On 25.7.2022 16.33, Rob Crittenden wrote:
roy liang via FreeIPA-users wrote:
I made the following soft link:
ln -s /etc/apache2/nssdb /etc/httpd/alias
But it still returns code 77 as well, so what do I need to do?

root@migration-ipa-65-186:/.ipa/log# tailf renew.log
2022-04-09T16:02:13Z    21810   MainThread      ipa     DEBUG   stderr=*   
Trying
10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 
8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM 
certificates
will not work.
* Closing connection 0
GET
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=12&xml=true";
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
results = "(null)"

2022-04-09T16:02:22Z    21811   MainThread      ipa     DEBUG   Initializing 
principal
host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
/etc/krb5.keytab
2022-04-09T16:02:22Z    21811   MainThread      ipa     DEBUG   using ccache
/var/run/certmonger/tmp-FYfJPZ/ccache
2022-04-09T16:02:22Z    21811   MainThread      ipa     DEBUG   Attempt 1/1: 
success
2022-04-09T16:02:22Z    21811   MainThread      ipa     DEBUG   Loading 
StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:23Z    21811   MainThread      
ipa.ipapython.ipaldap.SchemaCache
DEBUG   flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from 
SchemaCache
2022-04-09T16:02:23Z    21811   MainThread      
ipa.ipapython.ipaldap.SchemaCache
DEBUG   retrieving schema for SchemaCache
url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f307a537290>
2022-04-09T16:02:24Z    21811   MainThread      ipa     DEBUG   Starting 
external process
2022-04-09T16:02:24Z    21811   MainThread      ipa     DEBUG
args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:24Z    21811   MainThread      ipa     DEBUG   Process 
finished, return
code=3
2022-04-09T16:02:24Z    21811   MainThread      ipa     DEBUG   stdout=Error 77 
connecting
to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
Problem with the SSL CA cert (path? access rights?).

2022-04-09T16:02:24Z    21811   MainThread      ipa     DEBUG   stderr=*   
Trying
10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 
8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM 
certificates
will not work.
* Closing connection 0
GET
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=13&xml=true";
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
results = "(null)"

2022-04-09T16:02:32Z    21809   MainThread      ipa     DEBUG   Initializing 
principal
host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
/etc/krb5.keytab
2022-04-09T16:02:32Z    21809   MainThread      ipa     DEBUG   using ccache
/var/run/certmonger/tmp-svWgpP/ccache
2022-04-09T16:02:32Z    21809   MainThread      ipa     DEBUG   Attempt 1/1: 
success
2022-04-09T16:02:32Z    21809   MainThread      ipa     DEBUG   Loading 
StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:33Z    21809   MainThread      
ipa.ipapython.ipaldap.SchemaCache
DEBUG   flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from 
SchemaCache
2022-04-09T16:02:33Z    21809   MainThread      
ipa.ipapython.ipaldap.SchemaCache
DEBUG   retrieving schema for SchemaCache
url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbd8bfd6f80>
2022-04-09T16:02:34Z    21809   MainThread      ipa     DEBUG   Starting 
external process
2022-04-09T16:02:34Z    21809   MainThread      ipa     DEBUG
args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:34Z    21809   MainThread      ipa     DEBUG   Process 
finished, return
code=3
2022-04-09T16:02:34Z    21809   MainThread      ipa     DEBUG   stdout=Error 77 
connecting
to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
Problem with the SSL CA cert (path? access rights?).

2022-04-09T16:02:34Z    21809   MainThread      ipa     DEBUG   stderr=*   
Trying
10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 
8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM 
certificates
will not work.
* Closing connection 0
GET
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=14&xml=true";
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
results = "(null)"

2022-04-09T16:02:42Z    21812   MainThread      ipa     DEBUG   Initializing 
principal
host/migration-ipa-65-186.hiido.host.yydevops.com(a)YYDEVOPS.COM using keytab
/etc/krb5.keytab
2022-04-09T16:02:42Z    21812   MainThread      ipa     DEBUG   using ccache
/var/run/certmonger/tmp-DSagx_/ccache
2022-04-09T16:02:42Z    21812   MainThread      ipa     DEBUG   Attempt 1/1: 
success
2022-04-09T16:02:42Z    21812   MainThread      ipa     DEBUG   Loading 
StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:43Z    21812   MainThread      
ipa.ipapython.ipaldap.SchemaCache
DEBUG   flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from 
SchemaCache
2022-04-09T16:02:43Z    21812   MainThread      
ipa.ipapython.ipaldap.SchemaCache
DEBUG   retrieving schema for SchemaCache
url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f1c70811b00>
2022-04-09T16:02:44Z    21812   MainThread      ipa     DEBUG   Starting 
external process
2022-04-09T16:02:44Z    21812   MainThread      ipa     DEBUG
args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:44Z    21812   MainThread      ipa     DEBUG   Process 
finished, return
code=3
2022-04-09T16:02:44Z    21812   MainThread      ipa     DEBUG   stdout=Error 77 
connecting
to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...:
Problem with the SSL CA cert (path? access rights?).

2022-04-09T16:02:44Z    21812   MainThread      ipa     DEBUG   stderr=*   
Trying
10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 
8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM 
certificates
will not work.
* Closing connection 0
GET
"https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview?requestId=15&xml=true";
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
results = "(null)"

root@migration-ipa-65-186:/.ipa/log# ll /etc/httpd/alias
lrwxrwxrwx 1 root root 18 Apr 10 00:00 /etc/httpd/alias -> /etc/apache2/nssdb

hello
Can I get some attention?
Using Ubuntu to install FreeIPA is an addition left by the company, and I also feel very sorry about it. If I fix the expiration problem, I will migrate to CentOS, but I need to solve the certificate expiration problem first. Ubuntu does not use /etc/httpd/alias as the service and certificate store; it uses /etc/apache2/nssdb.

There is nothing special about /etc/httpd/alias. The certmonger tracking
should already be using /etc/apache2/nssdb. If not I'd correct it. This
database is likely baked in other places as well.

I think the key may be this message:

* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL
PEM certificates will not work

IIRC there was a problem on old Ubuntu where renewal couldn't happen
because the RA cert couldn't be loaded because libnsspem was missing.
Timo, do you recall what version(s) of IPA this affected?

libnsspem has been in the distro since 18.04 ("bionic"), though it's called nss-plugin-pem since

I think this installation was somehow rolled manually, because the packaging has used the right nssdb location for a long time now


--
t
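A small triage routine for the helper output quoted above, added here as an example (it is not FreeIPA or certmonger code and was not posted in the thread). It assumes, as Rob's reply states, that /etc/apache2/nssdb is the database the tracking should use, and it runs over constructed sample lines in the same format as the renew.log excerpt, unwrapped onto single lines.

```python
import re

# Constructed sample: the lines from the thread's renew.log that matter for triage,
# each unwrapped onto a single line (the mail archive wrapped them).
SAMPLE_LOG = """\
2022-04-09T16:02:24Z    21811   MainThread      ipa     DEBUG   args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:24Z    21811   MainThread      ipa     DEBUG   Process finished, return code=3
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
code = 77
code_text = "Problem with the SSL CA cert (path? access rights?)"
"""

# Assumption: the NSS database the Ubuntu packaging (and certmonger tracking) should use.
EXPECTED_NSSDB = "/etc/apache2/nssdb"


def triage_renew_log(text, expected_nssdb=EXPECTED_NSSDB):
    """Extract the facts behind an 'Error 77' renewal failure and list what to check."""
    r = {"certpath": None, "pem_plugin_missing": False,
         "curl_code": None, "helper_rc": None, "findings": []}

    m = re.search(r"Initializing NSS with certpath:\s*(?:sql:|dbm:)?(\S+)", text)
    if m:
        r["certpath"] = m.group(1)              # database the helper actually opened
    r["pem_plugin_missing"] = "failed to load NSS PEM library" in text
    m = re.search(r"^code = (\d+)\s*$", text, re.M)
    if m:
        r["curl_code"] = int(m.group(1))        # curl/NSS result reported by the helper
    m = re.search(r"return\s*code=(\d+)", text)
    if m:
        r["helper_rc"] = int(m.group(1))        # exit status of dogtag-ipa-renew-agent-submit

    if r["certpath"] and r["certpath"] != expected_nssdb:
        r["findings"].append(
            f"helper opened {r['certpath']} instead of {expected_nssdb}; "
            "check the certmonger tracking request and other places the path is baked in")
    if r["pem_plugin_missing"]:
        r["findings"].append(
            "libnsspem.so could not be loaded, so PEM certificates (e.g. the RA cert) "
            "cannot be used; verify the NSS PEM plugin package (nss-plugin-pem on Ubuntu) is installed")
    if r["curl_code"] == 77:
        r["findings"].append(
            "curl error 77: the CA cert could not be read from the certpath; "
            "confirm it is present there and readable by the renew helper")
    return r
```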
_______________________________________________
FreeIPA-users mailing list -- [email protected]