Julian Gethmann wrote:
> On 08/14/2017 05:46 PM, Rob Crittenden wrote:
>> Julian Gethmann wrote:
>>> Hallo,
>>>
>>> On 08/14/2017 04:21 PM, Rob Crittenden wrote:
>>>> Julian Gethmann via FreeIPA-users wrote:
>>>>> Hallo,
>>>>>
>>>>> Unfortunately I don't know when this problem occurred first, but it may
>>>>> have occurred after an update.
>>>>> The httpd does not start and aborts with the error
>>>>>
>>>>> [:info] [pid 15383] Using nickname Server-Cert.
>>>>> [...] [:error] [pid 15383] Certificate not found: 'Server-Cert'
>>>>>
>>>>> when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
>>>>> or "systemctl start httpd".
>>>>> If I turn the NSSEngine off it starts of course.
>>>>>
>>>>> In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
>>>>> Server-Cert" does find a certificate, if I get the output [1] right.
>>>>
>>>> ipa-getcert shows certs that are tracked by certmonger but doesn't
>>>> guarantee that those certificates actually exist in the filesystem (they
>>>> did at the time tracking was started).
>>>>
>>>> You need to look at the Apache NSS database:
>>>>
>>>> # certutil -L -d /etc/httpd/alias
>>> Ok, I also did this, but it seems to be there:
>>> # certutil -L -d /etc/httpd/alias
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> Signing-Cert                                                 u,u,u
>>> ipaCert                                                      u,u,u
>>> Server-Cert                                                  Pu,u,u
>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>
>>
>> I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache
>> 0640
> ok, the db were "root:apache 0660", but they were readable at least and
> making them 0640 did not help either.
>>
>> If that checks out, look for SELinux issues by starting httpd then
>> running: ausearch -m AVC -ts recent
> I disabled SELinux for testing it, but that did not work. Now I also
> tested:
> # ausearch -m AVC -ts recent
> <no matches>
>
>>
>> As a last resort perhaps the NSS database is corrupted. You can exercise
>> it with:
>>
>> # certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
>> /etc/httpd/alias/pwdfile.txt
>>
>> You should get: certutil: certificate is valid
>>
> I do get it:
> # certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
> /etc/httpd/alias/pwdfile.txt
> certutil: certificate is valid
>
>
> If I just want to start httpd and not via IPA or with --force I get a
> different error, which I think might be because the services started
> before httpd in the IPA start-up-phase aren't running since the start of
> IPA aborted:
>
> -- Unit httpd.service has begun starting up.
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa : ERROR Unknown error while retrieving setting from ldap
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: Traceback (most recent call last):
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/libexec/ipa/ipa-httpd-kdcproxy", line 84, in _ldap_con
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.con.do_bind(timeout=self.time_limit)
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.do_external_bind(pw_name, timeout=timeout)
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.__bind_with_wait(self.external_bind, timeout, user_name)
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.__wait_for_connection(timeout)
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: wait_for_open_socket(lurl.hostport, timeout)
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 13
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: raise e
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: error: [Errno 111] Connection refused
> Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa : ERROR Unknown error while retrieving setting from ldap
> Aug 14 19:05:14 ipa_server.example.com systemd[1]: httpd.service: Control process exited, code=exited status=1
> Aug 14 19:05:14 ipa_server.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s
> Aug 14 19:05:14 ipa_server.example.com systemd[1]: Failed to start The Apache HTTP Server.
>
The KDC proxy needs to talk to LDAP. If you want to continue down this
road you can edit /etc/systemd/system/httpd.service.d/ipa.conf and
comment out the ExecStartPre command, run systemctl daemon-reload and
try to start Apache (you just really need to remember to undo this).

Ok. Now the error is "Certificate not found: 'Server-Cert'" again.

That is a very strange and unexpected error out of mod_nss. What distro
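The checks the thread walks through (list the NSS database with certutil -L, confirm the nickname and its trust flags, then validate with certutil -V against the password file) can be scripted. The shell below is an added example and is not code from the thread or from the FreeIPA project. The function names, the SAMPLE_LISTING text (constructed to match the shape of the certutil -L output posted above) and the interpretation that a "u" in the SSL trust slot means the database holds the private key for that certificate are this example's own assumptions; the live check at the end simply runs the two certutil commands from the thread.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread. Parses `certutil -L` output
# and checks a nickname, then (optionally) runs the live certutil -V check.

# Print the trust flags for NICKNAME from a `certutil -L` listing read on stdin.
# Nicknames may contain spaces ("EXAMPLE.COM IPA CA"), so the trust string is
# taken as the last whitespace-separated field and the nickname is everything
# before it. Returns 1 if the nickname is not in the listing.
nss_trust_flags() {
    nick="$1"
    awk -v nick="$nick" '
        # skip the two header lines and blank lines
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)   # strip trailing flags, leaving the nickname
            if ($0 == nick) { print flags; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Decide whether NICKNAME looks usable as a TLS server cert: it must be present
# and carry "u" in the SSL slot (assumption: "u" = private key present in the
# database). Reads the listing on stdin, prints a verdict, returns 0 or 1.
nss_server_cert_ok() {
    nick="$1"
    flags=$(nss_trust_flags "$nick") || { echo "missing: $nick"; return 1; }
    ssl=${flags%%,*}                      # first comma-separated slot = SSL
    case "$ssl" in
        *u*) echo "ok: $nick ssl-trust=$ssl"; return 0 ;;
        *)   echo "no private key for $nick (ssl-trust=$ssl)"; return 1 ;;
    esac
}

# Live check of the Apache NSS database, mirroring the thread's two commands.
# Needs certutil and root; not exercised by the offline demo below.
check_httpd_nss() {
    dir=${1:-/etc/httpd/alias}
    nick=${2:-Server-Cert}
    certutil -L -d "$dir" | nss_server_cert_ok "$nick" || return 1
    certutil -V -u V -n "$nick" -d "$dir" -e -f "$dir/pwdfile.txt"
}

# Constructed listing in the shape of the certutil -L output quoted in the thread.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
EXAMPLE.COM IPA CA                                           CT,C,C'

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | nss_server_cert_ok Server-Cert
```

Run `check_httpd_nss /etc/httpd/alias Server-Cert` as root on the IPA server to perform the live check; the offline functions let you paste a listing from a ticket or mail and see at once whether the nickname is present and whether its SSL slot carries a private key.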