ipa-server-certinstall -w ... doesn't output any error messages, but httpd doesn't take SSL requests anymore. I'm running Fedora 9.
-------------------------------------
[Thu Jun 12 11:55:43 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:55:43 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:16 2008] [error] Turning off the OCSP default responder failed.
[Thu Jun 12 11:56:16 2008] [error] SSL Library Error: -8187 Security library: invalid arguments
[Thu Jun 12 11:56:19 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:21 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:23 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:25 2008] [error] child process 1566 still did not exit, sending a SIGKILL
[Thu Jun 12 11:56:26 2008] [notice] caught SIGTERM, shutting down
[Thu Jun 12 11:56:27 2008] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Thu Jun 12 11:56:27 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jun 12 11:56:28 2008] [notice] Digest: generating secret for digest authentication ...
[Thu Jun 12 11:56:28 2008] [notice] Digest: done
[Thu Jun 12 11:56:28 2008] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Jun 12 11:56:28 2008] [notice] mod_python: using mutex_directory /tmp
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [notice] Apache/2.2.8 (Unix) DAV/2 mod_auth_kerb/5.3 mod_nss/2.2.8 NSS/3.12 Beta 3 mod_python/3.3.1 Python/2.5.1 configured -- resuming normal operations
[Thu Jun 12 11:56:30 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:31 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:31 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:41 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:42 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:42 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:49 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:49 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:50 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
-------------------------------------
Can you provide the output of: certutil -L -d /etc/httpd/alias
-----------------------------------------
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Equifax Secure Global eBusiness CA                           CT,C,
directory.fronteranet.com - Equifax Secure Inc.              u,u,u
-----------------------------------------
Yes, this script assumes that the certificate nickname doesn't change... A fix to get you going is to edit /etc/httpd/conf.d/nss.conf and set NSSNickname to "directory.fronteranet.com - Equifax Secure Inc." It is currently set to Server-Cert. I believe the quotes are necessary for Apache to parse it properly.
It was already set to the right value:
-----------------------------------------------
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname "directory.fronteranet.com - Equifax Secure Inc."

# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
-----------------------------------------------
Actually I noticed that the script didn't give httpd the right to read the files in /etc/httpd/alias. Doing a chmod 644 cert8.db secmod.db key3.db fixed the problem.
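The two things checked by hand in this thread (does NSSNickname in nss.conf name a certificate that exists in /etc/httpd/alias and carries a private key, and can httpd read cert8.db, key3.db and secmod.db without the files being world-readable) can be scripted. The following is an added example, not part of this report or of the IPA code; it is Python 3, parses the certutil -L listing and nss.conf excerpt quoted above (embedded here as constructed sample text), and builds throwaway empty files in a temporary directory to exercise the permission check, so it runs without a real NSS database. The 0640 / httpd-group expectation follows the patch in this bug rather than the reporter's chmod 644, which would leave the key database readable by every local user.

```python
"""Audit an httpd mod_nss certificate database for the two failure modes in this
bug: an NSSNickname that does not match the imported certificate, and database
files httpd cannot read (or, after a blanket chmod 644, that anyone can read).
Added example (Python 3); not IPA code and not from this report."""
import os
import re
import stat
import tempfile

# Database files mod_nss opens; the same three the patch in this bug chowns.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")

# A `certutil -L` row: nickname (may contain spaces), padding, trust-flag triple.
_LISTING_ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")

# Constructed from the listing and nss.conf excerpt quoted in this report.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Equifax Secure Global eBusiness CA                           CT,C,
directory.fronteranet.com - Equifax Secure Inc.              u,u,u
"""
SAMPLE_CONF = """\
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname "directory.fronteranet.com - Equifax Secure Inc."
#NSSECCNickname Server-Cert-ecc
"""


def parse_certutil_listing(text):
    """Return {nickname: trust_attrs} from `certutil -L -d <dir>` output.
    Rows are anchored on the trailing trust triple, not split on whitespace,
    because nicknames can contain spaces; header lines never match."""
    certs = {}
    for line in text.splitlines():
        m = _LISTING_ROW.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def parse_nss_nickname(conf_text):
    """Return the active NSSNickname value (quotes stripped) or None if unset."""
    for line in conf_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = re.match(r"^NSSNickname\s+(.+?)$", s)
        if m:
            value = m.group(1)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            return value
    return None


def check_nickname(conf_text, listing_text):
    """Findings (empty list means OK) about NSSNickname versus the database."""
    nick = parse_nss_nickname(conf_text)
    certs = parse_certutil_listing(listing_text)
    if nick is None:
        return ["nss.conf has no active NSSNickname directive"]
    if nick not in certs:
        return ["NSSNickname %r is not in the database; available: %s"
                % (nick, ", ".join(sorted(certs)))]
    # 'u' in the SSL trust column means a private key is present; a CA
    # certificate (e.g. 'CT,C,') cannot serve as the server certificate.
    if "u" not in certs[nick].split(",")[0]:
        return ["NSSNickname %r has no private key (trust %s)" % (nick, certs[nick])]
    return []


def check_db_permissions(nss_dir, httpd_gid):
    """Findings about whether httpd (group httpd_gid) can read the database
    without the files being world-readable: what mode 0640 + group apache in
    the patch achieves, and what chmod 644 does not."""
    findings = []
    for name in NSS_DB_FILES:
        path = os.path.join(nss_dir, name)
        try:
            st = os.stat(path)
        except OSError:
            findings.append("%s: missing" % name)
            continue
        mode = stat.S_IMODE(st.st_mode)
        group_readable = st.st_gid == httpd_gid and bool(mode & stat.S_IRGRP)
        world_readable = bool(mode & stat.S_IROTH)
        if not group_readable and not world_readable:
            findings.append("%s: mode %04o gid %d, not readable by httpd gid %d"
                            % (name, mode, st.st_gid, httpd_gid))
        if world_readable:
            findings.append("%s: mode %04o is world-readable" % (name, mode))
    return findings


def make_demo_db(mode):
    """Create a throwaway directory of empty files at `mode` (constructed test
    data, not a real NSS database); returns (directory, gid of the files)."""
    d = tempfile.mkdtemp(prefix="nss-demo-")
    for name in NSS_DB_FILES:
        path = os.path.join(d, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return d, os.stat(os.path.join(d, NSS_DB_FILES[0])).st_gid


if __name__ == "__main__":
    for mode in (0o600, 0o644, 0o640):
        d, gid = make_demo_db(mode)
        print("mode %04o:" % mode, check_db_permissions(d, gid) or "OK")
    print("nickname:", check_nickname(SAMPLE_CONF, SAMPLE_LISTING) or "OK")
```

On a real host you would feed check_nickname the contents of /etc/httpd/conf.d/nss.conf and the output of certutil -L -d /etc/httpd/alias, and call check_db_permissions("/etc/httpd/alias", grp.getgrnam("apache").gr_gid); the demo in __main__ shows the three outcomes side by side: 0600 (the reporter's breakage, httpd cannot read), 0644 (works, but key3.db is readable by everyone) and 0640 with the httpd group (the patch's choice, no findings).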
I was just about to suggest that and got a mid-air collision. Ok, so the bug is that permissions and ownership aren't set properly after import. Looks like the fix for the webserver is: diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst all/ipa-server-certinstall index e769627..35fb721 100644 --- a/ipa-server/ipa-install/ipa-server-certinstall +++ b/ipa-server/ipa-install/ipa-server-certinstall @@ -19,6 +19,8 @@ # import sys +import os +import pwd import traceback @@ -134,7 +136,7 @@ def main(): if options.dirsrv: dm_password = getpass.getpass("Directory Manager password: ") realm = get_realm_name() - dirname = dsinstance.config_dirname(realm) + dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re alm)) server_cert = import_cert(dirname, pkcs12_fname) set_ds_cert_name(server_cert[0], dm_password) @@ -144,6 +146,16 @@ def main(): print server_cert set_http_cert_name(server_cert[0]) + # Fix the database permissions + os.chmod(NSS_DIR + "/cert8.db", 0640) + os.chmod(NSS_DIR + "/key3.db", 0640) + os.chmod(NSS_DIR + "/secmod.db", 0640) + + pent = pwd.getpwnam("apache") + os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid ) + os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid ) + os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid ) + except Exception, e: print "an unexpected error occurred: %s" % str(e) traceback.print_exc()
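Review bot: the second hunk, which changes the dirsrv branch from `dirname = dsinstance.config_dirname(realm)` to `dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))`, alters how the directory server instance path is derived and is unrelated to the NSS database permission problem this bug is about; split it into its own commit with its own bug reference so the permissions fix can be reviewed and backported on its own.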
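Review bot: in the third hunk, `pwd.getpwnam("apache")` raises KeyError if the account does not exist, and because the block runs after `set_http_cert_name(server_cert[0])` inside the `try`, the enclosing `except Exception, e:` would report only "an unexpected error occurred" with the certificate already imported and the nickname already written, leaving the database half-configured; resolve the account (or take the user name from configuration rather than hardcoding "apache") before `import_cert` is called, and prefer `os.path.join(NSS_DIR, "cert8.db")` over string concatenation for the three paths. Mode 0640 with owner root and group apache is the right choice over the reporter's chmod 644: httpd can read the files, and key3.db is not exposed to every local user.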
Created attachment 310671
fix NSS database file permissions/ownership

The in-line patch included a fix from another bug. The attached patch will fix just the web issue (see bug 451014).
master: ec597b0ef1010b3da4980b5ad2da8c0034b409f2
*** Bug 453758 has been marked as a duplicate of this bug. ***
Need to commit to ipa-1-0 as well
Pushed another minor change to master. Used wrong variable name. master: fb9f92c9f3dad3b16a739d46928bf8d72cdaf5ac
commits to ipa-1-0: 0d032fb63714db159e8a6044ddc65b43c6c07f41 8fe17d2d06f75b925b4910ace0af3648cac6f086
Verified, bug closed

Test is below:

[root@client64 ~]# ipa-server-certinstall -w --http_pin=redhat123 yi.server.cert.p12
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-server-cert
Certificate number [1]: 2
[root@client64 ~]# cd /etc/dirsrv/slapd-IPAQA-COM/
[root@client64 slapd-IPAQA-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
[root@client64 slapd-IPAQA-COM]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CT,C,
yi-server-cert                                               u,u,u
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html