On 08/14/2017 05:46 PM, Rob Crittenden wrote:
> Julian Gethmann wrote:
>> Hello,
>>
>> On 08/14/2017 04:21 PM, Rob Crittenden wrote:
>>> Julian Gethmann via FreeIPA-users wrote:
>>>> Hello,
>>>>
>>>> Unfortunately I don't know when this problem occurred first, but it may
>>>> have occurred after an update.
>>>> The httpd does not start and aborts with the error
>>>>
>>>> [:info] [pid 15383] Using nickname Server-Cert.
>>>> [...] [:error] [pid 15383] Certificate not found: 'Server-Cert'
>>>>
>>>> when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
>>>> or "systemctl start httpd".
>>>> If I turn the NSSEngine off it starts of course.
>>>>
>>>> In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
>>>> Server-Cert" does find a certificate, if I get the output [1] right.
>>>
>>> ipa-getcert shows certs that are tracked by certmonger but doesn't
>>> guarantee that those certificates actually exist in the filesystem (they
>>> did at the time tracking was started).
>>>
>>> You need to look at the Apache NSS database:
>>>
>>> # certutil -L -d /etc/httpd/alias
>> OK, I also did this, but it seems to be there:
>> # certutil -L -d /etc/httpd/alias
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                  u,u,u
>> ipaCert                                       u,u,u
>> Server-Cert                                   Pu,u,u
>> EXAMPLE.COM IPA CA                            CT,C,C
>
> I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache 0640
OK, the db files were "root:apache 0660", but they were readable at least,
and making them 0640 did not help either.
> If that checks out, look for SELinux issues by starting httpd then
> running: ausearch -m AVC -ts recent
I disabled SELinux for testing it, but that did not work. Now I also tested:
# ausearch -m AVC -ts recent
<no matches>
> As a last resort perhaps the NSS database is corrupted. You can exercise
> it with:
> # certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
> /etc/httpd/alias/pwdfile.txt
> You should get: certutil: certificate is valid
I do get it:
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
/etc/httpd/alias/pwdfile.txt
certutil: certificate is valid
> rob
If I just want to start httpd, and not via IPA or with --force, I get a
different error, which I think might be because the services started
before httpd in the IPA start-up phase aren't running since the start of
IPA aborted:
-- Unit httpd.service has begun starting up.
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa: ERROR Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: Traceback (most recent call last):
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/libexec/ipa/ipa-httpd-kdcproxy", line 84, in _ldap_con
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.con.do_bind(timeout=self.time_limit)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.do_external_bind(pw_name, timeout=timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.__bind_with_wait(self.external_bind, timeout, user_name)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.__wait_for_connection(timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: wait_for_open_socket(lurl.hostport, timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 13
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: raise e
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: error: [Errno 111] Connection refused
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa: ERROR Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com systemd[1]: httpd.service: Control process exited, code=exited status=1
Aug 14 19:05:14 ipa_server.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s
Aug 14 19:05:14 ipa_server.example.com systemd[1]: Failed to start The Apache HTTP Server.
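The checks Rob walks through in the thread (nickname present in the NSS database, ownership and mode of the *.db files, SELinux denials, certutil -V), collected into one shell script as an added example that is not code from the thread or from FreeIPA. It assumes GNU stat and the paths and nickname quoted above; the certutil listing embedded in it is constructed from the output Julian posted.

```shell
#!/bin/sh
# Added example, not code from the thread. Collects the checks suggested for
# "Certificate not found: 'Server-Cert'" into reusable functions.
# Assumed: NSS db in /etc/httpd/alias, nickname Server-Cert, password file
# pwdfile.txt, and GNU `stat -c` (Linux).
NSSDIR="${NSSDIR:-/etc/httpd/alias}"
NICK="${NICK:-Server-Cert}"

# Constructed from the listing posted in the thread; stands in for `certutil -L`.
SAMPLE_CERTUTIL_L='
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Signing-Cert                                  u,u,u
ipaCert                                       u,u,u
Server-Cert                                   Pu,u,u
EXAMPLE.COM IPA CA                            CT,C,C
'

# Read `certutil -L` output on stdin and print the trust flags of nickname $1.
# Nicknames may contain spaces ("EXAMPLE.COM IPA CA"), so each line is compared
# with its last field (the flags) stripped off. Returns 1 when the nickname is
# absent, which is the condition the NSSEngine error reports.
cert_trust_flags() {
    awk -v n="$1" '
        { flags = $NF; sub(/[ \t]+[^ \t]+[ \t]*$/, "")
          if ($0 == n) { print flags; found = 1 } }
        END { if (!found) exit 1 }'
}

# Every *.db file in $1 must be owned by $2 (root:apache) with mode $3 (640):
# httpd runs as the apache user and must be able to read the database.
check_db_perms() {
    dir="$1"; want="${2:-root:apache} ${3:-640}"; rc=0
    for f in "$dir"/*.db; do
        [ -e "$f" ] || { echo "no *.db files in $dir"; return 1; }
        got=$(stat -c '%U:%G %a' "$f") || return 1
        [ "$got" = "$want" ] || { echo "$f is $got, want $want"; rc=1; }
    done
    return $rc
}

# The full walk-through, to be run as root on the IPA server itself:
# nickname present -> file permissions -> SELinux denials -> certutil -V.
diagnose_server_cert() {
    certutil -L -d "$NSSDIR" | cert_trust_flags "$NICK" >/dev/null ||
        { echo "$NICK is not in $NSSDIR (matches the httpd error)"; return 1; }
    check_db_perms "$NSSDIR" || return 1
    ausearch -m AVC -ts recent || :   # exits 1 when there are no denials
    certutil -V -u V -n "$NICK" -d "$NSSDIR" -e -f "$NSSDIR/pwdfile.txt"
}
```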