SSL Library Error -8181: Certificate has expired

One day, after the server was restarted, Apache would not start. Check the Apache error log:

cat /var/log/httpd/error_log

The following errors are found:

[Wed Aug 25 18:49:00.134257 2021] [:error] [pid 1607] SSL Library Error: -8181 Certificate has expired
[Wed Aug 25 18:49:00.134318 2021] [:error] [pid 1607] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

View the certificate with the following command; the Validity section shows that it has expired:

certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Fri Jan 24 15:03:11 2017
            Not After : Wed Jan 24 15:03:11 2021

A temporary workaround is to disable the certificate validity check until the certificate has been renewed, and to remove the setting again afterwards. To do this, add NSSEnforceValidCerts off to /etc/httpd/conf.d/nss.conf. This only lets httpd start: clients are still presented with the expired certificate until it is replaced.

The permanent solution is to regenerate the certificate. The commands below delete the existing NSS database in /etc/httpd/alias and use mod_nss's gencert script to create a fresh one (gencert issues Server-Cert from a locally generated test CA, which is why the issuer reads "Certificate Shack"):

yum install httpd mod_nss
certutil -d /etc/httpd/alias -L -n Server-Cert
cd /etc/httpd/alias
rm -f *.db
/usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1

Then check that the certificate's expiration date is now in the future:

certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Fri Aug 27 07:27:30 2021
            Not After : Wed Aug 27 07:27:30 2025

Try to start Apache; it still fails. Check the error log again, which now shows a different error:

[Fri Aug 27 15:38:17.483837 2021] [:error] [pid 15043] Server user apache lacks read access to NSS key database /etc/httpd/alias/key3.db.

So the apache user has no read permission on the key3.db file. Check the file attributes:

ls -l /etc/httpd/alias/
total 88
-rw-------. 1 root root 65536 Oct 26 17:26 cert8.db
-rw-------. 1 root root    5872 Oct 26 17:26 install.log
-rw-------. 1 root root 16384 Oct 26 17:26 key3.db
lrwxrwxrwx. 1 root root      24 Nov 15 10:58 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-------. 1 root root 16384 Oct 26 17:26 secmod.db

Then change the owner and permissions of all DB files in the /etc/httpd/alias/ directory:

chown :apache /etc/httpd/alias/*.db
chmod u=rw,g=r /etc/httpd/alias/*.db

The following two commands have the same effect:

chown root.apache /etc/httpd/alias/*.db
chmod 0640 /etc/httpd/alias/*.db

After the change, check the DB file attributes again:

ls -l /etc/httpd/alias/
total 88
-rw-r-----. 1 root apache 65536 Oct 26 17:26 cert8.db
-rw-------. 1 root root    5872 Oct 26 17:26 install.log
-rw-r-----. 1 root apache 16384 Oct 26 17:26 key3.db
lrwxrwxrwx. 1 root root      24 Nov 15 10:58 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r-----. 1 root apache 16384 Oct 26 17:26 secmod.db

Finally, start Apache:

systemctl start httpd

Apache starts successfully.
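As an added example (not code from any of the sources quoted on this page), a small Python script that automates the two checks this walkthrough performs by hand: it parses the Validity block of certutil -L output to classify a certificate against a given clock, and it emulates the Unix read check that explains why the apache user could not open key3.db at 0600 root:root but can at 0640 root:apache. The certutil output embedded in it is constructed from the sample above, and uid 48 for the apache user is an assumption.

```python
"""Expiry and permission checks for a mod_nss (certutil) certificate database."""
import re
import stat
from datetime import datetime, timedelta

# Constructed sample, shaped like `certutil -d /etc/httpd/alias -L -n Server-Cert`.
SAMPLE_CERT = """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Fri Jan 24 15:03:11 2017
            Not After : Wed Jan 24 15:03:11 2021
"""
CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"   # certutil's pretty-print date format

def parse_validity(text):
    """Return (not_before, not_after) from certutil's Validity block."""
    before = re.search(r"Not Before:\s*(.+)", text)
    after = re.search(r"Not After\s*:\s*(.+)", text)   # note the space before ':'
    if not before or not after:
        raise ValueError("no Validity block found in certutil output")
    return (datetime.strptime(before.group(1).strip(), CERTUTIL_DATE),
            datetime.strptime(after.group(1).strip(), CERTUTIL_DATE))

def validity_status(text, now, warn_days=30):
    """'expired' is what NSS reports as -8181; 'expiring' leaves time to renew."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring"
    return "ok"

def can_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Classic Unix DAC read check: owner class, else group class, else other."""
    if proc_uid == 0:            # root bypasses DAC for reading regular files
        return True
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

if __name__ == "__main__":
    print(validity_status(SAMPLE_CERT, datetime(2021, 8, 25, 18, 49)))  # expired
    print(can_read(0o600, 0, 0, 48, {48}))   # False: key3.db as generated (root:root 0600)
    print(can_read(0o640, 0, 48, 48, {48}))  # True: after chown root:apache / chmod 0640
```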

The certificate on the web server has expired

Astra Linux Special Edition 1.6

Diagnostics

  • Check the error messages in the log files:

    /var/log/syslog

    May 29 09:39:51 astra apachectl[1712]: Action 'start' failed.
    May 29 09:39:51 astra apachectl[1712]: The Apache error log may have more information.
    May 29 09:39:51 astra systemd[1]: apache2.service: Control process exited, code=exited status=1
    May 29 09:39:51 astra systemd[1]: Failed to start The Apache HTTP Server.
    May 29 09:39:51 astra systemd[1]: apache2.service: Unit entered failed state.
    May 29 09:39:51 astra systemd[1]: apache2.service: Failed with result 'exit-code'.
    May 29 09:39:51 astra systemd[1]: Stopping Kerberos 5 Key Distribution Center...
    May 29 09:39:51 astra systemd[1]: Stopped Kerberos 5 Key Distribution Center.
    May 29 09:39:51 astra systemd[1]: Stopping Kerberos 5 Admin Server...
    May 29 09:39:51 astra systemd[1]: krb5-admin-server.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
    May 29 09:39:51 astra systemd[1]: Stopped Kerberos 5 Admin Server.
    May 29 09:39:51 astra systemd[1]: krb5-admin-server.service: Unit entered failed state.
    May 29 09:39:51 astra systemd[1]: krb5-admin-server.service: Failed with result 'exit-code'.
    May 29 09:39:52 astra systemd[1]: Stopping BIND Domain Name Server with native PKCS#11...

    /var/log/apache2/error.log

    [Wed May 29 10:22:09.166202 2019] [:warn] [pid 1631] NSSSessionCacheTimeout is deprecated. Ignoring.
    [Wed May 29 10:22:09.251851 2019] [:error] [pid 1631] SSL Library Error: -8181 Certificate has expired
    [Wed May 29 10:22:09.251901 2019] [:error] [pid 1631] Unable to verify certificate 'astra.noname.rf'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

    The problem starts with the apache2 service failing to start; after that the other FreeIPA services (dirsrv, kerberos, bind9-pkcs11) stop as well.

  • The SSL library returns an error saying that the certificate has expired.
    Detailed certificate data:

    # certutil -d /etc/apache2/nssdb/ -L
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    CA Signing Certificate                                       C,,  
    ipa-upd2.gtfo.rbt                                            u,u,u
    root@ipa-upd2:/home/admin# certutil -d /etc/apache2/nssdb/ -L -n ipa-upd2.gtfo.rbt
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                00:93:44:78:ae:18:ed:93:68
            Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
            Issuer: "CN=CA Signing Certificate"
            Validity:
                Not Before: Mon Jun 03 12:12:40 2019
                Not After : Wed Jul 03 12:12:40 2019
            Subject: "CN=ipa-upd2.gtfo.rbt"

    The error occurs when the system time is outside the validity period stated in the certificate (line 18 in the example, the Not After line).

Solution


Hello,
sorry if it is not the right place to post this…

Anyway my problem is:
I realized that the https certificate for my freeipa web ui has expired.
I tried to renew it using:

#ipa-cacert-manage renew
Renewing CA certificate, please wait


CA certificate successfully renewed
The ipa-cacert-manage command was successful

So it seemed it went well. I tried to restart ipa but it failed:

# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Failed to start httpd Service
Shutting down

What went wrong? I’m running in a freeipa-server docker on a linux server…
It is quite a big deal since I cannot run my master freeipa anymore, even from a backup!

Since then, I’m unable to restart freeIPA. I even tried using a backup, restarting the docker container, nothing works. I have a replica running, could it explain that even running from a backup still fails?

I’d really appreciate some help, thanks.

Logs:

# systemctl status httpd.service
* httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           `-abc.conf
   Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago
  Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
  Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
  Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 28717 (code=exited, status=1/FAILURE)

Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa         : INFO     KDC proxy enabled
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server.

and (excerpt from journalctl -xe)

-- The start-up result is done.
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has begun starting up.
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
Jul 11 17:29:16 ipa.quartzbio.com ipa-httpd-kdcproxy[28938]: ipa         : INFO     KDC proxy enabled
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28944:604682474 (system bus name :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Stopping Kerberos 5 KDC...
-- Subject: Unit krb5kdc.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
