Morgan Marodin wrote:
> What do you mean with backup database?
> 
> Updating again the mod_nss RPM, Apache doesn't start ... so, this is the
> problem.

You said "and restoring the original /etc/httpd/alias/ folder". Original
from what, where did that come from?

So merely updating mod_nss breaks things? Strange. What is the working
version? rpm -q mod_nss

rob

> 
> 2016-11-18 15:43 GMT+01:00 Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>>:
> 
>     Morgan Marodin wrote:
>     > It works!
>     > Thanks for your support.
>     >
>     > Anyway, I will try to update againt mod_nss package! :D
> 
>     Glad it's working for you. I'm curious what the backup database was for.
>     Did you create that?
> 
>     rob
> 
>     > Bye!
>     >
>     >
>     > 2016-11-18 15:21 GMT+01:00 Morgan Marodin <mor...@marodin.it 
> <mailto:mor...@marodin.it>
>     > <mailto:mor...@marodin.it <mailto:mor...@marodin.it>>>:
>     >
>     >     A little good news.
>     >
>     >     Downgrading the /mod_nss/ RPM package, and restoring the original
>     >     //etc/httpd/alias/ folder, /ipa-server-upgrade/ procedure has
>     >     finished well:
>     >     /# ipa-server-upgrade
>     >     Upgrading IPA:
>     >       [1/10]: stopping directory server
>     >       [2/10]: saving configuration
>     >       [3/10]: disabling listeners
>     >       [4/10]: enabling DS global lock
>     >       [5/10]: starting directory server
>     >       [6/10]: updating schema
>     >       [7/10]: upgrading server
>     >       [8/10]: stopping directory server
>     >       [9/10]: restoring configuration
>     >       [10/10]: starting directory server
>     >     Done.
>     >     Update complete
>     >     Upgrading IPA services
>     >     Upgrading the configuration of the IPA services
>     >     [Verifying that root certificate is published]
>     >     [Migrate CRL publish directory]
>     >     CRL tree already moved
>     >     [Verifying that CA proxy configuration is correct]
>     >     [Verifying that KDC configuration is using ipa-kdb backend]
>     >     [Fix DS schema file syntax]
>     >     Syntax already fixed
>     >     [Removing RA cert from DS NSS database]
>     >     RA cert already removed
>     >     [Enable sidgen and extdom plugins by default]
>     >     [Updating HTTPD service IPA configuration]
>     >     [Updating mod_nss protocol versions]
>     >     Protocol versions already updated
>     >     [Updating mod_nss cipher suite]
>     >     [Fixing trust flags in /etc/httpd/alias]
>     >     Trust flags already processed
>     >     [Exporting KRA agent PEM file]
>     >     KRA is not enabled
>     >     [Removing self-signed CA]
>     >     [Removing Dogtag 9 CA]
>     >     [Checking for deprecated KDC configuration files]
>     >     [Checking for deprecated backups of Samba configuration files]
>     >     [Setting up Firefox extension]
>     >     [Add missing CA DNS records]
>     >     IPA CA DNS records already processed
>     >     [Removing deprecated DNS configuration options]
>     >     [Ensuring minimal number of connections]
>     >     [Enabling serial autoincrement in DNS]
>     >     [Updating GSSAPI configuration in DNS]
>     >     [Updating pid-file configuration in DNS]
>     >     [Checking global forwarding policy in named.conf to avoid
>     conflicts
>     >     with automatic empty zones]
>     >     Global forward policy in named.conf will be changed to "only" to
>     >     avoid conflicts with automatic empty zones
>     >     [Adding server_id to named.conf]
>     >     Changes to named.conf have been made, restart named
>     >     Custodia service is being configured
>     >     Configuring ipa-custodia
>     >       [1/5]: Generating ipa-custodia config file
>     >       [2/5]: Making sure custodia container exists
>     >       [3/5]: Generating ipa-custodia keys
>     >       [4/5]: starting ipa-custodia
>     >       [5/5]: configuring ipa-custodia to start on boot
>     >     Done configuring ipa-custodia.
>     >     [Upgrading CA schema]
>     >     CA schema update complete
>     >     [Verifying that CA audit signing cert has 2 year validity]
>     >     [Update certmonger certificate renewal configuration to version 5]
>     >     Configuring certmonger to stop tracking system certificates for CA
>     >     Certmonger certificate renewal configuration updated to version 5
>     >     [Enable PKIX certificate path discovery and validation]
>     >     PKIX already enabled
>     >     [Authorizing RA Agent to modify profiles]
>     >     [Authorizing RA Agent to manage lightweight CAs]
>     >     [Ensuring Lightweight CAs container exists in Dogtag database]
>     >     [Adding default OCSP URI configuration]
>     >     pki-tomcat configuration changed, restart pki-tomcat
>     >     [Ensuring CA is using LDAPProfileSubsystem]
>     >     [Migrating certificate profiles to LDAP]
>     >     [Ensuring presence of included profiles]
>     >     [Add default CA ACL]
>     >     Default CA ACL already added
>     >     [Set up lightweight CA key retrieval]
>     >     Creating principal
>     >     Retrieving keytab
>     >     Creating Custodia keys
>     >     Configuring key retriever
>     >     The IPA services were upgraded
>     >     The ipa-server-upgrade command was successful/
>     >
>     >     And Apache has started, BUT there is a problem with the web 
> certificate:
>     >     /# tail -f /var/log/httpd/error_log
>     >     [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to
>     >     child 2 established (server mlv-ipa01.ipa.mydomain.com:443
>     <http://mlv-ipa01.ipa.mydomain.com:443>
>     >     <http://mlv-ipa01.ipa.mydomain.com:443
>     <http://mlv-ipa01.ipa.mydomain.com:443>>, client 192.168.0.252)
>     >     [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input
>     >     filter read failed.
