuration is correct]
>>>             >         [Verifying that KDC configuration is using ipa-kdb backend]
>>>             >         [Fix DS schema file syntax]
>>>             >         Syntax already fixed
>>>             >         [Removing RA cert from DS NSS database]
>>>             >         RA cert already removed
>>>             >         [Enable sidgen and extdom plugins by default]
>>>             >         [Updating HTTPD service IPA configuration]
>>>             >         [Updating mod_nss protocol versions]
>>>             >         Protocol versions already updated
>>>             >         [Updating mod_nss cipher suite]
>>>             >         [Fixing trust flags in /etc/httpd/alias]
>>>             >         Trust flags already processed
>>>             >         [Exporting KRA agent PEM file]
>>>             >         KRA is not enabled
>>>             >         IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>             >         Unexpected error - see /var/log/ipaupgrade.log for details:
>>>             >         CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
>>>             >         The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>             >
>>>             >         These are error logs of Apache:
>>>             >         [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>             >         [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.
>>>             >         [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'
>>>             >
>>>             >         The problem seems to be the Server-Cert that could not be found.
>>>             >         But if I try to execute the certutil command manually I can see it:
>>>             >         [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
>>>             >
>>>             >         Certificate Nickname                                         Trust Attributes
>>>             >                                                                      SSL,S/MIME,JAR/XPI
>>>             >
>>>             >         Signing-Cert                                                 u,u,u
>>>             >         ipaCert                                                      u,u,u
>>>             >         Server-Cert                                                  Pu,u,u
>>>             >         IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
>>>             >
>>>             >         Could you help me?
>>>             >         What could I try to do to restart my service?
>>>             >
>>>             >     Hi,
>>>             >
>>>             >     I would first make sure that httpd is using /etc/httpd/alias as NSS
>>>             >     DB (check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).
>>>             >     Then it may be a file permission issue: the NSS DB should belong to
>>>             >     root:apache (the relevant files are cert8.db, key3.db and secmod.db).
>>>             >     You should also find a pwdfile.txt in the same directory, containing
>>>             >     the NSS DB password. Check that the password is valid using
>>>             >     certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>>             >     (if the command succeeds then the password in pwdfile is OK).
>>>             >
>>>             >     You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
>>>             >     setting "LogLevel debug", and check the output in /var/log/httpd/error_log.
>>>             >
>>>             >     HTH,
>>>             >     Flo.
>>>             >
>>>             >         Thanks, Morgan
>>>             >
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
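The manual checks exchanged in this thread (the NSSNickname in nss.conf, certutil -L for the certificate, certutil -K for its private key, root:apache ownership, and the certificate CN matching the virtual host name that mod_nss enforces) collected into one script, as an added example that is not part of the thread or of FreeIPA. The parse functions read command output from stdin, so they can be exercised on the output posted in the thread; the NSS_DIR/NSS_CONF defaults, the "NSS Certificate DB" token name and GNU `stat -c` are assumptions.

```shell
#!/bin/bash
# nss_httpd_check.sh: re-run, as one script, the checks exchanged in this thread
# for the mod_nss certificate database used by an IPA httpd instance.
# Added example, not FreeIPA code; assumptions are marked below.
#   1. nss.conf names the certificate via NSSNickname (thread: "Server-Cert")
#   2. certutil -L must list that nickname (else mod_nss logs "Certificate not found")
#   3. certutil -K must show a private key for it (else the handshake fails with
#      "SSL Library Error: -12285 Unable to find the certificate or key ...")
#   4. the certificate CN must equal the ServerName (else "Misconfiguration of
#      certificate's CN and virtual name", seen in the thread with ipaCert / "IPA RA")

NSS_DIR=${NSS_DIR:-/etc/httpd/alias}                 # assumption: IPA default paths
NSS_CONF=${NSS_CONF:-/etc/httpd/conf.d/nss.conf}
PWDFILE=${PWDFILE:-$NSS_DIR/pwdfile.txt}

# First NSSNickname value in an nss.conf read from stdin (surrounding quotes dropped).
parse_conf_nickname() {
    sed -n -E 's/^[[:space:]]*NSSNickname[[:space:]]+"?([^"]*[^" ])"?[[:space:]]*$/\1/p' | head -n 1
}

# ServerName host from nss.conf on stdin; a ":443" port suffix is dropped.
parse_server_name() {
    sed -n -E 's/^[[:space:]]*ServerName[[:space:]]+([^: ]+).*$/\1/p' | head -n 1
}

# One nickname per line from `certutil -L` output on stdin. Data rows end in a
# trust string such as "u,u,u", "Pu,u,u" or "CT,C,C"; the two header lines do not,
# so they fall out. The nickname is everything before that last field and may
# contain spaces ("IPA.MYDOMAIN.COM IPA CA" in the thread).
parse_cert_nicknames() {
    awk '$NF ~ /^[pPcCTugw,]*,[pPcCTugw,]*$/ { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Nicknames that own a private key, from `certutil -K` output on stdin. Key rows
# look like "< 0> rsa  <keyid>  NSS Certificate DB:Server-Cert"; the token name
# is the NSS softoken default (assumption). Rows without a nickname are skipped.
parse_key_nicknames() {
    sed -n -E 's/^<[[:space:]]*[0-9]+>.*NSS Certificate DB:(.*)$/\1/p'
}

# CN from the Subject line of `certutil -L -n NICK` output on stdin.
parse_cert_cn() {
    sed -n -E 's/^[[:space:]]*Subject: "?CN=([^,"]*).*$/\1/p' | head -n 1
}

# contains_line LIST NAME: exact-line membership test on a newline-separated list.
contains_line() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# diagnose NICK CERT_LIST KEY_LIST CN SERVERNAME
# Prints one line per inconsistency and returns 1 if any was found.
diagnose() {
    local nick="$1" certs="$2" keys="$3" cn="$4" server="$5" rc=0
    if [ -z "$nick" ]; then
        echo "no NSSNickname directive found in nss.conf"
        return 1
    fi
    if ! contains_line "$certs" "$nick"; then
        echo "certificate '$nick' is not in the database (mod_nss: Certificate not found)"
        rc=1
    fi
    if ! contains_line "$keys" "$nick"; then
        echo "no private key for '$nick' (mod_nss: SSL Library Error -12285)"
        rc=1
    fi
    if [ -n "$cn" ] && [ -n "$server" ] && [ "$cn" != "$server" ]; then
        echo "certificate CN '$cn' does not match ServerName '$server' (mod_nss: CN/virtual name misconfiguration)"
        rc=1
    fi
    return $rc
}

# Run the real commands against NSS_DIR and NSS_CONF (requires certutil).
run_checks() {
    local nick server certs keys cn f
    nick=$(parse_conf_nickname < "$NSS_CONF")
    server=$(parse_server_name < "$NSS_CONF")
    certs=$(certutil -L -d "$NSS_DIR" | parse_cert_nicknames)
    keys=$(certutil -K -d "$NSS_DIR" -f "$PWDFILE" | parse_key_nicknames)
    cn=$(certutil -L -d "$NSS_DIR" -n "$nick" 2>/dev/null | parse_cert_cn)
    # Ownership the thread expects: root:apache (GNU stat assumed).
    for f in cert8.db key3.db secmod.db; do
        [ "$(stat -c %U:%G "$NSS_DIR/$f")" = root:apache ] || echo "$f is not owned by root:apache"
    done
    diagnose "$nick" "$certs" "$keys" "$cn" "$server"
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `nss_httpd_check.sh --run` on the IPA server; without the flag it only defines the functions, so the parsers can be sourced and fed captured output.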