9:14 p.m.
I made the following soft link
ln -s /etc/apache2/nssdb /etc/httpd/alias
But return code 77 as well, so what do I need to do?
root@migration-ipa-65-186:/.ipa/log# tailf renew.log
2022-04-09T16:02:13Z 21810 MainThread ipa DEBUG stderr=* Trying
10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443
(#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
will not work.
* Closing connection 0
GET
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=12&xml=true"
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
results = "(null)"
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Initializing principal
host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
/etc/krb5.keytab
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG using ccache
/var/run/certmonger/tmp-FYfJPZ/ccache
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f307a537290>
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Starting external
process
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG
args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Process finished, return
code=3
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stdout=Error 77
connecting
to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stderr=* Trying
10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443
(#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
will not work.
* Closing connection 0
GET
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=13&xml=true"
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
results = "(null)"
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Initializing principal
host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
/etc/krb5.keytab
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG using ccache
/var/run/certmonger/tmp-svWgpP/ccache
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbd8bfd6f80>
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Starting external
process
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG
args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Process finished, return
code=3
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stdout=Error 77
connecting
to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stderr=* Trying
10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443
(#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
will not work.
* Closing connection 0
GET
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=14&xml=true"
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
results = "(null)"
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Initializing principal
host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
/etc/krb5.keytab
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG using ccache
/var/run/certmonger/tmp-DSagx_/ccache
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f1c70811b00>
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Starting external
process
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG
args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Process finished, return
code=3
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stdout=Error 77
connecting
to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stderr=* Trying
10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443
(#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
will not work.
* Closing connection 0
GET
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=15&xml=true"
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
results = "(null)"
root@migration-ipa-65-186:/.ipa/log# ll /etc/httpd/alias
lrwxrwxrwx 1 root root 18 Apr 10 00:00 /etc/httpd/alias -> /etc/apache2/nssdb
hello
Can I get some attention?
Using Ubuntu install freeipa is an addition left by the company, I also feel very sorry.
If I fix the expiration problem, I will migrate to centos, but I need to solve the
certificate expiration problem first, Ubuntu does not use /etc/httpd/alias service and
certificate store./etc/apache2/nssdb /apache2/nssdb /etc/apache2/nssdb
8:33 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
> I made the following soft link
> ln -s /etc/apache2/nssdb /etc/httpd/alias
> But return code 77 as well, so what do I need to do?
>
> root@migration-ipa-65-186:/.ipa/log# tailf renew.log
> 2022-04-09T16:02:13Z 21810 MainThread ipa DEBUG stderr=* Trying
> 10.12.65.186...
> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443
(#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates
> will not work.
> * Closing connection 0
> GET
>
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=12&xml=true"
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
>
> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Initializing
principal
> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
> /etc/krb5.keytab
> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG using ccache
> /var/run/certmonger/tmp-FYfJPZ/ccache
> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Attempt 1/1: success
> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Loading StateFile
from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
> 2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG retrieving schema for SchemaCache
> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f307a537290>
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Starting external
process
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG
> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Process finished,
return
> code=3
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stdout=Error 77
connecting
> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
> Problem with the SSL CA cert (path? access rights?).
>
> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stderr=* Trying
> 10.12.65.186...
> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443
(#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates
> will not work.
> * Closing connection 0
> GET
>
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=13&xml=true"
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
>
> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Initializing
principal
> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
> /etc/krb5.keytab
> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG using ccache
> /var/run/certmonger/tmp-svWgpP/ccache
> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Attempt 1/1: success
> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Loading StateFile
from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
> 2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG retrieving schema for SchemaCache
> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbd8bfd6f80>
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Starting external
process
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG
> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Process finished,
return
> code=3
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stdout=Error 77
connecting
> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
> Problem with the SSL CA cert (path? access rights?).
>
> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stderr=* Trying
> 10.12.65.186...
> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443
(#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates
> will not work.
> * Closing connection 0
> GET
>
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=14&xml=true"
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
>
> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Initializing
principal
> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
> /etc/krb5.keytab
> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG using ccache
> /var/run/certmonger/tmp-DSagx_/ccache
> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Attempt 1/1: success
> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Loading StateFile
from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
> 2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache
> DEBUG retrieving schema for SchemaCache
> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f1c70811b00>
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Starting external
process
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG
> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Process finished,
return
> code=3
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stdout=Error 77
connecting
> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
> Problem with the SSL CA cert (path? access rights?).
>
> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stderr=* Trying
> 10.12.65.186...
> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443
(#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates
> will not work.
> * Closing connection 0
> GET
>
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=15&xml=true"
> code = 77
> code_text = "Problem with the SSL CA cert (path? access rights?)"
> results = "(null)"
>
> root@migration-ipa-65-186:/.ipa/log# ll /etc/httpd/alias
> lrwxrwxrwx 1 root root 18 Apr 10 00:00 /etc/httpd/alias -> /etc/apache2/nssdb
hello
Can I get some attention?
Using Ubuntu install freeipa is an addition left by the company, I also feel very sorry.
If I fix the expiration problem, I will migrate to centos, but I need to solve the
certificate expiration problem first, Ubuntu does not use /etc/httpd/alias service and
certificate store./etc/apache2/nssdb /apache2/nssdb /etc/apache2/nssdb
There is nothing special about /etc/httpd/alias. The certmonger tracking
should already be using /etc/apache2/nssdb. If not I'd correct it. This
database is likely baked in other places as well.
I think the key may be this message:
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL
PEM certificates will not work
IIRC there was a problem on old Ubuntu where renewal couldn't happen
because the RA cert couldn't be loaded because libnsspem was missing.
Timo, do you recall what versions(s) of IPA this affected?
rob
9:42 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
On 25.7.2022 16.33, Rob Crittenden wrote:
roy liang via FreeIPA-users wrote:
>> I made the following soft link
>> ln -s /etc/apache2/nssdb /etc/httpd/alias
>> But return code 77 as well, so what do I need to do?
