Bug 711085

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | certificates supplied with mod_nss have expired and prevent httpd starting | | |
| Product: | Red Hat Enterprise Linux 5 | Reporter: | john.bramley |
| Component: | mod_nss | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED WONTFIX | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 5.6 | CC: | benl, dpal, jb60, rcritten, ryan.dunkerley, vishal.kamble |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| Clones: | 719408 | Environment: | |
| Last Closed: | 2011-07-06 18:08:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 719408 | | |
Description
john.bramley
2011-06-06 13:53:20 UTC

Comment 1
Enforcing valid certificates is a sanity and security feature. What is unclear about the message, the fact that it is being generated from mod_nss? If you aren't using mod_nss you can simply remove the package and avoid this altogether.

Comment 2
(In reply to comment #1)
> Enforcing valid certificates is a sanity and security feature. What is unclear
> about the message, the fact that it is being generated from mod_nss?
>
> If you aren't using mod_nss you can simply remove the package and avoid this
> altogether.

Yes, the fact that the problem is generated in mod_nss will result in admins who can't figure it out just adding 'NSSEnforceValidCerts off', resulting in reduced security. Anyway, by creating this bug entry here, hopefully users who have the same problem can do a search here and get to this page to see a better solution. Thanks.

Comment 3
The issue will be addressed in the later RHEL releases. The issue will not be addressed in RHEL 5.x.

Comment 4
John,

Questions about the mod_nss reinstall solution. Will this process in any way compromise existing SSL cert + key installations? I've tested this procedure on my dev machine and it works great! However, I want to make sure that if I follow this procedure on my production machine, the keys and installed 3rd party certs will not have to be re-gen'ed. For instance, I have an SSL cert provided from GoDaddy for which I gen'ed the key via openssl on my RH server.

Thanks!
-ryan

Comment 5
There is no re-install solution. The reported problem was that mod_nss generates a certificate upon first installation. This certificate, like all SSL certificates, eventually expires. mod_nss requires a valid cert for Apache to start. The concern was that for an admin that had installed but never actually ever used the mod_nss package this could be confusing. One solution is to uninstall mod_nss if you aren't using it.

Comment 6
Rob,

Thanks for the quick reply! The scenario you describe exactly happened to me... one day Apache went down and couldn't restart; error logs + Google got me to this thread. I tested John's reinstall procedure from above on a dev server, and it re-created the mod_ssl cert as needed for Apache to restart. What I need to know is if mod_ssl is necessary for use of SSL certs in Apache (particularly ones which use a locally gen'd openssl key and a 3rd party cert, e.g. Starfield Technologies)? I just want to make sure that if I uninstall mod_nss, I won't break existing SSL certs I have in use in Apache.

-ryan

Comment 7
The mod_nss and mod_ssl certificate stores are completely separate. Both are SSL engines, they just use different crypto libraries. One does not rely on the other. If you aren't using mod_nss then your best bet is to simply uninstall the package.

Comment 8
Thanks Rob Crittenden, as per your suggestion I have just uninstalled mod_nss and restarted the services and it is working. I am using CentOS 5.8. Thank you very much.
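An added expiry check, not from the bug report or from mod_nss itself, for the situation the thread describes: it reads the validity window of the mod_nss server certificate so an admin can see that the auto-generated cert is what expired (and warn before it does) rather than reaching for 'NSSEnforceValidCerts off'. It assumes the mod_nss defaults of certificate database /etc/httpd/alias and nickname Server-Cert, parses `certutil -L` output, and treats the printed timestamps as UTC; the sample certutil output below is constructed.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed (abridged) sample of `certutil -L -d /etc/httpd/alias -n Server-Cert`
# output; only the Validity block is needed. The dates mirror a cert generated on
# the bug's report date that expires one year later.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: "CN=localhost.localdomain"
        Validity:
            Not Before: Mon Jun 06 13:53:20 2011
            Not After : Tue Jun 05 13:53:20 2012
        Subject: "CN=localhost.localdomain"
"""

# certutil prints e.g. "Not After : Tue Jun 05 13:53:20 2012"
_NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)")
_CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"

def parse_not_after(certutil_text):
    """Return the 'Not After' timestamp as a timezone-aware datetime (assumed UTC)."""
    m = _NOT_AFTER.search(certutil_text)
    if not m:
        raise ValueError("no 'Not After' field found in certutil output")
    return datetime.strptime(m.group(1).strip(), _CERTUTIL_TIME).replace(tzinfo=timezone.utc)

def days_until_expiry(certutil_text, now_iso=None):
    """Whole days left before expiry; negative once the cert has expired."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (parse_not_after(certutil_text) - now).days

def check_server_cert(certutil_text, now_iso=None, warn_days=30):
    """Classify the cert as 'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_until_expiry(certutil_text, now_iso)
    if days < 0:
        return "expired"
    return "expiring" if days <= warn_days else "ok"

if __name__ == "__main__":
    # Assumed mod_nss defaults: database /etc/httpd/alias, nickname Server-Cert.
    out = subprocess.run(["certutil", "-L", "-d", "/etc/httpd/alias", "-n", "Server-Cert"],
                         capture_output=True, text=True, check=True).stdout
    print(check_server_cert(out), "- expires", parse_not_after(out).isoformat())
```

Run it from cron and alert on "expiring" or "expired" so the httpd start failure described above is caught before it happens.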