Hi. I've upgraded all packages of my distribution, not only ipa packages. There were a lot of packages.
[root@mlv-ipa01 ~]# rpm -q mod_nss
mod_nss-1.0.14-7.el7.x86_64

All other checks seem ok:

[root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
[root@mlv-ipa01 ~]# getsebool
getsebool: SELinux is disabled
[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 736... NSS Certificate DB:Server-Cert
< 1> rsa a4b... NSS Certificate DB:Signing-Cert
< 2> rsa 0ff... NSS Certificate DB:ipaCert

[root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
Not Before: Mon Sep 07 10:15:34 2015
Not After : Thu Sep 07 10:15:34 2017

Could it be a good idea to export and re-import all certs from */etc/httpd/alias* folder?

Thanks

2016-11-17 17:07 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> Morgan Marodin wrote:
> > Hi Rob.
> >
> > I've just tried to remove the group write to the *.db files, but it's
> > not the problem.
>
> I didn't expect it to be but you don't want Apache having write access
> to your certs and keys.
>
> > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> > NSSNickname Server-Cert/
>
> Ok.
>
> >
> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> > works, services went up.
> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> > /winbind.service/, /kadmin.service/, /memcached.service/ and
> > /pki-tomcatd.target/.
>
> Good, so you can limp along for a while then.
>
> > Any other ideas?
>
> So you upgraded. What did you actually upgrade? Only the IPA packages or
> a lot more?
>
> What version is running now, and what version of mod_nss?
>
> $ rpm -q mod_nss
>
> Let's see if the NSS tools can find the cert:
>
> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>
> Should come back with: certutil: certificate is valid
>
> rob
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project