>>
>> root@migration-ipa-65-186:/.ipa/log# tailf renew.log
>> 2022-04-09T16:02:13Z 21810 MainThread ipa DEBUG stderr=*
Trying
>> 10.12.65.186...
>> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port
8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates
>> will not work.
>> * Closing connection 0
>> GET
>>
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=12&xml=true"
>> code = 77
>> code_text = "Problem with the SSL CA cert (path? access rights?)"
>> results = "(null)"
>>
>> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Initializing
principal
>> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
>> /etc/krb5.keytab
>> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG using ccache
>> /var/run/certmonger/tmp-FYfJPZ/ccache
>> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Attempt 1/1:
success
>> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Loading StateFile
from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2022-04-09T16:02:23Z 21811 MainThread
ipa.ipapython.ipaldap.SchemaCache
>> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
>> 2022-04-09T16:02:23Z 21811 MainThread
ipa.ipapython.ipaldap.SchemaCache
>> DEBUG retrieving schema for SchemaCache
>> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f307a537290>
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Starting external
process
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG
>> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Process finished,
return
>> code=3
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stdout=Error 77
connecting
>> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
>> Problem with the SSL CA cert (path? access rights?).
>>
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stderr=*
Trying
>> 10.12.65.186...
>> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port
8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates
>> will not work.
>> * Closing connection 0
>> GET
>>
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=13&xml=true"
>> code = 77
>> code_text = "Problem with the SSL CA cert (path? access rights?)"
>> results = "(null)"
>>
>> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Initializing
principal
>> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
>> /etc/krb5.keytab
>> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG using ccache
>> /var/run/certmonger/tmp-svWgpP/ccache
>> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Attempt 1/1:
success
>> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Loading StateFile
from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2022-04-09T16:02:33Z 21809 MainThread
ipa.ipapython.ipaldap.SchemaCache
>> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
>> 2022-04-09T16:02:33Z 21809 MainThread
ipa.ipapython.ipaldap.SchemaCache
>> DEBUG retrieving schema for SchemaCache
>> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbd8bfd6f80>
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Starting external
process
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG
>> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Process finished,
return
>> code=3
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stdout=Error 77
connecting
>> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
>> Problem with the SSL CA cert (path? access rights?).
>>
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stderr=*
Trying
>> 10.12.65.186...
>> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port
8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates
>> will not work.
>> * Closing connection 0
>> GET
>>
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=14&xml=true"
>> code = 77
>> code_text = "Problem with the SSL CA cert (path? access rights?)"
>> results = "(null)"
>>
>> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Initializing
principal
>> host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
>> /etc/krb5.keytab
>> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG using ccache
>> /var/run/certmonger/tmp-DSagx_/ccache
>> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Attempt 1/1:
success
>> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Loading StateFile
from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2022-04-09T16:02:43Z 21812 MainThread
ipa.ipapython.ipaldap.SchemaCache
>> DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from
SchemaCache
>> 2022-04-09T16:02:43Z 21812 MainThread
ipa.ipapython.ipaldap.SchemaCache
>> DEBUG retrieving schema for SchemaCache
>> url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f1c70811b00>
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Starting external
process
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG
>> args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Process finished,
return
>> code=3
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stdout=Error 77
connecting
>> to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
>> Problem with the SSL CA cert (path? access rights?).
>>
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stderr=*
Trying
>> 10.12.65.186...
>> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port
8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM
certificates
>> will not work.
>> * Closing connection 0
>> GET
>>
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=15&xml=true"
>> code = 77
>> code_text = "Problem with the SSL CA cert (path? access rights?)"
>> results = "(null)"
>>
>> root@migration-ipa-65-186:/.ipa/log# ll /etc/httpd/alias
>> lrwxrwxrwx 1 root root 18 Apr 10 00:00 /etc/httpd/alias -> /etc/apache2/nssdb
>
> hello
> Can I get some attention?
> Using Ubuntu install freeipa is an addition left by the company, I also feel very
sorry. If I fix the expiration problem, I will migrate to centos, but I need to solve the
certificate expiration problem first, Ubuntu does not use /etc/httpd/alias service and
certificate store./etc/apache2/nssdb /apache2/nssdb /etc/apache2/nssdb
There is nothing special about /etc/httpd/alias. The certmonger tracking
should already be using /etc/apache2/nssdb. If not I'd correct it. This
database is likely baked in other places as well.
I think the key may be this message:
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL
PEM certificates will not work
IIRC there was a problem on old Ubuntu where renewal couldn't happen
because the RA cert couldn't be loaded because libnsspem was missing.
Timo, do you recall what versions(s) of IPA this affected?
libnsspem has been in the distro since 18.04 ("bionic"), though it's
called nss-plugin-pem since
I think this installation was somehow rolled manually, because the
packaging has used the right nssdb location for a long time now
--
t
2:39 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
On 25.7.2022 16.33, Rob Crittenden wrote:
libnsspem has been in the distro since 18.04 ("bionic"), though it's
called nss-plugin-pem since
I think this installation was somehow rolled manually, because the
packaging has used the right nssdb location for a long time now
hello
My system is ubuntu16.04, I did not find this libnsspem package, what should I do?
root@ubuntu:/home/liangrui# find / -name libnsspem*
root@ubuntu:/home/liangrui#
# apt-get update -y
# apt-get install -y libnsspem
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libnsspem
2:54 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
On 25.7.2022 16.33, Rob Crittenden wrote:
libnsspem has been in the distro since 18.04 ("bionic"), though it's
called nss-plugin-pem since
I think this installation was somehow rolled manually, because the
packaging has used the right nssdb location for a long time now
ubuntu16.04 not libnsspem
Should have used LiBNSS3?
