On 25.7.2022 16.33, Rob Crittenden wrote:
roy liang via FreeIPA-users wrote:
I made the following soft link:
ln -s /etc/apache2/nssdb /etc/httpd/alias
But it returns code 77 as well, so what do I need to do?
root@migration-ipa-65-186:/.ipa/log# tailf renew.log
2022-04-09T16:02:13Z 21810 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profil..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-FYfJPZ/ccache
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f307a537290>
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Starting external process
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Process finished, return code=3
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profil..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-svWgpP/ccache
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbd8bfd6f80>
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Starting external process
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Process finished, return code=3
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profil..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-DSagx_/ccache
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f1c70811b00>
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Starting external process
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Process finished, return code=3
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profil..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
root@migration-ipa-65-186:/.ipa/log# ll /etc/httpd/alias
lrwxrwxrwx 1 root root 18 Apr 10 00:00 /etc/httpd/alias -> /etc/apache2/nssdb
Hello, can I get some attention? Installing FreeIPA on Ubuntu is something left behind by the company, and I am also very sorry about it. Once I fix the expiration problem I will migrate to CentOS, but I need to solve the certificate expiration problem first. Ubuntu does not use /etc/httpd/alias as the service and certificate store; it uses /etc/apache2/nssdb.
There is nothing special about /etc/httpd/alias. The certmonger tracking should already be using /etc/apache2/nssdb. If not I'd correct it. This database is likely baked in other places as well.
I think the key may be this message:
- WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work
IIRC there was a problem on old Ubuntu where renewal couldn't happen because the RA cert couldn't be loaded because libnsspem was missing. Timo, do you recall what version(s) of IPA this affected?
libnsspem has been in the distro since 18.04 ("bionic"), though it's called nss-plugin-pem since
I think this installation was somehow rolled manually, because the packaging has used the right nssdb location for a long time now
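Rob's reply points at two things to verify on the host: where certmonger's tracking requests actually store the RA certificate, and whether libnsspem.so can be loaded at all. The script below is an added example for checking both; it is not from this thread, from FreeIPA or from certmonger. It assumes the usual getcert list output format (lines of the form certificate: type=NSSDB,location='...'), that an NSS sql-format database directory contains cert9.db (dbm format: cert8.db), and that a loadable libnsspem.so shows up in ldconfig -p. The Ubuntu package name nss-plugin-pem in the final message is the one Timo mentions above.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread, FreeIPA or certmonger).
# Assumptions: `getcert list` prints "certificate: type=NSSDB,location='...'"
# lines; an NSS sql database directory holds cert9.db (dbm format: cert8.db);
# `ldconfig -p` lists libnsspem.so when the NSS PEM module is installed.

# Print each NSS database directory referenced by "certificate:" lines of
# `getcert list` output read from stdin, one per line, de-duplicated.
tracked_nssdb_locations() {
    sed -n "s/.*certificate: type=NSSDB,location='\([^']*\)'.*/\1/p" | sort -u
}

# Succeed if DIR exists (symlinks are followed, so the thread's
# /etc/httpd/alias -> /etc/apache2/nssdb passes) and holds an NSS cert DB.
nssdb_usable() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -f "$dir/cert9.db" ] || [ -f "$dir/cert8.db" ]
}

# Succeed if `ldconfig -p` output on stdin mentions libnsspem.so.
libnsspem_listed() {
    grep -q 'libnsspem\.so'
}

# Read `getcert list` output on stdin and print "OK <dir>" or
# "MISSING <dir>" for every tracked database; fail if any is missing.
check_tracked_nssdbs() {
    rc=0
    for d in $(tracked_nssdb_locations); do
        if nssdb_usable "$d"; then
            echo "OK $d"
        else
            echo "MISSING $d"
            rc=1
        fi
    done
    return $rc
}

# Live run (as root, with certmonger and certutil installed):
#   sh check-ipa-renewal.sh --live
if [ "${1:-}" = "--live" ]; then
    getcert list | check_tracked_nssdbs
    for d in $(getcert list | tracked_nssdb_locations); do
        # Pick the certutil prefix matching the on-disk database format.
        prefix=sql:
        [ -f "$d/cert9.db" ] || prefix=dbm:
        # The renewal helper needs the RA agent cert, nickname ipaCert.
        if certutil -L -d "$prefix$d" | grep -q '^ipaCert '; then
            echo "ipaCert present in $d"
        else
            echo "ipaCert NOT found in $d"
        fi
    done
    if ldconfig -p | libnsspem_listed; then
        echo "libnsspem.so found"
    else
        echo "libnsspem.so not found (Ubuntu package per the thread: nss-plugin-pem)"
    fi
fi
```

A MISSING line means the tracking request has to be repointed before any renewal can work; an OK line with a curl code 77 still in renew.log is the situation in this thread, where the path resolves but the NSS PEM module is the missing piece.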