Bug 1079959 - mod_revocator does not shut down httpd server if expired CRL is fetched
Summary: mod_revocator does not shut down httpd server if expired CRL is fetched
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_revocator
Version: 7.0
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Matthew Harmsen
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks: 1295988
Reported: 2014-03-24 11:58 UTC by Kaleem
Modified: 2018-04-16 20:43 UTC (History)
CC: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1295988
Environment:
Last Closed: 2018-04-16 20:43:07 UTC
Target Upstream Version:
Embargoed:



Description Kaleem 2014-03-24 11:58:00 UTC
Description of problem:


Version-Release number of selected component (if applicable):
[root@mclient ~]# rpm -q mod_revocator
mod_revocator-1.0.3-19.el7.x86_64
[root@mclient ~]# 

How reproducible:
Always

Steps to Reproduce:
1. Install mod_revocator and configure to fetch CRL 

   [root@mclient conf.d]# cat revocator.conf 

#   CRL Engine Switch:
#   Enable/Disable CRL retrieval

#CRLEngine off
CRLEngine on

#   CRL Age Check Switch:
#   Shut the server down if a CRL expires
#CRLAgeCheck off
CRLAgeCheck on

#   CRL Update Critical Switch:
#   Shut the server down if a CRL cannot be retrieved
CRLUpdateCritical off
#CRLUpdateCritical on

#   CRL Helper:
#   This helper program does the actual CRL retrieval
#
#   NOTE:  Located at '/usr/bin/crlhelper' prior to 'mod_revocator-1.0.3-16'.
#
CRLHelper /usr/libexec/crlhelper

#   CRL URLs:
#   A space delimited list of URLs to retrieve and install.
#        protocol://urldata;update_interval;max_age
#CRLFile "ldap://ldap.example.com:5000/o=example.net?usercertificate%3binary?sub?(sn=Jensen)??;30;30"
#CRLFile "exec:///usr/sbin/ldapget|ldap://ldap.example.com:3389/o=example.com?userCertificate%3bbinary?sub?(uid=crl)??;30;30"
#CRLFile "https://ca.example.com:1025/getCRL?op=getCRL&issuepoint=MasterCRL;30;30"
CRLFile "http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;2;2"
#CRLFile "https://master.testrelm.test:8443/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;2;2"
#CRLFile "exec:///bin/cat|/etc/httpd/alias/crl.der;2;2"
[root@mclient conf.d]# 


2. start apache so that CRL is fetched

   The following log is shown in /var/log/httpd/error_log for a successful CRL download

[Mon Mar 24 17:20:06.312518 2014] [:info] [pid 20468] Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Mon Mar 24 17:00:00 2014, nextupdate = Mon Mar 24 21:00:00 2014
[Mon Mar 24 17:20:06.312636 2014] [:notice] [pid 20468] Revocation subsystem initialized 2

3. Now change the system date to 20 days ahead so that the downloaded CRL appears expired to the system.

[root@mclient ~]# date -s "+20 days"
Sun Apr 13 17:20:47 IST 2014
[root@mclient ~]# 

snip from /var/log/httpd/error_log
==================================
[Sun Apr 13 17:20:51.329698 2014] [:debug] [pid 20471] mod_rev.c(289): Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Mon Mar 24 17:00:00 2014, nextupdate = Mon Mar 24 21:00:00 2014
[Sun Apr 13 17:20:51.329747 2014] [:error] [pid 20471] CRL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,O=TESTRELM.TEST is outdated. Shutting down server pid 20465

apache service status 
=====================
[root@mclient ~]# service httpd status
Redirecting to /bin/systemctl status  httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Mon 2014-03-24 17:20:05 IST; 2 weeks 6 days ago
 Main PID: 20465 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─20465 /usr/sbin/httpd -DFOREGROUND
           ├─20466 /usr/libexec/nss_pcache 6193194 off /etc/httpd/alias
           ├─20467 /usr/libexec/crlhelper 6225963 20465 /etc/httpd/alias
           ├─20468 /usr/sbin/httpd -DFOREGROUND
           ├─20469 /usr/sbin/httpd -DFOREGROUND
           ├─20470 /usr/sbin/httpd -DFOREGROUND
           ├─20471 /usr/sbin/httpd -DFOREGROUND
           └─20472 /usr/sbin/httpd -DFOREGROUND

Mar 24 17:20:04 mclient.testrelm.test systemd[1]: Starting The Apache HTTP Server...
Mar 24 17:20:05 mclient.testrelm.test systemd[1]: Started The Apache HTTP Server.
[root@mclient ~]# 
Actual results:
apache is running and up

Expected results:
apache should be down.

Additional info:
1. Restarting the Apache service brings the service down, with the cause recorded in /var/log/httpd/error_log

[Sun Apr 13 17:25:56.738301 2014] [:error] [pid 20514] CRL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,O=TESTRELM.TEST is outdated. Shutting down server pid 20511
[Sun Apr 13 17:25:56.738381 2014] [:notice] [pid 20514] Revocation subsystem initialized 2
[Sun Apr 13 17:25:56.825725 2014] [core:info] [pid 20511] AH00096: removed PID file /run/httpd/httpd.pid (pid=20511)
[Sun Apr 13 17:25:56.825791 2014] [mpm_prefork:notice] [pid 20511] AH00169: caught SIGTERM, shutting down
[Sun Apr 13 17:25:56.835971 2014] [:info] [pid 20511] Shutting down SSL Session ID Cache
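
The report above boils down to a log message ("Shutting down server pid N") that is not followed by the parent actually exiting. As an added example that is not part of this bug report or of mod_revocator, the Python below parses error_log lines of the exact shape shown (a constructed copy of the excerpts above), decides for each fetch whether the CRL was already past its nextupdate at the moment it was logged, and then cross-checks every "Shutting down server pid" message against a set of running pids (constructed from the CGroup listing above) to flag the condition this bug describes: a shutdown that was announced but never happened. Assumptions: the log timestamp and the CRL's nextupdate are in the same timezone, as they are in the excerpt; the regexes, function names and sample data are mine, not the module's.

```python
import re
from datetime import datetime

# Constructed sample modelled on the error_log excerpts in this report:
# a good fetch at startup, then the stale re-check after the clock jump.
SAMPLE_LOG = """\
[Mon Mar 24 17:20:06.312518 2014] [:info] [pid 20468] Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Mon Mar 24 17:00:00 2014, nextupdate = Mon Mar 24 21:00:00 2014
[Mon Mar 24 17:20:06.312636 2014] [:notice] [pid 20468] Revocation subsystem initialized 2
[Sun Apr 13 17:20:51.329698 2014] [:debug] [pid 20471] mod_rev.c(289): Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Mon Mar 24 17:00:00 2014, nextupdate = Mon Mar 24 21:00:00 2014
[Sun Apr 13 17:20:51.329747 2014] [:error] [pid 20471] CRL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,O=TESTRELM.TEST is outdated. Shutting down server pid 20465
"""

# Constructed from the `systemctl status httpd` CGroup listing in the report:
# the parent (20465) and all its children are still alive after the log line.
RUNNING_PIDS = {20465, 20466, 20467, 20468, 20469, 20470, 20471, 20472}

# Common prefix of every httpd 2.4 error_log line: [timestamp] [module:level] [pid N]
_STAMP = r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid (?P<pid>\d+)\] "
FETCH_RE = re.compile(
    _STAMP + r"(?:mod_rev\.c\(\d+\): )?Successfully downloaded CRL at URL (?P<url>\S+), "
    r"subject = (?P<subject>.+?), lastupdate = (?P<last>.+?), nextupdate = (?P<next>.+)$")
SHUTDOWN_RE = re.compile(
    _STAMP + r"CRL (?P<url>\S+) (?P<subject>.+?) is outdated\. "
    r"Shutting down server pid (?P<parent>\d+)$")


def _stamp(s):
    """httpd log timestamp, e.g. 'Sun Apr 13 17:20:51.329698 2014'."""
    return datetime.strptime(s, "%a %b %d %H:%M:%S.%f %Y")


def _crl_time(s):
    """mod_revocator's lastupdate/nextupdate rendering, e.g. 'Mon Mar 24 21:00:00 2014'."""
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Y")


def parse_fetches(log_text):
    """One dict per 'Successfully downloaded CRL' line, with a verdict on whether
    the CRL was already past nextupdate when the line was written (assumes both
    timestamps are in the same local timezone, as in the report)."""
    out = []
    for line in log_text.splitlines():
        m = FETCH_RE.match(line)
        if not m:
            continue
        logged = _stamp(m["ts"])
        next_update = _crl_time(m["next"])
        out.append({
            "pid": int(m["pid"]), "logged": logged, "url": m["url"],
            "subject": m["subject"], "next_update": next_update,
            "outdated": logged > next_update,
        })
    return out


def unhonored_shutdowns(log_text, running_pids):
    """(parent_pid, logged_at) for every 'Shutting down server pid N' message
    whose target is still in running_pids: the failure this report describes."""
    found = []
    for line in log_text.splitlines():
        m = SHUTDOWN_RE.match(line)
        if m and int(m["parent"]) in running_pids:
            found.append((int(m["parent"]), _stamp(m["ts"])))
    return found


if __name__ == "__main__":
    for f in parse_fetches(SAMPLE_LOG):
        print("pid %d fetched at %s, nextupdate %s -> %s" % (
            f["pid"], f["logged"], f["next_update"],
            "OUTDATED" if f["outdated"] else "current"))
    for parent, when in unhonored_shutdowns(SAMPLE_LOG, RUNNING_PIDS):
        print("shutdown of pid %d announced at %s but the process is still running" % (parent, when))
```

In production the running-pid set would come from `systemctl show -p MainPID httpd` or the PID file rather than a literal; the point of the cross-check is that, with CRLAgeCheck on, the only trustworthy signal is the process state, not the module's own announcement.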

Comment 2 Nathan Kinder 2014-03-24 14:31:40 UTC
Does this same test work on RHEL 6.x?  I'd like to determine if this is a regression or not.

Comment 3 Kaleem 2014-03-24 15:37:32 UTC
Yes, it is a regression. The same test worked on RHEL-6.5.

Comment 4 Matthew Harmsen 2014-03-25 00:42:07 UTC
(In reply to Kaleem from comment #3)
> Yes it is a regression. Same test worked on RHEL-6.5

Could you please list the versions of Apache HTTPD, mod_nss, and NSS?

Comment 5 Kaleem 2014-03-25 06:32:49 UTC
(In reply to Matthew Harmsen from comment #4)
> (In reply to Kaleem from comment #3)
> > Yes it is a regression. Same test worked on RHEL-6.5
> 
> Could you please list the versions of Apache HTTPD, mod_nss, and NSS?

[root@mclient ~]# rpm -q httpd nss mod_nss
httpd-2.4.6-17.el7.x86_64
nss-3.15.4-6.el7.x86_64
mod_nss-1.0.8-32.el7.x86_64
[root@mclient ~]#

Comment 7 Matthew Harmsen 2014-03-26 21:17:50 UTC
(In reply to Kaleem from comment #5)
> (In reply to Matthew Harmsen from comment #4)
> > (In reply to Kaleem from comment #3)
> > > Yes it is a regression. Same test worked on RHEL-6.5
> > 
> > Could you please list the versions of Apache HTTPD, mod_nss, and NSS?
> 
> [root@mclient ~]# rpm -q httpd nss mod_nss
> httpd-2.4.6-17.el7.x86_64
> nss-3.15.4-6.el7.x86_64
> mod_nss-1.0.8-32.el7.x86_64
> [root@mclient ~]#

# uname -a
Linux pki-rhel7.example.com 3.10.0-115.el7.x86_64 #1 SMP Tue Mar 25 16:21:38 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.0 Beta (Maipo)

# rpm -q httpd nss mod_nss mod_revocator systemd kernel
httpd-2.4.6-17.el7.x86_64
nss-3.15.4-6.el7.x86_64
mod_nss-1.0.8-32.el7.x86_64
mod_revocator-1.0.3-19.el7.x86_64
systemd-208-9.el7.x86_64
kernel-3.10.0-115.el7.x86_64

===============================================================================
SETUP:  I installed and configured an instance of a Dogtag CA, and extracted
        and installed the following Certificates and CRLs into a fresh NSS
        database located at /etc/httpd/alias:

# certutil -d /etc/httpd/alias -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 

# chmod 640 /etc/httpd/alias/*.db

# chgrp apache /etc/httpd/alias/*.db

# pwd
/etc/pki/pki-tomcat/alias

# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
Server-Cert cert-pki-tomcat                                  u,u,u
auditSigningCert cert-pki-tomcat CA                          u,u,Pu
ocspSigningCert cert-pki-tomcat CA                           u,u,u
subsystemCert cert-pki-tomcat CA                             u,u,u

# cat ../password.conf
internal=571798645910
internaldb=XXXXXXXX
replicationdb=1961544682

# pk12util -o servercert.p12 -n "Server-Cert cert-pki-tomcat" -d .
Enter Password or Pin for "NSS Certificate DB":<use "internal" passwd>
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL

# pk12util -o casigningcert.p12 -n "caSigningCert cert-pki-tomcat CA" -d .
Enter Password or Pin for "NSS Certificate DB":<use "internal" passwd>
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL

# pk12util -o ocspsigningcert.p12 -n "ocspSigningCert cert-pki-tomcat CA" -d .
Enter Password or Pin for "NSS Certificate DB":<use "internal" passwd>
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL

# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

# pk12util -i servercert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

# pk12util -i casigningcert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

# pk12util -i ocspsigningcert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-tomcat                                  u,u,u
caSigningCert cert-pki-tomcat CA                             u,u,u
ocspSigningCert cert-pki-tomcat CA                           u,u,u

# certutil -M -n "ocspSigningCert cert-pki-tomcat CA" -t "CTu,Cu,Cu" -d /etc/httpd/alias/

# certutil -M -n "caSigningCert cert-pki-tomcat CA" -t "CTu,Cu,Cu" -d /etc/httpd/alias/

# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-tomcat                                  u,u,u
caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
ocspSigningCert cert-pki-tomcat CA                           CTu,Cu,Cu


#  wget -O 'MasterCRL.bin' -d 'http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL'

# crlutil -L -d /etc/httpd/alias


CRL names                                CRL Type

# crlutil -I -i MasterCRL.bin -d /etc/httpd/alias/

# crlutil -L -d /etc/httpd/alias

CRL names                                CRL Type

caSigningCert cert-pki-tomcat CA         CRL

===============================================================================

# cat /etc/httpd/conf.d/revocator.conf 

#   CRL Engine Switch:
#   Enable/Disable CRL retrieval

#CRLEngine off
CRLEngine on

#   CRL Age Check Switch:
#   Shut the server down if a CRL expires
#CRLAgeCheck off
CRLAgeCheck on

#   CRL Update Critical Switch:
#   Shut the server down if a CRL cannot be retrieved
CRLUpdateCritical off

#   CRL Helper:
#   This helper program does the actual CRL retrieval
#
#   NOTE:  Located at '/usr/bin/crlhelper' prior to 'mod_revocator-1.0.3-16'.
#
CRLHelper /usr/libexec/crlhelper

#   CRL URLs:
#   A space delimited list of URLs to retrieve and install.
#        protocol://urldata;update_interval;max_age
#CRLFile "ldap://ldap.example.com:5000/o=example.net?usercertificate%3binary?sub?(sn=Jensen)??;30;30"
#CRLFile "exec:///usr/sbin/ldapget|ldap://ldap.example.com:3389/o=example.com?userCertificate%3bbinary?sub?(uid=crl)??;30;30"
#CRLFile "https://ca.example.com:1025/getCRL?op=getCRL&issuepoint=MasterCRL;30;30"
CRLFile "http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;2;2"

# systemctl start httpd.service

# cat /var/log/httpd/error_log
. . .
[Wed Mar 26 11:59:17.088015 2014] [:info] [pid 23658] Using nickname Server-Cert cert-pki-tomcat.
[Wed Mar 26 11:59:17.098304 2014] [:info] [pid 23659] Configuring server for SSL protocol
[Wed Mar 26 11:59:17.098745 2014] [:debug] [pid 23659] nss_engine_init.c(684): NSSProtocol:  Enabling SSL3
[Wed Mar 26 11:59:17.098793 2014] [:debug] [pid 23659] nss_engine_init.c(697): NSSProtocol:  Enabling TLSv1.0
[Wed Mar 26 11:59:17.098801 2014] [:debug] [pid 23659] nss_engine_init.c(702): NSSProtocol:  Enabling TLSv1.1
[Wed Mar 26 11:59:17.098810 2014] [:debug] [pid 23659] nss_engine_init.c(751): NSSProtocol:  [SSL 3.0] (minimum)
[Wed Mar 26 11:59:17.098817 2014] [:debug] [pid 23659] nss_engine_init.c(778): NSSProtocol:  [TLS 1.1] (maximum)
[Wed Mar 26 11:59:17.098861 2014] [:debug] [pid 23659] nss_engine_init.c(983): NSSCipherSuite:  Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Wed Mar 26 11:59:17.098954 2014] [:info] [pid 23659] Using nickname Server-Cert cert-pki-tomcat.
[Wed Mar 26 11:59:17.242709 2014] [:info] [pid 23657] Successfully downloaded CRL at URL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=CA Signing Certificate,O=example.com Security Domain, lastupdate = Wed Mar 26 11:56:20 2014, nextupdate = Wed Mar 26 13:00:00 2014
[Wed Mar 26 11:59:17.244699 2014] [:info] [pid 23655] Successfully downloaded CRL at URL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=CA Signing Certificate,O=example.com Security Domain, lastupdate = Wed Mar 26 11:56:20 2014, nextupdate = Wed Mar 26 13:00:00 2014
[Wed Mar 26 11:59:17.289130 2014] [:info] [pid 23659] Successfully downloaded CRL at URL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=CA Signing Certificate,O=example.com Security Domain, lastupdate = Wed Mar 26 11:56:20 2014, nextupdate = Wed Mar 26 13:00:00 2014
[Wed Mar 26 11:59:17.296997 2014] [:info] [pid 23656] Successfully downloaded CRL at URL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=CA Signing Certificate,O=example.com Security Domain, lastupdate = Wed Mar 26 11:56:20 2014, nextupdate = Wed Mar 26 13:00:00 2014
[Wed Mar 26 11:59:17.310850 2014] [:info] [pid 23658] Successfully downloaded CRL at URL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=CA Signing Certificate,O=example.com Security Domain, lastupdate = Wed Mar 26 11:56:20 2014, nextupdate = Wed Mar 26 13:00:00 2014
[Wed Mar 26 11:59:17.462193 2014] [:notice] [pid 23656] Revocation subsystem initialized 2
[Wed Mar 26 11:59:17.462201 2014] [:notice] [pid 23655] Revocation subsystem initialized 2
[Wed Mar 26 11:59:17.462458 2014] [:notice] [pid 23659] Revocation subsystem initialized 2
[Wed Mar 26 11:59:17.462841 2014] [:notice] [pid 23657] Revocation subsystem initialized 2
[Wed Mar 26 11:59:17.463012 2014] [:notice] [pid 23658] Revocation subsystem initialized 2

# date
Wed Mar 26 12:29:47 PDT 2014

# ps -ef | grep httpd
root     23652     1  0 11:59 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
root     23653 23652  0 11:59 ?        00:00:00 /usr/libexec/nss_pcache 3276812 off /etc/httpd/alias
root     23654 23652  0 11:59 ?        00:00:00 /usr/libexec/crlhelper 3309581 23652 /etc/httpd/alias
apache   23655 23652  0 11:59 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache   23656 23652  0 11:59 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache   23657 23652  0 11:59 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache   23658 23652  0 11:59 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache   23659 23652  0 11:59 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
root     24985 14384  0 12:37 pts/0    00:00:00 grep --color=auto httpd

# date
Wed Mar 26 13:00:01 PDT 2014

Since my MasterCRL was from a running Dogtag CA, I VERIFIED that my CRL had been updated at 13:00:

    Certificate Revocation List: 
            Data: 
                Signature Algorithm: SHA256withRSA
                Issuer: CN=CA Signing Certificate,O=example.com Security Domain
                This Update: Wednesday, March 26, 2014 1:00:00 PM PDT America/Los_Angeles
                Next Update: Wednesday, March 26, 2014 5:00:00 PM PDT America/Los_Angeles

# date
Wed Mar 26 13:08:28 PDT 2014

    I saw no change in the httpd error_log at this time
    (e. g. - no new CRL was fetched).

# date -s "+20 days"
Tue Apr 15 13:27:38 PDT 2014

# cat /var/log/httpd/error_log
[Tue Apr 15 13:27:38.296431 2014] [:error] [pid 23655] CRL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=CA Signing Certificate,O=example.com Security Domain is outdated. Shutting down server pid 23652
[Tue Apr 15 13:27:38.434729 2014] [:error] [pid 23659] Error updating CRL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=CA Signing Certificate,O=example.com Security Domain : Unable to decode DER CRL
[Tue Apr 15 13:27:38.436722 2014] [:error] [pid 23656] CRL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=CA Signing Certificate,O=example.com Security Domain is outdated. Shutting down server pid 23652
[Tue Apr 15 13:27:38.437273 2014] [:error] [pid 23657] Error updating CRL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=CA Signing Certificate,O=example.com Security Domain : Unable to decode DER CRL
[Tue Apr 15 13:27:38.444559 2014] [:error] [pid 23658] CRL http://pki-rhel7.example.com:8080/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=CA Signing Certificate,O=example.com Security Domain is outdated. Shutting down server pid 23652
[Tue Apr 15 13:27:38.527429 2014] [core:info] [pid 23652] AH00096: removed PID file /run/httpd/httpd.pid (pid=23652)
[Tue Apr 15 13:27:38.527546 2014] [mpm_prefork:notice] [pid 23652] AH00169: caught SIGTERM, shutting down
[Tue Apr 15 13:27:38.537851 2014] [:info] [pid 23652] Shutting down SSL Session ID Cache

# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: inactive (dead)

Mar 26 10:46:57 pki-rhel7.example.com systemd[1]: Stopping The Apache ...
Mar 26 10:46:58 pki-rhel7.example.com systemd[1]: Stopped The Apache H...
Mar 26 10:52:33 pki-rhel7.example.com systemd[1]: Starting The Apache ...
Mar 26 10:52:33 pki-rhel7.example.com systemd[1]: Started The Apache H...
Mar 26 10:56:49 pki-rhel7.example.com systemd[1]: Stopping The Apache ...
Mar 26 10:56:50 pki-rhel7.example.com systemd[1]: Stopped The Apache H...
Mar 26 10:57:19 pki-rhel7.example.com systemd[1]: Starting The Apache ...
Mar 26 10:57:20 pki-rhel7.example.com systemd[1]: Started The Apache H...
Mar 26 11:59:15 pki-rhel7.example.com systemd[1]: Starting The Apache ...
Mar 26 11:59:16 pki-rhel7.example.com systemd[1]: Started The Apache H...
Hint: Some lines were ellipsized, use -l to show in full.

# ps -ef | grep httpd
root     27431 14384  0 13:49 pts/0    00:00:00 grep --color=auto httpd

Note that I witnessed correct operation, albeit I obtained my MasterCRL from a running Dogtag CA on RHEL 7 rather than an IPA installation.
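
Comment 7 walks through importing the DER CRL with crlutil and then watching the age check fire after the clock jump. As an added example, not code from mod_revocator or from this report, here is the decision that check reduces to: pull thisUpdate and nextUpdate out of a DER CertificateList and compare nextUpdate against the current time. Everything is standard-library Python. The sample CRL is constructed inside the block with a tiny DER encoder, carries a placeholder all-zero signature and must not be taken as verifiable, and its times mirror the first fetch in the report (the report's IST times are treated as UTC here). Treating a CRL with no nextUpdate as never expiring, and all function names, are my assumptions rather than mod_revocator's documented behaviour.

```python
from datetime import datetime, timezone

# --- minimal DER encoder, used only to build the constructed sample CRL ---------
def _tlv(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # OID 1.2.840.113549.1.1.11
_CN = bytes.fromhex("550403")                      # OID 2.5.4.3 (commonName)

def _time(dt, generalized):
    if generalized:
        return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())   # GeneralizedTime
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())       # UTCTime

def build_sample_crl(this_update, next_update=None, generalized=False):
    """Constructed CertificateList (RFC 5280 s5.1): version v2, empty revocation
    list, placeholder all-zero signature. Good for time parsing, NOT verifiable."""
    alg = _tlv(0x30, _tlv(0x06, _SHA256_RSA) + _tlv(0x05, b""))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _CN) +
                                        _tlv(0x0C, b"Certificate Authority"))))
    tbs = _tlv(0x02, b"\x01") + alg + issuer + _time(this_update, generalized)
    if next_update is not None:
        tbs += _time(next_update, generalized)
    sig = _tlv(0x03, b"\x00" + bytes(32))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + sig)

# --- minimal DER reader: just enough to reach thisUpdate / nextUpdate ----------
def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos] -> (tag, value, position after it).
    Single-byte tags only; a CRL's outer structure never needs more."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[start:end], end

def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_time(tag, val):
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError("expected UTCTime or GeneralizedTime, got tag 0x%02x" % tag)
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_times(der):
    """(thisUpdate, nextUpdate or None) from a DER CertificateList.
    Walks: SEQUENCE { tbsCertList SEQUENCE { [version] signature issuer
    thisUpdate [nextUpdate] ... } ... }; the signature is not checked."""
    tag, body, _ = _read_tlv(der, 0)
    tbs_tag, tbs, _ = _read_tlv(body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("Unable to decode DER CRL")
    fields = _children(tbs)
    i = 1 if fields and fields[0][0] == 0x02 else 0          # optional version INTEGER
    if len(fields) < i + 3 or fields[i][0] != 0x30 or fields[i + 1][0] != 0x30:
        raise ValueError("Unable to decode DER CRL")          # signature, issuer
    i += 2
    this_update = _decode_time(*fields[i])
    i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _decode_time(*fields[i])
    return this_update, next_update

def crl_is_outdated(der, now):
    """The CRLAgeCheck decision: True once `now` is past nextUpdate.
    Assumption (mine): a CRL that carries no nextUpdate never expires."""
    _, next_update = crl_times(der)
    return next_update is not None and now > next_update

# Constructed to mirror the first fetch in this report (IST taken as UTC).
THIS_UPDATE = datetime(2014, 3, 24, 17, 0, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2014, 3, 24, 21, 0, tzinfo=timezone.utc)
SAMPLE_CRL = build_sample_crl(THIS_UPDATE, NEXT_UPDATE)
FRESH_NOW = datetime(2014, 3, 24, 17, 20, tzinfo=timezone.utc)
STALE_NOW = datetime(2014, 4, 13, 17, 20, tzinfo=timezone.utc)    # after `date -s "+20 days"`

if __name__ == "__main__":
    print("thisUpdate/nextUpdate:", crl_times(SAMPLE_CRL))
    for label, now in (("fresh", FRESH_NOW), ("stale", STALE_NOW)):
        print(label, "->", "outdated, would shut down" if crl_is_outdated(SAMPLE_CRL, now) else "current")
```

Fed the bytes of a real `MasterCRL.bin` (the wget output above), `crl_times` decodes only what it needs and raises ValueError on truncated input, which is the situation the "Unable to decode DER CRL" log lines describe. Signature verification is deliberately out of scope here; an age check without a signature check is only meaningful once the CRL has been validated against the issuing CA.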

Comment 8 Matthew Harmsen 2014-03-26 22:06:10 UTC
Kaleem,

Per comment #7 above, since this scenario actually worked for me, could you re-test verifying that you have the same versions of all of these components?

Thanks,
-- Matt

Comment 9 Kaleem 2014-03-27 08:03:35 UTC
Matthew,

I obtained the CRL from an IPA-based installation and the issue is still reproducible at my end.

[root@mclient ~]# rpm -q httpd nss mod_nss mod_revocator systemd kernel
httpd-2.4.6-17.el7.x86_64
nss-3.15.4-6.el7.x86_64
mod_nss-1.0.8-32.el7.x86_64
mod_revocator-1.0.3-19.el7.x86_64
systemd-208-9.el7.x86_64
kernel-3.10.0-113.el7.x86_64
kernel-3.10.0-114.el7.x86_64
[root@mclient ~]# 

[root@mclient ~]# tail /var/log/httpd/error_log
[Thu Mar 27 12:47:36.033148 2014] [:info] [pid 10129] Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Thu Mar 27 12:22:41 2014, nextupdate = Thu Mar 27 13:00:00 2014
[Thu Mar 27 12:47:36.033689 2014] [:notice] [pid 10129] Revocation subsystem initialized 2
[Wed Apr 16 12:48:11.059259 2014] [:debug] [pid 10128] mod_rev.c(289): Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Thu Mar 27 12:22:41 2014, nextupdate = Thu Mar 27 13:00:00 2014
[Wed Apr 16 12:48:11.059299 2014] [:error] [pid 10128] CRL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,O=TESTRELM.TEST is outdated. Shutting down server pid 10124
[root@mclient ~]#

Comment 10 Kaleem 2014-03-27 08:55:29 UTC
I tried on a different VM where, in the first attempt, I got the expected result (httpd down when an expired CRL is fetched), but the ssh connection got disconnected and the IP of the VM changed.

In the second attempt, I am able to reproduce the issue.

[root@dhcp207-42 ~]# rpm -q httpd nss mod_nss mod_revocator systemd kernel
httpd-2.4.6-17.el7.x86_64
nss-3.15.4-6.el7.x86_64
mod_nss-1.0.8-32.el7.x86_64
mod_revocator-1.0.3-19.el7.x86_64
systemd-208-9.el7.x86_64
kernel-3.10.0-115.el7.x86_64
[root@dhcp207-42 ~]# 

1st attempt
===========

[Wed Apr 16 16:46:23.740458 2014] [:debug] [pid 10178] mod_rev.c(289): Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Thu Mar 27 13:00:00 2014, nextupdate = Thu Mar 27 17:00:00 2014
[Wed Apr 16 16:46:23.740477 2014] [:error] [pid 10178] CRL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,O=TESTRELM.TEST is outdated. Shutting down server pid 10173
[Wed Apr 16 16:46:23.751469 2014] [:error] [pid 10177] Error updating CRL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,O=TESTRELM.TEST : No CRL data found on server
[Wed Apr 16 16:46:23.763377 2014] [:debug] [pid 10179] mod_rev.c(289): Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Thu Mar 27 13:00:00 2014, nextupdate = Thu Mar 27 17:00:00 2014
[Wed Apr 16 16:46:23.763397 2014] [:error] [pid 10179] CRL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,O=TESTRELM.TEST is outdated. Shutting down server pid 10173
[Wed Apr 16 16:46:23.853083 2014] [core:info] [pid 10173] AH00096: removed PID file /run/httpd/httpd.pid (pid=10173)
[Wed Apr 16 16:46:23.853155 2014] [mpm_prefork:notice] [pid 10173] AH00169: caught SIGTERM, shutting down
[Wed Apr 16 16:46:23.863377 2014] [:info] [pid 10173] Shutting down SSL Session ID Cache



2nd attempt
===========

[root@dhcp207-42 ~]# tail /var/log/httpd/error_log 
...
[Wed Apr 16 16:50:28.752422 2014] [:debug] [pid 10341] mod_rev.c(289): Successfully downloaded CRL at URL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,O=TESTRELM.TEST, lastupdate = Thu Mar 27 13:00:00 2014, nextupdate = Thu Mar 27 17:00:00 2014
[Wed Apr 16 16:50:28.752473 2014] [:error] [pid 10341] CRL http://master.testrelm.test:80/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,O=TESTRELM.TEST is outdated. Shutting down server pid 10336
[root@dhcp207-42 ~]#


[root@dhcp207-42 ~]# date;service httpd status
Wed Apr 16 16:53:30 IST 2014
Redirecting to /bin/systemctl status  httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Thu 2014-03-27 16:50:17 IST; 2 weeks 6 days ago
 Main PID: 10336 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─10336 /usr/sbin/httpd -DFOREGROUND
           ├─10337 /usr/libexec/nss_pcache 425988 off /etc/httpd/alias
           ├─10338 /usr/libexec/crlhelper 458757 10336 /etc/httpd/alias
           ├─10339 /usr/sbin/httpd -DFOREGROUND
           ├─10340 /usr/sbin/httpd -DFOREGROUND
           ├─10341 /usr/sbin/httpd -DFOREGROUND
           ├─10342 /usr/sbin/httpd -DFOREGROUND
           └─10343 /usr/sbin/httpd -DFOREGROUND

Mar 27 16:50:16 dhcp207-42.lab.eng.pnq.redhat.com systemd[1]: Starting The Apache HTTP Server...
Mar 27 16:50:17 dhcp207-42.lab.eng.pnq.redhat.com httpd[10336]: AH00557: httpd: apr_sockaddr_info_get() failed for dhcp207-42.lab.eng.pnq.redhat.com
Mar 27 16:50:17 dhcp207-42.lab.eng.pnq.redhat.com httpd[10336]: AH00558: httpd: Could not reliably determine the server's fully qualified domain na...message
Mar 27 16:50:17 dhcp207-42.lab.eng.pnq.redhat.com systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@dhcp207-42 ~]#

Comment 19 Matthew Harmsen 2018-04-16 20:43:07 UTC
Rob was unable to reproduce this issue.

As the mod_revocator component is being deprecated in the next major release of RHEL, and since there is simply not strong enough demand for fixing this issue in RHEL 7.x, it has been determined that this bug will be CLOSED WONTFIX at this point in time.