root@migration-ipa-65-186:/home/liangrui# dpkg -l|grep libnss3
ii libnss3:amd64 2:3.28.4-0ubuntu0.16.04.14 amd64
Network Security Service libraries
ii libnss3:i386 2:3.28.4-0ubuntu0.16.04.14 i386
Network Security Service libraries
ii libnss3-1d:amd64 2:3.28.4-0ubuntu0.16.04.14 amd64
Network Security Service libraries - transitional package
ii libnss3-dev:amd64 2:3.28.4-0ubuntu0.16.04.14 amd64
Development files for the Network Security Service libraries
ii libnss3-nssdb 2:3.28.4-0ubuntu0.16.04.14 all
Network Security Security libraries - shared databases
ii libnss3-tools 2:3.28.4-0ubuntu0.16.04.14 amd64
Network Security Service tools
11:47 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
> On 25.7.2022 16.33, Rob Crittenden wrote:
>
> libnsspem has been in the distro since 18.04 ("bionic"), though it's
> called nss-plugin-pem since
>
> I think this installation was somehow rolled manually, because the
> packaging has used the right nssdb location for a long time now
ubuntu16.04 not libnsspem
Should have used LiBNSS3?
root@migration-ipa-65-186:/home/liangrui# dpkg -l|grep libnss3
ii libnss3:amd64 2:3.28.4-0ubuntu0.16.04.14 amd64
Network Security Service libraries
ii libnss3:i386 2:3.28.4-0ubuntu0.16.04.14 i386
Network Security Service libraries
ii libnss3-1d:amd64 2:3.28.4-0ubuntu0.16.04.14 amd64
Network Security Service libraries - transitional package
ii libnss3-dev:amd64 2:3.28.4-0ubuntu0.16.04.14 amd64
Development files for the Network Security Service libraries
ii libnss3-nssdb 2:3.28.4-0ubuntu0.16.04.14 all
Network Security Security libraries - shared databases
ii libnss3-tools 2:3.28.4-0ubuntu0.16.04.14 amd64
Network Security Service tools
You may want to broaden your search for just pem.
It's possible this was never available in your release. I don't know if
it can be backported or not.
What this does is lets flat files, which in this case contain the RA
certificate and private key necessary for IPA to authenticate to the CA,
be used by an NSS database by making them appear as a PKCS#11 device.
rob
9:16 p.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
You may want to broaden your search for just pem.
It's possible this was never available in your release. I don't know if
it can be backported or not.
What this does is lets flat files, which in this case contain the RA
certificate and private key necessary for IPA to authenticate to the CA,
be used by an NSS database by making them appear as a PKCS#11 device.
rob
Like this?What do I need to do next?
# find / -name *.pem*
/usr/local/i386/comm_repos/platform/yy-cacert.pem
/usr/local/i386/comm_repos/platform/yy-cacert-20220212.pem.bak
/usr/lib/python2.7/dist-packages/twisted/test/server.pem
/usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing1.pem
/usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing2-duplicate.pem
/usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/chain.pem
/usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing2.pem
/usr/lib/python2.7/dist-packages/twisted/mail/test/server.pem
/usr/share/gnupg2/sks-keyservers.netCA.pem
/usr/share/doc/libnet-ssleay-perl/examples/server_key.pem
/usr/share/doc/libssl-doc/demos/sign/cert.pem
/usr/share/doc/libssl-doc/demos/sign/key.pem
/usr/share/doc/libssl-doc/demos/smime/cakey.pem
/usr/share/doc/libssl-doc/demos/smime/cacert.pem
/usr/share/doc/libssl-doc/demos/smime/signer2.pem
/usr/share/doc/libssl-doc/demos/smime/signer.pem
/usr/share/doc/libssl-doc/demos/easy_tls/cacerts.pem
/usr/share/doc/libssl-doc/demos/easy_tls/cert.pem
/usr/share/doc/libssl-doc/demos/bio/server.pem
/usr/share/doc/libssl-doc/demos/privkey.pem
/usr/share/doc/libssl-doc/demos/tunala/CA.pem
/usr/share/doc/libssl-doc/demos/tunala/A-client.pem.gz
/usr/share/doc/libssl-doc/demos/tunala/A-server.pem.gz
/usr/share/doc/libssl-doc/demos/cms/cakey.pem
/usr/share/doc/libssl-doc/demos/cms/cacert.pem
/usr/share/doc/libssl-doc/demos/cms/signer2.pem
/usr/share/doc/libssl-doc/demos/cms/signer.pem
/etc/apache2/nssdb/kra-agent.pem
/etc/ssl/certs/SwissSign_Platinum_CA_-_G2.pem
/etc/ssl/certs/COMODO_RSA_Certification_Authority.pem
/etc/ssl/certs/NetLock_Business_=Class_B=_Root.pem
/etc/ssl/certs/E-Tugra_Certification_Authority.pem
/etc/ssl/certs/certSIGN_ROOT_CA.pem
/etc/ssl/certs/NetLock_Qualified_=Class_QA=_Root.pem
/etc/ssl/certs/Security_Communication_Root_CA.pem
/etc/ssl/certs/Swisscom_Root_EV_CA_2.pem
/etc/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/OISTE_WISeKey_Global_Root_GB_CA.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/Global_Chambersign_Root_-_2008.pem
/etc/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.pem
/etc/ssl/certs/Certigna.pem
/etc/ssl/certs/EC-ACC.pem
/etc/ssl/certs/thawte_Primary_Root_CA_-_G2.pem
/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G3.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem
