Bug 669963
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | mod_nss's postinstall script doesn't work properly | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Yasuhiro Ozone <yasuhiro.ozone> |
| Component | mod_nss | Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED ERRATA | QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 5.6 | CC | aenright, benl, bloch, Colin.Simpson, dave.armin, dpal, ekuric, ernie.joynt, jgalipea, justin.guidroz, kchamart, lzh1984, madadmin, mailings, massi.ergosum, mpoole, mworsham, nkinder, ohudlick, pasteur, redhatbugzilla, sweigand, ubeck, wnefal+redhatbugzilla |
| Target Milestone | rc | Keywords | Regression, ZStream |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Linux | | |
| Fixed In Version | mod_nss-1.0.8-4.el5 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2013-01-08 07:00:55 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Bug Blocks | 679748 | | |
Description
Yasuhiro Ozone
2011-01-16 09:25:44 UTC
Description of problem:
I updated all packages with the yum tool, and then restarted the host. But the HTTP service didn't start properly. I checked the httpd error reports, and I found the following error messages in them:

```
[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
```

I checked mod_nss's postinstall scripts:

```
# rpm -qa --scripts mod_nss
postinstall scriptlet (using /bin/sh):
umask 077
if [ "$1" -eq 1 ] ; then
    if [ ! -e /etc/httpd/alias/key3.db ]; then
        /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
    fi
    # Make sure that the database ownership is setup properly.
    /usr/bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
    /usr/bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
```

But the actual result:

```
# ls -la /etc/httpd/alias/*.db
-rw------- 1 root root 65536 Dec 12 00:47 /etc/httpd/alias/cert8.db
-rw------- 1 root root 16384 Dec 12 00:47 /etc/httpd/alias/key3.db
-rw------- 1 root root 16384 Dec 12 00:46 /etc/httpd/alias/secmod.db
```

Maybe mod_nss's postinstall script doesn't work properly.

Version-Release number of selected component (if applicable):
mod_ssl-1.0.8.3.el5

```
# rpm -qi mod_nss
Name        : mod_nss                      Relocations: (not relocatable)
Version     : 1.0.8                             Vendor: Red Hat, Inc.
Release     : 3.el5                         Build Date: Tue Dec 14 06:13:30 2010
Install Date: Sun Jan 16 13:12:58 2011      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Daemons   Source RPM: mod_nss-1.0.8-3.el5.src.rpm
Size        : 216702                           License: ASL 2.0
Signature   : DSA/SHA1, Thu Dec 16 16:23:47 2010, Key ID 5326810137017186
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://directory.fedoraproject.org/wiki/Mod_nss
Summary     : SSL/TLS module for the Apache HTTP server
Description :
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.
```

How reproducible:
If you restart the HTTP service, it can be reproduced 100%.

Steps to Reproduce:
1. yum update mod_nss, and dependencies
2. /etc/rc.d/init.d/httpd restart or service httpd restart
3. Check your httpd error reports

Actual results:
Error messages in the log:

```
[error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[notice] child pid 8068 exit signal Segmentation fault (11)
[notice] child pid 8071 exit signal Segmentation fault (11)
<snip>
```

Expected results:
The HTTP service starts properly and completely.

Additional info:
I tried to change the owner and permissions of /etc/httpd/alias/*.db, and then restarted the HTTP service. The following commands:

```
# chmod g+r /etc/httpd/alias/*.db
# chgrp apache /etc/httpd/alias/*.db
# ls -la /etc/httpd/alias/*.db
-rw-r----- 1 root apache 65536 Dec 12 00:47 /etc/httpd/alias/cert8.db
-rw-r----- 1 root apache 16384 Dec 12 00:47 /etc/httpd/alias/key3.db
-rw-r----- 1 root apache 16384 Dec 12 00:46 /etc/httpd/alias/secmod.db
```

I could start the HTTP service properly and completely. Perhaps I think that there is a problem in mod_nss's postinstall script.

---

I'm sorry. mod_nss version 1.0.8.3.el5

---

(In reply to comment #0)

I made a mistake in the version I reported.
> mod_ssl-1.0.8.3.el5
mod_nss-1.0.8.3.el5
---

Was this on a brand new installation of mod_nss or was mod_nss already installed and working?

---

Was advised to watch this bug after watching Bug 451960. I had this problem after installing Release 6 for RHEL5 x86 this morning, and the fix was the permissions update. The strange thing is that I did not have a problem on my other servers after the update, and they have SSL certs.

---

This is occurring on systems that are being updated. The problem is related to the rebase of mod_nss from 1.0.3 to 1.0.8.

In 1.0.3 the NSS database is initialized while the server is still running as root, before it has forked its children. This init-before-fork violated the PKCS#11 spec. Because the initialization happened while root, the database was owned by root:root mode 0600.

1.0.8 initializes NSS in each child, so the database needs to be readable by the group apache. When 1.0.8 is installed for the first time it will generate a new database and ensure that the file ownership is correct. The ownership needs to be root:apache mode 0640.

The bug here is that the %postinstall script tests like this:

```
if [ "$1" -eq 1 ] ; then
```

The incoming value tells how many versions are installed currently. 1 means new install, 2 or higher means upgrade, and 0 means the last version is uninstalled. The test should be:

```
if [ "$1" -gt 0 ] ; then
```

This only affects those upgrading from 1.0.3 to 1.0.8. New installs will be unaffected.

---

Confirming that this issue occurs on existing EL5 systems with the yum httpd group installed; they have the following entries in /var/log/httpd/error_log when requesting an httpd connection:

```
[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[notice] child pid 17734 exit signal Segmentation fault (11)
```

Also confirming that changing group ownership of /etc/httpd/alias/*db to the "apache" group and adding group read permission makes the problem disappear:

```
chgrp apache /etc/httpd/alias/*db
chmod g+w /etc/httpd/alias/*db
```

RPM packages on affected "updated" systems with the above problem:

```
httpd-2.2.3-45.el5
mod_nss-1.0.8-3.el5
mod_ssl-2.2.3-45.el5
```

Comparing with an "un-updated" system without the issue above, it has the following RPMs:

```
httpd-2.2.3-43.el5_5.3
mod_nss-1.0.3-8.el5
mod_ssl-2.2.3-43.el5_5.3
```

---

If you already installed the old package mod_nss-1.0.3*, you would have this trouble, because the bug here is that the %postinstall script tests like this:

```
if [ "$1" -eq 1 ] ; then
```

Thanks Rob Crittenden.

But if you have already installed the old package mod_nss-1.0.3*, you would get the same return code. That is 2. Perhaps I think it is wrong when the package is permuted, and it is not possible to know. If the old package is installed in your systems, you should get the return code 2. If you try to install the new package in your systems, you will get the return code 1. Therefore I have changed the install scripts to the following:

```
if [ "$1" -gt 1 ] ; then
    if [ ! -e %{_sysconfdir}/httpd/alias/key3.db ]; then
        %{_sbindir}/gencert %{_sysconfdir}/httpd/alias > %{_sysconfdir}/httpd/alias/install.log 2>&1
    fi
    # Make sure that the database ownership is setup properly.
    /usr/bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec %{__chgrp} apache {} \;
    /usr/bin/find %{_sysconfdir}/httpd/alias -user root -name "*.db" -exec %{__chmod} g+r {} \;
fi
```

Case 1: if you try to install the new package, you will be successful.
Case 2: if the old package is installed in your systems, you will be successful.

Thanks

---

No, this won't work for new installs. A new install needs to generate an empty NSS database. So you can either use:

```
if [ "$1" -ge 1 ] ; then
```

or

```
if [ "$1" -gt 0 ] ; then
```

---

Just the same issue after the last update:

```
# rpm -q httpd mod_nss mod_ssl
httpd-2.2.3-45.el5
mod_nss-1.0.8-3.el5
mod_ssl-2.2.3-45.el5
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
```

---

We are also running into the same issue (we don't have mod_ssl installed).

```
# rpm -q httpd mod_nss
httpd-2.2.3-45.el5
mod_nss-1.0.8-3.el5
```

We had to set the permissions to 640 on the /etc/httpd/alias/*.db files. We also had to set the group to 'apache' for the same files.

```
# chmod 640 /etc/httpd/alias/*.db
# chgrp apache /etc/httpd/alias/*.db
# ls -la /etc/httpd/alias/*.db
-rw-r----- 1 root apache 65536 Jan 20 12:42 /etc/httpd/alias/cert8.db
-rw-r----- 1 root apache 16384 Jan 20 12:42 /etc/httpd/alias/key3.db
-rw-r----- 1 root apache 16384 Jan 20 12:34 /etc/httpd/alias/secmod.db
```

Also, since we were using 'NSSPassPhraseDialog' in nss.conf with a file setting (i.e. /etc/httpd/conf/password.conf):

```
/etc/httpd/conf.d/nss.conf
NSSPassPhraseDialog file:/etc/httpd/conf/password.conf
```

The permissions have to be the same as above ('apache' for group and 640 for chmod), just like the alias/*.db files:

```
# chmod 640 /etc/httpd/conf/password.conf
# chgrp apache /etc/httpd/conf/password.conf
# ls -la /etc/httpd/conf/password.conf
-rw-r----- 1 root apache 48 Jun 15  2010 /etc/httpd/conf/password.conf
```

Once all these changes were made, we were able to bring up the Apache/httpd process successfully.

---

*** Bug 676449 has been marked as a duplicate of this bug. ***

---

Seeing this same issue on a new install of RHEL 5.6. Permissions are set correctly on the database files, but the Apache error_log has these errors:

```
[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
```

---

Disregard my comment. The issue was narrowed down to an application changing the group httpd was running as.

---

This was hurting me too. The workaround in comment 1 works for me.

---

BTW the test `if [[ "$1" ...` should maybe be `if [[ $1 ...`, because otherwise you'd be comparing a string to a number.

---

VERIFIED RHEL 5.8 beta (x86_64)

```
[root@hp-nehalem-02 ~]# rpm -q mod_nss
mod_nss-1.0.8-6.el5
[root@hp-nehalem-02 ~]# rpm -qi mod_nss
Name        : mod_nss                      Relocations: (not relocatable)
Version     : 1.0.8                             Vendor: Red Hat, Inc.
Release     : 6.el5                         Build Date: Wed 09 Nov 2011 09:55:11 PM EST
Install Date: Thu 22 Dec 2011 07:14:16 AM EST      Build Host: x86-007.build.bos.redhat.com
[root@hp-nehalem-02 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 Beta (Tikanga)
[root@hp-nehalem-02 ~]# yum install mod_nss
Loaded plugins: katello, product-id, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_nss.x86_64 0:1.0.8-6.el5 set to be updated
beaker-Cluster/filelists          | 117 kB  00:00
beaker-ClusterStorage/filelists   |  13 kB  00:00
beaker-Server/filelists           | 3.0 MB  00:00
beaker-VT/filelists               |  46 kB  00:00
beaker-debug/filelists            | 1.4 MB  00:00
beaker-harness/filelists          |  45 kB  00:00
beaker-tasks/filelists            | 1.4 MB  00:00
--> Processing Dependency: httpd for package: mod_nss
--> Running transaction check
---> Package httpd.x86_64 0:2.2.3-61.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch       Version            Repository        Size
================================================================================
Installing:
 mod_nss        x86_64     1.0.8-6.el5        beaker-Server     89 k
Installing for dependencies:
 httpd          x86_64     2.2.3-61.el5       beaker-Server     1.2 M

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       0 Package(s)

Total download size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): mod_nss-1.0.8-6.el5.x86_64.rpm    |  89 kB  00:00
(2/2): httpd-2.2.3-61.el5.x86_64.rpm     | 1.2 MB  00:00
--------------------------------------------------------------------------------
Total                                     6.5 MB/s | 1.3 MB  00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : httpd       1/2
  Installing     : mod_nss     2/2
Installed products updated.

Installed:
  mod_nss.x86_64 0:1.0.8-6.el5

Dependency Installed:
  httpd.x86_64 0:2.2.3-61.el5

Complete!
[root@hp-nehalem-02 ~]# ll /etc/httpd/alias/*.db
-rw-r----- 1 root apache 65536 Dec 22 05:11 /etc/httpd/alias/cert8.db
-rw-r----- 1 root apache 16384 Dec 22 05:11 /etc/httpd/alias/key3.db
-rw-r----- 1 root apache 16384 Dec 22 05:11 /etc/httpd/alias/secmod.db
[root@hp-nehalem-02 ~]# rpm -qa --scripts mod_nss
postinstall scriptlet (using /bin/sh):
umask 077
if [ "$1" -gt 0 ] ; then
    if [ ! -e /etc/httpd/alias/key3.db ]; then
        /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
    fi
    # Make sure that the database ownership is setup properly.
    /usr/bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
    /usr/bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
[root@hp-nehalem-02 ~]#
```

Reference: also previously verified on RHEL 5.6.Z: https://bugzilla.redhat.com/show_bug.cgi?id=679748#c6

---

VERIFIED.

Version Info:

```
[root@tvmel5 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.9 Beta (Tikanga)
[root@tvmel5 ~]# rpm -q mod_nss
mod_nss-1.0.8-7.el5
[root@tvmel5 ~]# arch
x86_64
```

Verification Info:

```
[root@tvmel5 ~]# yum install mod_nss
Loaded plugins: product-id, security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_nss.x86_64 0:1.0.8-7.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch       Version            Repository        Size
================================================================================
Installing:
 mod_nss        x86_64     1.0.8-7.el5        rhel-5.9          89 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 89 k
Is this ok [y/N]: y
Downloading Packages:
mod_nss-1.0.8-7.el5.x86_64.rpm           |  89 kB  00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : mod_nss     1/1

Installed:
  mod_nss.x86_64 0:1.0.8-7.el5

Complete!
[root@tvmel5 ~]# ll /etc/httpd/alias/*.db
-rw-r----- 1 root apache 65536 Apr 30 03:11 /etc/httpd/alias/cert8.db
-rw-r----- 1 root apache 16384 Apr 30 03:11 /etc/httpd/alias/key3.db
-rw-r----- 1 root apache 16384 Apr 30 03:11 /etc/httpd/alias/secmod.db
[root@tvmel5 ~]# rpm -qa --scripts mod_nss
postinstall scriptlet (using /bin/sh):
umask 077
if [ "$1" -gt 0 ] ; then
    if [ ! -e /etc/httpd/alias/key3.db ]; then
        /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
    fi
    # Make sure that the database ownership is setup properly.
    /usr/bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \;
    /usr/bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \;
fi
[root@tvmel5 ~]#
```

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0009.html
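The `$1` test at the centre of this bug, worked through as an added example that is not part of the bug report or of the mod_nss package. The script below re-creates the logic of the mod_nss %post scriptlet against a scratch directory so the effect of rpm's `$1` argument (1 for a fresh install, 2 for an upgrade, 0 when the last version is erased) can be seen under both the original `-eq 1` test and the fixed `-gt 0` test, starting from a database left root-only by the 1.0.3 package. Three substitutions are assumptions made so it runs unprivileged and are not from the page: the group is passed as a parameter instead of the hard-coded `apache`, the `-user root` filter is replaced by the current user, and `/usr/sbin/gencert` is stood in for by creating empty database files.

```shell
#!/bin/sh
# Added example, not from the bug report or the mod_nss package: re-creates the
# mod_nss %post scriptlet against a scratch directory so the effect of rpm's
# "$1" argument (the number of package versions installed once the transaction
# finishes: 1 = fresh install, 2 = upgrade, 0 = last version removed) can be
# seen under the original "-eq 1" test and the fixed "-gt 0" test.
#
# Assumptions so it runs unprivileged (none of these are from the page):
#   - the target group is a parameter instead of the hard-coded "apache";
#   - the "-user root" filter is replaced by the current user;
#   - /usr/sbin/gencert is stood in for by creating empty database files.

# post_scriptlet DIR COUNT TEST GROUP
#   DIR   stand-in for /etc/httpd/alias
#   COUNT rpm's $1
#   TEST  "eq" for the original "$1 -eq 1" test, "gt" for the fixed "$1 -gt 0"
#   GROUP stand-in for the apache group
post_scriptlet() {
    dir=$1; count=$2; test_kind=$3; group=$4
    umask 077
    if [ "$test_kind" = "eq" ]; then
        [ "$count" -eq 1 ] || return 0   # an upgrade ($1 = 2) skips everything
    else
        [ "$count" -gt 0 ] || return 0   # only the final erase ($1 = 0) skips
    fi
    if [ ! -e "$dir/key3.db" ]; then
        # fresh install: this is where gencert would create the NSS database
        for f in cert8.db key3.db secmod.db; do : > "$dir/$f"; done
    fi
    # Make sure the database ownership is set up properly: the owner is left
    # alone, the group becomes GROUP, and the group gains read access.
    find "$dir" -user "$(id -un)" -name "*.db" -exec chgrp "$group" {} \;
    find "$dir" -user "$(id -un)" -name "*.db" -exec chmod g+r {} \;
}

# make_old_db DIR: leave the database the way mod_nss 1.0.3 did, owner-only
# (mode 0600), which is the state an upgraded host starts from.
make_old_db() {
    ( umask 077; for f in cert8.db key3.db secmod.db; do : > "$1/$f"; done )
}

# db_mode DIR: permission string of key3.db, e.g. "-rw-r-----"
db_mode() {
    ls -l "$1/key3.db" | cut -c1-10
}

# upgrade_result TEST GROUP: mode of key3.db after an upgrade ($1 = 2)
upgrade_result() {
    d=$(mktemp -d)
    make_old_db "$d"
    post_scriptlet "$d" 2 "$1" "$2"
    db_mode "$d"
    rm -rf "$d"
}

# fresh_install_result TEST GROUP: mode of key3.db after a new install ($1 = 1)
fresh_install_result() {
    d=$(mktemp -d)
    post_scriptlet "$d" 1 "$1" "$2"
    db_mode "$d"
    rm -rf "$d"
}

# Run the four scenarios. Only the upgrade under the original test leaves the
# database unreadable by the group, which is the failure reported in this bug.
grp=$(id -gn)
echo "upgrade,       -eq 1 test: $(upgrade_result eq "$grp")"
echo "upgrade,       -gt 0 test: $(upgrade_result gt "$grp")"
echo "fresh install, -eq 1 test: $(fresh_install_result eq "$grp")"
echo "fresh install, -gt 0 test: $(fresh_install_result gt "$grp")"
```

The `-user root` filter in the real scriptlet (replaced here by the current user) means files an administrator has already re-owned are left untouched, so the only files the fixed scriptlet changes on an upgrade are the root-owned ones the 1.0.3 package created. On a real host the check is simply `ls -l /etc/httpd/alias/*.db`, which should show `root apache` and `-rw-r-----` after the update.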