Bug 711085

Summary: certificates supplied with mod_nss have expired and prevent httpd starting
Product: Red Hat Enterprise Linux 5
Reporter: john.bramley
Component: mod_nss
Assignee: Rob Crittenden <rcritten>
Status: CLOSED WONTFIX
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: unspecified
Version: 5.6
CC: benl, dpal, jb60, rcritten, ryan.dunkerley, vishal.kamble
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-07-06 18:08:20 UTC
Bug Blocks: 719408

Description john.bramley 2011-06-06 13:53:20 UTC
Description of problem:
Certificates created when mod_nss was installed (cacert, Server-Cert and alpha), over four years ago, have expired, preventing httpd (apache) from restarting, with certificate expired errors in /var/log/httpd/error_log

Version-Release number of selected component (if applicable): 

How reproducible:

Steps to Reproduce:
1. rpm -e mod_nss
2. rm /etc/httpd/alias/*
3. service ntpd stop
4. date 060614332006  # set date back over four years
5. yum install mod_nss
6. ntpdate ntp0   # set time back to current time - using our local timeserver in this instance
7. service httpd restart

Actual results:
httpd fails to start: 
Starting httpd:                                            [FAILED]
/var/log/httpd/error_log  contains:
[Mon Jun 06 14:36:45 2011] [error] SSL Library Error: -8181 Certificate has expired
[Mon Jun 06 14:36:45 2011] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

Expected results:
httpd starts successfully, or better error messages.  Should 'NSSEnforceValidCerts off' be the default?  Having a service just stop working after a number of years' service because a certificate it isn't actually using has expired seems very strange behaviour.

Additional info:
httpd was set up and running ok using a properly signed certificate for https traffic (ssl.conf: SSLCertificateFile /etc/pki/tls/certs/mycert.crt); one day, when the system restarted httpd for some reason, it failed to restart with the rather cryptic error message.

A quick fix was to add 'NSSEnforceValidCerts off' as suggested, but figuring out what caused the problem took a fair bit of work.

Removing mod_nss and the certificates it created, and reinstalling allows httpd to start:
rpm -e mod_nss
rm /etc/httpd/alias/*
yum install mod_nss
service httpd restart
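A defender-side check added here (not part of the bug report and not mod_nss's own code): it parses the "Validity" block that `certutil -L -d <dir> -n <nickname>` prints for a certificate in an NSS database such as /etc/httpd/alias, and classifies the certificate as ok, expiring or expired, so an install-time Server-Cert is caught by monitoring before httpd refuses to start. The sample certutil output is constructed; issuer, subject and the 2006 dates are illustrative.

```python
"""Expiry check for certificates in an NSS database (e.g. /etc/httpd/alias)."""
import re
import subprocess
from datetime import datetime

# certutil prints validity lines such as "Not After : Wed Jun 06 13:33:00 2007"
_VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")
_DATE_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample of `certutil -L` output for a cert generated on
# 2006-06-06 with a one-year lifetime (names and dates are illustrative).
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Tue Jun 06 13:33:00 2006
            Not After : Wed Jun 06 13:33:00 2007
        Subject: "CN=www.example.com,O=example.com,C=US"
"""


def _as_dt(now):
    """Accept a datetime or an ISO-8601 string for the reference time."""
    return now if isinstance(now, datetime) else datetime.fromisoformat(now)


def parse_validity(text):
    """Return (not_before, not_after) datetimes from certutil -L output."""
    found = {which: datetime.strptime(stamp, _DATE_FMT)
             for which, stamp in _VALIDITY_RE.findall(text)}
    if "Before" not in found or "After" not in found:
        raise ValueError("no Validity block found in certutil output")
    return found["Before"], found["After"]


def days_remaining(text, now):
    """Whole days until 'Not After' relative to `now`; negative once expired."""
    _, not_after = parse_validity(text)
    return (not_after - _as_dt(now)).days


def classify(text, now, warn_days=30):
    """'expired', 'expiring' (within warn_days) or 'ok' for the parsed cert."""
    days = days_remaining(text, now)
    if days < 0:
        return "expired"
    return "expiring" if days <= warn_days else "ok"


def check_nickname(dbdir, nickname, now=None, warn_days=30):
    """Run certutil against a real NSS database and classify one nickname."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    return classify(out, now or datetime.now(), warn_days)
```

On a live host, `check_nickname("/etc/httpd/alias", "Server-Cert")` runs the same check against the database mod_nss populated at install time.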

Comment 1 Rob Crittenden 2011-06-06 14:39:14 UTC
Enforcing valid certificates is a sanity and security feature. What is unclear about the message, the fact that it is being generated from mod_nss?

If you aren't using mod_nss you can simply remove the package and avoid this altogether.

Comment 2 John Bramley 2011-06-22 13:24:26 UTC
(In reply to comment #1)
> Enforcing valid certificates is a sanity and security feature. What is unclear
> about the message, the fact that it is being generated from mod_nss?
> If you aren't using mod_nss you can simply remove the package and avoid this
> altogether.

Yes, the fact that the problem is generated in mod_nss will result in admins who can't figure it out just adding 'NSSEnforceValidCerts off', resulting in reduced security.

Anyway, by creating this bug entry here, hopefully users who have the same problem can do a search here and get to this page to see a better solution.

Comment 3 Dmitri Pal 2011-07-06 18:06:55 UTC
The issue will be addressed in the later RHEL releases.

Comment 4 Dmitri Pal 2011-07-06 18:08:20 UTC
The issue will not be addressed in RHEL 5.x.

Comment 5 Ryan 2013-04-22 15:48:11 UTC
Questions about the mod_nss reinstall solution. Will this process in any way compromise existing SSL cert + key installations? I've tested this procedure on my dev machine and it works great! However, I want to make sure that if I follow this procedure on my production machine, the keys and installed 3rd party certs will not have to be re-gen'ed. For instance, I have an SSL cert provided from GoDaddy for which I gen'ed the key via openssl on my RH server.

Comment 6 Rob Crittenden 2013-04-22 16:01:39 UTC
There is no re-install solution.

The reported problem was that mod_nss generates a certificate upon first installation. This certificate, like all SSL certificates, eventually expires. mod_nss requires a valid cert for Apache to start. The concern was that for an admin that had installed but never actually ever used the mod_nss package this could be confusing. One solution is to uninstall mod_nss if you aren't using it.

Comment 7 Ryan 2013-04-22 16:21:32 UTC
Thanks for the quick reply! The scenario you describe exactly happened to me... one day Apache went down and couldn't restart... error logs + Google got me to this thread. I tested John's reinstall procedure from above on a dev server, and it re-created the mod_ssl cert as needed for Apache to restart.

What I need to know is if mod_ssl is necessary for use of SSL certs in Apache (particularly ones which use a locally gen'd openssl key and a 3rd party cert, e.g. Starfield Technologies)? I just want to make sure that if I uninstall mod_nss, I won't break existing SSL certs I have in use in Apache.

Comment 8 Rob Crittenden 2013-04-22 17:41:59 UTC
The mod_nss and mod_ssl certificate stores are completely separate. Both are SSL engines, they just use different crypto libraries. One does not rely on the other.

If you aren't using mod_nss then your best bet is to simply uninstall the package.

Comment 9 Mr.Vishal Kamle 2016-10-14 06:19:08 UTC
Thanks Rob Crittenden.
As per your suggestion I have just uninstalled mod_nss and restarted the services;
it's working. I am using CentOS 5.8. Thank you very much.