/etc/ssl/certs/Camerfirma_Chambers_of_Commerce_Root.pem
/etc/ssl/certs/DigiCert_Assured_ID_Root_G2.pem
/etc/ssl/certs/Secure_Global_CA.pem
/etc/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
/etc/ssl/certs/Chambers_of_Commerce_Root_-_2008.pem
/etc/ssl/certs/Starfield_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem
/etc/ssl/certs/WoSign.pem
/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/etc/ssl/certs/DigiCert_Trusted_Root_G4.pem
/etc/ssl/certs/ApplicationCA_-_Japanese_Government.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_2.pem
/etc/ssl/certs/OISTE_WISeKey_Global_Root_GA_CA.pem
/etc/ssl/certs/SecureTrust_CA.pem
/etc/ssl/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Certinomis_-_Root_CA.pem
/etc/ssl/certs/IGC_A.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem
/etc/ssl/certs/Entrust_Root_Certification_Authority_-_EC1.pem
/etc/ssl/certs/Starfield_Class_2_CA.pem
/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem
/etc/ssl/certs/Security_Communication_RootCA2.pem
/etc/ssl/certs/Hongkong_Post_Root_CA_1.pem
/etc/ssl/certs/Equifax_Secure_CA.pem
/etc/ssl/certs/TeliaSonera_Root_CA_v1.pem
/etc/ssl/certs/CA_WoSign_ECC_Root.pem
/etc/ssl/certs/QuoVadis_Root_CA.pem
/etc/ssl/certs/CNNIC_ROOT.pem
/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/certs/D-TRUST_Root_Class_3_CA_2_2009.pem
/etc/ssl/certs/DigiCert_Assured_ID_Root_G3.pem
/etc/ssl/certs/Microsec_e-Szigno_Root_CA.pem
/etc/ssl/certs/D-TRUST_Root_Class_3_CA_2_EV_2009.pem
/etc/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_2007.pem
/etc/ssl/certs/Security_Communication_EV_RootCA1.pem
/etc/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.pem
/etc/ssl/certs/Comodo_Secure_Services_root.pem
/etc/ssl/certs/RSA_Security_2048_v3.pem
/etc/ssl/certs/StartCom_Certification_Authority_2.pem
/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem
/etc/ssl/certs/QuoVadis_Root_CA_3_G3.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/EE_Certification_Centre_Root_CA.pem
/etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
/etc/ssl/certs/SwissSign_Gold_CA_-_G2.pem
/etc/ssl/certs/USERTrust_ECC_Certification_Authority.pem
/etc/ssl/certs/GeoTrust_Global_CA.pem
/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_3.pem
/etc/ssl/certs/GlobalSign_ECC_Root_CA_-_R5.pem
/etc/ssl/certs/COMODO_ECC_Certification_Authority.pem
/etc/ssl/certs/IdenTrust_Public_Sector_Root_CA_1.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.pem
/etc/ssl/certs/Taiwan_GRCA.pem
/etc/ssl/certs/Network_Solutions_Certificate_Authority.pem
/etc/ssl/certs/TWCA_Root_Certification_Authority.pem
/etc/ssl/certs/Izenpe.com.pem
/etc/ssl/certs/Buypass_Class_2_CA_1.pem
/etc/ssl/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem
/etc/ssl/certs/StartCom_Certification_Authority_G2.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/NetLock_Express_=Class_C=_Root.pem
/etc/ssl/certs/Trustis_FPS_Root_CA.pem
/etc/ssl/certs/thawte_Primary_Root_CA.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
/etc/ssl/certs/TC_TrustCenter_Class_3_CA_II.pem
/etc/ssl/certs/Certplus_Class_2_Primary_CA.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/IdenTrust_Commercial_Root_CA_1.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/CA_Disig.pem
/etc/ssl/certs/VeriSign_Universal_Root_Certification_Authority.pem
/etc/ssl/certs/QuoVadis_Root_CA_2.pem
/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority.pem
/etc/ssl/certs/DigiCert_Assured_ID_Root_CA.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Comodo_Trusted_Services_root.pem
/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
/etc/ssl/certs/Camerfirma_Global_Chambersign_Root.pem
/etc/ssl/certs/ACEDICOM_Root.pem
/etc/ssl/certs/GeoTrust_Universal_CA_2.pem
/etc/ssl/certs/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.pem
/etc/ssl/certs/Cybertrust_Global_Root.pem
/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
/etc/ssl/certs/S-TRUST_Universal_Root_CA.pem
/etc/ssl/certs/ePKI_Root_Certification_Authority.pem
/etc/ssl/certs/Certification_Authority_of_WoSign_G2.pem
/etc/ssl/certs/Comodo_AAA_Services_root.pem
/etc/ssl/certs/Certum_Root_CA.pem
/etc/ssl/certs/UTN_USERFirst_Email_Root_CA.pem
/etc/ssl/certs/DST_Root_CA_X3.pem
/etc/ssl/certs/Juur-SK.pem
/etc/ssl/certs/SecureSign_RootCA11.pem
/etc/ssl/certs/AddTrust_Low-Value_Services_Root.pem
/etc/ssl/certs/GlobalSign_ECC_Root_CA_-_R4.pem
/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem
/etc/ssl/certs/AddTrust_Qualified_Certificates_Root.pem
/etc/ssl/certs/DigiCert_Global_Root_CA.pem
/etc/ssl/certs/Certinomis_-_Autorité_Racine.pem
/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem
/etc/ssl/certs/WellsSecure_Public_Root_Certificate_Authority.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/Certum_Trusted_Network_CA.pem
/etc/ssl/certs/WoSign_China.pem
