Bug 451098 - ipa-server-certinstall for httpd problem
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-server
Version: 1.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Rob Crittenden
QA Contact: Chandrasekar Kannan
Duplicates: 453758
Blocks: 453489
Reported: 2008-06-12 15:13 EDT by Eric Desgranges
Modified: 2015-01-04 18:32 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-08-04 14:21:30 EDT


Attachments
Attachment 310671: fix NSS database file permissions/ownership (1.33 KB, patch), 2008-07-01 10:11 EDT, Rob Crittenden

Description Eric Desgranges 2008-06-12 15:13:44 EDT
ipa-server-certinstall -w ...

doesn't output any error messages but httpd doesn't take SSL requests anymore.

I'm running Fedora 9.

-------------------------------------
[Thu Jun 12 11:55:43 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:55:43 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:16 2008] [error] Turning off the OCSP default responder failed.
[Thu Jun 12 11:56:16 2008] [error] SSL Library Error: -8187 Security library: invalid arguments
[Thu Jun 12 11:56:19 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:21 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:23 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:25 2008] [error] child process 1566 still did not exit, sending a SIGKILL
[Thu Jun 12 11:56:26 2008] [notice] caught SIGTERM, shutting down
[Thu Jun 12 11:56:27 2008] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Thu Jun 12 11:56:27 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jun 12 11:56:28 2008] [notice] Digest: generating secret for digest authentication ...
[Thu Jun 12 11:56:28 2008] [notice] Digest: done
[Thu Jun 12 11:56:28 2008] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Jun 12 11:56:28 2008] [notice] mod_python: using mutex_directory /tmp
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [notice] Apache/2.2.8 (Unix) DAV/2 mod_auth_kerb/5.3 mod_nss/2.2.8 NSS/3.12 Beta 3 mod_python/3.3.1 Python/2.5.1 configured -- resuming normal operations
[Thu Jun 12 11:56:30 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:31 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:31 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:41 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:42 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:42 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:49 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:49 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:50 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
-------------------------------------
Comment 1 Rob Crittenden 2008-06-12 15:20:13 EDT
Can you provide the output of:

certutil -L -d /etc/httpd/alias
Comment 2 Eric Desgranges 2008-06-12 15:26:12 EDT
-----------------------------------------
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Equifax Secure Global eBusiness CA                           CT,C,
directory.fronteranet.com - Equifax Secure Inc.              u,u,u
-----------------------------------------
Comment 3 Rob Crittenden 2008-06-12 15:36:33 EDT
Yes, this script assumes that the certificate nickname doesn't change...

A fix to get you going is to edit /etc/httpd/conf.d/nss.conf and set NSSNickname
to "directory.fronteranet.com - Equifax Secure Inc."

It is currently set to Server-Cert.

I believe the quotes are necessary for Apache to parse it properly.
Comment 4 Eric Desgranges 2008-06-12 15:45:22 EDT
It was already set to the right value:

-----------------------------------------------
#   SSL Certificate Nickname:         
#   The nickname of the RSA server certificate you are going to use.
NSSNickname "directory.fronteranet.com - Equifax Secure Inc."

#   SSL Certificate Nickname:                
#   The nickname of the ECC server certificate you are going to use, if you
#   have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
-----------------------------------------------
Comment 5 Eric Desgranges 2008-06-12 16:20:33 EDT
Actually I noticed that the script didn't give httpd the right to read the files
in /etc/httpd/alias.
Doing a chmod 644 cert8.db secmod.db key3.db fixed the problem.
Comment 6 Rob Crittenden 2008-06-12 16:30:05 EDT
I was just about to suggest that and got a mid-air collision.

Ok, so the bug is that permissions and ownership aren't set properly after import.

Looks like the fix for the webserver is:

diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst
all/ipa-server-certinstall
index e769627..35fb721 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -19,6 +19,8 @@
 #
 
 import sys
+import os
+import pwd
 
 import traceback
 
@@ -134,7 +136,7 @@ def main():
         if options.dirsrv:
             dm_password = getpass.getpass("Directory Manager password: ")
             realm = get_realm_name()
-            dirname = dsinstance.config_dirname(realm)
+            dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re
alm))
             server_cert = import_cert(dirname, pkcs12_fname)
             set_ds_cert_name(server_cert[0], dm_password)
 
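Review bot: the `dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))` change in this hunk is on the dirsrv (-d) path and is unrelated to the httpd permission problem this bug is about; split it into its own patch so the two fixes can be reviewed and backported to ipa-1-0 independently.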
@@ -144,6 +146,16 @@ def main():
             print server_cert
             set_http_cert_name(server_cert[0])
 
+            # Fix the database permissions
+            os.chmod(NSS_DIR + "/cert8.db", 0640)
+            os.chmod(NSS_DIR + "/key3.db", 0640)
+            os.chmod(NSS_DIR + "/secmod.db", 0640)
+
+            pent = pwd.getpwnam("apache")
+            os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid )
+            os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid )
+            os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid )
+
     except Exception, e:
         print "an unexpected error occurred: %s" % str(e)
         traceback.print_exc()
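Review bot: the chmod/chown block runs only after `set_http_cert_name(server_cert[0])` succeeds, so if `import_cert()` or `set_http_cert_name()` raises, or `pwd.getpwnam("apache")` raises KeyError on a host without that user, control drops into the generic `except Exception, e:` below and the database files keep whatever ownership the import left them with, which is the state the reporter hit; move the permission fix directly after `import_cert()` and name the file in the error message. The chosen permissions are the right ones: 0640 owned by root with group apache lets httpd read through the group bit, while the reporter's `chmod 644` would have made key3.db, the private key store, readable by every local user. Minor: the three repeated chmod and chown lines would read better as a loop over the three file names, and `pent.pw_gid )` has a stray space before the closing parenthesis.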
Comment 7 Rob Crittenden 2008-07-01 10:11:25 EDT
Created attachment 310671 [details]
fix NSS database file permissions/ownership

The in-line patch included a fix from another bug. The attached patch will fix
just the web issue (see bug 451014)
Comment 8 Rob Crittenden 2008-07-01 15:13:08 EDT
master: ec597b0ef1010b3da4980b5ad2da8c0034b409f2
Comment 9 Rob Crittenden 2008-07-03 10:44:40 EDT
*** Bug 453758 has been marked as a duplicate of this bug. ***
Comment 10 Rob Crittenden 2008-07-03 13:30:44 EDT
Need to commit to ipa-1-0 as well
Comment 11 Rob Crittenden 2008-07-03 15:25:30 EDT
Pushed another minor change to master. Used wrong variable name.

master: fb9f92c9f3dad3b16a739d46928bf8d72cdaf5ac
Comment 12 Rob Crittenden 2008-07-03 15:27:55 EDT
commits to ipa-1-0:
0d032fb63714db159e8a6044ddc65b43c6c07f41
8fe17d2d06f75b925b4910ace0af3648cac6f086
Comment 15 Yi Zhang 2008-07-25 15:05:28 EDT
Verified, bug closed

Test is below:
[root@client64 ~]# ipa-server-certinstall -w --http_pin=redhat123 yi.server.cert.p12
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-server-cert
Certificate number [1]: 2

[root@client64 ~]# cd /etc/dirsrv/slapd-IPAQA-COM/
[root@client64 slapd-IPAQA-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
[root@client64 slapd-IPAQA-COM]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CT,C,
yi-server-cert                                               u,u,u
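The two things that went wrong in this thread are both checkable before httpd is restarted: Comments 3 and 4 concern an NSSNickname in nss.conf that must match a certificate actually present (with its private key) in the database, and Comments 5 and 6 concern database files that httpd cannot read, where the tempting `chmod 644` over-corrects by making the private key store world-readable. The script below is an added example, not FreeIPA code and not part of the fix committed in this bug; it parses `certutil -L` output and the `NSSNickname` directive, then audits the three database files against the ownership and mode the committed fix uses (owner root, group apache, 0640). The sample listing and nss.conf fragment are constructed copies of what Comments 2 and 4 quote, and the sample database is a throwaway temporary directory so the audit runs unprivileged; on a real server the expected ids would be 0 and `pwd.getpwnam("apache").pw_gid`.

```python
import os
import re
import stat
import tempfile

NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")

# Constructed sample: the `certutil -L` listing quoted in Comment 2.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Equifax Secure Global eBusiness CA                           CT,C,
directory.fronteranet.com - Equifax Secure Inc.              u,u,u
"""

# Constructed sample: the nss.conf fragment quoted in Comment 4.
SAMPLE_CONF = """\
#   SSL Certificate Nickname:
#   The nickname of the RSA server certificate you are going to use.
NSSNickname "directory.fronteranet.com - Equifax Secure Inc."
#NSSECCNickname Server-Cert-ecc
"""

# A nickname, two or more spaces, then a trust column of letters and commas only.
_ENTRY_RE = re.compile(r"^(.*\S)\s{2,}([A-Za-z,]*)\s*$")


def parse_certutil_listing(text):
    """Return {nickname: trust attributes} from `certutil -L` output.
    The header never matches: "Trust Attributes" contains a space and the
    second header line has no nickname column. A looser split would offer
    the header as a certificate, as the selection prompt in Comment 15 does."""
    certs = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m and not line.startswith(" "):
            certs[m.group(1)] = m.group(2)
    return certs


def nss_nickname_from_conf(conf_text):
    """Active NSSNickname value with surrounding quotes removed, or None.
    Lines beginning with '#' are comments, which Apache ignores."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r'^NSSNickname\s+"?(.*?)"?\s*$', line)
        if m:
            return m.group(1)
    return None


def check_nickname(conf_text, listing_text):
    """Comment 3's failure mode: nss.conf names a certificate the database does
    not hold, or one without a private key ('u' absent from the SSL trust field)."""
    nick = nss_nickname_from_conf(conf_text)
    certs = parse_certutil_listing(listing_text)
    if nick is None:
        return ["nss.conf sets no NSSNickname"]
    if nick not in certs:
        return ["NSSNickname %r is not in the database (present: %s)"
                % (nick, ", ".join(sorted(certs)))]
    if "u" not in certs[nick].split(",")[0]:
        return ["NSSNickname %r has no private key (trust %s)" % (nick, certs[nick])]
    return []


def check_db_permissions(dirname, expected_uid, expected_gid):
    """Comment 5's failure mode (httpd cannot read the files) and its
    over-correction (world-readable key3.db after chmod 644)."""
    findings = []
    for name in NSS_DB_FILES:
        path = os.path.join(dirname, name)
        try:
            st = os.stat(path)
        except OSError:
            findings.append("%s: missing" % name)
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append("%s: owner uid %d, expected %d" % (name, st.st_uid, expected_uid))
        if st.st_gid != expected_gid:
            findings.append("%s: group gid %d, expected %d" % (name, st.st_gid, expected_gid))
        if not mode & stat.S_IRGRP:
            findings.append("%s: not group-readable (mode %04o), httpd cannot open it" % (name, mode))
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append("%s: world-accessible (mode %04o)" % (name, mode))
    return findings


def fix_db_permissions(dirname, uid, gid, mode=0o640):
    """Apply the ownership and mode the committed fix uses (0 and the apache
    gid on a real server; the caller's own ids in the unprivileged demo)."""
    for name in NSS_DB_FILES:
        path = os.path.join(dirname, name)
        os.chown(path, uid, gid)
        os.chmod(path, mode)


def current_ids():
    """(uid, gid) of the calling user, so the demo needs no root."""
    return os.getuid(), os.getgid()


def make_sample_db(mode=0o600):
    """Constructed stand-in for /etc/httpd/alias: empty database files in the
    owner-only state the reporter found them in."""
    uid, gid = current_ids()
    dirname = tempfile.mkdtemp(prefix="nss-audit-")
    for name in NSS_DB_FILES:
        path = os.path.join(dirname, name)
        open(path, "wb").close()
        os.chown(path, uid, gid)
        os.chmod(path, mode)
    return dirname
```

Running `check_nickname(SAMPLE_CONF, SAMPLE_LISTING)` returns no findings, matching Comment 4, while `NSSNickname Server-Cert` (the value Comment 3 says the installer assumes) is reported as absent; `check_db_permissions(make_sample_db(), *current_ids())` reports all three files as not group-readable, `fix_db_permissions` with the default 0640 clears that, and a 0644 pass is flagged as world-accessible instead.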
Comment 17 errata-xmlrpc 2008-08-04 14:21:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html