>     >     [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library
>     >     Error: -12285 Unable to find the certificate or key necessary for
>     >     authentication
>     >     [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to
>     >     child 2 closed (server mlv-ipa01.ipa.mydomain.com:443
>     <http://mlv-ipa01.ipa.mydomain.com:443>
>     >     <http://mlv-ipa01.ipa.mydomain.com:443
>     <http://mlv-ipa01.ipa.mydomain.com:443>>, client 192.168.0.252)/
>     >
>     >     How do you suggest to go on with my issue?
>     >
>     >     Thanks, Morgan
>     >
>     >     2016-11-18 12:11 GMT+01:00 Morgan Marodin <mor...@marodin.it 
> <mailto:mor...@marodin.it>
>     >     <mailto:mor...@marodin.it <mailto:mor...@marodin.it>>>:
>     >
>     >         I've tried to add it to a new test folder, with a new
>     >         certificate nickname, and then to replace it to /nss.conf/.
>     >
>     >         But the problem persists:
>     >         /# certutil -V -u V -d /etc/httpd/test -n ipa01cert
>     >         certutil: certificate is valid/
>     >
>     >         /# tail -f /var/log/httpd/error_log
>     >         /
>     >         /[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552]
>     >         AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>     >         [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552]
>     >         NSSSessionCacheTimeout is deprecated. Ignoring.
>     >         [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552]
>     >         nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >         <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>> -> ipa01cert
>     >         [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The
>     >         server key database has not been initialized.
>     >         [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552]
>     >         Configuring server for SSL protocol
>     >         ...
>     >         [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using
>     >         nickname ipa01cert.
>     >         [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552]
>     >         Certificate not found: 'ipa01cert'/
>     >
>     >         I've found this guide:/
>     >         Combine the server cert and key into a single file
>     >         # cp localhost.crt > Server-Cert.txt
>     >         # cat localhost.key >> Server-Cert.txt
>     >         Convert the server cert into a p12 file
>     >         # openssl pkcs12 -export -in Server-Cert.txt -out
>     >         Server-Cert.p12 -name "Server-Cert"
>     >         Now Import the Public and Private keys into the database at the
>     >         same time.
>     >         #pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias
>     >         -n Server-Cert/
>     >
>     >         Where is stored the key certificate file?
>     >
>     >         Thanks, Morgan
>     >
>     >
>     >         2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud 
> <f...@redhat.com <mailto:f...@redhat.com>
>     >         <mailto:f...@redhat.com <mailto:f...@redhat.com>>>:
>     >
>     >             On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>     >
>     >                 Hi Florence.
>     >
>     >                 I've tried to configure the wrong certificate in
>     >                 nss.conf (/ipaCert/),
>     >                 and with this Apache started.
>     >                 So I think the problem is in the /Server-Cert/ stored in
>     >                 //etc/httpd/alias/, even if all manul checks are ok.
>     >
>     >                 These are logs with the wrong certificate test:
>     >                 /# tail -f /var/log/httpd/error_log/
>     >                 /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid
>     >                 7709] AH01232:
>     >                 suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>     >                 [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
>     >                 NSSSessionCacheTimeout is deprecated. Ignoring.
>     >                 [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>> -> ipaCert
>     >
>     >                 [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709]
>     >                 Configuring server
>     >                 for SSL protocol
>     >                 [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>     >                 [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>     >                 [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>     >                 [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(839): NSSProtocol:  [TLS 1.0]
>     (minimum)
>     >                 [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(866): NSSProtocol:  [TLS 1.2]
>     (maximum)
>     >                 [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(906): Disabling TLS Session Tickets
>     >                 [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(916): Enabling DHE key exchange
>     >                 [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(1077): NSSCipherSuite:  Configuring
>     >                 permitted SSL
>     >                 ciphers
>     >               
>      
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>     >                 [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>     >                 ...
>     >                 [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
>     >                 nss_engine_init.c(1140): Enable cipher:
>     >                 ecdhe_rsa_aes_128_gcm_sha_256
>     >                 [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709]
>     >                 Using nickname ipaCert.
>     >                 [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709]
>     >                 Misconfiguration
>     >                 of certificate's CN and virtual name. The
>     certificate CN
>     >                 has IPA RA. We
>     >                 expected mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>>
>     >                 as virtual name.
>     >                 [Fri Nov 18 09:34:33.028056 2016
>     <tel:028056%202016> <tel:028056%202016>]
>     >                 [auth_digest:notice] [pid 7709]
>     >                 AH01757: generating secret for digest authentication ...
>     >                 [Fri Nov 18 09:34:33.030039 2016
>     <tel:030039%202016> <tel:030039%202016>]
>     >                 [lbmethod_heartbeat:notice] [pid 7709]
>     >                 AH02282: No slotmem from mod_heartmonitor
>     >                 [Fri Nov 18 09:34:33.030122 2016
>     <tel:030122%202016> <tel:030122%202016>]
>     >                 [:warn] [pid 7709]
>     >                 NSSSessionCacheTimeout is deprecated. Ignoring.