/etc/ssl/certs/QuoVadis_Root_CA_3.pem
/etc/ssl/certs/COMODO_Certification_Authority.pem
/etc/ssl/certs/Entrust_Root_Certification_Authority_-_G2.pem
/etc/ssl/certs/Swisscom_Root_CA_1.pem
/etc/ssl/certs/GeoTrust_Universal_CA.pem
/etc/ssl/certs/Equifax_Secure_eBusiness_CA_1.pem
/etc/ssl/certs/GlobalSign_Root_CA.pem
/etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem
/etc/ssl/certs/Staat_der_Nederlanden_Root_CA_-_G2.pem
/etc/ssl/certs/NetLock_Notary_=Class_A=_Root.pem
/etc/ssl/certs/Go_Daddy_Class_2_CA.pem
/etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem
/etc/ssl/certs/GeoTrust_Primary_Certification_Authority.pem
/etc/ssl/certs/GeoTrust_Global_CA_2.pem
/etc/ssl/certs/CFCA_EV_ROOT.pem
/etc/ssl/certs/Staat_der_Nederlanden_Root_CA.pem
/etc/ssl/certs/Visa_eCommerce_Root.pem
/etc/ssl/certs/StartCom_Certification_Authority.pem
/etc/ssl/certs/AddTrust_Public_Services_Root.pem
/etc/ssl/certs/DST_ACES_CA_X6.pem
/etc/ssl/certs/SwissSign_Silver_CA_-_G2.pem
/etc/ssl/certs/QuoVadis_Root_CA_2_G3.pem
/etc/ssl/certs/thawte_Primary_Root_CA_-_G3.pem
/etc/ssl/certs/ipa-ca.pem
/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/DigiCert_Global_Root_G2.pem
/etc/ssl/certs/Microsec_e-Szigno_Root_CA_2009.pem
/etc/ssl/certs/TWCA_Global_Root_CA.pem
/etc/ssl/certs/AC_Raíz_Certicámara_S.A..pem
/etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem
/etc/ssl/certs/Swisscom_Root_CA_2.pem
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem
/etc/ssl/certs/Sonera_Class_1_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R1.pem
/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/Staat_der_Nederlanden_EV_Root_CA.pem
/etc/ssl/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
/etc/ssl/certs/China_Internet_Network_Information_Center_EV_Certificates_Root.pem
/etc/ssl/certs/AddTrust_External_Root.pem
/etc/ssl/certs/PSCProcert.pem
/etc/ssl/certs/Sonera_Class_2_Root_CA.pem
/etc/ssl/certs/DigiCert_Global_Root_G3.pem
/etc/ssl/certs/Root_CA_Generalitat_Valenciana.pem
/etc/ssl/certs/QuoVadis_Root_CA_1_G3.pem
/etc/ssl/certs/XRamp_Global_CA_Root.pem
/etc/ssl/certs/ComSign_CA.pem
/etc/ssl/certs/Entrust_Root_Certification_Authority.pem
/etc/ssl/yy-cacert.pem
8:36 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
> roy liang via FreeIPA-users wrote:
>
> You may want to broaden your search for just pem.
>
> It's possible this was never available in your release. I don't know if
> it can be backported or not.
>
> What this does is lets flat files, which in this case contain the RA
> certificate and private key necessary for IPA to authenticate to the CA,
> be used by an NSS database by making them appear as a PKCS#11 device.
>
> rob
Like this?What do I need to do next?
You searched for the wrong thing. We want to see if the NSS pem library
is installed so drop the leading dot.
If it isn't you'll need to try to find it for your OS release and see if
that helps.
If it isn't available I don't know what to tell you.
rob
# find / -name *.pem*
/usr/local/i386/comm_repos/platform/yy-cacert.pem
/usr/local/i386/comm_repos/platform/yy-cacert-20220212.pem.bak
/usr/lib/python2.7/dist-packages/twisted/test/server.pem
/usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing1.pem
/usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing2-duplicate.pem
/usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/chain.pem
/usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing2.pem
/usr/lib/python2.7/dist-packages/twisted/mail/test/server.pem
/usr/share/gnupg2/sks-keyservers.netCA.pem
/usr/share/doc/libnet-ssleay-perl/examples/server_key.pem
/usr/share/doc/libssl-doc/demos/sign/cert.pem
/usr/share/doc/libssl-doc/demos/sign/key.pem
/usr/share/doc/libssl-doc/demos/smime/cakey.pem
/usr/share/doc/libssl-doc/demos/smime/cacert.pem
/usr/share/doc/libssl-doc/demos/smime/signer2.pem
/usr/share/doc/libssl-doc/demos/smime/signer.pem
/usr/share/doc/libssl-doc/demos/easy_tls/cacerts.pem
/usr/share/doc/libssl-doc/demos/easy_tls/cert.pem
/usr/share/doc/libssl-doc/demos/bio/server.pem
/usr/share/doc/libssl-doc/demos/privkey.pem
/usr/share/doc/libssl-doc/demos/tunala/CA.pem
/usr/share/doc/libssl-doc/demos/tunala/A-client.pem.gz
/usr/share/doc/libssl-doc/demos/tunala/A-server.pem.gz
/usr/share/doc/libssl-doc/demos/cms/cakey.pem
/usr/share/doc/libssl-doc/demos/cms/cacert.pem
/usr/share/doc/libssl-doc/demos/cms/signer2.pem
/usr/share/doc/libssl-doc/demos/cms/signer.pem
/etc/apache2/nssdb/kra-agent.pem
/etc/ssl/certs/SwissSign_Platinum_CA_-_G2.pem
/etc/ssl/certs/COMODO_RSA_Certification_Authority.pem
/etc/ssl/certs/NetLock_Business_=Class_B=_Root.pem
/etc/ssl/certs/E-Tugra_Certification_Authority.pem
/etc/ssl/certs/certSIGN_ROOT_CA.pem
/etc/ssl/certs/NetLock_Qualified_=Class_QA=_Root.pem
/etc/ssl/certs/Security_Communication_Root_CA.pem
/etc/ssl/certs/Swisscom_Root_EV_CA_2.pem
