I made the following soft link:
ln -s /etc/apache2/nssdb /etc/httpd/alias
But I get return code 77 as well, so what do I need to do?
root@migration-ipa-65-186:/.ipa/log# tailf renew.log
2022-04-09T16:02:13Z 21810 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profil..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-FYfJPZ/ccache
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:22Z 21811 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
2022-04-09T16:02:23Z 21811 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f307a537290>
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Starting external process
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Process finished, return code=3
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profil..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-svWgpP/ccache
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:32Z 21809 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
2022-04-09T16:02:33Z 21809 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbd8bfd6f80>
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Starting external process
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG Process finished, return code=3
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profil..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Initializing principal host/migration-ipa-65-186.hiido.host.yydevops.com@YYDEVOPS.COM using keytab /etc/krb5.keytab
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-DSagx_/ccache
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Attempt 1/1: success
2022-04-09T16:02:42Z 21812 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG flushing ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 from SchemaCache
2022-04-09T16:02:43Z 21812 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldap://migration-ipa-65-186.hiido.host.yydevops.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f1c70811b00>
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Starting external process
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG args=/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -vv
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG Process finished, return code=3
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stdout=Error 77 connecting to https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/pro...: Problem with the SSL CA cert (path? access rights?).
2022-04-09T16:02:44Z 21812 MainThread ipa DEBUG stderr=* Trying 10.12.65.186...
* Connected to migration-ipa-65-186.hiido.host.yydevops.com (10.12.65.186) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
GET "https://migration-ipa-65-186.hiido.host.yydevops.com:8443/ca/agent/ca/profil..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
root@migration-ipa-65-186:/.ipa/log# ll /etc/httpd/alias
lrwxrwxrwx 1 root root 18 Apr 10 00:00 /etc/httpd/alias -> /etc/apache2/nssdb
Hello, can I get some attention? Installing FreeIPA on Ubuntu is something left behind by the company, and I also feel very sorry about it. If I fix the expiration problem I will migrate to CentOS, but I need to solve the certificate expiration problem first. Ubuntu does not use /etc/httpd/alias as the service and certificate store; it uses /etc/apache2/nssdb.
roy liang via FreeIPA-users wrote:
There is nothing special about /etc/httpd/alias. The certmonger tracking should already be using /etc/apache2/nssdb. If not I'd correct it. This database is likely baked in other places as well.
I think the key may be this message:
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work
IIRC there was a problem on old Ubuntu where renewal couldn't happen because the RA cert couldn't be loaded because libnsspem was missing. Timo, do you recall what version(s) of IPA this affected?
rob
On 25.7.2022 16.33, Rob Crittenden wrote:
libnsspem has been in the distro since 18.04 ("bionic"), though it's called nss-plugin-pem since
I think this installation was somehow rolled manually, because the packaging has used the right nssdb location for a long time now
On 25.7.2022 16.33, Rob Crittenden wrote:
Hello, my system is Ubuntu 16.04. I did not find this libnsspem package; what should I do?
root@ubuntu:/home/liangrui# find / -name libnsspem*
root@ubuntu:/home/liangrui#
# apt-get update -y
# apt-get install -y libnsspem
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libnsspem
On 25.7.2022 16.33, Rob Crittenden wrote:
Ubuntu 16.04 does not have libnsspem. Should it have used libnss3?
root@migration-ipa-65-186:/home/liangrui# dpkg -l|grep libnss3
ii  libnss3:amd64      2:3.28.4-0ubuntu0.16.04.14  amd64  Network Security Service libraries
ii  libnss3:i386       2:3.28.4-0ubuntu0.16.04.14  i386   Network Security Service libraries
ii  libnss3-1d:amd64   2:3.28.4-0ubuntu0.16.04.14  amd64  Network Security Service libraries - transitional package
ii  libnss3-dev:amd64  2:3.28.4-0ubuntu0.16.04.14  amd64  Development files for the Network Security Service libraries
ii  libnss3-nssdb      2:3.28.4-0ubuntu0.16.04.14  all    Network Security Security libraries - shared databases
ii  libnss3-tools      2:3.28.4-0ubuntu0.16.04.14  amd64  Network Security Service tools
roy liang via FreeIPA-users wrote:
You may want to broaden your search for just pem.
It's possible this was never available in your release. I don't know if it can be backported or not.
What this does is lets flat files, which in this case contain the RA certificate and private key necessary for IPA to authenticate to the CA, be used by an NSS database by making them appear as a PKCS#11 device.
rob
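The two checks Rob describes across his replies (that certmonger's NSS certpath resolves to a usable database, and that the PEM module which lets the flat RA cert and key files appear to NSS as a PKCS#11 device actually loaded) can be scripted against renew.log. The following is an added example written for this thread, not FreeIPA or certmonger code: the host name, IP address and log sample are constructed, and the fake database directory it builds stands in for /etc/apache2/nssdb.

```python
"""Diagnostic for the renewal failure in this thread (added example; not
FreeIPA or certmonger code). Groups renew.log lines by helper PID, records
the NSS certpath, curl result code and whether libnsspem.so loaded, then
checks the certpath on disk: database files present, PEM module registered
in pkcs11.txt. Host, IP and the log sample are constructed placeholders."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

LOG_RE = re.compile(r"^(\S+Z) (\d+) MainThread (\S+) (\w+) (.*)$")
CERTPATH_RE = re.compile(r"Initializing NSS with certpath: (\S+)")
RESULT_RE = re.compile(r'code = (\d+) code_text = "([^"]*)"')
NSSPEM_WARN = "failed to load NSS PEM library"

# Constructed sample in the format seen in the thread (placeholder host/IP).
SAMPLE_LOG = """\
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG Process finished, return code=3
2022-04-09T16:02:24Z 21811 MainThread ipa DEBUG stderr=* Trying 192.0.2.10...
* Connected to ipa.example.test (192.0.2.10) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates
will not work.
* Closing connection 0
GET "https://ipa.example.test:8443/ca/agent/ca/..." code = 77 code_text = "Problem with the SSL CA cert (path? access rights?)" results = "(null)"
2022-04-09T16:02:34Z 21809 MainThread ipa DEBUG stderr=* Trying 192.0.2.10...
* Initializing NSS with certpath: sql:/etc/apache2/nssdb
* Closing connection 0
GET "https://ipa.example.test:8443/ca/agent/ca/..." code = 0 code_text = "No error" results = "..."
"""

@dataclass
class HelperRun:
    pid: str
    certpath: Optional[str] = None
    nsspem_missing: bool = False
    curl_code: Optional[int] = None
    curl_text: str = ""

def parse_renew_log(text):
    """One HelperRun per PID; lines without a timestamp (curl's stderr and
    the wrapped warning text) are continuations of the most recent PID."""
    runs, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = LOG_RE.match(line)
        if m:
            current = runs.setdefault(m.group(2), HelperRun(m.group(2)))
            line = m.group(5).split("stderr=", 1)[-1]
        elif current is None:
            continue
        cp = CERTPATH_RE.search(line)
        if cp:
            current.certpath = cp.group(1)
        if NSSPEM_WARN in line:
            current.nsspem_missing = True
        r = RESULT_RE.search(line)
        if r:
            current.curl_code, current.curl_text = int(r.group(1)), r.group(2)
    return runs

def diagnose(runs):
    """{pid: findings}. curl 77 together with the libnsspem warning means the
    PEM-backed RA cert/key could not be presented, wherever certpath points."""
    report = {}
    for pid, run in runs.items():
        findings = []
        if run.curl_code == 77:
            findings.append("curl 77: %s (certpath %s)" % (run.curl_text, run.certpath))
        if run.nsspem_missing:
            findings.append("libnsspem.so not loaded: PEM cert/key files unusable by NSS")
        report[pid] = findings
    return report

def check_nssdb(certpath):
    """'sql:DIR' uses cert9.db/key4.db; 'dbm:DIR' or a bare DIR uses cert8.db/
    key3.db. Symlinks are resolved (so /etc/httpd/alias is checked at its
    target); sql databases record loaded PKCS#11 modules in pkcs11.txt."""
    kind, sep, d = certpath.partition(":")
    if not sep or kind not in ("sql", "dbm"):
        kind, d = "dbm", certpath
    d = os.path.realpath(d)
    expected = ("cert9.db", "key4.db") if kind == "sql" else ("cert8.db", "key3.db")
    missing = [f for f in expected if not os.path.isfile(os.path.join(d, f))]
    pem, p11 = False, os.path.join(d, "pkcs11.txt")
    if kind == "sql" and os.path.isfile(p11):
        with open(p11) as fh:
            pem = any(l.startswith("library=") and "libnsspem" in l for l in fh)
    return {"dir": d, "missing": missing, "pem_module_registered": pem}

def make_fake_nssdb(with_pem_module=True, with_symlink=True):
    """Constructed fixture: a throwaway sql-style layout (empty .db files are
    enough for the path checks); returns the certpath to probe."""
    root = tempfile.mkdtemp(prefix="nssdb-demo-")
    real = os.path.join(root, "apache2-nssdb")
    os.mkdir(real)
    for name in ("cert9.db", "key4.db"):
        open(os.path.join(real, name), "w").close()
    modules = "library=\nname=NSS Internal PKCS #11 Module\n\n"
    if with_pem_module:
        modules += "library=libnsspem.so\nname=PEM\n\n"
    with open(os.path.join(real, "pkcs11.txt"), "w") as fh:
        fh.write(modules)
    if not with_symlink:
        return "sql:" + real
    link = os.path.join(root, "httpd-alias")
    os.symlink(real, link)
    return "sql:" + link

if __name__ == "__main__":
    for pid, findings in diagnose(parse_renew_log(SAMPLE_LOG)).items():
        print(pid, findings or ["no problem detected"])
    print(check_nssdb(make_fake_nssdb()))
```

Run as a script it prints the per-PID findings for the sample and the fixture check; on a live host, feed the real renew.log to parse_renew_log and pass the certpath from the "Initializing NSS with certpath" line to check_nssdb. A run that shows curl code 77 next to the libnsspem warning while the database files are all present points at the missing PEM module rather than at the symlink, which is the distinction Rob draws.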
roy liang via FreeIPA-users wrote:
Like this? What do I need to do next?
# find / -name *.pem*
/usr/local/i386/comm_repos/platform/yy-cacert.pem /usr/local/i386/comm_repos/platform/yy-cacert-20220212.pem.bak /usr/lib/python2.7/dist-packages/twisted/test/server.pem /usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing1.pem /usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing2-duplicate.pem /usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/chain.pem /usr/lib/python2.7/dist-packages/twisted/internet/test/fake_CAs/thing2.pem /usr/lib/python2.7/dist-packages/twisted/mail/test/server.pem /usr/share/gnupg2/sks-keyservers.netCA.pem /usr/share/doc/libnet-ssleay-perl/examples/server_key.pem /usr/share/doc/libssl-doc/demos/sign/cert.pem /usr/share/doc/libssl-doc/demos/sign/key.pem /usr/share/doc/libssl-doc/demos/smime/cakey.pem /usr/share/doc/libssl-doc/demos/smime/cacert.pem /usr/share/doc/libssl-doc/demos/smime/signer2.pem /usr/share/doc/libssl-doc/demos/smime/signer.pem /usr/share/doc/libssl-doc/demos/easy_tls/cacerts.pem /usr/share/doc/libssl-doc/demos/easy_tls/cert.pem /usr/share/doc/libssl-doc/demos/bio/server.pem /usr/share/doc/libssl-doc/demos/privkey.pem /usr/share/doc/libssl-doc/demos/tunala/CA.pem /usr/share/doc/libssl-doc/demos/tunala/A-client.pem.gz /usr/share/doc/libssl-doc/demos/tunala/A-server.pem.gz /usr/share/doc/libssl-doc/demos/cms/cakey.pem /usr/share/doc/libssl-doc/demos/cms/cacert.pem /usr/share/doc/libssl-doc/demos/cms/signer2.pem /usr/share/doc/libssl-doc/demos/cms/signer.pem /etc/apache2/nssdb/kra-agent.pem /etc/ssl/certs/SwissSign_Platinum_CA_-_G2.pem /etc/ssl/certs/COMODO_RSA_Certification_Authority.pem /etc/ssl/certs/NetLock_Business_=Class_B=_Root.pem /etc/ssl/certs/E-Tugra_Certification_Authority.pem /etc/ssl/certs/certSIGN_ROOT_CA.pem /etc/ssl/certs/NetLock_Qualified_=Class_QA=_Root.pem /etc/ssl/certs/Security_Communication_Root_CA.pem /etc/ssl/certs/Swisscom_Root_EV_CA_2.pem /etc/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/OISTE_WISeKey_Global_Root_GB_CA.pem /etc/ssl/certs/AffirmTrust_Premium.pem /etc/ssl/certs/Global_Chambersign_Root_-_2008.pem /etc/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.pem /etc/ssl/certs/Certigna.pem /etc/ssl/certs/EC-ACC.pem /etc/ssl/certs/thawte_Primary_Root_CA_-_G2.pem /etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G3.pem /etc/ssl/certs/CA_Disig_Root_R2.pem /etc/ssl/certs/Camerfirma_Chambers_of_Commerce_Root.pem /etc/ssl/certs/DigiCert_Assured_ID_Root_G2.pem /etc/ssl/certs/Secure_Global_CA.pem /etc/ssl/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem /etc/ssl/certs/Chambers_of_Commerce_Root_-_2008.pem /etc/ssl/certs/Starfield_Root_Certificate_Authority_-_G2.pem /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem /etc/ssl/certs/WoSign.pem /etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem /etc/ssl/certs/DigiCert_Trusted_Root_G4.pem /etc/ssl/certs/ApplicationCA_-_Japanese_Government.pem /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_2.pem /etc/ssl/certs/OISTE_WISeKey_Global_Root_GA_CA.pem /etc/ssl/certs/SecureTrust_CA.pem /etc/ssl/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem /etc/ssl/certs/Buypass_Class_2_Root_CA.pem /etc/ssl/certs/Certinomis_-_Root_CA.pem /etc/ssl/certs/IGC_A.pem /etc/ssl/certs/AffirmTrust_Commercial.pem /etc/ssl/certs/NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem /etc/ssl/certs/Entrust_Root_Certification_Authority_-_EC1.pem /etc/ssl/certs/Starfield_Class_2_CA.pem /etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem /etc/ssl/certs/Security_Communication_RootCA2.pem /etc/ssl/certs/Hongkong_Post_Root_CA_1.pem /etc/ssl/certs/Equifax_Secure_CA.pem /etc/ssl/certs/TeliaSonera_Root_CA_v1.pem /etc/ssl/certs/CA_WoSign_ECC_Root.pem /etc/ssl/certs/QuoVadis_Root_CA.pem /etc/ssl/certs/CNNIC_ROOT.pem /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/D-TRUST_Root_Class_3_CA_2_2009.pem 
roy liang via FreeIPA-users wrote:
You may want to broaden your search to just pem.
It's possible this was never available in your release. I don't know if it can be backported or not.
What this does is let flat files, which in this case contain the RA certificate and private key necessary for IPA to authenticate to the CA, be used by an NSS database by making them appear as a PKCS#11 device.
rob
Like this? What do I need to do next?
You searched for the wrong thing. We want to see if the NSS pem library is installed so drop the leading dot.
If it isn't, you'll need to try to find it for your OS release and see if that helps.
If it isn't available, I don't know what to tell you.
rob
# find / -name *.pem*
Oh, OK. Happy to provide all information. Did you say to bring that up?
libnssckbi.so -> /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
ll /etc/apache2/nssdb
total 180
-rwxrwxrwx 1 root root      1349 May 10  2020 cacert.asc
-rwxrwxrwx 1 root www-data 65536 Apr 20 01:01 cert8.db
-rwxrwxrwx 1 root www-data 65536 May 10  2020 cert8.db.orig
-rwxrwxrwx 1 root root      5148 May 10  2020 install.log
-rwxrwxrwx 1 root www-data 16384 Apr 20 01:01 key3.db
-rwxrwxrwx 1 root www-data 16384 May 10  2020 key3.db.orig
-rwxrwxrwx 1 root www-data  3343 May 10  2020 kra-agent.pem
lrwxrwxrwx 1 root root        43 Dec 10  2015 libnssckbi.so -> /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
-rwxrwxrwx 1 root www-data    20 May 10  2020 pwdfile.txt
-rwxrwxrwx 1 root www-data 16384 May 10  2020 secmod.db
-rwxrwxrwx 1 root www-data 16384 May 10  2020 secmod.db.orig
And then I did the natural log here
# ll /etc/httpd/alias
lrwxrwxrwx 1 root root 18 Apr 27 05:15 /etc/httpd/alias -> /etc/apache2/nssdb
# cat /proc/version Linux version 4.9.0-141-custom (root@yy.com) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2) ) #19 SMP Wed Nov 28 20:32:27 CST 2018
What other information do you need to see? Please send me the order. I can provide it. Can you give me some guidance on what I need to do next? Thank you.
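An added POSIX shell diagnostic (not code from the thread or from FreeIPA) for the two things the exchange above turns on: whether the NSS PEM module libnsspem.so is installed anywhere in the given library directories, and whether the NSS database that /etc/httpd/alias points at exists and is not world-writable, since the RA agent key lives there. The default search directories and the world-writable rule are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from FreeIPA. Default library
# directories below are an assumption, not something the thread states.

# nsspem_find [DIR:DIR:...]
# Prints the first libnsspem.so found below the given directories and
# returns 0; returns 1 when none is found (the Ubuntu 16.04 case above).
nsspem_find() {
    dirs=${1:-/usr/lib:/usr/lib64:/usr/lib/x86_64-linux-gnu}
    oldifs=$IFS
    IFS=:
    set -- $dirs          # split the colon-separated list into positionals
    IFS=$oldifs
    for d in "$@"; do
        [ -d "$d" ] || continue
        hit=$(find "$d" -name 'libnsspem.so*' 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# nssdb_check DIR
# Returns 0 when DIR (a symlink such as /etc/httpd/alias is followed) holds
# an NSS database and none of its db/pem/password files is world-writable;
# otherwise prints each problem found and returns 1.
nssdb_check() {
    dir=$1
    rc=0
    if [ ! -e "$dir/cert8.db" ] && [ ! -e "$dir/cert9.db" ]; then
        echo "no cert8.db/cert9.db in $dir: not an NSS database directory"
        return 1
    fi
    for f in "$dir"/*.db "$dir"/*.pem "$dir"/pwdfile.txt; do
        [ -e "$f" ] || continue
        # -L follows symlinks; column 9 of the mode string is the
        # "others" write bit.
        mode=$(ls -ldL "$f" | cut -c1-10)
        case $mode in
            ????????w?) echo "world-writable: $f"; rc=1 ;;
        esac
    done
    return $rc
}
```

On the host in the thread, nssdb_check /etc/httpd/alias would report every db, pem and pwdfile entry in the listing above as world-writable.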
As I said, 16.04 doesn't have nss-pem, 18.04 was the first release that came with it. Besides, 16.04 is EOL since April 2021 (unless you're paying for ESM).
So this is an unsolvable problem, right? Or force an NSS-PEM installation on 16.04? Or FreeIPA CA-full to CA-less, delete the certificate service related to PKI-Tomcat. Is there any tutorial recommended for this?
roy liang via FreeIPA-users wrote:
So this is an unsolvable problem, right? Or force an NSS-PEM installation on 16.04?
Maybe. You're way out in uncharted territory but I don't believe it will hurt anything.
Or FreeIPA CA-full to CA-less, delete the certificate service related to PKI-Tomcat. Is there any tutorial recommended for this?
You already tried this right?
rob
roy liang via FreeIPA-users wrote:
Maybe. You're way out in uncharted territory but I don't believe it will hurt anything.
In my current state, I cannot copy the new copy of FreeIPA. If I cannot copy the new copy, there will be a big problem one day. Or is there some other way, that does not require PKI-Tomcat related services, to finish copying a new copy out?
You already tried this right?
Yes, I tried, but my version and circumstances failed. If there is no better way, I will try again, but it will take a lot of time to verify. It would be nice to have documentation on this.
rob
Like I've said, there is no documentation for this, a system that is unrenewable because of a missing library.
I do have another suggestion on something to try. It's a bit half-baked and who knows, you may have already tried it.
I'd strongly urge trying this on a clone of your production CA.
IIRC you can go back in time where all the certs are valid and the CA is operational, right? If so, do that. If not you're still going to be stuck and you can stop reading.
Bring up a new server, one running CentOS or RHEL, and set time back on it as well. Preferably running 4.6.8 (RHEL 7). This is the closest to your current version.
Install it as a client with -N to skip syncing time, then run ipa-replica-install -N for the same reason. If you get that far, try running ipa-ca-install. This may well give you a working CA. At that point you'd set it as the CA renewal master, etc. (see the RHEL docs) and you'd be back in business.
There would be more to do afterward but let's not get ahead of ourselves.
rob
We have communicated with the operation and maintenance staff of the company and asked them to install libnsspem.so to test the FreeIPA renewal certificate. After I have done enough tests, I will deploy it online. It will be great if it is possible.
Executing on the server /usr/lib/x86_64-linux-gnu/libnsspem.so ldconfig