On 08/14/2017 05:46 PM, Rob Crittenden wrote:
> Julian Gethmann wrote:
>> Hallo,
>>
>> On 08/14/2017 04:21 PM, Rob Crittenden wrote:
>>> Julian Gethmann via FreeIPA-users wrote:
>>>> Hallo,
>>>>
>>>> Unfortunately I don't know when this problem occurred first, but it
>>>> may have occurred after an update.
>>>> The httpd does not start and aborts with the error
>>>>
>>>> [:info] [pid 15383] Using nickname Server-Cert.
>>>> [...] [:error] [pid 15383] Certificate not found: 'Server-Cert'
>>>>
>>>> when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
>>>> or "systemctl start httpd"
>>>> If I turn the NSSEngine off it starts of course.
>>>>
>>>> In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
>>>> Server-Cert" does find a certificate, if I get the output [1] right.
>>>
>>> ipa-getcert shows certs that are tracked by certmonger but doesn't
>>> guarantee that those certificates actually exist in the filesystem
>>> (they
>>> did at the time tracking was started).
>>>
>>> You need to look at the Apache NSS database:
>>>
>>> # certutil -L -d /etc/httpd/alias
>> Ok, I also did this, but it seems to be there
>> # certutil -L -d /etc/httpd/alias
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                                 u,u,u
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  Pu,u,u
>> EXAMPLE.COM IPA CA                                           CT,C,C
>
>
> I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache
> 0640
ok, the db were "root:apache 0660", but they were readable at least and
making them 0640 did not help either.
>
> If that checks out, look for SELinux issues by starting httpd then
> running: ausearch -m AVC -ts recent
I disabled SELinux for testing it, but that did not work. Now I also
tested:
# ausearch -m AVC -ts recent
<no matches>
>
> As a last resort perhaps the NSS database is corrupted. You can exercise
> it with:
>
> # certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
> /etc/httpd/alias/pwdfile.txt
>
> You should get: certutil: certificate is valid
>
I do get it:
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
/etc/httpd/alias/pwdfile.txt
certutil: certificate is valid
If I just want to start httpd and not via IPA or with --force I get a
different error, which I think might be because the services started
before httpd in the IPA start-up-phase aren't running since the start of
IPA aborted:
-- Unit httpd.service has begun starting up.
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa: ERROR Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: Traceback (most recent call last):
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/libexec/ipa/ipa-httpd-kdcproxy", line 84, in _ldap_con
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.con.do_bind(timeout=self.time_limit)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.do_external_bind(pw_name, timeout=timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.__bind_with_wait(self.external_bind, timeout, user_name)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.__wait_for_connection(timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: wait_for_open_socket(lurl.hostport, timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 13
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: raise e
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: error: [Errno 111] Connection refused
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa: ERROR Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com systemd[1]: httpd.service: Control process exited, code=exited status=1
Aug 14 19:05:14 ipa_server.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s
Aug 14 19:05:14 ipa_server.example.com systemd[1]: Failed to start The Apache HTTP Server.
The KDC proxy needs to talk to LDAP. If you want to continue down this
road you can edit /etc/systemd/system/httpd.service.d/ipa.conf and
comment out the ExecStartPre command, run systemctl daemon-reload and
try to start Apache (you just really need to remember to undo this).
That is a very strange and unexpected error out of mod_nss. What distro
are you running and what version of mod_nss?
Can you share your nss.conf?
rob
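The checks Rob walks through in this thread (nickname present in the Apache NSS database, a private key behind it, root:apache 0640 on the *.db files, SELinux AVCs, `certutil -V`) gathered into one diagnostic script. This is an added example, not code from the thread or from FreeIPA; it assumes the thread's paths and nickname, GNU `stat`, and a constructed `certutil -L` listing for self-testing the parser.

```shell
#!/bin/sh
# Diagnostic checklist for mod_nss "Certificate not found: 'Server-Cert'".
# Added example; defaults follow the thread and can be overridden by env vars.
NSSDB=${NSSDB:-/etc/httpd/alias}
NICK=${NICK:-Server-Cert}
PWDFILE=${PWDFILE:-$NSSDB/pwdfile.txt}

# Constructed sample of `certutil -L -d /etc/httpd/alias` output, used to
# exercise the parser below without a real NSS database.
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                 u,u,u
ipaCert                                      u,u,u
Server-Cert                                  Pu,u,u
EXAMPLE.COM IPA CA                           CT,C,C'

# Print the trust string for nickname $1 from a certutil -L listing on stdin;
# exit 1 if the nickname is absent. Nicknames may contain spaces, so the last
# field is the trust string and everything before it is the nickname.
nss_trust_of() {
    awk -v n="$1" '
        /^Certificate Nickname/ || NF < 2 { next }
        { t = $NF; sub(/[ \t]+[^ \t]+$/, ""); if ($0 == n) { print t; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# The SSL slot of the trust string carries "u" only when the private key is in
# the key database; without it mod_nss cannot serve with that certificate.
nss_has_private_key() { case ${1%%,*} in *u*) return 0 ;; *) return 1 ;; esac; }

# Expected ownership/mode from the thread: root:apache 0640. Accept anything
# no wider than that (no group write, nothing for others).
nssdb_perm_ok() {  # args: owner group octal-mode
    [ "$1" = root ] && [ "$2" = apache ] && [ $(( 0$3 & 027 )) -eq 0 ]
}

run_checks() {
    trust=$(certutil -L -d "$NSSDB" | nss_trust_of "$NICK") \
        || { echo "FAIL: $NICK not in $NSSDB"; return 1; }
    nss_has_private_key "$trust" || echo "WARN: no private key for $NICK ($trust)"
    for f in "$NSSDB"/*.db; do
        set -- $(stat -c '%U %G %a' "$f")
        nssdb_perm_ok "$@" || echo "WARN: $f is $1:$2 $3, expected root:apache 0640"
    done
    command -v ausearch >/dev/null && ausearch -m AVC -ts recent
    certutil -V -u V -n "$NICK" -d "$NSSDB" -e -f "$PWDFILE"
}
```

Run `run_checks` as root on the IPA server; the parsing and permission helpers can be exercised on their own with the embedded sample.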