Hello,
On 08/14/2017 04:21 PM, Rob Crittenden wrote:
> Julian Gethmann via FreeIPA-users wrote:
> >> Hello,
>>
>> Unfortunately I don't know when this problem occurred first, but it may
>> have occurred after an update.
>> The httpd does not start and aborts with the error
>>
>> [:info] [pid 15383] Using nickname Server-Cert.
>> [...] [:error] [pid 15383] Certificate not found: 'Server-Cert'
>>
>> when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
>> or "systemctl start httpd"
>> If I turn the NSSEngine off it starts of course.
>>
>> In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
>> Server-Cert" does find a certificate, if I get the output [1] right.
>
> ipa-getcert shows certs that are tracked by certmonger but doesn't
> guarantee that those certificates actually exist in the filesystem (they
> did at the time tracking was started).
>
> You need to look at the Apache NSS database:
>
> # certutil -L -d /etc/httpd/alias
Ok, I also did this, but it seems to be there
# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache 0640
If that checks out, look for SELinux issues by starting httpd then
running: ausearch -m AVC -ts recent
As a last resort perhaps the NSS database is corrupted. You can exercise
it with:
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f /etc/httpd/alias/pwdfile.txt
You should get: certutil: certificate is valid
rob
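As an added example (not part of the thread, and not FreeIPA's or mod_nss's own code), the following POSIX shell script runs the three checks from Rob's reply in order: owner, group and mode of the NSS database files, recent SELinux AVC denials, and the certutil validation of Server-Cert. The script name, the function names check_nss_perms, selinux_denials and verify_server_cert, and the use of "id -g apache" to look up the apache group are assumptions of this example; it relies on GNU coreutils stat, and the full sequence only runs when /etc/httpd/alias exists, so the functions can also be sourced and run against any directory.

```shell
#!/bin/sh
# check-httpd-nss.sh (hypothetical name): runs the checks suggested in the
# reply above against the Apache NSS database. Added example, not code from
# the thread or from FreeIPA/mod_nss.

# check_nss_perms DIR UID GID MODE
# Compares the owner uid, group gid and octal mode of every *.db file in DIR
# against the expected values (root:apache 0640 for /etc/httpd/alias).
# Prints one line per deviation; returns 0 if everything matches, 1 if any
# file differs, 2 if DIR contains no *.db files. Uses GNU coreutils stat -c.
check_nss_perms() {
    dir=$1; want_uid=$2; want_gid=$3; want_mode=$4
    rc=0
    for f in "$dir"/*.db; do
        if [ ! -e "$f" ]; then
            echo "no *.db files found in $dir"
            return 2
        fi
        have=$(stat -c '%u:%g %a' "$f")
        if [ "$have" != "$want_uid:$want_gid $want_mode" ]; then
            echo "MISMATCH $f: $have (expected $want_uid:$want_gid $want_mode)"
            rc=1
        fi
    done
    return $rc
}

# selinux_denials: lists recent AVC denials (run it right after a failed
# "systemctl start httpd"; needs auditd and root). Returns 3 if ausearch is
# not installed.
selinux_denials() {
    command -v ausearch >/dev/null 2>&1 || { echo "ausearch not installed"; return 3; }
    ausearch -m AVC -ts recent
}

# verify_server_cert DIR NICK PWFILE: the certutil validation from the reply.
# On success certutil prints "certutil: certificate is valid" and exits 0.
# Returns 3 if certutil is not installed.
verify_server_cert() {
    dir=$1; nick=$2; pwfile=$3
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 3; }
    certutil -V -u V -n "$nick" -d "$dir" -e -f "$pwfile"
}

main() {
    db=/etc/httpd/alias
    # Assumption: the apache user's primary group is the apache group.
    apache_gid=$(id -g apache 2>/dev/null) || { echo "no apache user on this host"; return 4; }
    echo "== 1. file permissions (want root:apache 0640)"
    check_nss_perms "$db" 0 "$apache_gid" 640 && echo "permissions OK"
    echo "== 2. SELinux denials since the last httpd start attempt"
    selinux_denials
    echo "== 3. certificate lookup and validation"
    verify_server_cert "$db" Server-Cert "$db/pwdfile.txt"
}

# Only run the full sequence when the FreeIPA httpd NSS directory exists, so
# the functions above can be sourced and called individually elsewhere.
if [ -d /etc/httpd/alias ]; then
    main
fi
```

Run it as root on the IPA server; a MISMATCH line points at step 1, AVC records at step 2, and anything other than "certificate is valid" at step 3 means the database itself (or the password file) is the problem.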