>     >                 [Fri Nov 18 09:34:33.030176 2016
>     <tel:030176%202016> <tel:030176%202016>]
>     >                 [:debug] [pid 7709]
>     >                 nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>> -> ipaCert
>     >
>     >                 [Fri Nov 18 09:34:33.051481 2016
>     <tel:051481%202016> <tel:051481%202016>]
>     >                 [mpm_prefork:notice] [pid 7709]
>     >                 AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0
>     >                 mod_auth_kerb/5.4
>     >                 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4
>     >                 Python/2.7.5 configured
>     >                 -- resuming normal operations
>     >                 [Fri Nov 18 09:34:33.051551 2016
>     <tel:051551%202016> <tel:051551%202016>]
>     >                 [core:notice] [pid 7709] AH00094:
>     >                 Command line: '/usr/sbin/httpd -D FOREGROUND'
>     >                 [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 
> 7717]
>     >                 proxy_util.c(1838): AH00924: worker ajp://localhost
>     >                 shared already
>     >                 initialized
>     >                 [Fri Nov 18 09:34:33.096163 2016
>     <tel:096163%202016> <tel:096163%202016>]
>     >                 [proxy:debug] [pid 7717]
>     >                 proxy_util.c(1880): AH00926: worker ajp://localhost
>     >                 local already
>     >                 initialized
>     >                 ...
>     >                 [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 
> 7719]
>     >                 proxy_util.c(1838): AH00924: worker
>     >                 unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/
>     >                 shared already
>     >                 initialized
>     >                 [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 
> 7719]
>     >                 proxy_util.c(1880): AH00926: worker
>     >                 unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/
>     >                 local already
>     >                 initialized
>     >                 [Fri Nov 18 09:34:33.342762 2016
>     <tel:342762%202016> <tel:342762%202016>]
>     >                 [:info] [pid 7717] Configuring server
>     >                 for SSL protocol
>     >                 [Fri Nov 18 09:34:33.342867 2016
>     <tel:342867%202016> <tel:342867%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>     >                 [Fri Nov 18 09:34:33.342880 2016
>     <tel:342880%202016> <tel:342880%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>     >                 [Fri Nov 18 09:34:33.342885 2016
>     <tel:342885%202016> <tel:342885%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>     >                 [Fri Nov 18 09:34:33.342890 2016
>     <tel:342890%202016> <tel:342890%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] 
> (minimum)
>     >                 [Fri Nov 18 09:34:33.342894 2016 <tel:342894%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] 
> (maximum)
>     >                 [Fri Nov 18 09:34:33.342900 2016 <tel:342900%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(906): Disabling TLS Session Tickets
>     >                 [Fri Nov 18 09:34:33.342904 2016 <tel:342904%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(916): Enabling DHE key exchange
>     >                 [Fri Nov 18 09:34:33.342917 2016 <tel:342917%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(1077): NSSCipherSuite:  Configuring
>     >                 permitted SSL
>     >                 ciphers
>     >                 
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>     >                 [Fri Nov 18 09:34:33.342970 2016 <tel:342970%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>     >                 ...
>     >                 [Fri Nov 18 09:34:33.343233 2016 <tel:343233%202016>]
>     >                 [:debug] [pid 7717]
>     >                 nss_engine_init.c(1140): Enable cipher:
>     >                 ecdhe_rsa_aes_128_gcm_sha_256
>     >                 [Fri Nov 18 09:34:33.343237 2016 <tel:343237%202016>]
>     >                 [:info] [pid 7717] Using nickname ipaCert.
>     >                 [Fri Nov 18 09:34:33.344533 2016 <tel:344533%202016>]
>     >                 [:error] [pid 7717] Misconfiguration
>     >                 of certificate's CN and virtual name. The certificate CN
>     >                 has IPA RA. We
>     >                 expected mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>>
>     >
>     >                 as virtual name.
>     >                 [Fri Nov 18 09:34:33.364061 2016 <tel:364061%202016>]
>     >                 [:info] [pid 7718] Configuring server
>     >                 for SSL protocol
>     >                 [Fri Nov 18 09:34:33.364156 2016 <tel:364156%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>     >                 [Fri Nov 18 09:34:33.364167 2016 <tel:364167%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>     >                 [Fri Nov 18 09:34:33.364172 2016 <tel:364172%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>     >                 [Fri Nov 18 09:34:33.364176 2016 <tel:364176%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] 
> (minimum)
>     >                 [Fri Nov 18 09:34:33.364180 2016 <tel:364180%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] 
> (maximum)
>     >                 [Fri Nov 18 09:34:33.364187 2016 <tel:364187%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(906): Disabling TLS Session Tickets
>     >                 [Fri Nov 18 09:34:33.364191 2016 <tel:364191%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(916): Enabling DHE key exchange
>     >                 [Fri Nov 18 09:34:33.364202 2016 <tel:364202%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(1077): NSSCipherSuite:  Configuring
>     >                 permitted SSL
>     >                 ciphers
>     >                 
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>     >                 [Fri Nov 18 09:34:33.364240 2016 <tel:364240%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>     >                 ...
>     >                 [Fri Nov 18 09:34:33.364611 2016 <tel:364611%202016>]
>     >                 [:debug] [pid 7718]
>     >                 nss_engine_init.c(1140): Enable cipher:
>     >                 ecdhe_rsa_aes_128_gcm_sha_256
>     >                 [Fri Nov 18 09:34:33.364625 2016 <tel:364625%202016>]
>     >                 [:info] [pid 7718] Using nickname ipaCert.