/etc/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/OISTE_WISeKey_Global_Root_GB_CA.pem
/etc/ssl/certs/AffirmTrust_Premium.pem
/etc/ssl/certs/Global_Chambersign_Root_-_2008.pem
/etc/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.pem
/etc/ssl/certs/Certigna.pem
/etc/ssl/certs/EC-ACC.pem
/etc/ssl/certs/thawte_Primary_Root_CA_-_G2.pem
/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G3.pem
/etc/ssl/certs/CA_Disig_Root_R2.pem
/etc/ssl/certs/Camerfirma_Chambers_of_Commerce_Root.pem
/etc/ssl/certs/DigiCert_Assured_ID_Root_G2.pem
/etc/ssl/certs/Secure_Global_CA.pem
/etc/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
/etc/ssl/certs/Chambers_of_Commerce_Root_-_2008.pem
/etc/ssl/certs/Starfield_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem
/etc/ssl/certs/WoSign.pem
/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/etc/ssl/certs/DigiCert_Trusted_Root_G4.pem
/etc/ssl/certs/ApplicationCA_-_Japanese_Government.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_2.pem
/etc/ssl/certs/OISTE_WISeKey_Global_Root_GA_CA.pem
/etc/ssl/certs/SecureTrust_CA.pem
/etc/ssl/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/Certinomis_-_Root_CA.pem
/etc/ssl/certs/IGC_A.pem
/etc/ssl/certs/AffirmTrust_Commercial.pem
/etc/ssl/certs/NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem
/etc/ssl/certs/Entrust_Root_Certification_Authority_-_EC1.pem
/etc/ssl/certs/Starfield_Class_2_CA.pem
/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem
/etc/ssl/certs/Security_Communication_RootCA2.pem
/etc/ssl/certs/Hongkong_Post_Root_CA_1.pem
/etc/ssl/certs/Equifax_Secure_CA.pem
/etc/ssl/certs/TeliaSonera_Root_CA_v1.pem
/etc/ssl/certs/CA_WoSign_ECC_Root.pem
/etc/ssl/certs/QuoVadis_Root_CA.pem
/etc/ssl/certs/CNNIC_ROOT.pem
/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/certs/D-TRUST_Root_Class_3_CA_2_2009.pem
/etc/ssl/certs/DigiCert_Assured_ID_Root_G3.pem
/etc/ssl/certs/Microsec_e-Szigno_Root_CA.pem
/etc/ssl/certs/D-TRUST_Root_Class_3_CA_2_EV_2009.pem
/etc/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_2007.pem
/etc/ssl/certs/Security_Communication_EV_RootCA1.pem
/etc/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.pem
/etc/ssl/certs/Comodo_Secure_Services_root.pem
/etc/ssl/certs/RSA_Security_2048_v3.pem
/etc/ssl/certs/StartCom_Certification_Authority_2.pem
/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem
/etc/ssl/certs/QuoVadis_Root_CA_3_G3.pem
/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/EE_Certification_Centre_Root_CA.pem
/etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
/etc/ssl/certs/SwissSign_Gold_CA_-_G2.pem
/etc/ssl/certs/USERTrust_ECC_Certification_Authority.pem
/etc/ssl/certs/GeoTrust_Global_CA.pem
/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_3.pem
/etc/ssl/certs/GlobalSign_ECC_Root_CA_-_R5.pem
/etc/ssl/certs/COMODO_ECC_Certification_Authority.pem
/etc/ssl/certs/IdenTrust_Public_Sector_Root_CA_1.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.pem
/etc/ssl/certs/Taiwan_GRCA.pem
/etc/ssl/certs/Network_Solutions_Certificate_Authority.pem
/etc/ssl/certs/TWCA_Root_Certification_Authority.pem
/etc/ssl/certs/Izenpe.com.pem
/etc/ssl/certs/Buypass_Class_2_CA_1.pem
/etc/ssl/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem
/etc/ssl/certs/StartCom_Certification_Authority_G2.pem
/etc/ssl/certs/Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/NetLock_Express_=Class_C=_Root.pem
/etc/ssl/certs/Trustis_FPS_Root_CA.pem
/etc/ssl/certs/thawte_Primary_Root_CA.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
/etc/ssl/certs/TC_TrustCenter_Class_3_CA_II.pem
/etc/ssl/certs/Certplus_Class_2_Primary_CA.pem
/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/IdenTrust_Commercial_Root_CA_1.pem
/etc/ssl/certs/AffirmTrust_Networking.pem
/etc/ssl/certs/CA_Disig.pem
/etc/ssl/certs/VeriSign_Universal_Root_Certification_Authority.pem
/etc/ssl/certs/QuoVadis_Root_CA_2.pem
/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority.pem
/etc/ssl/certs/DigiCert_Assured_ID_Root_CA.pem
/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/etc/ssl/certs/Comodo_Trusted_Services_root.pem
/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
/etc/ssl/certs/Camerfirma_Global_Chambersign_Root.pem
/etc/ssl/certs/ACEDICOM_Root.pem
/etc/ssl/certs/GeoTrust_Universal_CA_2.pem
/etc/ssl/certs/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.pem
/etc/ssl/certs/Cybertrust_Global_Root.pem
/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
/etc/ssl/certs/S-TRUST_Universal_Root_CA.pem
/etc/ssl/certs/ePKI_Root_Certification_Authority.pem
/etc/ssl/certs/Certification_Authority_of_WoSign_G2.pem
/etc/ssl/certs/Comodo_AAA_Services_root.pem
/etc/ssl/certs/Certum_Root_CA.pem
/etc/ssl/certs/UTN_USERFirst_Email_Root_CA.pem
/etc/ssl/certs/DST_Root_CA_X3.pem
/etc/ssl/certs/Juur-SK.pem
/etc/ssl/certs/SecureSign_RootCA11.pem
