On 11/17/2016 04:51 PM, Morgan Marodin wrote:
Hi Rob.

I've just tried to remove the group write to the *.db files, but it's
not the problem.
[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert

I've tried to run manually dirsrv.target and krb5kdc.service, and it
works, services went up.
The same for ntpd, named-pkcs11.service, smb.service,
winbind.service, kadmin.service, memcached.service and
pki-tomcatd.target.

But if I try to start httpd.service:
[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa         : INFO     KDC proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.

Any other ideas?
Hi,

- Does the NSS Db contain the private key for Server-Cert? If yes, the command
$ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
should display a line like this one:
< 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS Certificate DB:Server-Cert

- Is your system running with SELinux enforcing? If yes, you can check if there were SELinux permission denials using
$ ausearch -m avc --start recent

- If the certificate was expired, I believe you would see a different message, but it doesn't hurt to check its validity:
$ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"


Flo.

Please let me know, thanks.
Morgan
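The checks discussed in this thread (the NSSNickname in nss.conf, a private key for that nickname in the NSS DB, group write on the *.db files, certificate validity and SELinux denials) gathered into one diagnostic script, as an added example that is not part of the thread. It assumes the paths the thread uses and, for the live run, a Linux host with certutil and ausearch installed; the parsing functions work on captured output and need nothing installed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): checks the things Flo and Rob
# ask about when mod_nss logs "Certificate not found: 'Server-Cert'".
# Paths are the thread's; override them via environment variables.
NSSCONF=${NSSCONF:-/etc/httpd/conf.d/nss.conf}
NSSDB=${NSSDB:-/etc/httpd/alias}
PWDFILE=${PWDFILE:-$NSSDB/pwdfile.txt}

# Print the NSSNickname value from an nss.conf read on stdin.
nickname_from_conf() { awk '$1 == "NSSNickname" { print $2; exit }'; }

# Succeed if `certutil -K` output on stdin lists a private key for nickname $1.
has_private_key() { grep -q "NSS Certificate DB:$1\$"; }

# From `ls -l` output on stdin, print *.db files that are group- or
# world-writable (mode column positions 6 and 9; a trailing SELinux dot is fine).
writable_db_files() {
    awk '$NF ~ /\.db$/ && (substr($1,6,1) == "w" || substr($1,9,1) == "w") { print $NF }'
}

# Exit 0 if the "Not After" date in `certutil -L -n <nick>` output on stdin is
# on or after $1 (YYYY-MM-DD), 1 if expired, 2 if no validity line was found.
cert_not_expired_on() {
    awk -v today="$1" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        /Not After/ { sub(/.*Not After *: */, "")   # leaves: Www Mon DD HH:MM:SS YYYY
                      end = sprintf("%04d-%02d-%02d", $5, mon[$2], $3); found = 1 }
        END { if (!found) exit 2; if (end < today) exit 1; exit 0 }'
}

# Run the live checks against the real files (needs root, certutil, ausearch).
main() {
    nick=$(nickname_from_conf < "$NSSCONF")
    echo "NSSNickname: ${nick:-<missing>}"
    if certutil -K -d "$NSSDB" -f "$PWDFILE" | has_private_key "$nick"; then
        echo "private key for $nick: present"
    else
        echo "private key for $nick: NOT FOUND in $NSSDB"
    fi
    ls -l "$NSSDB" | writable_db_files | sed 's/^/group- or world-writable: /'
    certutil -L -d "$NSSDB" -n "$nick" | cert_not_expired_on "$(date +%Y-%m-%d)"
    case $? in 0) echo "certificate validity: ok" ;; 1) echo "certificate: EXPIRED" ;;
               *) echo "certificate validity: could not determine" ;; esac
    echo "recent SELinux AVC denials: $(ausearch -m avc --start recent 2>/dev/null | grep -c denied)"
}

if [ "${1-}" = "--run" ]; then main; fi
```

Invoke it as `sh nsscheck.sh --run` on the IPA server; without `--run` the file only defines the functions so they can be used on saved command output.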

2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

    Morgan Marodin wrote:
    > Hi Florence.
    >
    > Thanks for your support.
    >
    > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
    > permissions and certificates are good:
    > [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
    > total 184
    > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
    > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
    > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
    > -rw-------. 1 root root    4833 Sep  4  2015 install.log
    > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
    > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
    > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so ->
    > /usr/lib64/libnssckbi.so
    > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
    > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
    > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig

    Eventually you'll want to remove group write on the *.db files.

    > And password validations seems ok, too:
    > [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
    > /etc/httpd/alias/pwdfile.txt
    good

    > Enabling mod-nss debug I can see these logs:
    > [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
    > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
    > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
    > NSSSessionCacheTimeout is deprecated. Ignoring.
    > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
    > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
    > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
    > for SSL protocol
    > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
    > nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
    > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
    > nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
    > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
    > nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
    > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
    > nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
    > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
    > nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
    > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
    > nss_engine_init.c(906): Disabling TLS Session Tickets
    > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
    > nss_engine_init.c(916): Enabling DHE key exchange
    > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
    > nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
    > ciphers
    > 
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
    > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
    > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
    > Server-Cert.
    [snip]
    > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
    > found: 'Server-Cert'

    Can you show what this returns:

    # grep NSSNickname /etc/httpd/conf.d/nss.conf

    > Do you think there is a kerberos problem?

    It definitely is not.

    You can bring the system up in a minimal way by manually starting the
    dir...@example.com service and then krb5kdc. This will at least let your
    users authenticate. The management framework (GUI) runs through Apache
    so that will be down until we can get Apache started again.

    rob

    >
    > Please let me know, thanks.
    > Bye, Morgan
    >
    > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
    >
    >     On 11/17/2016 12:09 PM, Morgan Marodin wrote:
    >
    >         Hello.
    >
    >         This morning I've tried to upgrade my IPA server, but the
    >         upgrade failed, and now the service doesn't start! :(
    >
    >         If I try to launch the upgrade manually this is the output:
    >         [root@mlv-ipa01 download]# ipa-server-upgrade
    >
    >         Upgrading IPA:
    >           [1/8]: saving configuration
    >           [2/8]: disabling listeners
    >           [3/8]: enabling DS global lock
    >           [4/8]: starting directory server
    >           [5/8]: updating schema
    >           [6/8]: upgrading server
    >           [7/8]: stopping directory server
    >           [8/8]: restoring configuration
    >         Done.
    >         Update complete
    >         Upgrading IPA services
    >         Upgrading the configuration of the IPA services
    >         [Verifying that root certificate is published]
    >         [Migrate CRL publish directory]
    >         CRL tree already moved
    >         [Verifying that CA proxy configuration is correct]
    >         [Verifying that KDC configuration is using ipa-kdb backend]
    >         [Fix DS schema file syntax]
    >         Syntax already fixed
    >         [Removing RA cert from DS NSS database]
    >         RA cert already removed
    >         [Enable sidgen and extdom plugins by default]
    >         [Updating HTTPD service IPA configuration]
    >         [Updating mod_nss protocol versions]
    >         Protocol versions already updated
    >         [Updating mod_nss cipher suite]
    >         [Fixing trust flags in /etc/httpd/alias]
    >         Trust flags already processed
    >         [Exporting KRA agent PEM file]
    >         KRA is not enabled
    >         IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
    >         command ipa-server-upgrade manually.
    >         Unexpected error - see /var/log/ipaupgrade.log for details:
    >         CalledProcessError: Command '/bin/systemctl start httpd.service'
    >         returned non-zero exit status 1
    >         The ipa-server-upgrade command failed. See
    >         /var/log/ipaupgrade.log for more information
    >
    >         These are error logs of Apache:
    >         [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
    >         suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    >         [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
    >         NSSSessionCacheTimeout is deprecated. Ignoring.
    >         [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664]
    >         Certificate not found: 'Server-Cert'
    >
    >         The problem seems to be the Server-Cert that could not be found.
    >         But if I try to execute the certutil command manually I can see it:
    >         [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
    >
    >         Certificate Nickname                         Trust Attributes
    >                                                      SSL,S/MIME,JAR/XPI
    >
    >         Signing-Cert                                 u,u,u
    >         ipaCert                                      u,u,u
    >         Server-Cert                                  Pu,u,u
    >         IPA.MYDOMAIN.COM IPA CA                      CT,C,C
    >
    >         Could you help me?
    >         What could I try to do to restart my service?
    >
    >     Hi,
    >
    >     I would first make sure that httpd is using /etc/httpd/alias as NSS
    >     DB (check the directive NSSCertificateDatabase in
    >     /etc/httpd/conf.d/nss.conf).
    >     Then it may be a file permission issue: the NSS DB should belong to
    >     root:apache (the relevant files are cert8.db, key3.db and secmod.db).
    >     You should also find a pwdfile.txt in the same directory, containing
    >     the NSS DB password. Check that the password is valid using
    >     certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
    >     (if the command succeeds then the password in pwdfile is OK).
    >
    >     You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
    >     setting "LogLevel debug", and check the output in
    >     /var/log/httpd/error_log.
    >
    >     HTH,
    >     Flo.
    >
    >         Thanks, Morgan
    >
    >
    >
    >     --
    >     Manage your subscription for the Freeipa-users mailing list:
    >     https://www.redhat.com/mailman/listinfo/freeipa-users
    >     Go to http://freeipa.org for more info on the project
    >
    >