>     >                 [Fri Nov 18 09:34:33.365549 2016 <tel:365549%202016>]
>     >                 [:error] [pid 7718] Misconfiguration
>     >                 of certificate's CN and virtual name. The certificate CN
>     >                 has IPA RA. We
>     >                 expected mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>>
>     >
>     >                 as virtual name.
>     >                 [Fri Nov 18 09:34:33.369972 2016 <tel:369972%202016>]
>     >                 [:info] [pid 7720] Configuring server
>     >                 for SSL protocol
>     >                 [Fri Nov 18 09:34:33.370200 2016 <tel:370200%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>     >                 [Fri Nov 18 09:34:33.370224 2016 <tel:370224%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>     >                 [Fri Nov 18 09:34:33.370239 2016 <tel:370239%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>     >                 [Fri Nov 18 09:34:33.370255 2016 <tel:370255%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] 
> (minimum)
>     >                 [Fri Nov 18 09:34:33.370269 2016 <tel:370269%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] 
> (maximum)
>     >                 [Fri Nov 18 09:34:33.370286 2016 <tel:370286%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(906): Disabling TLS Session Tickets
>     >                 [Fri Nov 18 09:34:33.370301 2016 <tel:370301%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(916): Enabling DHE key exchange
>     >                 [Fri Nov 18 09:34:33.370322 2016 <tel:370322%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(1077): NSSCipherSuite:  Configuring
>     >                 permitted SSL
>     >                 ciphers
>     >                 
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>     >                 [Fri Nov 18 09:34:33.370383 2016 <tel:370383%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>     >                 ...
>     >                 [Fri Nov 18 09:34:33.371418 2016 <tel:371418%202016>]
>     >                 [:debug] [pid 7720]
>     >                 nss_engine_init.c(1140): Enable cipher:
>     >                 ecdhe_rsa_aes_128_gcm_sha_256
>     >                 [Fri Nov 18 09:34:33.371437 2016 <tel:371437%202016>]
>     >                 [:info] [pid 7720] Using nickname ipaCert.
>     >                 [Fri Nov 18 09:34:33.371486 2016 <tel:371486%202016>]
>     >                 [:info] [pid 7716] Configuring server
>     >                 for SSL protocol
>     >                 [Fri Nov 18 09:34:33.372383 2016 <tel:372383%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>     >                 [Fri Nov 18 09:34:33.372439 2016 <tel:372439%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>     >                 [Fri Nov 18 09:34:33.372459 2016 <tel:372459%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>     >                 [Fri Nov 18 09:34:33.372484 2016 <tel:372484%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] 
> (minimum)
>     >                 [Fri Nov 18 09:34:33.372513 2016 <tel:372513%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] 
> (maximum)
>     >                 [Fri Nov 18 09:34:33.372534 2016 <tel:372534%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(906): Disabling TLS Session Tickets
>     >                 [Fri Nov 18 09:34:33.372553 2016 <tel:372553%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(916): Enabling DHE key exchange
>     >                 [Fri Nov 18 09:34:33.372580 2016 <tel:372580%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(1077): NSSCipherSuite:  Configuring
>     >                 permitted SSL
>     >                 ciphers
>     >                 
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>     >                 [Fri Nov 18 09:34:33.372627 2016 <tel:372627%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>     >                 ...
>     >                 [Fri Nov 18 09:34:33.373712 2016 <tel:373712%202016>]
>     >                 [:debug] [pid 7716]
>     >                 nss_engine_init.c(1140): Enable cipher:
>     >                 ecdhe_rsa_aes_128_gcm_sha_256
>     >                 [Fri Nov 18 09:34:33.373734 2016 <tel:373734%202016>]
>     >                 [:info] [pid 7716] Using nickname ipaCert.
>     >                 [Fri Nov 18 09:34:33.374652 2016 <tel:374652%202016>]
>     >                 [:error] [pid 7716] Misconfiguration
>     >                 of certificate's CN and virtual name. The certificate CN
>     >                 has IPA RA. We
>     >                 expected mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>>
>     >                 as virtual name.
>     >                 [Fri Nov 18 09:34:33.372295 2016 <tel:372295%202016>]
>     >                 [:error] [pid 7720] Misconfiguration
>     >                 of certificate's CN and virtual name. The certificate CN
>     >                 has IPA RA. We
>     >                 expected mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>>
>     >
>     >                 as virtual name.
>     >                 [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719]
>     >                 Configuring server
>     >                 for SSL protocol
>     >                 [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>     >                 [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>     >                 [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>     >                 [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(839): NSSProtocol:  [TLS 1.0]
>     (minimum)
>     >                 [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(866): NSSProtocol:  [TLS 1.2]
>     (maximum)
>     >                 [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(906): Disabling TLS Session Tickets
>     >                 [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(916): Enabling DHE key exchange
>     >                 [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(1077): NSSCipherSuite:  Configuring
>     >                 permitted SSL
>     >                 ciphers
>     >               
>      
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>     >                 [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>     >                 ...
>     >                 [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]
>     >                 nss_engine_init.c(1140): Enable cipher:
>     >                 ecdhe_rsa_aes_128_gcm_sha_256
>     >                 [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719]
>     >                 Using nickname ipaCert.
