Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Rob Crittenden
Morgan Marodin wrote:
> What do you mean with backup database?
> 
> Updating again the mod_nss RPM, Apache doesn't start ... so, this is the
> problem.

You said "and restoring the original /etc/httpd/alias/ folder". Original
from what, where did that come from?

So merely updating mod_nss breaks things? Strange. What is the working
version? rpm -q mod_nss

rob

> 
> 2016-11-18 15:43 GMT+01:00 Rob Crittenden:
> 
> Morgan Marodin wrote:
> > It works!
> > Thanks for your support.
> >
> > Anyway, I will try to update again the mod_nss package! :D
> 
> Glad it's working for you. I'm curious what the backup database was for.
> Did you create that?
> 
> rob
> 
> > Bye!
> >
> >
> > 2016-11-18 15:21 GMT+01:00 Morgan Marodin:
> >
> > A little good news.
> >
> > Downgrading the /mod_nss/ RPM package, and restoring the original
> > //etc/httpd/alias/ folder, /ipa-server-upgrade/ procedure has
> > finished well:
> > /# ipa-server-upgrade
> > Upgrading IPA:
> >   [1/10]: stopping directory server
> >   [2/10]: saving configuration
> >   [3/10]: disabling listeners
> >   [4/10]: enabling DS global lock
> >   [5/10]: starting directory server
> >   [6/10]: updating schema
> >   [7/10]: upgrading server
> >   [8/10]: stopping directory server
> >   [9/10]: restoring configuration
> >   [10/10]: starting directory server
> > Done.
> > Update complete
> > Upgrading IPA services
> > Upgrading the configuration of the IPA services
> > [Verifying that root certificate is published]
> > [Migrate CRL publish directory]
> > CRL tree already moved
> > [Verifying that CA proxy configuration is correct]
> > [Verifying that KDC configuration is using ipa-kdb backend]
> > [Fix DS schema file syntax]
> > Syntax already fixed
> > [Removing RA cert from DS NSS database]
> > RA cert already removed
> > [Enable sidgen and extdom plugins by default]
> > [Updating HTTPD service IPA configuration]
> > [Updating mod_nss protocol versions]
> > Protocol versions already updated
> > [Updating mod_nss cipher suite]
> > [Fixing trust flags in /etc/httpd/alias]
> > Trust flags already processed
> > [Exporting KRA agent PEM file]
> > KRA is not enabled
> > [Removing self-signed CA]
> > [Removing Dogtag 9 CA]
> > [Checking for deprecated KDC configuration files]
> > [Checking for deprecated backups of Samba configuration files]
> > [Setting up Firefox extension]
> > [Add missing CA DNS records]
> > IPA CA DNS records already processed
> > [Removing deprecated DNS configuration options]
> > [Ensuring minimal number of connections]
> > [Enabling serial autoincrement in DNS]
> > [Updating GSSAPI configuration in DNS]
> > [Updating pid-file configuration in DNS]
> > [Checking global forwarding policy in named.conf to avoid conflicts
> > with automatic empty zones]
> > Global forward policy in named.conf will be changed to "only" to
> > avoid conflicts with automatic empty zones
> > [Adding server_id to named.conf]
> > Changes to named.conf have been made, restart named
> > Custodia service is being configured
> > Configuring ipa-custodia
> >   [1/5]: Generating ipa-custodia config file
> >   [2/5]: Making sure custodia container exists
> >   [3/5]: Generating ipa-custodia keys
> >   [4/5]: starting ipa-custodia
> >   [5/5]: configuring ipa-custodia to start on boot
> > Done configuring ipa-custodia.
> > [Upgrading CA schema]
> > CA schema update complete
> > [Verifying that CA audit signing cert has 2 year validity]
> > [Update certmonger certificate renewal configuration to version 5]
> > Configuring certmonger to stop tracking system certificates for CA
> > Certmonger certificate renewal configuration updated to version 5
> > [Enable PKIX certificate path discovery and validation]
> > PKIX already enabled
> > [Authorizing RA Agent to modify profiles]
> > [Authorizing RA Agent to manage lightweight CAs]
> > [Ensuring Lightweight CAs container exists in Dogtag database]
> > [Adding default OCSP URI configuration]
> > pki-tomcat configuration changed, restart pki-tomcat
> > [Ensuring CA is using LDAPProfileSubsystem]
> > [Migrating certificate profiles to LDAP]
> > [Ensuring presence of included profiles]
>  

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Rob Crittenden
Morgan Marodin wrote:
> It works!
> Thanks for your support.
> 
> Anyway, I will try to update again the mod_nss package! :D

Glad it's working for you. I'm curious what the backup database was for.
Did you create that?

rob

> Bye!
> 
> 
> 2016-11-18 15:21 GMT+01:00 Morgan Marodin:
> 
> A little good news.
> 
> Downgrading the /mod_nss/ RPM package, and restoring the original
> //etc/httpd/alias/ folder, /ipa-server-upgrade/ procedure has
> finished well:
> /# ipa-server-upgrade
> Upgrading IPA:
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: starting directory server
>   [6/10]: updating schema
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts
> with automatic empty zones]
> Global forward policy in named.conf will be changed to "only" to
> avoid conflicts with automatic empty zones
> [Adding server_id to named.conf]
> Changes to named.conf have been made, restart named
> Custodia service is being configured
> Configuring ipa-custodia
>   [1/5]: Generating ipa-custodia config file
>   [2/5]: Making sure custodia container exists
>   [3/5]: Generating ipa-custodia keys
>   [4/5]: starting ipa-custodia
>   [5/5]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> [Upgrading CA schema]
> CA schema update complete
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> Configuring certmonger to stop tracking system certificates for CA
> Certmonger certificate renewal configuration updated to version 5
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful/
> 
> And Apache has started, BUT there is a problem with the web certificate:
> /# tail -f /var/log/httpd/error_log
> [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to
> child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input
> filter read failed.
> [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library
> Error: -12285 Unable to find the certificate or key necessary for
> authentication
> [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to
> child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)/
> 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
It works!
Thanks for your support.

Anyway, I will try to update again the mod_nss package! :D
Bye!


2016-11-18 15:21 GMT+01:00 Morgan Marodin :

> A little good news.
>
> Downgrading the *mod_nss* RPM package, and restoring the original
> */etc/httpd/alias* folder, *ipa-server-upgrade* procedure has finished
> well:
>
> *# ipa-server-upgrade
> Upgrading IPA:
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: starting directory server
>   [6/10]: updating schema
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
> Global forward policy in named.conf will be changed to "only" to avoid conflicts with automatic empty zones
> [Adding server_id to named.conf]
> Changes to named.conf have been made, restart named
> Custodia service is being configured
> Configuring ipa-custodia
>   [1/5]: Generating ipa-custodia config file
>   [2/5]: Making sure custodia container exists
>   [3/5]: Generating ipa-custodia keys
>   [4/5]: starting ipa-custodia
>   [5/5]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> [Upgrading CA schema]
> CA schema update complete
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> Configuring certmonger to stop tracking system certificates for CA
> Certmonger certificate renewal configuration updated to version 5
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful*
>
> And Apache has started, BUT there is a problem with the web certificate:
>
> *# tail -f /var/log/httpd/error_log
> [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
> [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)*
>
> How do you suggest to go on with my issue?
>
> Thanks, Morgan
>
> 2016-11-18 12:11 GMT+01:00 Morgan Marodin :
>
>> I've tried to add it to a new test folder, with a new certificate
>> nickname, and then to replace it to *nss.conf*.
>>
>> But the problem persists:
>>
>> *# certutil -V -u V -d /etc/httpd/test -n ipa01cert
>> certutil: certificate is valid*
>>
>>
>> *# tail -f /var/log/httpd/error_log*
>>
>> *[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Fri Nov 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
A little good news.

Downgrading the *mod_nss* RPM package, and restoring the original
*/etc/httpd/alias* folder, *ipa-server-upgrade* procedure has finished well:

*# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Global forward policy in named.conf will be changed to "only" to avoid conflicts with automatic empty zones
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
Custodia service is being configured
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
[Upgrading CA schema]
CA schema update complete
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
Configuring certmonger to stop tracking system certificates for CA
Certmonger certificate renewal configuration updated to version 5
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful*

And Apache has started, BUT there is a problem with the web certificate:

*# tail -f /var/log/httpd/error_log
[Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
[Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
[Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
[Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)*

How do you suggest to go on with my issue?

Thanks, Morgan

2016-11-18 12:11 GMT+01:00 Morgan Marodin :

> I've tried to add it to a new test folder, with a new certificate
> nickname, and then to replace it to *nss.conf*.
>
> But the problem persists:
>
> *# certutil -V -u V -d /etc/httpd/test -n ipa01cert
> certutil: certificate is valid*
>
>
> *# tail -f /var/log/httpd/error_log*
>
> *[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
> [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
> [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
> [Fri Nov 18 12:09:39.832443 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
I've tried to add it to a new test folder, with a new certificate nickname,
and then to replace it to *nss.conf*.

But the problem persists:

*# certutil -V -u V -d /etc/httpd/test -n ipa01cert
certutil: certificate is valid*


*# tail -f /var/log/httpd/error_log*

*[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
[Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
[Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol...
[Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.
[Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'*

I've found this guide:

*Combine the server cert and key into a single file
# cp localhost.crt > Server-Cert.txt
# cat localhost.key >> Server-Cert.txt
Convert the server cert into a p12 file
# openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"
Now Import the Public and Private keys into the database at the same time.
# pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert*

Where is the key certificate file stored?

Thanks, Morgan

2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud :

> On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>
>> Hi Florence.
>>
>> I've tried to configure the wrong certificate in nss.conf (/ipaCert/),
>> and with this Apache started.
>> So I think the problem is in the /Server-Cert/ stored in
>> //etc/httpd/alias/, even if all manual checks are ok.
>>
>> These are logs with the wrong certificate test:
>> /# tail -f /var/log/httpd/error_log/
>> /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
>>
>> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com as virtual name.
>> [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
>> AH01757: generating secret for digest authentication ...
>> [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]
>> AH02282: No slotmem from mod_heartmonitor
>> [Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]
>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
>>
>> [Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
>> AH00163: Apache/2.4.6 () 
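The question in the message above (where the key is kept, and why `certutil -V` reports the certificate as valid while mod_nss cannot find it) comes down to one fact: `certutil -V` validates the certificate, but it does not confirm that the matching private key is in the same NSS database. mod_nss needs both: the certificate under the configured nickname with trust flags `u,u,u`, and a private key bound to that nickname, which is what the quoted pk12util import provides. The script below is an added example, not code from the thread, from FreeIPA or from mod_nss. It checks an NSS database the way mod_nss will see it by parsing the output of `certutil -L` and `certutil -K`; the output formats are assumed from the standard certutil tool, the sample listings are constructed for this example, and the password-file path `/etc/httpd/alias/pwdfile.txt` is an assumption (pass whatever file holds the database password):

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or mod_nss): check that a
# nickname has BOTH a user certificate and a private key in an NSS database.
# Input is the text output of:
#   certutil -L -d /etc/httpd/alias
#   certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
# (-f is needed because private keys are only listed after the token is
# unlocked; the pwdfile path is an assumption, use your own password file.)

# has_user_cert NICK LISTING: 0 if NICK is listed with trust flags u,u,u.
has_user_cert() {
    nick="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -v n="$nick" '
        NF >= 2 {
            flags = $NF              # last column: SSL,S/MIME,JAR/XPI trust flags
            $NF = ""                 # drop it and trim the rebuilt line so that
            sub(/[ \t]+$/, "", $0)   # $0 is the nickname (it may contain spaces)
            if ($0 == n && flags == "u,u,u") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# has_private_key NICK KEYS: 0 if a key line ("< 0> rsa <key id> NICK") names NICK.
has_private_key() {
    nick="$1"; keys="$2"
    printf '%s\n' "$keys" | awk -v n="$nick" '
        $1 ~ /^</ && $NF == n { found = 1 }
        END { exit found ? 0 : 1 }'
}

# nss_server_cert_ok NICK LISTING KEYS: 0 when mod_nss would find both parts;
# otherwise print why it would fail and return 1.
nss_server_cert_ok() {
    nick="$1"; listing="$2"; keys="$3"
    if ! has_user_cert "$nick" "$listing"; then
        echo "$nick: no certificate with trust flags u,u,u in the database"
        return 1
    fi
    if ! has_private_key "$nick" "$keys"; then
        echo "$nick: certificate present but no private key bound to it (re-import cert+key with pk12util)"
        return 1
    fi
    return 0
}

# Constructed sample output shaped like the thread's situation: Server-Cert
# validates, but only ipaCert has a private key in the database.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ipaCert                                       u,u,u
Server-Cert                                   u,u,u
IPA.MYDOMAIN.COM IPA CA                       CT,C,C'

SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c   ipaCert'

# Stand-alone run over the constructed samples; on a real server feed in the
# two certutil outputs instead.
for nick in ipaCert Server-Cert; do
    if nss_server_cert_ok "$nick" "$SAMPLE_LISTING" "$SAMPLE_KEYS"; then
        echo "$nick: certificate and private key both present"
    fi
done
```

With the constructed input the script reports `ipaCert` as complete and `Server-Cert` as a certificate without a key, which is the combination that produces "Unable to find the certificate or key necessary for authentication" at TLS handshake time even though `certutil -V` is happy. A database restored from a copy of the directory keeps keys and certificates together; importing only the certificate (`certutil -A`) does not.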

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Florence Blanc-Renaud

On 11/18/2016 10:04 AM, Morgan Marodin wrote:

Hi Florence.

I've tried to configure the wrong certificate in nss.conf (/ipaCert/),
and with this Apache started.
So I think the problem is in the /Server-Cert/ stored in
//etc/httpd/alias/, even if all manual checks are ok.

These are logs with the wrong certificate test:
/# tail -f /var/log/httpd/error_log/
/[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
for SSL protocol
[Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
AH01757: generating secret for digest authentication ...
[Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]
AH02282: No slotmem from mod_heartmonitor
[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
-- resuming normal operations
[Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]
proxy_util.c(1838): AH00924: worker ajp://localhost shared already
initialized
[Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717]
proxy_util.c(1880): AH00926: worker ajp://localhost local already
initialized
...
[Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]
proxy_util.c(1838): AH00924: worker
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already
initialized
[Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]
proxy_util.c(1880): AH00926: worker
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already
initialized
[Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717]

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
Hi Florence.

I've tried to configure the wrong certificate in nss.conf (*ipaCert*), and
with this Apache started.
So I think the problem is in the *Server-Cert* stored in */etc/httpd/alias*,
even if all manual checks are ok.

These are logs with the wrong certificate test:
*# tail -f /var/log/httpd/error_log*

*[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server for SSL protocol
[Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709] AH01757: generating secret for digest authentication ...
[Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709] AH02282: No slotmem from mod_heartmonitor
[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709] AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717] proxy_util.c(1838): AH00924: worker ajp://localhost shared already initialized
[Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717] proxy_util.c(1880): AH00926: worker ajp://localhost local already initialized
...
[Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719] proxy_util.c(1838): AH00924: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already initialized
[Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719] proxy_util.c(1880): AH00926: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already initialized
[Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server for SSL protocol
[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717] nss_engine_init.c(916): Enabling 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi.

I've tried to delete and reimport only the *Server-Cert* certificate (I've
a copy of the original folder).
But a strange thing happened:

# certutil -L -d /etc/httpd/alias -n Server-Cert -a > /tmp/Server-Cert.crt
# certutil -D -d /etc/httpd/alias -n Server-Cert
# certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
# certutil -A -d /etc/httpd/alias -n Server-Cert -t u,u,u -a -i /tmp/Server-Cert.crt
Notice: Trust flag u is set automatically if the private key is present.
p11-kit: objects of this type cannot be created
# certutil -L -d /etc/httpd/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
Server-Cert                                                  Pu,u,u

What's the error message in bold?
And why are the trust flags set differently from the ones specified?

Thanks, Morgan

2016-11-17 17:36 GMT+01:00 Morgan Marodin:

> Hi.
>
> I've upgraded all packages of my distribution, not only ipa packages.
> There were a lot of packages.
>
> [root@mlv-ipa01 ~]# rpm -q mod_nss
> mod_nss-1.0.14-7.el7.x86_64
>
> All other checks seem ok:
>
> [root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> certutil: certificate is valid
> [root@mlv-ipa01 ~]# getsebool
> getsebool:  SELinux is disabled
> [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa  736...   NSS Certificate DB:Server-Cert
> < 1> rsa  a4b...   NSS Certificate DB:Signing-Cert
> < 2> rsa  0ff...   NSS Certificate DB:ipaCert
>
> [root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
> Not Before: Mon Sep 07 10:15:34 2015
> Not After : Thu Sep 07 10:15:34 2017
>
> Could it be a good idea to export and re-import all certs from
> */etc/httpd/alias* folder?
>
> Thanks
>
> 2016-11-17 17:07 GMT+01:00 Rob Crittenden:
>
>> Morgan Marodin wrote:
>> > Hi Rob.
>> >
>> > I've just tried to remove the group write to the *.db files, but it's
>> > not the problem.
>>
>> I didn't expect it to be but you don't want Apache having write access
>> to your certs and keys.
>>
>> > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>> > NSSNickname Server-Cert/
>>
>> Ok.
>>
>> >
>> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
>> > works, services went up.
>> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
>> > /winbind.service/, /kadmin.service/, /memcached.service/ and
>> > /pki-tomcatd.target/.
>>
>> Good, so you can limp along for a while then.
>>
>> > Any other ideas?
>>
>> So you upgraded. What did you actually upgrade? Only the IPA packages or
>> a lot more?
>>
>> What version is running now, and what version of mod_nss?
>>
>> $ rpm -q mod_nss
>>
>> Let's see if the NSS tools can find the cert:
>>
>> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>>
>> Should come back with: certutil: certificate is valid
>>
>> rob
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi.

I've upgraded all packages of my distribution, not only ipa packages.
There were a lot of packages.

[root@mlv-ipa01 ~]# rpm -q mod_nss
mod_nss-1.0.14-7.el7.x86_64

All other checks seem ok:

[root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
[root@mlv-ipa01 ~]# getsebool
getsebool:  SELinux is disabled
[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa  736...   NSS Certificate DB:Server-Cert
< 1> rsa  a4b...   NSS Certificate DB:Signing-Cert
< 2> rsa  0ff...   NSS Certificate DB:ipaCert

[root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
Not Before: Mon Sep 07 10:15:34 2015
Not After : Thu Sep 07 10:15:34 2017

Could it be a good idea to export and re-import all certs from
*/etc/httpd/alias* folder?

Thanks

2016-11-17 17:07 GMT+01:00 Rob Crittenden:

> Morgan Marodin wrote:
> > Hi Rob.
> >
> > I've just tried to remove the group write to the *.db files, but it's
> > not the problem.
>
> I didn't expect it to be but you don't want Apache having write access
> to your certs and keys.
>
> > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> > NSSNickname Server-Cert/
>
> Ok.
>
> >
> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> > works, services went up.
> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> > /winbind.service/, /kadmin.service/, /memcached.service/ and
> > /pki-tomcatd.target/.
>
> Good, so you can limp along for a while then.
>
> > Any other ideas?
>
> So you upgraded. What did you actually upgrade? Only the IPA packages or
> a lot more?
>
> What version is running now, and what version of mod_nss?
>
> $ rpm -q mod_nss
>
> Let's see if the NSS tools can find the cert:
>
> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>
> Should come back with: certutil: certificate is valid
>
> rob
>

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud

On 11/17/2016 04:51 PM, Morgan Marodin wrote:

Hi Rob.

I've just tried to remove the group write to the *.db files, but it's
not the problem.
/[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert/

I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
works, services went up.
The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
/winbind.service/, /kadmin.service/, /memcached.service/ and
/pki-tomcatd.target/.

But if I try to start /httpd.service/:
/[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC
proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process
exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process
exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP
Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed
state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed./

Any other ideas?

Hi,

- Does the NSS Db contain the private key for Server-Cert? If yes, the 
command

$ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
should display a line like this one:
< 0> rsa  01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS Certificate 
DB:Server-Cert


- Is your system running with SElinux enforcing? If yes, you can check 
if there were SElinux permission denials using

$ ausearch -m avc --start recent

- If the certificate was expired, I believe you would see a different 
message, but it doesn't hurt to check its validity
$ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not 
Before|Not After"



Flo.


Please let me know, thanks.
Morgan

2016-11-17 16:11 GMT+01:00 Rob Crittenden:

Morgan Marodin wrote:
> Hi Florence.
>
> Thanks for your support.
>
> Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
> permissions and certificates are good:
> /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> total 184
> -r--r--r--  1 root root1345 Sep  7  2015 cacert.asc
> -rw-rw  1 root apache 65536 Nov 17 11:06 cert8.db
> -rw-r-. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> -rw---. 1 root root4833 Sep  4  2015 install.log
> -rw-rw  1 root apache 16384 Nov 17 11:06 key3.db
> -rw-r-. 1 root apache 16384 Sep  4  2015 key3.db.orig
> lrwxrwxrwx  1 root root  24 Nov 17 10:24 libnssckbi.so ->
> /usr/lib64/libnssckbi.so
> -rw-rw  1 root apache20 Sep  7  2015 pwdfile.txt
> -rw-rw  1 root apache 16384 Sep  7  2015 secmod.db
> -rw-r-. 1 root apache 16384 Sep  4  2015 secmod.db.orig/

Eventually you'll want to remove group write on the *.db files.

> And password validation seems ok, too:
> /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
> /etc/httpd/alias/pwdfile.txt
good

> Enabling mod-nss debug I can see these logs:
> /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
> [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> for SSL protocol
> [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
> ciphers
> 
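
The checks Flo and Rob list in this thread (the NSSNickname in nss.conf, the private key shown by certutil -K, the trust flags shown by certutil -L, no group write on the *.db files, and the Not Before/Not After dates) gathered into one script, as an added example that is not code from the thread or from FreeIPA. Each check_* function reads the output of the command named in its comment from stdin, so the script runs here against constructed sample listings modelled on the ones posted above; on a server you would pipe the real command into the same function. Paths and the Server-Cert nickname are the thread's; the key ids in the sample are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread or FreeIPA): the NSS database checks
# discussed above as shell functions. Each check reads the output of the
# command named in its comment from stdin, so it runs here on constructed
# samples; on a server, pipe the real command into the same function.
NSSDB=/etc/httpd/alias

# stdin: /etc/httpd/conf.d/nss.conf -> prints the nickname mod_nss wants
conf_nickname() { awk '$1 == "NSSNickname" { print $2 }'; }

# stdin: certutil -K -d $NSSDB -f $NSSDB/pwdfile.txt
# 0 when a private key labelled "NSS Certificate DB:<nick>" is listed
check_key_present() { grep -q "NSS Certificate DB:$1[[:space:]]*\$"; }

# stdin: certutil -L -d $NSSDB
# 0 when <nick> has a "u" in all three trust slots, the flag certutil
# sets by itself when the matching private key is present
check_user_flags() {
    awk -v nick="$1" '
        index($0, nick " ") == 1 {
            n = split($NF, f, ",")
            if (n == 3 && f[1] ~ /u/ && f[2] ~ /u/ && f[3] ~ /u/) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# stdin: ls -l $NSSDB
# 0 when cert8.db/key3.db/secmod.db are root:apache and neither group-
# nor world-writable: httpd only reads them, and a writable key3.db
# would let the apache user alter the private keys
check_db_perms() {
    awk '$NF ~ /^(cert8|key3|secmod)\.db$/ {
            if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") {
                print "group/world writable: " $NF; bad = 1 }
            if ($3 != "root" || $4 != "apache") {
                print "unexpected owner " $3 ":" $4 " on " $NF; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# stdin: certutil -L -d $NSSDB -n <nick> -> prints "Not After" as YYYYMMDD
cert_not_after() {
    awk 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                 for (i = 1; i <= 12; i++) mon[m[i]] = i }
         /Not After/ { printf "%04d%02d%02d\n", $NF, mon[$(NF-3)], $(NF-2) }'
}

# $1: today as YYYYMMDD; stdin as for cert_not_after. 0 while unexpired.
check_not_expired() { na=$(cert_not_after); [ -n "$na" ] && [ "$na" -gt "$1" ]; }

# --- constructed samples, modelled on the listings posted in the thread ---
sample_nss_conf() { printf '%s\n' "NSSCertificateDatabase $NSSDB" "NSSNickname Server-Cert"; }
sample_certutil_K() { cat <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      <constructed-key-id>   NSS Certificate DB:Server-Cert
< 1> rsa      <constructed-key-id>   NSS Certificate DB:ipaCert
EOF
}
sample_certutil_L() { cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
EOF
}
sample_ls() { cat <<'EOF'
-rw-rw----. 1 root apache 65536 Nov 17 11:06 cert8.db
-rw-rw----. 1 root apache 16384 Nov 17 11:06 key3.db
-rw-rw----. 1 root apache    20 Sep  7  2015 pwdfile.txt
-rw-rw----. 1 root apache 16384 Sep  7  2015 secmod.db
EOF
}
sample_ls_fixed() { sample_ls | sed 's/^-rw-rw----/-rw-r-----/'; }  # after chmod g-w
sample_cert_detail() { cat <<'EOF'
            Not Before: Mon Sep 07 10:15:34 2015
            Not After : Thu Sep 07 10:15:34 2017
EOF
}

# "<sample fn> | <check ...>" with a PASS/FAIL line instead of tripping set -e
run() { label=$1; sample=$2; shift 2
        if "$sample" | "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi; }

offline_demo() {
    nick=$(sample_nss_conf | conf_nickname)
    run "private key for $nick"          sample_certutil_K  check_key_present "$nick"
    run "user trust flags on $nick"      sample_certutil_L  check_user_flags "$nick"
    run "db files read-only for apache"  sample_ls          check_db_perms
    run "db files after chmod g-w"       sample_ls_fixed    check_db_perms
    run "$nick unexpired on 2016-11-17"  sample_cert_detail check_not_expired 20161117
}
offline_demo
```

Running it prints one PASS/FAIL line per check. With the group-writable modes from this thread the permission check fails for cert8.db and key3.db and passes on the same listing after chmod g-w, which is Rob's point that Apache only needs to read the database. The flag check looks for a u in all three slots, which certutil sets itself when the private key is present, as its Notice above says; the leading P on Server-Cert does not affect it.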

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Rob Crittenden
Morgan Marodin wrote:
> Hi Rob.
> 
> I've just tried to remove the group write to the *.db files, but it's
> not the problem.

I didn't expect it to be but you don't want Apache having write access
to your certs and keys.

> /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> NSSNickname Server-Cert/

Ok.

> 
> I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> works, services went up.
> The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> /winbind.service/, /kadmin.service/, /memcached.service/ and
> /pki-tomcatd.target/.

Good, so you can limp along for a while then.

> Any other ideas?

So you upgraded. What did you actually upgrade? Only the IPA packages or
a lot more?

What version is running now, and what version of mod_nss?

$ rpm -q mod_nss

Let's see if the NSS tools can find the cert:

# certutil -V -u V -d /etc/httpd/alias -n Server-Cert

Should come back with: certutil: certificate is valid

rob



Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Rob.

I've just tried to remove the group write to the *.db files, but it's not
the problem.

[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert

I've tried to run manually *dirsrv.target* and *krb5kdc.service*, and it
works, services went up.
The same for *ntpd*, *named-pkcs11.service*, *smb.service*,
*winbind.service*, *kadmin.service*, *memcached.service* and
*pki-tomcatd.target*.

But if I try to start *httpd.service*:

[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.

Any other ideas?

Please let me know, thanks.
Morgan

2016-11-17 16:11 GMT+01:00 Rob Crittenden:

> Morgan Marodin wrote:
> > Hi Florence.
> >
> > Thanks for your support.
> >
> > Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
> > permissions and certificates are good:
> > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> > total 184
> > -r--r--r--  1 root root1345 Sep  7  2015 cacert.asc
> > -rw-rw  1 root apache 65536 Nov 17 11:06 cert8.db
> > -rw-r-. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> > -rw---. 1 root root4833 Sep  4  2015 install.log
> > -rw-rw  1 root apache 16384 Nov 17 11:06 key3.db
> > -rw-r-. 1 root apache 16384 Sep  4  2015 key3.db.orig
> > lrwxrwxrwx  1 root root  24 Nov 17 10:24 libnssckbi.so ->
> > /usr/lib64/libnssckbi.so
> > -rw-rw  1 root apache20 Sep  7  2015 pwdfile.txt
> > -rw-rw  1 root apache 16384 Sep  7  2015 secmod.db
> > -rw-r-. 1 root apache 16384 Sep  4  2015 secmod.db.orig/
>
> Eventually you'll want to remove group write on the *.db files.
>
> > And password validation seems ok, too:
> > /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
> > /etc/httpd/alias/pwdfile.txt
> good
>
> > Enabling mod-nss debug I can see these logs:
> > /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> > NSSSessionCacheTimeout is deprecated. Ignoring.
> > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
> >  -> Server-Cert
> > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> > for SSL protocol
> > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> > nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> > nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> > nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> > nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> > nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> > nss_engine_init.c(906): Disabling TLS Session Tickets
> > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> > nss_engine_init.c(916): Enabling DHE key exchange
> > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> > nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
> > ciphers
> > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_
> gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_
> gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_
> gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_
> gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_
> 256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
> > Server-Cert.
> [snip]
> > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
> > found: 'Server-Cert'
>
> Can you show what this returns:
>
> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>
> > Do you think there is a kerberos problem?
>
> It definitely is not.
>
> You can bring the system up in a minimal way by manually starting the
> dir...@example.com service and then krb5kdc. This will at least let your
> users authenticate. The management framework (GUI) runs through Apache
> so that will 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Rob Crittenden
Morgan Marodin wrote:
> Hi Florence.
> 
> Thanks for your support.
> 
> Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
> permissions and certificates are good:
> /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> total 184
> -r--r--r--  1 root root1345 Sep  7  2015 cacert.asc
> -rw-rw  1 root apache 65536 Nov 17 11:06 cert8.db
> -rw-r-. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> -rw---. 1 root root4833 Sep  4  2015 install.log
> -rw-rw  1 root apache 16384 Nov 17 11:06 key3.db
> -rw-r-. 1 root apache 16384 Sep  4  2015 key3.db.orig
> lrwxrwxrwx  1 root root  24 Nov 17 10:24 libnssckbi.so ->
> /usr/lib64/libnssckbi.so
> -rw-rw  1 root apache20 Sep  7  2015 pwdfile.txt
> -rw-rw  1 root apache 16384 Sep  7  2015 secmod.db
> -rw-r-. 1 root apache 16384 Sep  4  2015 secmod.db.orig/

Eventually you'll want to remove group write on the *.db files.

> And password validation seems ok, too:
> /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
> /etc/httpd/alias/pwdfile.txt
good

> Enabling mod-nss debug I can see these logs:
> /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>  -> Server-Cert
> [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> for SSL protocol
> [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
> Server-Cert.
[snip]
> [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
> found: 'Server-Cert'

Can you show what this returns:

# grep NSSNickname /etc/httpd/conf.d/nss.conf

> Do you think there is a kerberos problem?

It definitely is not.

You can bring the system up in a minimal way by manually starting the
dir...@example.com service and then krb5kdc. This will at least let your
users authenticate. The management framework (GUI) runs through Apache
so that will be down until we can get Apache started again.

rob

> 
> Please let me know, thanks.
> Bye, Morgan
> 
> 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud:
> 
> On 11/17/2016 12:09 PM, Morgan Marodin wrote:
> 
> Hello.
> 
> This morning I've tried to upgrade my IPA server, but the upgrade
> failed, and now the service doesn't start! :(
> 
> If I try to launch the upgrade manually this is the output:
> /[root@mlv-ipa01 download]# ipa-server-upgrade
> 
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [5/8]: updating schema
>   [6/8]: upgrading server
>   [7/8]: stopping directory server
>   [8/8]: restoring configuration
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Florence.

Thanks for your support.

Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
permissions and certificates are good:

[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
total 184
-r--r--r--  1 root root1345 Sep  7  2015 cacert.asc
-rw-rw  1 root apache 65536 Nov 17 11:06 cert8.db
-rw-r-. 1 root apache 65536 Sep  4  2015 cert8.db.orig
-rw---. 1 root root4833 Sep  4  2015 install.log
-rw-rw  1 root apache 16384 Nov 17 11:06 key3.db
-rw-r-. 1 root apache 16384 Sep  4  2015 key3.db.orig
lrwxrwxrwx  1 root root 24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-rw  1 root apache20 Sep  7  2015 pwdfile.txt
-rw-rw  1 root apache 16384 Sep  7  2015 secmod.db
-rw-r-. 1 root apache 16384 Sep  4  2015 secmod.db.orig

And password validation seems ok, too:

[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      NSS Certificate DB:Server-Cert
< 1> rsa      NSS Certificate DB:Signing-Cert
< 2> rsa      NSS Certificate DB:ipaCert

Enabling mod-nss debug I can see these logs:

[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
[Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
[Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol
[Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets
[Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange
[Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
[Thu Nov 17 15:05:11.003483 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_null_sha
[Thu Nov 17 15:05:11.003491 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_40_md5
[Thu Nov 17 15:05:11.003509 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_md5
[Thu Nov 17 15:05:11.003632 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_sha
[Thu Nov 17 15:05:11.003740 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc2_40_md5
[Thu Nov 17 15:05:11.003747 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_des_sha
[Thu Nov 17 15:05:11.003802 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_3des_sha
[Thu Nov 17 15:05:11.003902 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_des_sha
[Thu Nov 17 15:05:11.004001 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_128_sha
[Thu Nov 17 15:05:11.004167 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_256_sha
[Thu Nov 17 15:05:11.004180 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: null_sha_256
[Thu Nov 17 15:05:11.004191 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: aes_128_sha_256
[Thu Nov 17 15:05:11.004285 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: aes_256_sha_256
[Thu Nov 17 15:05:11.004352 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: camelia_128_sha
[Thu Nov 17 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud

On 11/17/2016 12:09 PM, Morgan Marodin wrote:

Hello.

This morning I've tried to upgrade my IPA server, but the upgrade
failed, and now the service doesn't start! :(

If I try to launch the upgrade manually this is the output:
/[root@mlv-ipa01 download]# ipa-server-upgrade
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service'
returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information/

These are error logs of Apache:
/[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not
found: 'Server-Cert'/

The problem seems to be the /Server-Cert/ that could not be found.
But if I try to execute the certutil command manually I can see it:
/[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C/

Could you help me?
What could I try to do to restart my service?


Hi,

I would first make sure that httpd is using /etc/httpd/alias as NSS DB 
(check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).
Then it may be a file permission issue: the NSS DB should belong to 
root:apache (the relevant files are cert8.db, key3.db and secmod.db).
You should also find a pwdfile.txt in the same directory, containing the 
NSS DB password. Check that the password is valid using

certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
(if the command succeeds then the password in pwdfile is OK).

You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting 
"LogLevel debug", and check the output in /var/log/httpd/error_log.


HTH,
Flo.

Thanks, Morgan




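
Once "LogLevel debug" is on as Flo suggests, the mod_nss lines in error_log get long. Here is an added example (not code from the thread or from FreeIPA) that reads those lines from stdin and reports the SNI mapping, the nickname mod_nss loaded and any [:error] messages, with a pointer for the two errors that appear in this thread (Certificate not found, and the mismatch between the certificate CN and the virtual host name). The sample lines are constructed after the ones posted above.

```sh
#!/bin/sh
# Added example (not from the thread or FreeIPA): reads mod_nss startup
# messages from error_log on stdin, once "LogLevel debug" is set as Flo
# suggests, and reports the facts that decide whether httpd will come up.

# prints "<virtual host> <nickname>" for every SNI mapping mod_nss logged
nss_log_sni_map() {
    awk '/nss_engine_init\.c\([0-9]+\): SNI: / { sub(/^.*SNI: /, ""); sub(/ -> /, " "); print }'
}

# prints the nickname mod_nss actually tried to load ("Using nickname X.")
nss_log_nickname() { awk '/Using nickname / { n = $NF; sub(/\.$/, "", n); print n }'; }

# prints each [:error] message without the timestamp/pid prefix
nss_log_errors() { awk '/\[:error\]/ { sub(/^.*\[:error\] \[pid [0-9]+\] /, ""); print }'; }

# number of error lines; 0 means the NSS engine initialised cleanly
nss_log_error_count() { nss_log_errors | wc -l | tr -d '[:space:]'; }

# one-screen summary with a pointer for the two errors seen in this thread
nss_log_triage() {
    log=$(cat)
    printf '%s\n' "$log" | nss_log_sni_map | while read -r host nick; do
        echo "vhost $host -> nickname $nick"
    done
    printf '%s\n' "$log" | nss_log_nickname | while read -r nick; do
        echo "loaded nickname $nick"
    done
    printf '%s\n' "$log" | nss_log_errors | while read -r err; do
        echo "ERROR $err"
        case $err in
            "Certificate not found:"*)
                echo "  check: certutil -L -d <NSSCertificateDatabase> lists that nickname" ;;
            "Misconfiguration of certificate's CN"*)
                echo "  check: NSSNickname points at a cert whose CN is not the virtual host" ;;
        esac
    done
}

# constructed sample, modelled on the lines posted in this thread
sample_error_log() { cat <<'EOF'
[Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
[Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol
[Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.
[Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'
EOF
}

sample_error_log | nss_log_triage
# on a live server: nss_log_triage < /var/log/httpd/error_log
```

On the Nov 18 log at the top of this page the same triage would report the vhost mapped to ipaCert, "loaded nickname ipaCert" and the CN/virtual name error, which is the fastest way to see that the nickname, not the database, is what changed.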