Bug 712491
Summary: | Admin server NSS errors when full SSL access (http+ldap+console) required | ||
---|---|---|---|
Product: | [Retired] 389 | Reporter: | Rich Megginson <rmeggins> |
Component: | Admin | Assignee: | Rich Megginson <rmeggins> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 1.2.8 | CC: | amsharma, andrey.ivanov, jgalipea, listas.vhs, luke+redhat, nkinder, volga629 |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-12-07 16:40:40 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 717730 | ||
Bug Blocks: | 434915 | ||
Attachments: | | | |
Description
Rich Megginson
2011-06-10 18:59:02 UTC
This is caused by the memleak in https://bugzilla.redhat.com/show_bug.cgi?id=717730

Because of the way Apache works, loading and unloading modules, and forking workers, we call NSS_Shutdown and NSS_Initialize several times. If mod_admserv makes a TLS/SSL call to the directory server between one of the inits and shutdowns, the leak will cause shutdown to fail, which will then cause init to fail.

In the meantime, you can use the NSS_STRICT_NOFORK=DISABLED hack to make this work. Just add something like this to /etc/sysconfig/dirsrv-admin:

```sh
export NSS_STRICT_NOFORK=DISABLED
```

Please let me know if the workaround works for you.

Thanks, Rich. I can confirm that adding "export NSS_STRICT_NOFORK=DISABLED" to /etc/sysconfig/dirsrv-admin does work. I also followed the instructions at http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html, especially section 14.2.3.2, "Enabling TLS/SSL in the Directory Server, Admin Server, and Console". After configuration, things seem to be working properly, but I notice two strange things:

1) When connecting with the console, in the windows, it doesn't display that I am using a secure connection (screenshot attached).
2) Also through the console, I am no longer able to "Manage Certificates" for the directory server, although it does work for the admin-serv (screenshot attached).

Created attachment 511345
No SSL displayed for connection

Created attachment 511346
After enabling SSL on Admin Serv, I am no longer able to manage certs on the directory server via the console
(In reply to comment #3)
> Created attachment 511345
> No SSL displayed for connection

You have to go into the Admin Server configuration for the User Directory and configure it to use SSL, in order for the console to display that it is using TLS/SSL for the User Directory.

(In reply to comment #4)
> Created attachment 511346
> After enabling SSL on Admin Serv, I am no longer able to manage certs on the
> directory server via the console

This is https://bugzilla.redhat.com/show_bug.cgi?id=710372

You might be able to work around this by adding a SetEnv directive to console.conf:

```
SetEnv NSS_STRICT_NOFORK DISABLED
```

Not sure if this will work for Manage Certificates.

(In reply to comment #6)
> (In reply to comment #4)
> > Created attachment 511346
> > After enabling SSL on Admin Serv, I am no longer able to manage certs on the
> > directory server via the console
>
> This is https://bugzilla.redhat.com/show_bug.cgi?id=710372
>
> You might be able to work around this by adding a SetEnv directive to
> console.conf:
>
> SetEnv NSS_STRICT_NOFORK DISABLED
>
> Not sure if this will work for Manage Certificates.

I tried this, unfortunately without success. I am still unable to manage dirsrv certificates from the console.

(In reply to comment #5)
> (In reply to comment #3)
> > Created attachment 511345
> > No SSL displayed for connection
>
> You have to go into the Admin Server configuration for the User Directory and
> configure it to use SSL, in order for the console to display that it is using
> TLS/SSL for the User Directory.

I believe I did do this according to the instructions (see screenshot); however, I found that I needed to "edit" the settings in the console to get it to stick (see screenshot).

Created attachment 511347
Modified User Directory settings for SSL

Created attachment 511348
Manually changed console settings to display secure connection
I believe this is related to https://bugzilla.redhat.com/show_bug.cgi?id=717730

Please confirm what version of openldap you have, update to the latest 389 packages in updates-testing, and try to reproduce the problem.

On the servers:

```
openldap-2.4.24-3.fc15
openldap-clients-2.4.24-3.fc15
```

I can confirm that the updates from testing resolve this issue and I was able to remove SetEnv NSS_STRICT_NOFORK DISABLED. I am now using SSL in dirsrv, admin-serv, and console. Thank you.

Should be able to verify this now that there is a build of openldap containing the fix for this issue.

I have used SSL in dirsrv, admin-serv, and console with build

```
[root@snmaptest /]# rpm -qa | grep 389
389-ds-console-1.2.6-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-1.2.1-2.el6.noarch
389-ds-base-devel-1.2.8.2-1.el6_1.12.x86_64
389-admin-1.1.23-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-adminutil-1.1.14-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-debuginfo-1.2.8.2-1.el6_1.3.x86_64
389-ds-base-1.2.8.2-1.el6_1.12.x86_64
389-ds-base-libs-1.2.8.2-1.el6_1.12.x86_64
```

Hence VERIFIED.

This bug is currently active at Centos and EPEL 6.

my version is:

```
389-console-1.1.7-1.el6.noarch
389-admin-1.1.29-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-ds-base-1.2.11.15-14.el6_4.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
openldap-2.4.23-32.el6_4.x86_64
openldap-clients-2.4.23-32.el6_4.x86_64
```

and for us, it is impossible to change to the testing version.. because it is a production server !!!

any idea ???

thanks

(In reply to comment #15)
> This bug is currently active at Centos and EPEL 6.
>
> my version is:
> 389-console-1.1.7-1.el6.noarch
> 389-admin-1.1.29-1.el6.x86_64
> 389-admin-console-1.1.8-1.el6.noarch
> 389-ds-console-doc-1.2.6-1.el6.noarch
> 389-ds-1.2.2-1.el6.noarch
> 389-adminutil-1.1.15-1.el6.x86_64
> 389-ds-base-1.2.11.15-14.el6_4.x86_64
> 389-ds-console-1.2.6-1.el6.noarch
> 389-admin-console-doc-1.1.8-1.el6.noarch
> 389-dsgw-1.1.10-1.el6.x86_64
> 389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
> openldap-2.4.23-32.el6_4.x86_64
> openldap-clients-2.4.23-32.el6_4.x86_64
>
> and for us, it is impossible to change to the testing version.. because it is a
> production server !!!
>
> any idea ???
>
> thanks

What version of CentOS? 6.3? 6.4?

Is it possible you are not running into 712491 but instead are running into https://bugzilla.redhat.com/show_bug.cgi?id=923122?

Have you tried the workaround in https://bugzilla.redhat.com/show_bug.cgi?id=712491#c6 ?

(In reply to comment #16)
> (In reply to comment #15)
> > This bug is currently active at Centos and EPEL 6.
[...]
> > any idea ???
> >
> > thanks
>
> What version of CentOS? 6.3? 6.4?

6.4 full update.

> Is it possible you are not running into 712491 but instead are running into
> https://bugzilla.redhat.com/show_bug.cgi?id=923122?

I don't have access to it :-(
"You are not authorized to access bug #923122."

> Have you tried the workaround in
> https://bugzilla.redhat.com/show_bug.cgi?id=712491#c6 ?

yes.. I tried it.. but the result is the same.
and my problem is not in the console.. it is in dirsrv-admin
so, I tried to put "export NSS_STRICT_NOFORK=DISABLED" in "/etc/sysconfig/dirsrv-admin" too, but the result is the same.

thanks and antetive.

(In reply to comment #17)
> (In reply to comment #16)
> > (In reply to comment #15)
> > > This bug is currently active at Centos and EPEL 6.
> [...]
> > > any idea ???
> > >
> > > thanks
> >
> > What version of CentOS? 6.3? 6.4?
>
> 6.4 full update.
>
> > Is it possible you are not running into 712491 but instead are running into
> > https://bugzilla.redhat.com/show_bug.cgi?id=923122?
>
> I don't have access to it :-(
> "You are not authorized to access bug #923122."

Ok. Are you seeing error messages like this?

```
[Mon Mar 18 21:06:04 2013] [error] NSS_Initialize failed. Certificate database: /etc/dirsrv/admin-serv.
[Mon Mar 18 21:06:04 2013] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Mar 18 21:06:05 2013] [notice] child pid 5725 exit signal Segmentation fault (11)
```

That is, do you see a Segmentation fault?

> > Have you tried the workaround in
> > https://bugzilla.redhat.com/show_bug.cgi?id=712491#c6 ?
>
> yes.. I tried it.. but the result is the same.
> and my problem is not in the console.. it is in dirsrv-admin
> so, I tried to put "export NSS_STRICT_NOFORK=DISABLED" in
> "/etc/sysconfig/dirsrv-admin" too, but the result is the same.
>
> thanks and antetive.

Can you provide the exact error messages you are seeing in your logs?

(In reply to comment #18)
[...]
> > > Is it possible you are not running into 712491 but instead are running into
> > > https://bugzilla.redhat.com/show_bug.cgi?id=923122?
> >
> > I don't have access to it :-(
> > "You are not authorized to access bug #923122."
>
> Ok. Are you seeing error messages like this?
> [Mon Mar 18 21:06:04 2013] [error] NSS_Initialize failed. Certificate
> database: /etc/dirsrv/admin-serv.
> [Mon Mar 18 21:06:04 2013] [error] SSL Library Error: -8038
> SEC_ERROR_NOT_INITIALIZED
> [Mon Mar 18 21:06:05 2013] [notice] child pid 5725 exit signal Segmentation
> fault (11)
>
> That is, do you see a Segmentation fault?

No.. I don't have these errors !!!

> > > Have you tried the workaround in
> > > https://bugzilla.redhat.com/show_bug.cgi?id=712491#c6 ?
> >
> > yes.. I tried it.. but the result is the same.
> > and my problem is not in the console.. it is in dirsrv-admin
> > so, I tried to put "export NSS_STRICT_NOFORK=DISABLED" in
> > "/etc/sysconfig/dirsrv-admin" too, but the result is the same.
> >
> > thanks and antetive.
>
> Can you provide the exact error messages you are seeing in your logs?

of course:

```
[Fri Apr 19 12:35:35 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Apr 19 12:35:36 2013] [crit] sslinit: NSS is required to use LDAPS, but security initialization failed [-8018:(null)]. Cannot start server
```

that is all the errors in /var/log/dirsrv/admin-serv/error when I restarted the service dirsrv-admin.

thanks

(In reply to comment #19)
> (In reply to comment #18)
>
> [...]
>
> > > > Is it possible you are not running into 712491 but instead are running into
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=923122?
> > >
> > > I don't have access to it :-(
> > > "You are not authorized to access bug #923122."
> >
> > Ok. Are you seeing error messages like this?
> > [Mon Mar 18 21:06:04 2013] [error] NSS_Initialize failed. Certificate
> > database: /etc/dirsrv/admin-serv.
> > [Mon Mar 18 21:06:04 2013] [error] SSL Library Error: -8038
> > SEC_ERROR_NOT_INITIALIZED
> > [Mon Mar 18 21:06:05 2013] [notice] child pid 5725 exit signal Segmentation
> > fault (11)
> >
> > That is, do you see a Segmentation fault?
>
> No.. I don't have these errors !!!
>
> > > > Have you tried the workaround in
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=712491#c6 ?
> > >
> > > yes.. I tried it.. but the result is the same.
> > > and my problem is not in the console.. it is in dirsrv-admin
> > > so, I tried to put "export NSS_STRICT_NOFORK=DISABLED" in
> > > "/etc/sysconfig/dirsrv-admin" too, but the result is the same.
> > >
> > > thanks and antetive.
> >
> > Can you provide the exact error messages you are seeing in your logs?
>
> of course:
>
> ================
> [Fri Apr 19 12:35:35 2013] [notice] SELinux policy enabled; httpd running as
> context unconfined_u:system_r:httpd_t:s0
> [Fri Apr 19 12:35:36 2013] [crit] sslinit: NSS is required to use LDAPS, but
> security initialization failed [-8018:(null)]. Cannot start server
> ================
>
> that is all the errors in /var/log/dirsrv/admin-serv/error when I restarted
> the service dirsrv-admin.
>
> thanks

Ok. Even though the result for you is the same, this is a different problem than the original one - the original problem was error -8038, but your problem is error -8018. Please file a ticket at https://fedorahosted.org/389/newticket

I am experiencing the exact issue described above. The workaround of the export in sysconfig has resolved the issue for right now.

```
[Mon Mar 31 21:01:05 2014] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Mar 31 21:01:06 2014] [notice] child pid 30007 exit signal Segmentation fault (11)
[Mon Mar 31 21:01:07 2014] [error] NSS_Initialize failed. Certificate database: /etc/dirsrv/admin-serv.
[Mon Mar 31 21:01:07 2014] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Mar 31 21:01:08 2014] [notice] child pid 30008 exit signal Segmentation fault (11)
[Mon Mar 31 21:01:09 2014] [error] NSS_Initialize failed. Certificate database: /etc/dirsrv/admin-serv.
[Mon Mar 31 21:01:09 2014] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Mar 31 21:01:09 2014] [notice] caught SIGTERM, shutting down
[Mon Mar 31 21:01:10 2014] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Mar 31 21:01:11 2014] [notice] Access Host filter is: *.pythian.com
[Mon Mar 31 21:01:11 2014] [notice] Access Address filter is: *
[Mon Mar 31 21:01:12 2014] [notice] Apache/2.2.15 (Unix) mod_nss/2.2.15 NSS/3.15.1 Basic ECC configured -- resuming normal operations
[Mon Mar 31 21:01:12 2014] [notice] Access Host filter is: *.pythian.com
[Mon Mar 31 21:01:12 2014] [notice] Access Address filter is: *
```
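A small log-triage script, added here as an example and not part of the bug report or of the 389 project, that applies the distinction drawn in the thread to admin-serv error-log lines: NSS_Initialize failures with SSL Library Error -8038 (usually followed by segfaulting children) are this bug, while a different NSS code such as the -8018 case is a separate problem. The sample log text is constructed from the excerpts quoted above; the function names and the structure of the result are the example's own.

```python
import re
from collections import Counter

# Apache 2.2 error-log line as written by admin-serv: "[timestamp] [level] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# "SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED" (symbolic name may be absent)
SSL_ERR_RE = re.compile(r"SSL Library Error: (-\d+)(?: (\w+))?")
# "sslinit: ... security initialization failed [-8018:(null)]"
INIT_ERR_RE = re.compile(r"security initialization failed \[(-\d+):")
SEGV_RE = re.compile(r"exit signal Segmentation fault")

# Constructed sample: lines taken from the log excerpts quoted in the thread.
SAMPLE_712491 = """\
[Mon Mar 31 21:01:05 2014] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Mar 31 21:01:06 2014] [notice] child pid 30007 exit signal Segmentation fault (11)
[Mon Mar 31 21:01:07 2014] [error] NSS_Initialize failed. Certificate database: /etc/dirsrv/admin-serv.
[Mon Mar 31 21:01:07 2014] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
"""
SAMPLE_OTHER = """\
[Fri Apr 19 12:35:35 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Apr 19 12:35:36 2013] [crit] sslinit: NSS is required to use LDAPS, but security initialization failed [-8018:(null)]. Cannot start server
"""

def parse_line(line):
    """Split one error-log line into timestamp, level and message; None if not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Count NSS error codes and child segfaults and decide whether the log matches bug 712491."""
    codes, names, segfaults, init_failed = Counter(), {}, 0, False
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        for m in SSL_ERR_RE.finditer(msg):
            codes[int(m.group(1))] += 1
            if m.group(2):                      # remember the symbolic name when the log gives one
                names[int(m.group(1))] = m.group(2)
        m = INIT_ERR_RE.search(msg)
        if m:                                   # sslinit failure carries the code in brackets
            codes[int(m.group(1))] += 1
        init_failed = init_failed or "NSS_Initialize failed" in msg
        segfaults += bool(SEGV_RE.search(msg))
    # Signature from the thread: NSS_Initialize failed together with -8038 (SEC_ERROR_NOT_INITIALIZED).
    matches = init_failed and codes.get(-8038, 0) > 0
    action = ("workaround: export NSS_STRICT_NOFORK=DISABLED in /etc/sysconfig/dirsrv-admin; "
              "fix is in the updated openldap/389 packages (bug 717730)" if matches
              else "different NSS error code; not bug 712491, file a separate ticket")
    return {"codes": dict(codes), "names": names, "segfaults": segfaults,
            "matches_712491": matches, "action": action}
```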