>     >                 [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719]
>     >                 Misconfiguration
>     >                 of certificate's CN and virtual name. The
>     certificate CN
>     >                 has IPA RA. We
>     >                 expected mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>>
>     >                 as virtual name.
>     >                 [Fri Nov 18 09:34:35.558286 2016 <tel:558286%202016>]
>     >                 [:error] [pid 7715] ipa: WARNING:
>     >                 session memcached servers not running
>     >                 [Fri Nov 18 09:34:35.559653 2016 <tel:559653%202016>]
>     >                 [:error] [pid 7714] ipa: WARNING:
>     >                 session memcached servers not running
>     >                 [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714]
>     >                 ipa: INFO: ***
>     >                 PROCESS START ***
>     >                 [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715]
>     >                 ipa: INFO: ***
>     >                 PROCESS START ***
>     >                 [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717]
>     >                 Connection to child
>     >                 1 established (server mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>>, client 192.168.0.239)
>     >                 [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL
>     >                 input filter
>     >                 read failed.
>     >                 [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717]
>     >                 SSL Library Error:
>     >                 -12285 Unable to find the certificate or key necessary
>     >                 for authentication
>     >                 [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717]
>     >                 Connection to child
>     >                 1 closed (server mlv-ipa01.ipa.mydomain.com:443 
> <http://mlv-ipa01.ipa.mydomain.com:443>
>     >                 <http://mlv-ipa01.ipa.mydomain.com:443
>     <http://mlv-ipa01.ipa.mydomain.com:443>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com:443
>     <http://mlv-ipa01.ipa.mydomain.com:443>
>     >                 <http://mlv-ipa01.ipa.mydomain.com:443
>     <http://mlv-ipa01.ipa.mydomain.com:443>>>, client
>     >                 192.168.0.239)
>     >                 [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice]
>     >                 [pid 7709]
>     >                 AH00170: caught SIGWINCH, shutting down gracefully/
>     >
>     >                 Is possible to delete /Server-Cert/ from
>     >                 //etc/httpd/alias/ and reimport
>     >                 it from the original certificates of
>     >                 /mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com 
> <http://mlv-ipa01.ipa.mydomain.com>>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>>/?
>     >                 Where are stored the original certificates?
>     >
>     >             Hi Morgan,
>     >
>     >             with ldapsearch you should be able to find the certificate:
>     >             ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory
>     >             manager" -w password -LLL -b
>     >             
> krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN
>     >
>     >             The cert will be stored in the field "usercertificate".
>     >
>     >             HTH,
>     >             Flo.
>     >
>     >                 Please let me know, thanks.
>     >                 Bye, Morgan
>     >
>     >                 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud
>     >                 <f...@redhat.com <mailto:f...@redhat.com> 
> <mailto:f...@redhat.com
>     <mailto:f...@redhat.com>>
>     >                 <mailto:f...@redhat.com <mailto:f...@redhat.com>
>     <mailto:f...@redhat.com <mailto:f...@redhat.com>>>>:
>     >
>     >
>     >                     On 11/17/2016 04:51 PM, Morgan Marodin wrote:
>     >
>     >                         Hi Rob.
>     >
>     >                         I've just tried to remove the group write
>     to the
>     >                 *.db files, but
>     >                         it's
>     >                         not the problem.
>     >                         /[root@mlv-ipa01 ~]# grep NSSNickname
>     >                 /etc/httpd/conf.d/nss.conf
>     >                         NSSNickname Server-Cert/
>     >
>     >                         I've tried to run manually /dirsrv.target/ and
>     >                         /krb5kdc.service/, and it
>     >                         works, services went up.
>     >                         The same for /ntpd/, /named-pkcs11.service/,
>     >                 /smb.service/,
>     >                         /winbind.service/, /kadmin.service/,
>     >                 /memcached.service/ and
>     >                         /pki-tomcatd.target/.
>     >
>     >                         But if I try to start /httpd.service/:
>     >                         /[root@mlv-ipa01 ~]# tail -f /var/log/messages
>     >                         Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting
>     >                 The Apache HTTP
>     >                         Server...
>     >                         Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy:
>     >                 ipa         :
>     >                         INFO     KDC
>     >                         proxy enabled
>     >                         Nov 17 16:46:07 mlv-ipa01 systemd[1]:
>     >                 httpd.service: main process
>     >                         exited, code=exited, status=1/FAILURE
>     >                         Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot
>     >                 find process ""
>     >                         Nov 17 16:46:07 mlv-ipa01 systemd[1]:
>     >                 httpd.service: control process
>     >                         exited, code=exited status=1
>     >                         Nov 17 16:46:07 mlv-ipa01 systemd[1]:
>     Failed to
>     >                 start The Apache
>     >                         HTTP
>     >                         Server.
>     >                         Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit
>     >                 httpd.service entered
>     >                         failed
>     >                         state.
>     >                         Nov 17 16:46:07 mlv-ipa01 systemd[1]:
>     >                 httpd.service failed./
>     >
>     >                         Any other ideas?
