Bug 719408

Summary: certificates supplied with mod_nss have expired and prevent httpd starting
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: mod_nss
Assignee: Matthew Harmsen <mharmsen>
Status: CLOSED WONTFIX
QA Contact: Kaleem <ksiddiqu>
Severity: high
Priority: medium
Version: 7.0
CC: dpal, jb60, john.bramley, nkinder
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 711085
Last Closed: 2016-01-05 22:26:49 UTC
Bug Depends On: 711085
Bug Blocks: 1205796

Description Dmitri Pal 2011-07-06 18:07:45 UTC
+++ This bug was initially created as a clone of Bug #711085 +++

Description of problem:
Certificates created when mod_nss was installed (cacert, Server-Cert and alpha) (over four years ago) have expired preventing the restarting of httpd (apache) with certificate expired errors in /var/log/httpd/error_log

Version-Release number of selected component (if applicable): 
mod_nss-1.0.8-4.el5_6.1

How reproducible:
Always

Steps to Reproduce:
1. rpm -e mod_nss
2. rm /etc/httpd/alias/*
3. service ntpd stop
4. date 060614332006  # set date back over four years
5. yum install mod_nss
6. ntpdate ntp0   # set time back to current time - using our local timeserver in this instance
7. service httpd restart

  
Actual results:
httpd fails to start: 
Starting httpd:                                            [FAILED]
/var/log/httpd/error_log  contains:
[Mon Jun 06 14:36:45 2011] [error] SSL Library Error: -8181 Certificate has expired
[Mon Jun 06 14:36:45 2011] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

Expected results:
httpd starts successfully, or better error messages.  Should 'NSSEnforceValidCerts off' be the default?  Having a service just stop working after a number of years of service because a certificate it isn't actually using has expired seems very strange behaviour.

Additional info:
httpd was set up and running ok using a properly signed certificate for https traffic (ssl.conf:SSLCertificateFile /etc/pki/tls/certs/mycert.crt). One day, when the system restarted httpd for some reason, it failed to restart with the rather cryptic error message.

A quick fix was to add 'NSSEnforceValidCerts off' as suggested, but figuring out what caused the problem took a fair bit of work.  

Removing mod_nss and the certificates it created, and reinstalling allows httpd to start:
rpm -e mod_nss
rm /etc/httpd/alias/*
yum install mod_nss
service httpd restart

--- Additional comment from rcritten on 2011-06-06 10:39:14 EDT ---

Enforcing valid certificates is a sanity and security feature. What is unclear about the message, the fact that it is being generated from mod_nss?

If you aren't using mod_nss you can simply remove the package and avoid this altogether.

--- Additional comment from jb60.uk on 2011-06-22 09:24:26 EDT ---

(In reply to comment #1)
> Enforcing valid certificates is a sanity and security feature. What is unclear
> about the message, the fact that it is being generated from mod_nss?
> 
> If you aren't using mod_nss you can simply remove the package and avoid this
> altogether.

Yes the fact the problem is generated in mod_nss - will result in admins who can't figure it out to just add 'NSSEnforceValidCerts off' resulting in reduced security.

Anyway by creating this bug entry here hopefully users who have the same problem can do a search here and get to this page to see a better solution.

Thanks.

--- Additional comment from dpal on 2011-07-06 14:06:55 EDT ---

The issue will be addressed in the later RHEL releases.
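Added example, not code from the bug report or from the mod_nss package: a POSIX shell audit for the situation described above. It lists the nicknames in the NSS database mod_nss creates at install time, validates each one for the SSL-server usage with `certutil -V -u V` (the check that produces the -8181 "Certificate has expired" startup failure), and reports whether nss.conf has been weakened with "NSSEnforceValidCerts off", the workaround the comments warn admins will reach for. The database path /etc/httpd/alias and the nicknames cacert, Server-Cert and alpha are taken from the report; the `certutil -L` listing and the `certutil -V` messages embedded below are constructed samples, and the exact wording of certutil's messages is an assumption. certutil from nss-tools must be installed for the live check.

```shell
#!/bin/sh
# Added example, not code from the bug report or the mod_nss project.
# Audits the certificates mod_nss keeps in an NSS database (by default
# /etc/httpd/alias, populated by the package's gencert script) so that an
# expired Server-Cert is found before httpd refuses to start, and flags the
# "NSSEnforceValidCerts off" workaround in nss.conf. Requires certutil from
# nss-tools; the database path and nicknames are assumptions taken from the
# bug report, and the certutil message texts used below are constructed samples.

# Parse `certutil -L -d <db>` output on stdin into one nickname per line.
# The listing has two header lines, a blank line, then "<nickname>  <trust>".
nss_list_nicknames() {
    sed -n '/^[[:space:]]*$/,$p' |
        sed -e '/^[[:space:]]*$/d' \
            -e 's/[[:space:]]\{2,\}[^[:space:]]*[[:space:]]*$//'
}

# Map the exit status and message of `certutil -V` to a verdict:
# valid, expired (NSS error -8181 SEC_ERROR_EXPIRED_CERTIFICATE, the error
# in the report) or invalid (any other validation failure).
nss_classify() {
    status=$1
    message=$2
    if [ "$status" -eq 0 ]; then
        echo valid
    elif printf '%s\n' "$message" | grep -qi 'expired'; then
        echo expired
    else
        echo invalid
    fi
}

# Read nss.conf on stdin; report "disabled" if startup validation has been
# switched off with "NSSEnforceValidCerts off", else "enforced" (the default).
nss_conf_enforcement() {
    if grep -Eiq '^[[:space:]]*NSSEnforceValidCerts[[:space:]]+off'; then
        echo disabled
    else
        echo enforced
    fi
}

# Validate every certificate in the database for the SSL-server usage (-u V),
# the check mod_nss performs on its NSSNickname at startup. Returns 1 if any
# certificate fails, so the caller can renew it (rerun gencert, or issue a
# new one with certutil -S) instead of turning enforcement off.
nss_check_db() {
    db=$1
    bad=0
    nicks=$(certutil -L -d "$db" | nss_list_nicknames)
    while IFS= read -r nick; do
        [ -n "$nick" ] || continue
        if out=$(certutil -V -d "$db" -n "$nick" -u V 2>&1); then
            st=0
        else
            st=$?
        fi
        verdict=$(nss_classify "$st" "$out")
        printf '%-20s %s\n' "$nick" "$verdict"
        [ "$verdict" = valid ] || bad=1
    done <<EOF
$nicks
EOF
    return $bad
}

# Constructed sample of a `certutil -L` listing for the three certificates
# the bug report names, used to exercise the parser without an NSS database.
SAMPLE_LISTING=$(printf '%s\n' \
    'Certificate Nickname                                         Trust Attributes' \
    '                                                             SSL,S/MIME,JAR/XPI' \
    '' \
    'cacert                                                       CTu,Cu,Cu' \
    'Server-Cert                                                  u,u,u' \
    'alpha                                                        u,u,u')

# Run against a real database only when one is named on the command line:
#   sh nss_audit.sh /etc/httpd/alias && echo "all certificates valid"
if [ "$#" -ge 1 ]; then
    nss_check_db "$1"
fi
```

Running the script against /etc/httpd/alias before a restart turns the cryptic error_log line into a per-nickname verdict; a non-zero exit means at least one certificate (typically Server-Cert, which mod_nss validates even when the https traffic is served by mod_ssl) needs renewing. Piping nss.conf into nss_conf_enforcement is the matching audit for hosts where someone already applied the "NSSEnforceValidCerts off" workaround and never revisited it.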

Comment 4 Matthew Harmsen 2016-01-05 22:26:49 UTC
Per discussion with rcritten, this is an upstream bug -- closing as WONTFIX.