Bug 451098 - ipa-server-certinstall for httpd problem
Summary: ipa-server-certinstall for httpd problem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 1.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Duplicates: 453758
Depends On:
Blocks: 453489
 
Reported: 2008-06-12 19:13 UTC by Eric Desgranges
Modified: 2015-01-04 23:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-04 18:21:30 UTC


Attachments
fix NSS database file permissions/ownership (deleted)
2008-07-01 14:11 UTC, Rob Crittenden


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0643 normal SHIPPED_LIVE ipa bug fix update 2008-08-04 18:20:50 UTC

Description Eric Desgranges 2008-06-12 19:13:44 UTC
ipa-server-certinstall -w ...

doesn't output any error messages but httpd doesn't take SSL requests anymore.

I'm running Fedora 9.

-------------------------------------
[Thu Jun 12 11:55:43 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:55:43 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:16 2008] [error] Turning off the OCSP default responder failed.
[Thu Jun 12 11:56:16 2008] [error] SSL Library Error: -8187 Security library: invalid arguments
[Thu Jun 12 11:56:19 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:21 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:23 2008] [warn] child process 1566 still did not exit, sending a SIGTERM
[Thu Jun 12 11:56:25 2008] [error] child process 1566 still did not exit, sending a SIGKILL
[Thu Jun 12 11:56:26 2008] [notice] caught SIGTERM, shutting down
[Thu Jun 12 11:56:27 2008] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Thu Jun 12 11:56:27 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jun 12 11:56:28 2008] [notice] Digest: generating secret for digest authentication ...
[Thu Jun 12 11:56:28 2008] [notice] Digest: done
[Thu Jun 12 11:56:28 2008] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Jun 12 11:56:28 2008] [notice] mod_python: using mutex_directory /tmp 
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Thu Jun 12 11:56:28 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Thu Jun 12 11:56:28 2008] [notice] Apache/2.2.8 (Unix) DAV/2 mod_auth_kerb/5.3 mod_nss/2.2.8 NSS/3.12 Beta 3 mod_python/3.3.1 Python/2.5.1 configured -- resuming normal operations
[Thu Jun 12 11:56:30 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:31 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:31 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:41 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:42 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:42 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:49 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:49 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
[Thu Jun 12 11:56:50 2008] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
-------------------------------------

Comment 1 Rob Crittenden 2008-06-12 19:20:13 UTC
Can you provide the output of:

certutil -L -d /etc/httpd/alias

Comment 2 Eric Desgranges 2008-06-12 19:26:12 UTC
-----------------------------------------
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Equifax Secure Global eBusiness CA                           CT,C,
directory.fronteranet.com - Equifax Secure Inc.              u,u,u
-----------------------------------------

Comment 3 Rob Crittenden 2008-06-12 19:36:33 UTC
Yes, this script assumes that the certificate nickname doesn't change...

A fix to get you going is to edit /etc/httpd/conf.d/nss.conf and set NSSNickname
to "directory.fronteranet.com - Equifax Secure Inc."

It is currently set to Server-Cert.

I believe the quotes are necessary for Apache to parse it properly.

Comment 4 Eric Desgranges 2008-06-12 19:45:22 UTC
It was already set to the right value:

-----------------------------------------------
#   SSL Certificate Nickname:         
#   The nickname of the RSA server certificate you are going to use.
NSSNickname "directory.fronteranet.com - Equifax Secure Inc."

#   SSL Certificate Nickname:                
#   The nickname of the ECC server certificate you are going to use, if you
#   have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
-----------------------------------------------


Comment 5 Eric Desgranges 2008-06-12 20:20:33 UTC
Actually I noticed that the script didn't give httpd the right to read the files
in /etc/httpd/alias.
Doing a chmod 644 cert8.db secmod.db key3.db fixed the problem.

Comment 6 Rob Crittenden 2008-06-12 20:30:05 UTC
I was just about to suggest that and got a mid-air collision.

Ok, so the bug is that permissions and ownership aren't set properly after import.

Looks like the fix for the webserver is:

diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst
all/ipa-server-certinstall
index e769627..35fb721 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -19,6 +19,8 @@
 #
 
 import sys
+import os
+import pwd
 
 import traceback
 
@@ -134,7 +136,7 @@ def main():
         if options.dirsrv:
             dm_password = getpass.getpass("Directory Manager password: ")
             realm = get_realm_name()
-            dirname = dsinstance.config_dirname(realm)
+            dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re
alm))
             server_cert = import_cert(dirname, pkcs12_fname)
             set_ds_cert_name(server_cert[0], dm_password)
 
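Review bot: this hunk changes how the directory server's NSS directory is derived (realm_to_serverid(realm) instead of the bare realm), which is unrelated to the httpd file-permission problem this bug is about; it should go in its own commit so the two fixes can be backported and reverted independently (comment 7 later reattaches a patch limited to the web issue).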
@@ -144,6 +146,16 @@ def main():
             print server_cert
             set_http_cert_name(server_cert[0])
 
+            # Fix the database permissions
+            os.chmod(NSS_DIR + "/cert8.db", 0640)
+            os.chmod(NSS_DIR + "/key3.db", 0640)
+            os.chmod(NSS_DIR + "/secmod.db", 0640)
+
+            pent = pwd.getpwnam("apache")
+            os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid )
+            os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid )
+            os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid )
+
     except Exception, e:
         print "an unexpected error occurred: %s" % str(e)
         traceback.print_exc()
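Review bot: NSS_DIR is not defined anywhere in this hunk's context, so confirm it is the name the script actually uses (comment 11 reports a wrong variable name had to be corrected in a follow-up commit). The three chmod/chown pairs repeat the same path and mode; a loop over ("cert8.db", "key3.db", "secmod.db") would make the policy harder to get out of sync. Also note that pwd.getpwnam("apache") raises KeyError when no such account exists and would only surface through the generic "unexpected error" handler, and that 0640 root:apache is the right tightening here: it lets httpd read the database while keeping key3.db, which holds the server's private key, unreadable to other local users, unlike the 644 the reporter used as a workaround.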

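An added example (Python 3, not code from the bug or from FreeIPA) that audits the invariant the patch above establishes, root:apache and mode 0640 on the three NSS database files, and applies the same repair; the group name "apache", the scratch placeholder files and the use of the current uid/gid in demo() are assumptions so it runs unprivileged.

```python
import os
import stat
import tempfile

# The three files an NSS database such as /etc/httpd/alias consists of.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")
WANTED_MODE = 0o640  # owner rw, group r, nothing for "other"

def audit_nss_db(dirname, group_gid, owner_uid=0):
    """Return (file, problem) tuples; empty means the web server group can
    read the database and no other local user can reach the keys in key3.db."""
    problems = []
    for name in NSS_DB_FILES:
        st = os.stat(os.path.join(dirname, name))
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IRWXO:
            problems.append((name, "world-accessible (mode %o)" % mode))
        if not mode & stat.S_IRGRP:
            problems.append((name, "not group-readable (mode %o)" % mode))
        if st.st_gid != group_gid:
            problems.append((name, "wrong group (gid %d)" % st.st_gid))
        if st.st_uid != owner_uid:
            problems.append((name, "wrong owner (uid %d)" % st.st_uid))
    return problems

def fix_nss_db(dirname, group_gid, owner_uid=0):
    """The patch's repair: chmod 0640 and chown owner:group on each file.
    On a real system this runs as root with pwd.getpwnam("apache").pw_gid."""
    for name in NSS_DB_FILES:
        path = os.path.join(dirname, name)
        os.chmod(path, WANTED_MODE)
        os.chown(path, owner_uid, group_gid)

def demo():
    """Reproduce the bug on constructed placeholder files left 0644 after
    'import' (the reporter's workaround mode), then repair them. Uses the
    current uid/gid as stand-ins for root/apache so it runs unprivileged."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as d:
        for name in NSS_DB_FILES:
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(b"placeholder, not a real NSS database\n")
            os.chmod(path, 0o644)
        before = audit_nss_db(d, gid, uid)
        fix_nss_db(d, gid, uid)
        after = audit_nss_db(d, gid, uid)
    return before, after  # before: three world-accessible findings, after: []
```

Run against a live /etc/httpd/alias as root with pwd.getpwnam("apache").pw_gid to check the state the patch is meant to leave behind.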
Comment 7 Rob Crittenden 2008-07-01 14:11:25 UTC
Created attachment 310671 [details]
fix NSS database file permissions/ownership

The in-line patch included a fix from another bug. The attached patch will fix
just the web issue (see bug 451014)

Comment 8 Rob Crittenden 2008-07-01 19:13:08 UTC
master: ec597b0ef1010b3da4980b5ad2da8c0034b409f2

Comment 9 Rob Crittenden 2008-07-03 14:44:40 UTC
*** Bug 453758 has been marked as a duplicate of this bug. ***

Comment 10 Rob Crittenden 2008-07-03 17:30:44 UTC
Need to commit to ipa-1-0 as well

Comment 11 Rob Crittenden 2008-07-03 19:25:30 UTC
Pushed another minor change to master. Used wrong variable name.

master: fb9f92c9f3dad3b16a739d46928bf8d72cdaf5ac

Comment 12 Rob Crittenden 2008-07-03 19:27:55 UTC
commits to ipa-1-0:
0d032fb63714db159e8a6044ddc65b43c6c07f41
8fe17d2d06f75b925b4910ace0af3648cac6f086

Comment 15 Yi Zhang 2008-07-25 19:05:28 UTC
Verified, bug closed

Test is below:
[root@client64 ~]# ipa-server-certinstall -w --http_pin=redhat123 yi.server.cert.p12
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-server-cert
Certificate number [1]: 2

[root@client64 ~]# cd /etc/dirsrv/slapd-IPAQA-COM/
[root@client64 slapd-IPAQA-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
[root@client64 slapd-IPAQA-COM]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CT,C,
yi-server-cert                                               u,u,u


Comment 17 errata-xmlrpc 2008-08-04 18:21:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html

