On 2016-04-29 16:51, Bret Wortman wrote:
> It is contacting the correct machine. I tried again by IP with the same
> results.
>
> /etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.
>
> Web UI won't load. CLI won't respond either. Commands just hang.
>
> # netstat -ln | grep 443
> tcp6 0 0 :::8443 :::* LISTEN
> tcp6 2 0 :::443 :::* LISTEN
> # netstat -ln | grep 8009
> tcp6 0 0 127.0.0.1:8009 :::* LISTEN
> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
> * Hostname was NOT found in DNS cache
> * Trying 192.168.208.53...
> * Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> (long hang at this point, so I ^C-ed)
>
> # openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
> verify depth is 10
> CONNECTED(00000003)
> (long hang at this point, aborted again)
>
> For the other (longer) logs, see http://pastebin.com/esBBKyGZ
>
> Also, answering Christian's questions:
>
> mod_ssl has not been installed.
>
> # ss -tpln | grep 443
> LISTEN 0 100 :::8443 :::* users:(("java",pid=26522,fd=84))
> LISTEN 13 128 :::443 :::* users:(("httpd",pid=26323,fd=6))
> #

The output of ss looks sane. httpd is Apache, Java is Dogtag PKI's Tomcat instance. The error log of Apache is more troublesome. It looks like your NSSDB is busted:

[Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052: child pid 26327 exit signal Segmentation fault (11)

Please run these commands to show us the content of your NSSDB.

# ls -laZ /etc/httpd/
# ls -laZ /etc/httpd/alias
# certutil -L -d /etc/httpd/alias

Christian

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
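
The pattern pointed out in the Apache error log above (a worker failing NSS initialization, then the parent reporting that same worker's segfault) can be picked out of a longer log by correlating on pid. This is an added example, not part of the original message or of FreeIPA; the function name `correlate` and the fourth sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three error_log lines quoted in the message above,
# plus one unrelated line (constructed) that must not produce a finding.
SAMPLE_LOG = """\
[Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052: child pid 26327 exit signal Segmentation fault (11)
[Mon Apr 04 14:18:51.000000 2016] [core:notice] [pid 26323] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""

# Apache error_log layout: [timestamp] [module:level] [pid N] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^\]]*)\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
NSS_INIT = re.compile(r"NSS_Initialize failed\. Certificate database: (?P<db>\S+?)\.?$")
NSS_ERR = re.compile(r"SSL Library Error: (?P<code>-?\d+) (?P<name>\w+)")
CHILD_EXIT = re.compile(r"AH00052: child pid (?P<child>\d+) exit signal (?P<sig>.+?) \((?P<num>\d+)\)")


def correlate(log_text):
    """Return {worker_pid: details} for workers that failed NSS init and then crashed."""
    workers = defaultdict(lambda: {"db": None, "nss_errors": [], "crash": None, "parent": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        if (hit := NSS_INIT.search(msg)):
            workers[pid]["db"] = hit["db"]
        elif (hit := NSS_ERR.search(msg)):
            workers[pid]["nss_errors"].append((int(hit["code"]), hit["name"]))
        elif (hit := CHILD_EXIT.search(msg)):
            # The crash is logged by the parent, so key it on the child pid it names.
            child = int(hit["child"])
            workers[child]["crash"] = f'{hit["sig"]} ({hit["num"]})'
            workers[child]["parent"] = pid
    # Only report workers where both halves of the pattern were seen.
    return {pid: w for pid, w in workers.items() if w["db"] and w["crash"]}


if __name__ == "__main__":
    for pid, w in correlate(SAMPLE_LOG).items():
        print(f"worker {pid} (parent {w['parent']}): NSS db {w['db']} failed to open, "
              f"errors={w['nss_errors']}, then exited with {w['crash']}")
```

The database path reported for each worker is the directory to inspect with the `ls -laZ` and `certutil -L -d` commands from the message.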