>     >
>     >                     Hi,
>     >
>     >                     - Does the NSS Db contain the private key for
>     >                 Server-Cert? If yes,
>     >                     the command
>     >                     $ certutil -K -d /etc/httpd/alias/ -f
>     >                 /etc/httpd/alias/pwdfile.txt
>     >                     should display a line like this one:
>     >                     < 0> rsa
>     >                 01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS
>     >                     Certificate DB:Server-Cert
>     >
>     >                     - Is your system running with SElinux
>     enforcing? If
>     >                 yes, you can
>     >                     check if there were SElinux permission denials
>     using
>     >                     $ ausearch -m avc --start recent
>     >
>     >                     - If the certificate was expired, I believe you
>     >                 would see a
>     >                     different message, but it doesn't hurt to
>     check its
>     >                 validity
>     >                     $ certutil -L -d /etc/httpd/alias/ -n
>     Server-Cert |
>     >                 egrep "Not
>     >                     Before|Not After"
>     >
>     >
>     >                     Flo.
>     >
>     >
>     >                         Please let me know, thanks.
>     >                         Morgan
>     >
>     >                         2016-11-17 16:11 GMT+01:00 Rob Crittenden
>     >                 <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
>     >                         <mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>
>     >                 <mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>>>
>     >                         <mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>
>     >                 <mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>> <mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>
>     >                 <mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>>>>>:
>     >
>     >
>     >
>     >                             Morgan Marodin wrote:
>     >                             > Hi Florence.
>     >                             >
>     >                             > Thanks for your support.
>     >                             >
>     >                             > Yes, httpd is using /etc/httpd/alias as
>     >                 NSS DB. And seems
>     >                         that all
>     >                             > permissions and certificates are good:
>     >                             > /[root@mlv-ipa01 ~]# ls -l
>     /etc/httpd/alias/
>     >                             > total 184
>     >                             > -r--r--r--  1 root root    1345 Sep  7
>     >                 2015 cacert.asc
>     >                             > -rw-rw----  1 root apache 65536 Nov 17
>     >                 11:06 cert8.db
>     >                             > -rw-r-----. 1 root apache 65536 Sep  4
>     >                 2015 cert8.db.orig
>     >                             > -rw-------. 1 root root    4833 Sep  4
>     >                 2015 install.log
>     >                             > -rw-rw----  1 root apache 16384 Nov 17
>     >                 11:06 key3.db
>     >                             > -rw-r-----. 1 root apache 16384 Sep  4
>     >                 2015 key3.db.orig
>     >                             > lrwxrwxrwx  1 root root      24 Nov 17
>     >                 10:24 libnssckbi.so ->
>     >                             > /usr/lib64/libnssckbi.so
>     >                             > -rw-rw----  1 root apache    20 Sep  7
>     >                 2015 pwdfile.txt
>     >                             > -rw-rw----  1 root apache 16384 Sep  7
>     >                 2015 secmod.db
>     >                             > -rw-r-----. 1 root apache 16384 Sep  4
>     >                 2015 secmod.db.orig/
>     >
>     >                             Eventually you'll want to remove group
>     write
>     >                 on the *.db files.
>     >
>     >                             > And password validations seems ok, too:
>     >                             > /[root@mlv-ipa01 ~]# certutil -K -d
>     >                 /etc/httpd/alias/ -f
>     >                             > /etc/httpd/alias/pwdfile.txt
>     >                             good
>     >
>     >                             > Enabling mod-nss debug I can see
>     these logs:
>     >                             > /[root@mlv-ipa01 ~]# tail -f
>     >                 /var/log/httpd/error_log
>     >                             > [Thu Nov 17 15:05:10.807603 2016]
>     >                 [suexec:notice] [pid
>     >                         10660] AH01232:
>     >                             > suEXEC mechanism enabled (wrapper:
>     >                 /usr/sbin/suexec)
>     >                             > [Thu Nov 17 15:05:10.807958 2016]
>     [:warn]
>     >                 [pid 10660]
>     >                             > NSSSessionCacheTimeout is deprecated.
>     >                 Ignoring.
>     >                             > [Thu Nov 17 15:05:10.807991 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(454): SNI:
>     >                 mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>
>     >                         <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>>
>     >                         <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>
>     >                         <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>>>
>     >                             > <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>
>     >                         <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>>
>     >
>     >                             <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>
>     >                         <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>
>     >                 <http://mlv-ipa01.ipa.mydomain.com
>     <http://mlv-ipa01.ipa.mydomain.com>>>>> -> Server-Cert
>     >                             > [Thu Nov 17 15:05:11.002664 2016]
>     [:info]
>     >                 [pid 10660]
>     >                         Configuring server
>     >                             > for SSL protocol
>     >                             > [Thu Nov 17 15:05:11.002817 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(770): NSSProtocol:
>     >                 Enabling TLSv1.0
>     >                             > [Thu Nov 17 15:05:11.002838 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(775): NSSProtocol:
>     >                 Enabling TLSv1.1
>     >                             > [Thu Nov 17 15:05:11.002847 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(780): NSSProtocol:
>     >                 Enabling TLSv1.2
>     >                             > [Thu Nov 17 15:05:11.002856 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(839):
>     NSSProtocol:  [TLS
>     >                 1.0] (minimum)
>     >                             > [Thu Nov 17 15:05:11.002876 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(866):
>     NSSProtocol:  [TLS
>     >                 1.2] (maximum)
>     >                             > [Thu Nov 17 15:05:11.003099 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(906): Disabling TLS
>     >                 Session Tickets
>     >                             > [Thu Nov 17 15:05:11.003198 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(916): Enabling DHE key
>     >                 exchange
>     >                             > [Thu Nov 17 15:05:11.003313 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > nss_engine_init.c(1077): NSSCipherSuite:
>     >                 Configuring
>     >                         permitted SSL
>     >                             > ciphers
>     >                             >
>     >
>     >               
>      
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>     >                             > [Thu Nov 17 15:05:11.003469 2016]
>     [:debug]
>     >                 [pid 10660]
>     >                             > [Thu Nov 17 15:05:11.006759 2016]
>     [:info]
>     >                 [pid 10660]
>     >                         Using nickname
>     >                             > Server-Cert.
