Fuji San via FreeIPA-users wrote:
Ok I figured out what happened.
After the upgrade to F26, the file /etc/httpd/conf.d/ssl.conf has been modified somehow,
preventing the httpd server from starting.
Line 5: Listen 443 https
I had to comment it.
Line 61: #ServerName myserver.mydomain:443
I had to uncomment it. Somehow it was commented!
Line 103: SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Line 104: #SSLCertificateFile /etc/pki/tls/certs/myserver.mydomain.crt
Line 103 was added and the next line (the original one) was commented. So I removed line
103 and uncommented line 104.
Line 112: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Line 113: #SSLCertificateKeyFile /etc/pki/tls/private/myserver.mydonmain.key
Same here, I removed line 112 and uncommented line 113.
So, the question is: What happened?
Hard to say. IPA does absolutely nothing with mod_ssl so my guess is
that someone installed the package at some point between the last
restart and the upgrade.
I'd recommend uninstalling mod_ssl completely.
rob
-------------------------------------------
$ ipa-server-upgrade
Upgrading IPA:
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: starting directory server
[6/10]: updating schema
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-mydomain/certmap.conf is now managed by IPA. It will be overwritten. A
backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty
zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful
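
A check for the two symptoms described at the top of this thread (an active `Listen 443` in ssl.conf and certificate directives pointing at localhost.crt / localhost.key), written as an added example that is not part of the original messages. The function names, the nss.conf file name and its contents are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example; the sample files are constructed, not taken from a real host.

# Print "<port> <file>" for every uncommented Listen directive in DIR/*.conf.
active_listen() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v f="$(basename "$f")" 'tolower($1) == "listen" {
            n = split($2, a, ":")   # accepts 443, 0.0.0.0:443 and [::]:443
            print a[n], f
        }' "$f"
    done
}

# Print each port claimed by more than one file, followed by those files.
listen_conflicts() {
    active_listen "$1" | sort -u | awk '
        { files[$1] = files[$1] " " $2; count[$1]++ }
        END { for (p in count) if (count[p] > 1) print p ":" files[p] }'
}

# Print active certificate/key directives that point at a localhost.* pair.
placeholder_certs() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v f="$(basename "$f")" '
            tolower($1) ~ /^sslcertificate(key)?file$/ &&
            $2 ~ /\/localhost\.(crt|key)$/ { print f ":" FNR ": " $1 " " $2 }' "$f"
    done
}

# Constructed sample mirroring the thread: ssl.conf beside a mod_nss config
# (assumed here to be nss.conf, also listening on 443).
demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'Listen 443 https' '#ServerName myserver.mydomain:443' \
        'SSLCertificateFile /etc/pki/tls/certs/localhost.crt' \
        '#SSLCertificateFile /etc/pki/tls/certs/myserver.mydomain.crt' \
        'SSLCertificateKeyFile /etc/pki/tls/private/localhost.key' > "$d/ssl.conf"
    printf '%s\n' 'Listen 443' 'NSSEngine on' > "$d/nss.conf"
    echo "$d"
}

sample=$(demo_dir)
echo "Ports claimed by more than one file:"; listen_conflicts "$sample"
echo "Placeholder certificate directives:";  placeholder_certs "$sample"
rm -rf "$sample"
```

On a real host, pass /etc/httpd/conf.d to both functions; `rpm -q mod_ssl` shows whether the package that ships ssl.conf is installed.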