Upgrading fs-ipa from Fedora 31 to Fedora 32

fs-ipa is always a pain when being upgraded between Fedora versions. This time, we had a very similar scenario to last time. The following command - which is run automatically - failed:

sudo ipa-server-upgrade

Systemd service httpd doesn’t start. The following error can be seen in /var/log/httpd/error_log:

[Mon Mar 08 16:18:56.769252 2021] [:error] [pid 1691:tid 1691] Server user apache lacks read access to NSS key database /etc/httpd/alias/key4.db.

Fix this issue like so:

sudo chown -R apache:apache /etc/httpd/alias/

(ref 669963 – mod_nss's postinstall script doesn't work properly)

Then, it claims this in the config file if you try to start httpd.service again:

[Mon Mar 08 16:22:12.415446 2021] [:error] [pid 1776:tid 1776] Password for slot internal is incorrect.
[Mon Mar 08 16:22:12.423420 2021] [:error] [pid 1776:tid 1776] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Mon Mar 08 16:22:12.423488 2021] [:error] [pid 1776:tid 1776] SSL Library Error: -8177 The security password entered is incorrect

The fix for this is to move /etc/httpd/conf.d/nss.conf out of the way:

sudo mv /etc/httpd/conf.d/nss.conf{,.bak}

I seem to remember running that last step before, so it appears to be a long-standing issue with the system.

sudo chmod 640 /etc/httpd/alias/*.db
sudo chgrp apache /etc/httpd/alias/*.db
sudo chmod 640 /etc/httpd/conf/password.conf
sudo chgrp apache /etc/httpd/conf/password.conf

Then, I rebooted and it was all fixed. Hooray!

1 Like

This topic was automatically closed after 24 hours. New replies are no longer allowed.