RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1169957 - curl unable to download url when url is https and environment is dracut
Summary: curl unable to download url when url is https and environment is dracut
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss-softokn
Version: 7.1
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Elio Maldonado Batiz
QA Contact: Alicja Kario
URL:
Whiteboard:
Depends On:
Blocks: 717789 1112660 1116858 1187501
TreeView+ depends on / blocked
 
Reported: 2014-12-02 20:55 UTC by mulhern
Modified: 2015-03-05 08:29 UTC (History)
12 users (show)

Fixed In Version: nss-softokn-3.16.2.3-9.el7
Doc Type: Bug Fix
Doc Text:
Cause: Changes to the nss-softokn.spec file to were implemented ussing RHEL-6 dracut configuration syntax by mistake instead of the RHEL-7 that was called for. Consequence: curl users were unable to download url when url was https and environment was dracut Fix: The nss-softokn.spec file now to uses the correct RHEL-7 syntax. Result: users using dracut can now use curl to download https URL's.
Clone Of:
Environment:
Last Closed: 2015-03-05 08:29:17 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0364 0 normal SHIPPED_LIVE nss, nss-softokn, nss-util, and nspr bug fix and enhancement update 2015-03-05 12:51:43 UTC

Description mulhern 2014-12-02 20:55:58 UTC 
Description of problem:

In dracut, either when running dracut or in dracut shell, curl has error when url specified is https. Error is:
(77) Problem with the SSL CA cert (path? access rights?)
Specifically, dracut can not download updates.img from fedorapeople.org location when that is specified on kernel command line.
The same error when calling curl directly from the dracut shell.
The same error when passing curl the -k, --insecure option.

This all occurs when booting a virtual machine using current and second most recent RHEL7 isos. The problem is absent in iso from September 30.

Using curl not from dracut shell or not within dracut allows downloading https url.

Version-Release number of selected component (if applicable):


How reproducible:

Always



Steps to Reproduce:

boot from December 2 RHEL7 iso. At kernel command line, specify inst.updates=https:<something>. See failure to obtain updates img in dracut and eventual timeout. Also try w/ rd.noverifyssl, same problem.

At dracut prompt, try:
curl https://....
curl -k https://...
with same failure.

Try

curl http://...

with success.

THEN

boot as before but do not specify updates img.
Connect to network on anaconda network spoke.
Switch to terminal.
curl https://...
curl -k https://...
seem to both work.

Actual results:

Failure to download anything at https URL when in dracut environment.

Expected results:

Not failure to download when in dracut environment.

Additional info:
Comment 2 Harald Hoyer 2014-12-03 14:25:53 UTC 
I don't have any of these problems with 

http://download.devel.redhat.com/nightly/RHEL-7.1-20141118.n.2/compose/Server/x86_64/os/images/pxeboot/initrd.img

Can you point me to a pxeboot/initrd.img which has the problem?
Comment 3 mulhern 2014-12-03 16:02:56 UTC 
The problems occurred when I tried booting from the iso at:
http://download.devel.redhat.com/nightly/RHEL-7.1-20141201.n.0/compose/Server/x86_64/iso/
and
http://download.devel.redhat.com/nightly/RHEL-7.1-20141128.n.0/compose/Server/x86_64/iso/.
Comment 4 mulhern 2014-12-03 16:08:00 UTC 
strace reports curl is trying to open libfreeblpriv3.so which does not exist in most recent initrd.
Comment 5 Brian Lane 2014-12-03 16:14:42 UTC 
And I've independently reproduced it with the 11/30 nightly and my local self-signed cert setup so something in the initrd has clearly changed in recent builds.
Comment 6 Harald Hoyer 2014-12-03 16:20:10 UTC 
So, it's not only in fips mode as described in bug 1165603
Comment 7 Brian Lane 2014-12-04 22:09:01 UTC 
correct, no FIPS involved in my tests.
Comment 8 Tomas Mraz 2014-12-05 11:30:17 UTC 
I think the best way is to undo bug 1165603 and ship the module install as part of nss-softokn as in the RHEL-6.6.z package.

