Hello,
Today I realized that the https certificate for my freeipa web ui has expired. I tried to renew it using:

# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

So it seemed to go well. I tried to restart ipa but it failed:

# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Failed to start httpd Service
Shutting down

What went wrong? I'm running in a freeipa-server docker on a linux server... It is quite a big deal since I can not run my master freeipa anymore even from a backup!
Thanks.
logs
===

# systemctl status httpd.service
* httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           `-abc.conf
   Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago
  Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
  Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
  Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 28717 (code=exited, status=1/FAILURE)

Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa : INFO KDC proxy enabled
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server.

and (excerpt from journalctl -xe)

-- The start-up result is done.
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
The problem is that the SSL certificate was not renewed by the "ipa-cacert-manage renew" command. So the http server refuses to start. Hence my question: what is the correct way to renew the SSL certificate ??
Thanks.
Ummm if I understand "man ipa-cacert-manage" correctly then it sounds like you have renewed the CA certificate which presumably would invalidate all existing certificates it has authorised.
From your description it sounded like you just wanted the CA to issue a new certificate for your IPA UI, this you can do via the interface.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
On Wed, Jul 12, 2017 at 11:38 AM, Callum Guy callum.guy@x-on.co.uk wrote:
> Ummm if I understand "man ipa-cacert-manage" correctly then it sounds like you have renewed the CA certificate which presumably would invalidate all existing certificates it has authorised.
I guess you are right. It rather seems that the SSL certificate of the web UI is not tracked by ipa:
# ipa-getcert list
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio.com@QUARTZBIO.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

but the actual certificate is in /etc/httpd/alias:

# certutil -L -d /etc/httpd/alias/ -n "Server-Cert"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=QUARTZBIO.COM"
        Validity:
            Not Before: Thu Jul 09 09:42:56 2015
            Not After : Sun Jul 09 09:42:56 2017
> From your description it sounded like you just wanted the CA to issue a new certificate for your IPA UI, this you can do via the interface.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request-ui

I'm not so sure: inspecting the host corresponding to my replica which is working (SSL certificate still valid), shows:

Host Certificate
Certificate: No Valid Certificate

Moreover these certificates already exist, they just should be renewed.

Anyway I still tried, but the submission of a newly generated certificate failed with "error, expired certificate"
Thank you for your help.
Yes. Yikes. Karl, I already replied to your earlier thread, but `ipa-cacert-renew` was not the right command to run.
On Wed, Jul 12, 2017 at 09:38:44AM +0000, Callum Guy via FreeIPA-users wrote:
> Ummm if I understand "man ipa-cacert-manage" correctly then it sounds like you have renewed the CA certificate which presumably would invalidate all existing certificates it has authorised.
No, it does not invalidate existing certs, unless you change the key, CA name or (for an externally-signed CA) you chain the new CA cert up to an untrusted superior CA.
BUT! The notBefore time of the new CA cert will be the time of issuance. If you then wind the time back prior to this time, it will mean that the service certificates are within the validity period, but the certificate of the issuing CA is not (i.e. it is NOT YET VALID). Thus the service certs will not be accepted.

To recover from this situation you should reinstall the old CA certificate via ipa-cacert-manage. If you can't find a copy of that lying around you should (for a self-signed IPA CA) be able to retrieve it from LDAP under ou=certificateRepository,ou=ca,o=ipaca. (Probably cn=1,ou=certificateRepository,ou=ca,o=ipaca but you should check the subject and validity before installing it to make sure the particulars are correct). The attribute you want is 'userCertificate;binary'.
HTH, Fraser
Hi,
> To recover from this situation you should reinstall the old CA certificate via ipa-cacert-manage. If you can't find a copy of that lying around you should (for a self-signed IPA CA) be able to retrieve it from LDAP under ou=certificateRepository,ou=ca,o=ipaca. (Probably cn=1,ou=certificateRepository,ou=ca,o=ipaca but you should check the subject and validity before installing it to make sure the particulars are correct). The attribute you want is 'userCertificate;binary'.
Actually after ipa-cacert-manage, I used a backup to roll back the changes, so I do think that my CA has not been actually changed. I was just surprised not to be able to restart the httpd service, but it was due to the expired SSL certificate.
Thanks a lot. Karl
On Thu, Jul 13, 2017 at 10:55:39AM +0200, Karl Forner wrote:
> Hi,
>
>> To recover from this situation you should reinstall the old CA certificate via ipa-cacert-manage. If you can't find a copy of that lying around you should (for a self-signed IPA CA) be able to retrieve it from LDAP under ou=certificateRepository,ou=ca,o=ipaca. (Probably cn=1,ou=certificateRepository,ou=ca,o=ipaca but you should check the subject and validity before installing it to make sure the particulars are correct). The attribute you want is 'userCertificate;binary'.
>
> Actually after ipa-cacert-manage, I used a backup to roll back the changes, so I do think that my CA has not been actually changed. I was just surprised not to be able to restart the httpd service, but it was due to the expired SSL certificate.
Thanks; I missed the detail about the rollback.
I think the problem is that the web UI certificate is not tracked by Certmonger. I compared with my replica server which seems alright:
master server (with expired certificate):

# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio.com@QUARTZBIO.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

replica server (with valid certificate):

# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20151223161521':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-12-23 16:03:52 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv QUARTZBIO-COM
    track: yes
    auto-renew: yes
Request ID '20151223162016':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-12-23 16:03:59 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

There are two things that seem weird to me:
1. the only tracked certificate on my master seems wrong: non-existing location: /tmp/webserver.key and wrong host name apache.quartzbio.com
2. the replica server tracks 2 certificates, and the second seems the correct SSL certificate.
I tried tracking the certificate from /etc/httpd/alias on the server:
# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt
# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio.com@QUARTZBIO.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20170712124534':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-07-09 09:42:56 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

As you can see, it almost worked, except for the "ca-error: Unable to determine principal name for signing request." message. What does it mean?
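The master/replica comparison in the last message can be automated. The following is an added example, not part of the thread and not FreeIPA or certmonger code: it parses `ipa-getcert list` text and reports expected NSS stores that are untracked, carry a `ca-error`, have an empty post-save command, or are expired. The `EXPECTED` list, the 28-day warning window and the trimmed sample listing are assumptions constructed from the output quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the master's listing after start-tracking, trimmed to
# the fields the audit reads.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20150826135329':
    status: MONITORING
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    post-save command:
Request ID '20170712124534':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-07-09 09:42:56 UTC
    post-save command:
"""

# Assumption: the stores a server should track, modelled on the replica listing.
EXPECTED = [
    ("/etc/dirsrv/slapd-QUARTZBIO-COM", "Server-Cert"),
    ("/etc/httpd/alias", "Server-Cert"),
]

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")
ATTR_RE = re.compile(r"(\w+)='([^']*)'")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} parsed from `ipa-getcert list` text."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return requests


def audit(requests, expected, now, warn_days=28):
    """Return a list of (request_id or None, finding) tuples."""
    findings, matched = [], set()
    for location, nickname in expected:
        hits = []
        for rid, req in requests.items():
            attrs = dict(ATTR_RE.findall(req.get("certificate", "")))
            if attrs.get("location") == location and attrs.get("nickname") == nickname:
                hits.append((rid, req))
        if not hits:
            findings.append((None, f"{location}:{nickname} is not tracked"))
        for rid, req in hits:
            matched.add(rid)
            if "ca-error" in req:
                findings.append((rid, "ca-error: " + req["ca-error"]))
            if not req.get("post-save command"):
                findings.append((rid, "post-save command is empty"))
            expires = datetime.strptime(
                req["expires"], "%Y-%m-%d %H:%M:%S UTC"
            ).replace(tzinfo=timezone.utc)
            if expires <= now:
                findings.append((rid, f"expired {expires:%Y-%m-%d}"))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((rid, f"expires within {warn_days} days"))
    # Requests pointing at stores nobody expects (e.g. files under /tmp).
    for rid in requests:
        if rid not in matched:
            findings.append((rid, "tracks a store outside the expected list"))
    return findings


if __name__ == "__main__":
    now = datetime(2017, 7, 12, 13, 0, tzinfo=timezone.utc)  # constructed clock
    for rid, msg in audit(parse_getcert_list(SAMPLE), EXPECTED, now):
        print(f"{rid or '-'}: {msg}")
```
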