>     >                             [snip]
>     >                             > [Thu Nov 17 15:05:11.006771 2016]
>     [:error]
>     >                 [pid 10660]
>     >                         Certificate not
>     >                             > found: 'Server-Cert'
>     >
>     >                             Can you shows what this returns:
>     >
>     >                             # grep NSSNickname
>     /etc/httpd/conf.d/nss.conf
>     >
>     >                             > Do you think there is a kerberos
>     problem?
>     >
>     >                             It definitely is not.
>     >
>     >                             You can bring the system up in a
>     minimal way
>     >                 by manually
>     >                         starting the
>     >                             dir...@example.com
>     <mailto:dir...@example.com>
>     >                 <mailto:dir...@example.com
>     <mailto:dir...@example.com>> <mailto:dir...@example.com
>     <mailto:dir...@example.com>
>     >                 <mailto:dir...@example.com
>     <mailto:dir...@example.com>>>
>     >                         <mailto:dir...@example.com
>     <mailto:dir...@example.com>
>     >                 <mailto:dir...@example.com
>     <mailto:dir...@example.com>> <mailto:dir...@example.com
>     <mailto:dir...@example.com>
>     >                 <mailto:dir...@example.com
>     <mailto:dir...@example.com>>>> service
>     >
>     >                         and then
>     >                             krb5kdc. This will at least let your
>     >                             users authenticate. The management
>     framework
>     >                 (GUI) runs
>     >                         through Apache
>     >                             so that will be down until we can get
>     Apache
>     >                 started again.
>     >
>     >                             rob
>     >
>     >                             >
>     >                             > Please let me know, thanks.
>     >                             > Bye, Morgan
>     >                             >
>     >                             > 2016-11-17 14:39 GMT+01:00 Florence
>     >                 Blanc-Renaud
>     >                         <f...@redhat.com <mailto:f...@redhat.com>
>     <mailto:f...@redhat.com <mailto:f...@redhat.com>>
>     >                 <mailto:f...@redhat.com <mailto:f...@redhat.com>
>     <mailto:f...@redhat.com <mailto:f...@redhat.com>>>
>     >                 <mailto:f...@redhat.com <mailto:f...@redhat.com>
>     <mailto:f...@redhat.com <mailto:f...@redhat.com>>
>     >                         <mailto:f...@redhat.com
>     <mailto:f...@redhat.com> <mailto:f...@redhat.com
>     <mailto:f...@redhat.com>>>>
>     >                             > <mailto:f...@redhat.com
>     <mailto:f...@redhat.com>
>     >                 <mailto:f...@redhat.com <mailto:f...@redhat.com>>
>     <mailto:f...@redhat.com <mailto:f...@redhat.com>
>     >                 <mailto:f...@redhat.com <mailto:f...@redhat.com>>>
>     >                         <mailto:f...@redhat.com
>     <mailto:f...@redhat.com> <mailto:f...@redhat.com <mailto:f...@redhat.com>>
>     >                 <mailto:f...@redhat.com <mailto:f...@redhat.com>
>     <mailto:f...@redhat.com <mailto:f...@redhat.com>>>>>>:
>     >
>     >                             >
>     >                             >     On 11/17/2016 12:09 PM, Morgan
>     Marodin
>     >                 wrote:
>     >                             >
>     >                             >         Hello.
>     >                             >
>     >                             >         This morning I've tried to
>     upgrade
>     >                 my IPA server,
>     >                         but the
>     >                             upgrade
>     >                             >         failed, and now the service
>     >                 doesn't start! :(
>     >                             >
>     >                             >         If I try lo launch the upgrade
>     >                 manually this is
>     >                         the output:
>     >                             >         /[root@mlv-ipa01 download]#
>     >                 ipa-server-upgrade
>     >                             >
>     >                             >         Upgrading IPA:
>     >                             >           [1/8]: saving configuration
>     >                             >           [2/8]: disabling listeners
>     >                             >           [3/8]: enabling DS global lock
>     >                             >           [4/8]: starting directory
>     server
>     >                             >           [5/8]: updating schema
>     >                             >           [6/8]: upgrading server
>     >                             >           [7/8]: stopping directory
>     server
>     >                             >           [8/8]: restoring configuration
>     >                             >         Done.
>     >                             >         Update complete
>     >                             >         Upgrading IPA services
>     >                             >         Upgrading the configuration
>     of the
>     >                 IPA services
>     >                             >         [Verifying that root certificate
>     >                 is published]
>     >                             >         [Migrate CRL publish directory]
>     >                             >         CRL tree already moved
>     >                             >         [Verifying that CA proxy
>     >                 configuration is correct]
>     >                             >         [Verifying that KDC
>     configuration
>     >                 is using ipa-kdb
>     >                         backend]
>     >                             >         [Fix DS schema file syntax]
>     >                             >         Syntax already fixed
>     >                             >         [Removing RA cert from DS NSS
>     >                 database]
>     >                             >         RA cert already removed
>     >                             >         [Enable sidgen and extdom
>     plugins
>     >                 by default]
>     >                             >         [Updating HTTPD service IPA
>     >                 configuration]
>     >                             >         [Updating mod_nss protocol
>     versions]
>     >                             >         Protocol versions already
>     updated
>     >                             >         [Updating mod_nss cipher suite]
>     >                             >         [Fixing trust flags in
>     >                 /etc/httpd/alias]
>     >                             >         Trust flags already processed
>     >                             >         [Exporting KRA agent PEM file]
>     >                             >         KRA is not enabled
>     >                             >         IPA server upgrade failed:
>     Inspect
>     >                         /var/log/ipaupgrade.log
>     >                             and run
>     >                             >         command ipa-server-upgrade
>     manually.
