Bug 676449

Summary: Latest update breaks mod_nss and SSL sites.
Product: Red Hat Enterprise Linux 5
Reporter: Arthur Enright <aenright>
Component: mod_nss
Assignee: Rob Crittenden <rcritten>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent
Priority: unspecified
Version: 5.6
CC: benl, dpal
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-02-11 15:18:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
Description    Flags
sosreport      none

Description Arthur Enright 2011-02-09 22:03:40 UTC
Description of problem: Patched a public web server and reloaded httpd, resulting in httpd writing NSS errors to error_log and CA warnings to ssl_error_log.


Version-Release number of selected component (if applicable):
Feb 08 22:51:45 Updated: httpd-2.2.3-45.el5.x86_64
Feb 08 22:52:24 Updated: mod_nss-1.0.8-3.el5.x86_64


How reproducible: Patch to latest update level


Steps to Reproduce:
1. yum -y update
2. service httpd reload
3. observe log files and Apache's inability to serve content.
  
Actual results:

CPU spike and the following messages repeating in the logs:

/var/log/httpd/error_log

[Tue Feb 08 23:12:51 2011] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue Feb 08 23:12:51 2011] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
..
[Tue Feb 08 23:12:52 2011] [notice] child pid 19005 exit signal Segmentation fault (11)
...
[Tue Feb 08 23:12:52 2011] [notice] child pid 19040 exit signal Segmentation fault (11)

/var/log/httpd/ssl_error_log

[Tue Feb 08 04:02:13 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 08 04:02:13 2011] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
...
[Tue Feb 08 23:10:18 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 08 23:10:18 2011] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

Expected results:

Apache starts up and serves non-SSL content as well as SSL content.


Additional info:

For non-SSL content, removing the nss.conf file from /etc/httpd/conf.d as well as any SSL vhosts allows for serving unencrypted traffic.  Simply removing nss.conf does not fix the SSL vhost issue.

I expect this is potentially impacting a number of customers.

sosreport to be attached shortly.

Comment 1 Arthur Enright 2011-02-09 22:19:15 UTC
Created attachment 477917 [details]
sosreport

sosreport with nss.conf moved out of httpd/conf.d and SSL vhosts temporarily removed.

Comment 2 Joe Orton 2011-02-10 08:48:01 UTC
Can you determine whether the regression was caused by the httpd upgrade or the mod_nss upgrade?  (i.e. if you downgrade httpd does it still break?)

Comment 3 Arthur Enright 2011-02-10 20:11:32 UTC
I rolled back the following packages:

httpd-2.2.3-43.el5
mod_ssl-2.2.3-43.el5

The mod_nss issues persist but when I move httpd/conf.d/mod_nss out of the way my SSL sites now work.

This solves the most immediate issue as the server can now serve SSL traffic.

Would you like me to roll back mod_nss or any of the core NSS libraries and test?

-Art

Comment 4 Joe Orton 2011-02-11 08:34:00 UTC
Re-assigning to mod_nss.

Comment 5 Rob Crittenden 2011-02-11 14:45:07 UTC
This may be related to https://bugzilla.redhat.com/show_bug.cgi?id=669963

Can you check the permissions on the .db files in /etc/httpd/alias?  They should be mode 0640 root:apache.

Comment 6 Arthur Enright 2011-02-11 15:03:06 UTC
Current perms after update:

# pwd
/etc/httpd/alias
# ll
total 128
-rw------- 1 root root 65536 Jun  8  2010 cert8.db
-rw------- 1 root root  4395 Jun  8  2010 install.log
-rw------- 1 root root 16384 Jun  8  2010 key3.db
lrwxrwxrwx 1 root root    33 Feb  8 22:52 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw------- 1 root root 16384 Jun  8  2010 secmod.db

After changing ownership and perms I was able to move the nss.conf file back into place, update the httpd and mod_ssl RPMs to latest and bounce Apache without any errors.

Did the latest mod_nss RPM fail to set perms after update?

Comment 7 Rob Crittenden 2011-02-11 15:18:27 UTC
Yes, there is a bug in the %post script in mod_nss that misses fixing permissions on existing databases.

mod_nss 1.0.3 opened the NSS databases only as root. mod_nss 1.0.8 needs to open it as the apache user. The difference is opening in prefork vs in each child.

Marking as a duplicate of 669963.

*** This bug has been marked as a duplicate of bug 669963 ***
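The permission check that resolved this thread, written out as an added example (not code from the bug report or from the mod_nss package): after the 1.0.8 upgrade the httpd children run as the apache user and open the NSS databases themselves, so cert8.db, key3.db and secmod.db must be mode 0640, owner root, group apache, which the package %post script failed to set on pre-existing databases. The owner and group are parameters so the functions can be exercised on a scratch copy by an unprivileged user; on a real server run them as root with `root apache`. The file list, function names and the use of GNU stat (coreutils, as on RHEL) are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of the bug report or of mod_nss.
# Audits and repairs ownership/mode of the NSS database files that
# mod_nss 1.0.8 opens from the apache user in each child process.

# Files mod_nss opens in the NSSCertificateDatabase directory (assumption:
# the legacy dbm-format names present on the reporter's RHEL 5 host).
NSS_DB_FILES="cert8.db key3.db secmod.db"

# check_nss_db_perms DIR OWNER GROUP
# Prints one line per file that deviates from 0640 OWNER:GROUP (or is
# missing); returns 0 only when every file matches.
check_nss_db_perms() {
    dir=$1; owner=$2; group=$3; rc=0
    for name in $NSS_DB_FILES; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            rc=1
            continue
        fi
        # GNU stat: %a octal mode, %U owner name, %G group name
        actual=$(stat -c '%a %U %G' "$f")
        if [ "$actual" != "640 $owner $group" ]; then
            echo "bad: $f is '$actual', want '640 $owner $group'"
            rc=1
        fi
    done
    return $rc
}

# fix_nss_db_perms DIR OWNER GROUP
# Applies what the package scriptlet should have applied, then re-checks.
# Needs root to hand files to root:apache; an unprivileged user can only
# chown files to their own user and a group they belong to.
fix_nss_db_perms() {
    dir=$1; owner=$2; group=$3
    for name in $NSS_DB_FILES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        chown "$owner:$group" "$f"
        chmod 0640 "$f"
    done
    check_nss_db_perms "$dir" "$owner" "$group"
}

# Usage on the host from the report (as root):
#   check_nss_db_perms /etc/httpd/alias root apache \
#       || fix_nss_db_perms /etc/httpd/alias root apache
```

The check deliberately requires an exact match rather than "at least readable": a world-readable key3.db would also let the apache user open it, but it would expose the server's private key to every local account, which is the opposite of what the 0640 root:apache layout is for. To see what the installed package's scriptlet actually does, `rpm -q --scripts mod_nss` prints its %post and related scriptlets.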