ipa-restore does not remove /etc/httpd/conf.d/nss.conf and this file prevents successful restart of IPA services (especially httpd server).
ipa-restore fails with the following output:
/usr/sbin/ipa-restore /var/lib/ipa/backup/ipa-full-2018-03-12-15-13-59
Directory Manager (existing master) password:
Preparing restore from /var/lib/ipa/backup/ipa-full-2018-03-12-15-13-59 on vm-master.example.com
Performing FULL restore from FULL backup
Temporary setting umask to 022
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
Disabling all replication.
Unable to get connection, skipping disabling agreements: directory server instance is not running/configured
Stopping IPA services
Configuring certmonger to stop tracking system certificates for CA
Restoring files
Systemwide CA database updated.
Restoring from userRoot in EXAMPLE-COM
Restoring from ipaca in EXAMPLE-COM
Restarting GSS-proxy
Starting IPA services
Restoring umask to 18
CalledProcessError(Command ['/usr/sbin/ipactl', 'start'] returned non-zero exit status 1: 'Existing service file detected!\nAssuming stale, cleaning and proceeding\nFailed to start httpd Service\nShutting down\nHint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed\nAborting ipactl\n')
The ipa-restore command failed. See /var/log/iparestore.log for more information
and httpd fails to start with the following logs in /var/log/httpd/error_log:
[Mon Mar 12 15:52:33.823088 2018] [:error] [pid 33958:tid 139813689901056] Server user apache lacks read access to NSS key database /etc/httpd/alias/key3.db.
ipa-restore should remove /etc/httpd/conf.d/nss.conf and allow the IPA services to restart.
freeipa-master hash 5a6a762fb9d87af6752d3fcdfe309f08804a70b3
Metadata Update from @frenaud: - Issue assigned to frenaud
What happens is that during uninstall, we are restoring mod_nss configuration but we're not removing it on ipa-restore. We can remove all mod_nss conf restoring on uninstall and add mod_nss to our Conflicts in the .spec file, but that would break configuration of the people who would like to use mod_nss for their virtual host. The other solution is just calling httpinstance.disable_nss_conf() on ipa-restore.
master:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
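A diagnostic for the condition reported in this ticket, added here as an example and not taken from the FreeIPA code base: it reports a non-empty nss.conf and checks whether a given uid can read the key3.db named by its NSSCertificateDatabase directive. The function names, the uid/gids parameters and the sample tree are assumptions made for illustration; on a real host you would pass /etc/httpd/conf.d/nss.conf and the apache user's ids.

```python
import os
import re
import stat
import tempfile

# mod_nss directive naming the NSS database directory (optional "sql:"-style prefix)
_DB_RE = re.compile(r'^\s*NSSCertificateDatabase\s+(?:\w+:)?(\S+)', re.M)

def can_read(path, uid, gids):
    """Read check for (uid, gids) from owner/group/other mode bits only (ignores ACLs, SELinux)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_nss_conf(conf_path, uid, gids):
    """Return findings for a leftover mod_nss configuration file."""
    if not os.path.exists(conf_path) or os.path.getsize(conf_path) == 0:
        return []  # absent or empty: no mod_nss directives for httpd to load
    findings = ["%s is present and non-empty" % conf_path]
    with open(conf_path) as f:
        text = f.read()
    for db_dir in _DB_RE.findall(text):
        key_db = os.path.join(db_dir, "key3.db")
        if not os.path.exists(key_db):
            findings.append("%s is missing" % key_db)
        elif not can_read(key_db, uid, gids):
            findings.append("uid %d lacks read access to %s" % (uid, key_db))
    return findings

def build_sample(root, key_mode):
    """Constructed sample tree standing in for /etc/httpd (not real IPA data)."""
    alias = os.path.join(root, "alias")
    os.makedirs(alias, exist_ok=True)
    key_db = os.path.join(alias, "key3.db")
    open(key_db, "wb").close()
    os.chmod(key_db, key_mode)
    conf = os.path.join(root, "nss.conf")
    with open(conf, "w") as f:
        f.write("# constructed sample\nNSSEngine on\nNSSCertificateDatabase %s\n" % alias)
    return conf

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        conf = build_sample(tmp, 0o600)
        other_uid = os.stat(conf).st_uid + 1  # any uid that is not the file owner
        print("\n".join(check_nss_conf(conf, other_uid, set())))
```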