>     >                             >         Unexpected error - see
>     >                 /var/log/ipaupgrade.log for
>     >                         details:
>     >                             >         CalledProcessError: Command
>     >                 '/bin/systemctl start
>     >                             httpd.service'
>     >                             >         returned non-zero exit status 1
>     >                             >         The ipa-server-upgrade command
>     >                 failed. See
>     >                             >         /var/log/ipaupgrade.log for
>     >                             >         more information/
>     >                             >
>     >                             >         These are error logs of Apache:
>     >                             >         /[Thu Nov 17 11:48:45.498510
>     2016]
>     >                 [suexec:notice]
>     >                         [pid 5664]
>     >                             >         AH01232:
>     >                             >         suEXEC mechanism enabled
>     (wrapper:
>     >                 /usr/sbin/suexec)
>     >                             >         [Thu Nov 17 11:48:45.499220
>     2016]
>     >                 [:warn] [pid 5664]
>     >                             >         NSSSessionCacheTimeout is
>     >                 deprecated. Ignoring.
>     >                             >         [Thu Nov 17 11:48:45.830910
>     2016]
>     >                 [:error] [pid 5664]
>     >                             >         Certificate not
>     >                             >         found: 'Server-Cert'/
>     >                             >
>     >                             >         The problem seems to be the
>     >                 /Server-Cert /that
>     >                         could not
>     >                             be found.
>     >                             >         But if I try to execute the
>     >                 certutil command
>     >                         manually I
>     >                             can see it:/
>     >                             >         [root@mlv-ipa01 log]#
>     certutil -L
>     >                 -d /etc/httpd/alias/
>     >                             >         Certificate Nickname
>     >                                Trust
>     >                             >         Attributes
>     >                             >
>     >                             >         SSL,S/MIME,JAR/XPI
>     >                             >         Signing-Cert
>     >                                u,u,u
>     >                             >         ipaCert
>     >                               u,u,u
>     >                             >         Server-Cert
>     >                               Pu,u,u
>     >                             >         IPA.MYDOMAIN.COM
>     <http://IPA.MYDOMAIN.COM>
>     >                 <http://IPA.MYDOMAIN.COM> <http://IPA.MYDOMAIN.COM>
>     >                         <http://IPA.MYDOMAIN.COM>
>     >                             <http://IPA.MYDOMAIN.COM>
>     >                             >         <http://IPA.MYDOMAIN.COM> IPA
>     >                             >         CA
>     >                     CT,C,C/
>     >                             >
>     >                             >         Could you help me?
>     >                             >         What could I try to do to
>     restart
>     >                 my service?
>     >                             >
>     >                             >     Hi,
>     >                             >
>     >                             >     I would first make sure that
>     httpd is
>     >                 using
>     >                         /etc/httpd/alias
>     >                             as NSS
>     >                             >     DB (check the directive
>     >                 NSSCertificateDatabase in
>     >                             >     /etc/httpd/conf.d/nss.conf).
>     >                             >     Then it may be a file permission
>     >                 issue: the NSS DB should
>     >                             belong to
>     >                             >     root:apache (the relevant files are
>     >                 cert8.db, key3.db and
>     >                             secmod.db).
>     >                             >     You should also find a
>     pwdfile.txt in
>     >                 the same directory,
>     >                             containing
>     >                             >     the NSS DB password. Check that the
>     >                 password is valid
>     >                         using
>     >                             >     certutil -K -d /etc/httpd/alias/ -f
>     >                         /etc/httpd/alias/pwdfile.txt
>     >                             >     (if the command succeeds then the
>     >                 password in pwdfile
>     >                         is OK).
>     >                             >
>     >                             >     You can also enable mod-nss debug in
>     >                         /etc/httpd/conf/nss.conf by
>     >                             >     setting "LogLevel debug", and check
>     >                 the output in
>     >                             >     /var/log/httpd/error_log.
>     >                             >
>     >                             >     HTH,
>     >                             >     Flo.
>     >                             >
>     >                             >         Thanks, Morgan
>     >                             >
>     >                             >
>     >                             >
>     >                             >     --
>     >                             >     Manage your subscription for the
>     >                 Freeipa-users mailing
>     >                         list:
>     >                             >
>     >                 
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>     >
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>>>
>     >
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>     >
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>>>>
>     >                             >
>     >                 
>     <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>     >
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>>>
>     >
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>     >
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>
>     >               
>      <https://www.redhat.com/mailman/listinfo/freeipa-users
>     <https://www.redhat.com/mailman/listinfo/freeipa-users>>>>>
>     >                             >     Go to http://freeipa.org for
>     more info
>     >                 on the project
>     >                             >
>     >                             >
>     >
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to