Bug 451098

| Field | Value |
|---|---|
| Summary | ipa-server-certinstall for httpd problem |
| Product | [Retired] freeIPA |
| Reporter | Eric Desgranges <eric> |
| Component | ipa-server |
| Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED ERRATA |
| QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | low |
| Priority | low |
| Version | 1.0 |
| CC | benl |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2008-08-04 18:21:30 UTC |
| Bug Blocks | 453489 |
Description
Eric Desgranges
2008-06-12 19:13:44 UTC

Can you provide the output of:

```
certutil -L -d /etc/httpd/alias
```

```
-----------------------------------------
Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI
Equifax Secure Global eBusiness CA                CT,C,
directory.fronteranet.com - Equifax Secure Inc.   u,u,u
-----------------------------------------
```

Yes, this script assumes that the certificate nickname doesn't change... A fix to get you going is to edit /etc/httpd/conf.d/nss.conf and set NSSNickname to "directory.fronteranet.com - Equifax Secure Inc." It is currently set to Server-Cert. I believe the quotes are necessary for Apache to parse it properly.

It was already set to the right value:

```
-----------------------------------------------
#   SSL Certificate Nickname:
#   The nickname of the RSA server certificate you are going to use.
NSSNickname "directory.fronteranet.com - Equifax Secure Inc."

#   SSL Certificate Nickname:
#   The nickname of the ECC server certificate you are going to use, if you
#   have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
-----------------------------------------------
```

Actually I noticed that the script didn't give httpd the right to read the files in /etc/httpd/alias. Doing a chmod 644 cert8.db secmod.db key3.db fixed the problem.

I was just about to suggest that and got a mid-air collision.
Ok, so the bug is that permissions and ownership aren't set properly after import.
Looks like the fix for the webserver is:
diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst
all/ipa-server-certinstall
index e769627..35fb721 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -19,6 +19,8 @@
#
import sys
+import os
+import pwd
import traceback
@@ -134,7 +136,7 @@ def main():
if options.dirsrv:
dm_password = getpass.getpass("Directory Manager password: ")
realm = get_realm_name()
- dirname = dsinstance.config_dirname(realm)
+ dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re
alm))
server_cert = import_cert(dirname, pkcs12_fname)
set_ds_cert_name(server_cert[0], dm_password)
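Review bot: The `dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))` change in this hunk is unrelated to the permission problem this bug tracks (the later comment says the in-line patch included a fix from another bug) and should be split into its own patch so the web-server fix can be reviewed and backported on its own. As pasted here the `+` line is also wrapped after `re`, so this copy of the patch will not apply verbatim.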
@@ -144,6 +146,16 @@ def main():
print server_cert
set_http_cert_name(server_cert[0])
+ # Fix the database permissions
+ os.chmod(NSS_DIR + "/cert8.db", 0640)
+ os.chmod(NSS_DIR + "/key3.db", 0640)
+ os.chmod(NSS_DIR + "/secmod.db", 0640)
+
+ pent = pwd.getpwnam("apache")
+ os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid )
+ os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid )
+ os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid )
+
except Exception, e:
print "an unexpected error occurred: %s" % str(e)
traceback.print_exc()
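Review bot: Mode 0640 with owner root and group `apache` is the right least-privilege choice for this hunk: `key3.db` holds the server's private key, and the reporter's `chmod 644` workaround would leave it readable by every local user. One ordering point: `pwd.getpwnam("apache")` raises `KeyError` if the user does not exist, and the generic `except Exception, e:` below will only report that as "an unexpected error occurred" after the three `os.chmod` calls have already run, leaving the files in a half-fixed state; look the user up first (or fail with a clear message) and then apply chmod and chown together.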
Created attachment 310671 [details]
fix NSS database file permissions/ownership

The in-line patch included a fix from another bug. The attached patch will fix just the web issue (see bug 451014)

master: ec597b0ef1010b3da4980b5ad2da8c0034b409f2

*** Bug 453758 has been marked as a duplicate of this bug. ***

Need to commit to ipa-1-0 as well

Pushed another minor change to master. Used wrong variable name.

master: fb9f92c9f3dad3b16a739d46928bf8d72cdaf5ac

commits to ipa-1-0:
0d032fb63714db159e8a6044ddc65b43c6c07f41
8fe17d2d06f75b925b4910ace0af3648cac6f086

Verified, bug closed
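As an added illustration of the condition this bug describes (example code written for this page, not code from freeIPA or from the attached patch), the script below audits an NSS database directory such as /etc/httpd/alias for the three legacy database files named in the patch, reports files that are missing, world-readable, writable by others, or owned by the wrong uid/gid, and applies the same repair the patch applies (mode 0640, owner root, group of the web server user). Assumptions: Python 3; the file names cert8.db, key3.db and secmod.db from the patch; the `demo()` function uses the current uid and gid instead of root:apache so it can run unprivileged, and the placeholder files it writes are constructed, not real NSS databases.

```python
"""Audit and repair the file permissions of an NSS database directory.

Example code for bug 451098, not part of freeIPA. Models the fix from the
patch: cert8.db, key3.db and secmod.db must be 0640, owned by root, with
the web server's group, so httpd can read them but other users cannot.
"""
import os
import stat
import tempfile

# The three files that make up a legacy (dbm-format) NSS database, as
# named in the patch in this bug.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")
# owner:group readable only; key3.db holds the server's private key.
EXPECTED_MODE = 0o640


def audit_nss_dir(nss_dir, expected_uid, expected_gid):
    """Return {filename: [problem, ...]} for each database file that deviates
    from owner expected_uid, group expected_gid and a mode with no access
    for "other" and no write access for the group.  Clean files are omitted,
    so an empty dict means the directory is correctly protected."""
    findings = {}
    for name in NSS_DB_FILES:
        path = os.path.join(nss_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings[name] = ["missing"]
            continue
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if mode & 0o004:
            problems.append("world-readable (mode %o)" % mode)
        if mode & 0o002:
            problems.append("world-writable (mode %o)" % mode)
        if mode & 0o020:
            problems.append("group-writable (mode %o)" % mode)
        if st.st_uid != expected_uid:
            problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
        if st.st_gid != expected_gid:
            problems.append("group gid %d, expected %d" % (st.st_gid, expected_gid))
        if problems:
            findings[name] = problems
    return findings


def fix_nss_dir(nss_dir, expected_uid, expected_gid):
    """Apply the repair from the patch: chmod 0640 and chown to
    expected_uid:expected_gid on every database file that exists.
    With real data this is root:apache on /etc/httpd/alias."""
    for name in NSS_DB_FILES:
        path = os.path.join(nss_dir, name)
        if not os.path.exists(path):
            continue
        os.chmod(path, EXPECTED_MODE)
        os.chown(path, expected_uid, expected_gid)


def demo():
    """Build a constructed NSS directory whose files are 0644 (the state the
    reporter's chmod 644 workaround leaves behind), audit it, repair it and
    audit again.  Returns (findings_before, findings_after).  Uses the
    current uid/gid so the chown is permitted for an unprivileged user."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as nss_dir:
        for name in NSS_DB_FILES:
            path = os.path.join(nss_dir, name)
            with open(path, "wb") as fh:
                # Constructed placeholder content, not a real NSS database.
                fh.write(b"placeholder\n")
            os.chmod(path, 0o644)
        before = audit_nss_dir(nss_dir, uid, gid)
        fix_nss_dir(nss_dir, uid, gid)
        after = audit_nss_dir(nss_dir, uid, gid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, problems in sorted(before.items()):
        print("before fix: %s: %s" % (name, "; ".join(problems)))
    print("after fix: %s" % (after if after else "clean"))
```

Run against a live system as root with `audit_nss_dir("/etc/httpd/alias", 0, grp.getgrnam("apache").gr_gid)`; the audit is read-only, so it is safe to run as a periodic check, and `fix_nss_dir` only changes the three database files, never the directory itself.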
Test is below:

```
[root@client64 ~]# ipa-server-certinstall -w --http_pin=redhat123 yi.server.cert.p12
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-server-cert
Certificate number [1]: 2
[root@client64 ~]# cd /etc/dirsrv/slapd-IPAQA-COM/
[root@client64 slapd-IPAQA-COM]# certutil -L -d .

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
CA certificate                              CTu,u,Cu
Server-Cert                                 u,u,u
[root@client64 slapd-IPAQA-COM]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
yi-cert-01                                  CT,C,
yi-server-cert                              u,u,u
```
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html