Bug 1039281

Summary:	Error: httpd + mod_nss + "NSSOCSP on" -> Unable to verify certificate 'Server-Cert'
Product:	[Fedora] Fedora	Reporter:	Jose Luis Godoy <joseluis.gms>
Component:	mod_nss	Assignee:	Matthew Harmsen <mharmsen>
Status:	CLOSED NOTABUG	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	25	CC:	cfu, dpal, hkario, mharmsen, nkinder, rcritten
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-02-03 13:43:49 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Jose Luis Godoy 2013-12-07 14:23:30 UTC

Description of problem:

We're testing http + mod_nss + "NSSOCSP on" to verify that certificates are revoked. We get the following errors in log file:

-SSL Library Error: -8071 The OCSP server experienced an internal error
-Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

The server works perfectly in ssl mode (NSSOCSP off).

Version-Release number of selected component (if applicable):

httpd-2.4.6-2.fc18.x86_64
mod_nss-1.0.8-24.fc18.x86_64
ocspd-1.9.0-1.fc18.x86_64
openssl-1.0.1e-30.fc18.x86_64
openssl-libs-1.0.1e-30.fc18.x86_64

How reproducible:
Easy


Steps to Reproduce:
1. Install mod_nss-1.0.8-24.fc18.x86_64

2. Configure /etc/httpd/conf.d/nss.conf
...
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSVerifyClient require
...
NSSOCSP on
NSSOCSPDefaultResponder on
NSSOCSPDefaultURL http://192.168.88.132:2560
NSSOCSPDefaultName ocspd
...
LogLevel nss:trace2
...

3. Remove certificates from /etc/httpd/alias nss database
# certutil -K -n Server-Cert -d /etc/httpd/alias
# certutil -D -n cacert -d /etc/httpd/alias
# certutil -D -n alpha -d /etc/httpd/alias

4. Install new certificates for server and ocsp into /etc/httpd/alias nss database: all certificates have been generated with openssl, with "NSSOCSP off" httpd works perfectly in ssl mode, and the ocsp responder answers to openssl command:

# openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -cert jose.crt
Response verify OK
jose.crt: good
	This Update: Dec  1 06:56:12 2013 GMT
	Next Update: Dec  7 14:16:58 2013 GMT

# openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -cert fred.crt
Response verify OK
fred.crt: revoked
	This Update: Dec  1 06:56:12 2013 GMT
	Next Update: Dec  7 14:17:48 2013 GMT
	Reason: superseded
	Revocation Time: Dec  1 05:41:26 2013 GMT

# openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -serial 3
Response verify OK
3: revoked
	This Update: Dec  1 06:56:12 2013 GMT
	Next Update: Dec  7 14:18:36 2013 GMT
	Reason: superseded
	Revocation Time: Dec  1 05:41:26 2013 GMT

# certutil -A -n "signing-ca" -t "CT,," -d /etc/httpd/alias -a -i signing-ca.crt
# certutil -A -n "root-ca" -t "CT,," -d /etc/httpd/alias -a -i root-ca.crt 
# certutil -A -n "ocspd" -t "CT,," -d /etc/httpd/alias -a -i ocspd.crt
# openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "Server-Cert" -passout pass:foo
# pk12util -i server.p12 -d /etc/httpd/alias -W foo

# certutil -L -d /etc/httpd/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

signing-ca                                                   CT,, 
root-ca                                                      CT,, 
Server-Cert                                                  u,u,u
ocspd                                                        CT,,

# certutil -K  -d /etc/httpd/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      d7179b5f122c582cefc61b99d7eb9c2f244c1e19   Server-Cert

# certutil -O -n Server-Cert  -d /etc/httpd/nssdb/
"root-ca" [CN=Simple Root CA,OU=Simple Root CA,O=Simple Inc,DC=simple,DC=org]

  "signing-ca" [CN=Simple Signing CA,OU=Simple Signing CA,O=Simple Inc,DC=simple,DC=org]

    "Server-Cert" [CN=192.168.88.131,OU=Simple Server,O=Simple Inc,DC=simple,DC=org]

# certutil -O -n ocspd  -d /etc/httpd/alias
"root-ca" [CN=Simple Root CA,OU=Simple Root CA,O=Simple Inc,DC=simple,DC=org]

  "signing-ca" [CN=Simple Signing CA,OU=Simple Signing CA,O=Simple Inc,DC=simple,DC=org]

    "ocspd" [CN=192.168.88.132,OU=Simple OCSPD,O=Simple Inc,DC=simple,DC=org]



Actual results:

[Sat Dec 07 14:28:55.720062 2013] [:error] [pid 6382:tid 140000995559488] SSL Library Error: -8071 The OCSP server experienced an internal error
[Sat Dec 07 14:28:55.720096 2013] [:error] [pid 6382:tid 140000995559488] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

The server httpd doesn't start.

Expected results:

The server httpd starts and query de ocsp server with answer like:

"SSL Library Error: -8180 Certificate has been revoked"

when the certificate is revoked.

Additional info:

Comment 1 Jose Luis Godoy 2013-12-07 16:18:05 UTC

Hi:

I have continued with testing httpd + mod_nss + "NSSOCSP on", I can say the error is due to the ocsp responder is stopped, if the ocsp responder is started httpd starts and the communication with the ocspd works fine.

At first I think there was a problem with certificates and their ca chains but not.

I think this a serious problem that confusing me with and not referenced in any documentation I read, httpd must start even if ocspd is not started and display the WARNING but this can not be an error, it could be a possible solution to check ocspd at regular intervals.

Please, can you solve this?

Thanks.

José Luis

Comment 2 Rob Crittenden 2013-12-13 13:54:13 UTC

The initial error message seemed clear to me, stating that the OCSP check failed.

It is purposely a big hammer, not starting the server at all, if the certificate cannot be verified.

I'd be more inclined to improve the "We aren't starting because..." error message.

Comment 3 Fedora End Of Life 2013-12-21 14:48:30 UTC

This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Jaroslav Reznik 2015-03-03 15:18:49 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 5 Matthew Harmsen 2016-01-05 22:16:50 UTC

Per discussion with rcritten, will try to fix this upstream as time permits for inclusion in some future release.

(better OCSP error msg at startup)

Comment 6 Fedora End Of Life 2016-07-19 18:59:24 UTC

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 7 Rob Crittenden 2016-07-19 19:12:57 UTC

Re-opening, still need a more descriptive error.

Comment 8 Jan Kurik 2016-07-26 04:45:07 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 9 Rob Crittenden 2017-02-03 13:43:49 UTC

Looked at this again and still think the error was rather clear from a client perspective. It would be nicer if NSS would report better errors but from the context of NSS all I know is that verifying the server certificate failed with a given error code. I could add more text but it would just be restating the problem.

I'm going to leave things as-is.