/etc/ssl/certs/AddTrust_Low-Value_Services_Root.pem
/etc/ssl/certs/GlobalSign_ECC_Root_CA_-_R4.pem
/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem
/etc/ssl/certs/AddTrust_Qualified_Certificates_Root.pem
/etc/ssl/certs/DigiCert_Global_Root_CA.pem
/etc/ssl/certs/Certinomis_-_Autorité_Racine.pem
/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem
/etc/ssl/certs/WellsSecure_Public_Root_Certificate_Authority.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/Certum_Trusted_Network_CA.pem
/etc/ssl/certs/WoSign_China.pem
/etc/ssl/certs/QuoVadis_Root_CA_3.pem
/etc/ssl/certs/COMODO_Certification_Authority.pem
/etc/ssl/certs/Entrust_Root_Certification_Authority_-_G2.pem
/etc/ssl/certs/Swisscom_Root_CA_1.pem
/etc/ssl/certs/GeoTrust_Universal_CA.pem
/etc/ssl/certs/Equifax_Secure_eBusiness_CA_1.pem
/etc/ssl/certs/GlobalSign_Root_CA.pem
/etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem
/etc/ssl/certs/Staat_der_Nederlanden_Root_CA_-_G2.pem
/etc/ssl/certs/NetLock_Notary_=Class_A=_Root.pem
/etc/ssl/certs/Go_Daddy_Class_2_CA.pem
/etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem
/etc/ssl/certs/GeoTrust_Primary_Certification_Authority.pem
/etc/ssl/certs/GeoTrust_Global_CA_2.pem
/etc/ssl/certs/CFCA_EV_ROOT.pem
/etc/ssl/certs/Staat_der_Nederlanden_Root_CA.pem
/etc/ssl/certs/Visa_eCommerce_Root.pem
/etc/ssl/certs/StartCom_Certification_Authority.pem
/etc/ssl/certs/AddTrust_Public_Services_Root.pem
/etc/ssl/certs/DST_ACES_CA_X6.pem
/etc/ssl/certs/SwissSign_Silver_CA_-_G2.pem
/etc/ssl/certs/QuoVadis_Root_CA_2_G3.pem
/etc/ssl/certs/thawte_Primary_Root_CA_-_G3.pem
/etc/ssl/certs/ipa-ca.pem
/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/DigiCert_Global_Root_G2.pem
/etc/ssl/certs/Microsec_e-Szigno_Root_CA_2009.pem
/etc/ssl/certs/TWCA_Global_Root_CA.pem
/etc/ssl/certs/AC_Raíz_Certicámara_S.A..pem
/etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem
/etc/ssl/certs/Swisscom_Root_CA_2.pem
/etc/ssl/certs/ACCVRAIZ1.pem
/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem
/etc/ssl/certs/Sonera_Class_1_Root_CA.pem
/etc/ssl/certs/CA_Disig_Root_R1.pem
/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/Staat_der_Nederlanden_EV_Root_CA.pem
/etc/ssl/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
/etc/ssl/certs/China_Internet_Network_Information_Center_EV_Certificates_Root.pem
/etc/ssl/certs/AddTrust_External_Root.pem
/etc/ssl/certs/PSCProcert.pem
/etc/ssl/certs/Sonera_Class_2_Root_CA.pem
/etc/ssl/certs/DigiCert_Global_Root_G3.pem
/etc/ssl/certs/Root_CA_Generalitat_Valenciana.pem
/etc/ssl/certs/QuoVadis_Root_CA_1_G3.pem
/etc/ssl/certs/XRamp_Global_CA_Root.pem
/etc/ssl/certs/ComSign_CA.pem
/etc/ssl/certs/Entrust_Root_Certification_Authority.pem
/etc/ssl/yy-cacert.pem
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
1:16 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
You searched for the wrong thing. We want to see if the NSS pem library
is installed so drop the leading dot.
If it isn't you'll need to try to find it for your OS release and see if
that helps.
If it isn't available I don't know what to tell you.
rob
Oh, OK.Happy to provide all information.
Did you say to bring that up?
libnssckbi.so -> /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
ll /etc/apache2/nssdb
total 180
-rwxrwxrwx 1 root root 1349 May 10 2020 cacert.asc
-rwxrwxrwx 1 root www-data 65536 Apr 20 01:01 cert8.db
-rwxrwxrwx 1 root www-data 65536 May 10 2020 cert8.db.orig
-rwxrwxrwx 1 root root 5148 May 10 2020 install.log
-rwxrwxrwx 1 root www-data 16384 Apr 20 01:01 key3.db
-rwxrwxrwx 1 root www-data 16384 May 10 2020 key3.db.orig
-rwxrwxrwx 1 root www-data 3343 May 10 2020 Kra-agent.pem
LRWXRWXRWX 1 root root 43 Dec 10 2015 libnssckbi.so
->/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
-rwxrwxrwx 1 root www-data 20 May 10 2020 pwdfile.txt
- RWXRWXRWX 1 root www-data 16384 May 10 2020 secmod.db
-rwxrwxrwx 1 root www-data 16384 May 10 2020 secmod.db.orig
And then I did the natural log here
# ll /etc/httpd/alias
lrwxrwxrwx 1 root root 18 Apr 27 05:15 /etc/httpd/alias -> /etc/apache2/nssdb
# cat /proc/version
Linux version 4.9.0-141-custom (root(a)yy.com) (gcc version 5.4.0 20160609 (Ubuntu
5.4.0-6ubuntu1~16.04.2) ) #19 SMP Wed Nov 28 20:32:27 CST 2018
What other information do you need to see? Please send me the order. I can provide it
Can you give me some guidance on what I need to do next, thank you
2:28 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users kirjoitti 29.7.2022 klo 9.16:
> roy liang via FreeIPA-users wrote:
>
> You searched for the wrong thing. We want to see if the NSS pem library
> is installed so drop the leading dot.
>
> If it isn't you'll need to try to find it for your OS release and see if
> that helps.
>
> If it isn't available I don't know what to tell you.
>
> rob
Oh, OK.Happy to provide all information.
Did you say to bring that up?
libnssckbi.so -> /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
ll /etc/apache2/nssdb
total 180
-rwxrwxrwx 1 root root 1349 May 10 2020 cacert.asc
-rwxrwxrwx 1 root www-data 65536 Apr 20 01:01 cert8.db
-rwxrwxrwx 1 root www-data 65536 May 10 2020 cert8.db.orig
-rwxrwxrwx 1 root root 5148 May 10 2020 install.log
-rwxrwxrwx 1 root www-data 16384 Apr 20 01:01 key3.db
-rwxrwxrwx 1 root www-data 16384 May 10 2020 key3.db.orig
-rwxrwxrwx 1 root www-data 3343 May 10 2020 Kra-agent.pem
LRWXRWXRWX 1 root root 43 Dec 10 2015 libnssckbi.so
->/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
-rwxrwxrwx 1 root www-data 20 May 10 2020 pwdfile.txt
- RWXRWXRWX 1 root www-data 16384 May 10 2020 secmod.db
-rwxrwxrwx 1 root www-data 16384 May 10 2020 secmod.db.orig
And then I did the natural log here
# ll /etc/httpd/alias
lrwxrwxrwx 1 root root 18 Apr 27 05:15 /etc/httpd/alias -> /etc/apache2/nssdb
# cat /proc/version
Linux version 4.9.0-141-custom (root(a)yy.com) (gcc version 5.4.0 20160609 (Ubuntu
5.4.0-6ubuntu1~16.04.2) ) #19 SMP Wed Nov 28 20:32:27 CST 2018
What other information do you need to see? Please send me the order. I can provide it
Can you give me some guidance on what I need to do next, thank you
As I said, 16.04
doesn't have nss-pem, 18.04 was the first release that
came with it. Besides, 16.04 is EOL since April 2021 (unless you're
paying for ESM).
--
t
3:45 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users kirjoitti 29.7.2022 klo 9.16:
As I said, 16.04
doesn't have nss-pem, 18.04 was the first release that
came with it. Besides, 16.04 is EOL since April 2021 (unless you're
paying for ESM).
So this is an unsolvable problem, right?
Or force an NSS-PEM installation on 16.04?
Or Freeipa ca-full to care-less, delete the certificate service related to PKI-Tomcat. Is
there any tutorial recommended for this?
8:28 a.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
> roy liang via FreeIPA-users kirjoitti 29.7.2022 klo 9.16:
> As I said, 16.04
> doesn't have nss-pem, 18.04 was the first release that
> came with it. Besides, 16.04 is EOL since April 2021 (unless you're
> paying for ESM).
So this is an unsolvable problem, right?
Or force an NSS-PEM installation on 16.04?
Maybe. You're way out in uncharted territory but I don't believe it will
hurt anything.
Or Freeipa ca-full to care-less, delete the certificate service
related to PKI-Tomcat. Is there any tutorial recommended for this?
You already tried this right?
rob
10:06 p.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
Maybe. You're way out in uncharted territory but I don't believe it will
hurt anything.
In my current state, I cannot copy the new copy of FREEIPA. If I
cannot copy the new copy, there will be a big problem one day.
Or is there some other way, that does not require PKI-Tomcat related services, to finish
copying a new copy out?
You already tried this right?
Yes, I tried, but my version and circumstances
failed, if there is no better way, I will try again, but it will take a lot of time to
verify.It would be nice to have documentation on this.
>
> rob
9:08 p.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
> roy liang via FreeIPA-users wrote:
>
> Maybe. You're way out in uncharted territory but I don't believe it will
> hurt anything.
In my current state, I cannot copy the new copy of FREEIPA. If I cannot copy the new
copy, there will be a big problem one day.
Or is there some other way, that does not require PKI-Tomcat related services, to finish
copying a new copy out?
>
> You already tried this right?
Yes, I tried, but my version and circumstances failed, if there is no better way, I will
try again, but it will take a lot of time to verify.It would be nice to have documentation
on this.
Like I've said, there is no documentation for this, a system that is
unrenewable because of a missing library.
I do have another suggestion on something to try. It's a bit half-baked
and who knows, you may have already tried it.
I'd strongly urge trying this on a clone of your production CA.
IIRC you can go back in time where all the certs are valid and the CA is
operational, right? If so, do that. If not you're still going to be
stuck and you can stop reading.
Bring up a new server one running CentOS or RHEL, and set time back on
it as well. Preferably running 4.6.8 (RHEL 7). This is the closest to
your current version.
Install it as a client with -N to skip syncing time, then run
ipa-replica-install -N for the same reason. If you get that far, try
running ipa-ca-install. This may well give you a working CA. At that
point you'd set it as a the CA renewal master, etc (see the RHEL docs)
and you'd be back in business.
There would be more to do afterward but lets not get ahead of ourselves.
rob
9:38 p.m.
New subject: Ubuntu uses /etc/apache2/nssdb instead of the /etc/httpd/alias service and the certificate store.
roy liang via FreeIPA-users wrote:
Like I've said, there is no documentation for this, a system that is
unrenewable because of a missing library.
I do have another suggestion on something to try. It's a bit half-baked
and who knows, you may have already tried it.
I'd strongly urge trying this on a clone of your production CA.
IIRC you can go back in time where all the certs are valid and the CA is
operational, right? If so, do that. If not you're still going to be
stuck and you can stop reading.
Bring up a new server one running CentOS or RHEL, and set time back on
it as well. Preferably running 4.6.8 (RHEL 7). This is the closest to
your current version.
Install it as a client with -N to skip syncing time, then run
ipa-replica-install -N for the same reason. If you get that far, try
running ipa-ca-install. This may well give you a working CA. At that
point you'd set it as a the CA renewal master, etc (see the RHEL docs)
and you'd be back in business.
There would be more to do afterward but lets not get ahead of ourselves.
rob
We have communicated with the operation and maintenance staff of the company and asked
them to install libnsspem.so to test the FreeiPA renewal certificate. After I have done
enough tests, I will deploy it online. It will be great if it is possible.
Executing on the server
/usr/lib/x86_64-linux-gnu/libnsspem.so
ldconfig
620
days inactive
634
days old
freeipa-users@lists.fedorahosted.org
14 comments
3 participants
participants (3)
-
Rob Crittenden -
roy liang -
Timo Aaltonen