Bug 451098 - ipa-server-certinstall for httpd problem
Summary: ipa-server-certinstall for httpd problem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 1.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Duplicates: 453758
Depends On:
Blocks: 453489
 
Reported: 2008-06-12 19:13 UTC by Eric Desgranges
Modified: 2015-01-04 23:32 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-08-04 18:21:30 UTC
Embargoed:


Attachments
fix NSS database file permissions/ownership (1.33 KB, patch), 2008-07-01 14:11 UTC, Rob Crittenden


Links
Red Hat Product Errata RHBA-2008:0643 (normal, SHIPPED_LIVE): ipa bug fix update, last updated 2008-08-04 18:20:50 UTC

Description Eric Desgranges 2008-06-12 19:13:44 UTC
ipa-server-certinstall -w ...

doesn't output any error messages but httpd doesn't take SSL requests anymore.

I'm running Fedora 9.

-------------------------------------
[Thu Jun 12 11:55:43 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:55:43 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:16 2008] [error] Turning off the OCSP default responder failed.
[Thu Jun 12 11:56:16 2008] [error] SSL Library Error: -8187 Security library: invalid arguments
[Thu Jun 12 11:56:19 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:21 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:23 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:25 2008] [error] child process 1566 still did not exit, sending a SIGKILL
[Thu Jun 12 11:56:26 2008] [notice] caught SIGTERM, shutting down
[Thu Jun 12 11:56:27 2008] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Thu Jun 12 11:56:27 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jun 12 11:56:28 2008] [notice] Digest: generating secret for digest authentication ...
[Thu Jun 12 11:56:28 2008] [notice] Digest: done
[Thu Jun 12 11:56:28 2008] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Jun 12 11:56:28 2008] [notice] mod_python: using mutex_directory /tmp
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [notice] Apache/2.2.8 (Unix) DAV/2 mod_auth_kerb/5.3 mod_nss/2.2.8 NSS/3.12 Beta 3 mod_python/3.3.1 Python/2.5.1 configured -- resuming normal operations
[Thu Jun 12 11:56:30 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:31 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:31 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:41 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:42 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:42 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:49 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:49 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:50 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
-------------------------------------

Comment 1 Rob Crittenden 2008-06-12 19:20:13 UTC
Can you provide the output of:

certutil -L -d /etc/httpd/alias

Comment 2 Eric Desgranges 2008-06-12 19:26:12 UTC
-----------------------------------------
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Equifax Secure Global eBusiness CA                           CT,C,
directory.fronteranet.com - Equifax Secure Inc.              u,u,u
-----------------------------------------

Comment 3 Rob Crittenden 2008-06-12 19:36:33 UTC
Yes, this script assumes that the certificate nickname doesn't change...

A fix to get you going is to edit /etc/httpd/conf.d/nss.conf and set NSSNickname
to "directory.fronteranet.com - Equifax Secure Inc."

It is currently set to Server-Cert.

I believe the quotes are necessary for Apache to parse it properly.

Comment 4 Eric Desgranges 2008-06-12 19:45:22 UTC
It was already set to the right value:

-----------------------------------------------
#   SSL Certificate Nickname:         
#   The nickname of the RSA server certificate you are going to use.
NSSNickname "directory.fronteranet.com - Equifax Secure Inc."

#   SSL Certificate Nickname:                
#   The nickname of the ECC server certificate you are going to use, if you
#   have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
-----------------------------------------------


Comment 5 Eric Desgranges 2008-06-12 20:20:33 UTC
Actually I noticed that the script didn't give httpd the right to read the files
in /etc/httpd/alias.
Doing a chmod 644 cert8.db secmod.db key3.db fixed the problem.

Comment 6 Rob Crittenden 2008-06-12 20:30:05 UTC
I was just about to suggest that and got a mid-air collision.

Ok, so the bug is that permissions and ownership aren't set properly after import.

Looks like the fix for the webserver is:

diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst
all/ipa-server-certinstall
index e769627..35fb721 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -19,6 +19,8 @@
 #
 
 import sys
+import os
+import pwd
 
 import traceback
 
@@ -134,7 +136,7 @@ def main():
         if options.dirsrv:
             dm_password = getpass.getpass("Directory Manager password: ")
             realm = get_realm_name()
-            dirname = dsinstance.config_dirname(realm)
+            dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re
alm))
             server_cert = import_cert(dirname, pkcs12_fname)
             set_ds_cert_name(server_cert[0], dm_password)
 
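
Review bot: this hunk is unrelated to the httpd permission problem this bug is about (it changes how the directory server instance directory is derived via `dsinstance.realm_to_serverid(realm)`) and should be a separate commit with its own bug reference so it can be reviewed and backported on its own; comment 7 below confirms it came from another bug. Also note that this `--dirsrv` branch calls `import_cert(dirname, pkcs12_fname)` with no permission fix of the kind added in the next hunk; confirm the dirsrv database files are readable by the directory server after import, or the same class of failure can recur there.
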
@@ -144,6 +146,16 @@ def main():
             print server_cert
             set_http_cert_name(server_cert[0])
 
+            # Fix the database permissions
+            os.chmod(NSS_DIR + "/cert8.db", 0640)
+            os.chmod(NSS_DIR + "/key3.db", 0640)
+            os.chmod(NSS_DIR + "/secmod.db", 0640)
+
+            pent = pwd.getpwnam("apache")
+            os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid )
+            os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid )
+            os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid )
+
     except Exception, e:
         print "an unexpected error occurred: %s" % str(e)
         traceback.print_exc()
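
Review bot: `NSS_DIR` is not defined or imported anywhere in this hunk; verify it is in scope in this file before the `-w` branch runs (comment 11 later reports a wrong variable name in the committed fix). The six chmod/chown calls would be clearer and safer as one loop over ("cert8.db", "key3.db", "secmod.db") doing chown then chmod per file, so a failure part-way cannot leave the three files in mixed states. The chosen target state is the right one: root:apache with 0640 lets httpd read the database while keeping key3.db, which holds the server private key, unreadable by other local users, unlike the `chmod 644` workaround in comment 5 which makes it world-readable. Finally, `pwd.getpwnam("apache")` raises KeyError on a host without that user; that is caught by the generic `except Exception` below, but the printed message will not say which user was missing.
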

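As an added example (not FreeIPA's code, and written for Python 3 rather than the Python 2 of the patch above), the following turns the fix from comment 6 and the workaround from comment 5 into a standalone check and repair for an NSS database directory. The target state root:apache, mode 0640 is taken from the patch; the "world-accessible" finding is what separates that from the `chmod 644` in comment 5, which also makes httpd work but leaves key3.db (the private key database) readable by every local user. The function names `nss_db_problems`, `fix_nss_db_perms`, `gid_for_group` and `demo` are mine; `demo` builds a throwaway directory with constructed, empty database files and uses the current user and group so that it runs unprivileged.

```python
"""Check and repair the permissions on a legacy (DBM) NSS database directory.

Added example, not FreeIPA code.  httpd runs as the "apache" user, so the
database files must be readable by that user's group, while key3.db must
not be readable by anyone else.  The target state (root:apache, 0640) is
the one the patch in comment 6 applies.
"""
import grp
import os
import stat
import tempfile

# The three files that make up a cert8/key3/secmod NSS database, as on this page.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")
NSS_DB_MODE = 0o640  # rw-r-----: owner root, group apache


def gid_for_group(name):
    """Resolve a group name such as "apache" through the group database."""
    return grp.getgrnam(name).gr_gid


def nss_db_problems(nss_dir, owner_uid, group_gid):
    """Return a list of human-readable problems with the database files.

    An empty list means a process in group_gid can read every file and no
    other user can read or write any of them.
    """
    problems = []
    for name in NSS_DB_FILES:
        path = os.path.join(nss_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append("%s: missing" % name)
            continue
        perms = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner_uid:
            problems.append("%s: owner uid %d, expected %d" % (name, st.st_uid, owner_uid))
        if st.st_gid != group_gid:
            problems.append("%s: group gid %d, expected %d" % (name, st.st_gid, group_gid))
        if not perms & stat.S_IRGRP:
            # The failure on this page: httpd cannot open the files, so
            # NSS_Initialize fails with SEC_ERROR_NOT_INITIALIZED.
            problems.append("%s: not group-readable (mode %04o)" % (name, perms))
        if perms & (stat.S_IROTH | stat.S_IWOTH):
            # "chmod 644" (comment 5) makes httpd work but exposes key3.db
            # to every local user, so it is reported rather than accepted.
            problems.append("%s: world-accessible (mode %04o)" % (name, perms))
    return problems


def fix_nss_db_perms(nss_dir, owner_uid, group_gid, mode=NSS_DB_MODE):
    """Set owner, group and mode on each database file.

    chown to uid 0 needs root; the demo below uses the caller's own ids.
    """
    for name in NSS_DB_FILES:
        path = os.path.join(nss_dir, name)
        os.chown(path, owner_uid, group_gid)
        os.chmod(path, mode)


def demo(broken_mode=0o600):
    """Create constructed (empty) database files in a temporary directory with
    broken_mode, as the reporter found them, then repair them.

    Returns (problems_before, problems_after).
    """
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as nss_dir:
        for name in NSS_DB_FILES:
            path = os.path.join(nss_dir, name)
            with open(path, "wb"):
                pass
            os.chmod(path, broken_mode)
        before = nss_db_problems(nss_dir, uid, gid)
        fix_nss_db_perms(nss_dir, uid, gid)
        after = nss_db_problems(nss_dir, uid, gid)
    return before, after


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        before, after = demo(mode)
        print("mode %04o before fix:" % mode)
        for p in before:
            print("  " + p)
        print("after fix:", after or "ok")
```

On a real server the call would be `nss_db_problems("/etc/httpd/alias", 0, gid_for_group("apache"))`, and an empty list is the condition under which mod_nss can initialise the database as the apache user.

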
Comment 7 Rob Crittenden 2008-07-01 14:11:25 UTC
Created attachment 310671 [details]
fix NSS database file permissions/ownership

The in-line patch included a fix from another bug. The attached patch will fix
just the web issue (see bug 451014)

Comment 8 Rob Crittenden 2008-07-01 19:13:08 UTC
master: ec597b0ef1010b3da4980b5ad2da8c0034b409f2

Comment 9 Rob Crittenden 2008-07-03 14:44:40 UTC
*** Bug 453758 has been marked as a duplicate of this bug. ***

Comment 10 Rob Crittenden 2008-07-03 17:30:44 UTC
Need to commit to ipa-1-0 as well

Comment 11 Rob Crittenden 2008-07-03 19:25:30 UTC
Pushed another minor change to master. Used wrong variable name.

master: fb9f92c9f3dad3b16a739d46928bf8d72cdaf5ac

Comment 12 Rob Crittenden 2008-07-03 19:27:55 UTC
commits to ipa-1-0:
0d032fb63714db159e8a6044ddc65b43c6c07f41
8fe17d2d06f75b925b4910ace0af3648cac6f086

Comment 15 Yi Zhang 2008-07-25 19:05:28 UTC
Verified, bug closed

Test is below:
[root@client64 ~]# ipa-server-certinstall -w --http_pin=redhat123 yi.server.cert.p12
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-server-cert
Certificate number [1]: 2

[root@client64 ~]# cd /etc/dirsrv/slapd-IPAQA-COM/
[root@client64 slapd-IPAQA-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
[root@client64 slapd-IPAQA-COM]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CT,C,
yi-server-cert                                               u,u,u


Comment 17 errata-xmlrpc 2008-08-04 18:21:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html

