Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Rob Crittenden
Morgan Marodin wrote: > What do you mean with backup database? > > Updating again the mod_nss RPM, Apache doesn't start ... so, this is the > problem. You said "and restoring the original /etc/httpd/alias/ folder". Original from what, where did that come from? So merely updating mod_nss breaks

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Rob Crittenden
Morgan Marodin wrote: > It works! > Thanks for your support. > > Anyway, I will try to update againt mod_nss package! :D Glad it's working for you. I'm curious what the backup database was for. Did you create that? rob > Bye! > > > 2016-11-18 15:21 GMT+01:00 Morgan Marodin

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
It works! Thanks for your support. Anyway, I will try to update againt mod_nss package! :D Bye! 2016-11-18 15:21 GMT+01:00 Morgan Marodin : > A little good news. > > Downgrading the *mod_nss* RPM package, and restoring the original > */etc/httpd/alias* folder,

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
A little good news. Downgrading the *mod_nss* RPM package, and restoring the original */etc/httpd/alias* folder, *ipa-server-upgrade* procedure has finished well: *# ipa-server-upgradeUpgrading IPA: [1/10]:

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
I've tried to add it to a new test folder, with a new certificate nickname, and then to replace it to *nss.conf*. But the problem persists: *# certutil -V -u V -d /etc/httpd/test -n ipa01certcertutil: certificate is valid* *# tail -f /var/log/httpd/error_log* *[Fri Nov 18

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Florence Blanc-Renaud
On 11/18/2016 10:04 AM, Morgan Marodin wrote: Hi Florence. I've tried to configure the wrong certificate in nss.conf (/ipaCert/), and with this Apache started. So I think the problem is in the /Server-Cert/ stored in //etc/httpd/alias/, even if all manul checks are ok. These are logs with the

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
Hi Florence. I've tried to configure the wrong certificate in nss.conf (*ipaCert*), and with this Apache started. So I think the problem is in the *Server-Cert* stored in */etc/httpd/alias*, even if all manul checks are ok. These are logs with the wrong certificate test: *# tail -f

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi. I've tried to delete and reimport only the *Server-Cert* certificate (I've a copy of the original folder). But it happened a strange behaviour: *# certutil -L -d /etc/httpd/alias -n Server-Cert -a > /tmp/Server-Cert.crt# certutil -D -d /etc/httpd/alias -n Server-Cert#

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi. I've upgraded all packages of my distribution, not only ipa packages. There were a lot of packages. *[root@mlv-ipa01 ~]# rpm -q mod_nssmod_nss-1.0.14-7.el7.x86_64* All other checks seem ok: *[root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Certcertutil:

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud
On 11/17/2016 04:51 PM, Morgan Marodin wrote: Hi Rob. I've just tried to remove the group write to the *.db files, but it's not the problem. /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf NSSNickname Server-Cert/ I've tried to run manually /dirsrv.target/ and

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Rob Crittenden
Morgan Marodin wrote: > Hi Rob. > > I've just tried to remove the group write to the *.db files, but it's > not the problem. I didn't expect it to be but you don't want Apache having write access to your certs and keys. > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf >

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Rob. I've just tried to remove the group write to the *.db files, but it's not the problem. *[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.confNSSNickname Server-Cert* I've tried to run manually *dirsrv.target* and *krb5kdc.service*, and it works, services went up. The same for

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Rob Crittenden
Morgan Marodin wrote: > Hi Florence. > > Thanks for your support. > > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all > permissions and certificates are good: > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/ > total 184 > -r--r--r-- 1 root root1345 Sep 7 2015 cacert.asc >

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Florence. Thanks for your support. Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all permissions and certificates are good: *[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/total 184-r--r--r-- 1 root root1345 Sep 7 2015 cacert.asc-rw-rw 1 root apache 65536

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud
On 11/17/2016 12:09 PM, Morgan Marodin wrote: Hello. This morning I've tried to upgrade my IPA server, but the upgrade failed, and now the service doesn't start! :( If I try lo launch the upgrade manually this is the output: /[root@mlv-ipa01 download]# ipa-server-upgrade Upgrading IPA: