roy liang via FreeIPA-users wrote:
>> I made the following soft link
>> ln -s /etc/apache2/nssdb /etc/httpd/alias
>> But return code 77 as well, so what do I need to do?
>>
>> root@migration-ipa-65-186:/.ipa/log# tailf renew.log
>> 2022-04-09T16:02:13Z 21810 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
>> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
>> * Closing connection 0
>> GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=12&xml=true"
>> code = 77
>> code_text = "Problem with the SSL CA cert (path? access rights?)"
>> results = "(null)"
>>
>> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
>> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-FYfJPZ/ccache
>> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Attempt 1/1: success
>> 2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
>> 2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f307a537290>
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Starting external process
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Process finished, return code=3
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
>>
>> 2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
>> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
>> * Closing connection 0
>> GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=13&xml=true"
>> code = 77
>> code_text = "Problem with the SSL CA cert (path? access rights?)"
>> results = "(null)"
>>
>> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
>> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-svWgpP/ccache
>> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Attempt 1/1: success
>> 2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
>> 2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbd8bfd6f80>
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Starting external process
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Process finished, return code=3
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
>>
>> 2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
>> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
>> * Closing connection 0
>> GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=14&xml=true"
>> code = 77
>> code_text = "Problem with the SSL CA cert (path? access rights?)"
>> results = "(null)"
>>
>> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
>> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-DSagx_/ccache
>> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Attempt 1/1: success
>> 2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
>> 2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f1c70811b00>
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Starting external process
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Process finished, return code=3
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
>>
>> 2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
>> * Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias
>> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
>> * Closing connection 0
>> GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=15&xml=true"
>> code = 77
>> code_text = "Problem with the SSL CA cert (path? access rights?)"
>> results = "(null)"
>>
>> root@migration-ipa-65-186:/.ipa/log# ll /etc/httpd/alias
>> lrwxrwxrwx 1 root root 18 Apr 10 00:00 /etc/httpd/alias -> /etc/apache2/nssdb
>
> Hello,
> Can I get some attention?
> Installing FreeIPA on Ubuntu is something left behind by the company; I also feel very
> sorry about it. If I fix the expiration problem I will migrate to CentOS, but I need to solve the
> certificate expiration problem first. Ubuntu does not use /etc/httpd/alias as the service and
> certificate store; it uses /etc/apache2/nssdb.
There is nothing special about /etc/httpd/alias. The certmonger tracking
should already be using /etc/apache2/nssdb. If not I'd correct it. This
database is likely baked in other places as well.
I think the key may be this message:
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work
IIRC there was a problem on old Ubuntu where renewal couldn't happen
because the RA cert couldn't be loaded because libnsspem was missing.
Timo, do you recall what version(s) of IPA this affected?
libnsspem has been in the distro since 18.04 ("bionic"), though it's
called nss-plugin-pem since
I think this installation was somehow rolled manually, because the
packaging has used the right nssdb location for a long time now
--
t
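A small triage helper for the two points raised in the replies above (certmonger tracking should point at /etc/apache2/nssdb on Ubuntu, and the libnsspem warning is what makes the renewal agent fail with curl error 77). This is an added example, not code from the thread, FreeIPA or certmonger; the `getcert list` output and renew.log excerpt are constructed samples modelled on what was quoted, and the expected database path is an assumption passed as a parameter.

```python
"""Hypothetical triage helper (added example, not code from the thread, FreeIPA or
certmonger): flag tracking entries on the wrong NSS db and the libnsspem/curl-77 symptom."""
import re

# Constructed sample of `getcert list` output; only the second entry is tracked correctly.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20220409160200':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
Request ID '20220409160201':
\tcertificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
"""

# Constructed renew.log excerpt modelled on the lines quoted in the thread.
SAMPLE_RENEW_LOG = """\
2022-04-09T16:02:13Z 21810 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
"""

LOCATION_RE = re.compile(r"type=NSSDB,location='([^']*)'")

def tracking_locations(getcert_output):
    """Map each certmonger request ID to the set of NSS db paths its entry names."""
    entries, current = {}, None
    for line in getcert_output.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = m.group(1)
            entries[current] = set()
        elif current is not None:
            entries[current].update(LOCATION_RE.findall(line))
    return entries

def mistracked(getcert_output, expected="/etc/apache2/nssdb"):
    """Request IDs stored anywhere other than the expected db (assumed: /etc/apache2/nssdb)."""
    return sorted(rid for rid, locs in tracking_locations(getcert_output).items()
                  if locs and locs != {expected})

def diagnose_renew_log(text):
    """Findings from renew.log: missing NSS PEM plugin and curl's CA-cert error 77."""
    findings = []
    if "failed to load NSS PEM library libnsspem.so" in text:
        findings.append("libnsspem.so missing: NSS cannot load PEM certs (package nss-plugin-pem per the thread)")
    m = re.search(r"Initializing NSS with certpath: (\S+)", text)
    if re.search(r"^code = 77$", text, re.M):
        findings.append("curl error 77 (SSL CA cert path/access) with certpath " + (m.group(1) if m else "unknown"))
    return findings
```

Feed it the real `getcert list` output and renew.log on the affected host; an entry reported by `mistracked` should be corrected with `getcert stop-tracking`/`start-tracking`, and a libnsspem finding points at the package rather than the database path.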