(And of course the same needs to be done in Fedora when the nss change gets there.)
Comment 9 Bob Relyea 2014-12-05 19:23:27 UTC 
Yes, clearly libfreeblpriv3.so needs to be added to dracut, and softokn is the right place to do it. Adding blocker flag, as soon as both blocker and qa_ack gets set I can check in the patch.

bob
Comment 11 mulhern 2014-12-09 13:33:18 UTC 
Yes.
Comment 13 Bob Relyea 2014-12-10 23:45:57 UTC 
nss-softokn-3.16.2.3-4.el7
Comment 15 mulhern 2014-12-17 14:55:09 UTC 
I'm encountering the identical problem as before with image from 2014 December 12 which has nss-softokn-3.15.2.3-4.el7 package.
Comment 16 mulhern 2015-01-05 15:45:09 UTC 
Still failing with nss-softokn-3.16.2.3-4.
Comment 17 Elio Maldonado Batiz 2015-01-13 19:51:47 UTC 
The Description states "The problem is absent in iso from September 30"

Looking at nss-softokn.spec file %changelog history the release closest and before that date would be 
* Wed Nov 05 2014 Robert Relyea <rrelyea> 3.16.2-12

The brew build still available is nss-softokn-3.16.2-6.sa1.4 whose .srpm I download and extracted to compare with current. I want to test the suspicion that the problem could be caused by a patch being dropped or stop being by applied mistake. Things like that have happened before. My steps

Compare nss-softokn.spec from old that works to current that doesn't.

$ diff -u nss-softokn-3.16.2-6.sa1.4.src/nss-softokn.spec rhel-7.1/nss-softokn.spec > softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch

My analysis in two parts is this:

$ grep Patch softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch 
 Patch1:            build-nss-softoken-only.patch
 Patch10:           iquote.patch
 Patch11:           nss-softokn-allow-level1.patch
-Patch12: cve-2014-1568-softokn.patch  -- obsoleted by rebase to 3.16.2.3
+Patch12:           additional-covscan-fixes.patch  -- is now  Patch200
 Patch82:	nss-softokn-3.16-fips-rem-old-test.patch
 Patch83:	nss-softokn-3.16-lowhash-test.patch
 Patch90:	nss-softokn-3.16-addG.patch
-Patch100:	nss-softokn-3.16-fipstest.patch
+Patch94:	nss-softokn-3.16-rsa-fips-186.patch
+Patch95:	nss-softokn-3.16-ppc-no-init_support.patch
+Patch97:	nss-softokn-3.16-add_encrypt_derive.patch
+Patch98:	nss-softokn-3.16.allow_level1_init.patch
+Patch99:	nss-softokn-3.16-fips_user_slots.patch
+Patch100:	nss-softokn-3.16-block-sigchld.patch
+Patch200:	nss-softokn-3.16-fipstest.patch
+Patch201:	nss-softokn-3.16-fipstest-186-4.patch
+Patch202:	nss-softokn-fix-error-handling.patch
+Patch203:	nss-softokn-3.16-freebl_dyload.patch
+Patch204:	limit-create-fipscheck.patch        

grep patch softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch
 %patch1 -p0 -b .softokenonly
 %patch8 -p0 -b .crypto
-%patch10 -p0 -b .iquote       -- enabled only when rebase brings new APIS
+#%patch10 -p0 -b .iquote      -- this not currently the case
 %patch11 -p0 -b .allow_level1
-%patch12 -p1 -b .cve_2014-1568
 %patch80 -p0 -b .fips-post
 %patch82 -p0 -b .rm-old-test
 %patch83 -p0 -b .lowhash-test
 %patch90 -p0 -b .addG
-%patch100 -p0 -b .fipstest     -- moved to patch200, see below
+%patch94 -p1 -b .fips-186-4
+%patch95 -p0 -b .ppc_no_init_support
+%patch97 -p0 -b .add_encrypt_derive
+%patch98 -p0 -b .allow_level1_init
+%patch99 -p0 -b .fips_user_slots
+%patch100 -p0 -b .block_sigchld
+%patch200 -p0 -b .fipstest      -- used to be patch100, see above
+%patch201 -p0 -b .fipstest-186-4
+%patch202 -p0 -b .1154764
+%patch203 -p0 -b .freebl-dyload
+%patch204 -p0 -b .limit_create_fips_check
+%patch12 -p0 -b .1154764extras

To summarize:
Patch12: removed on account of the rebase to nss-3.16.2.3
Patch10 became unapplied for reasons stated above for iquote
Patch100 moved to Patch200 after the reorording of patches

I don't see any patch whose removal I cannot justify.
Comment 18 Bob Relyea 2015-01-20 17:04:06 UTC 
The 'patch' I meant would have been a patch to the .spec file. I see that it's still there.

The problem turned out to be a RHEL-6/RHEL-7 issue. The patch uses RHEL-6 dracut config syntax rather than RHEL-7 dracut config syntax. It was working on my machine because I had hacked the fips dracut config earlier.

nss-softokn-3.15.2.3-7.el7 should have the updated nss-softokn dracut config file (stored in the correct place) once it completes.

A quick check if dracut has the right config is to do lsinitrd | grep libfreebl.

You should see libfreebl3.so libfreebl3.chk libfreeblpriv3.so and libfreeblpriv3.chk. If you only see libfreebl3.so, then the config isn't correct yet.

bob
Comment 24 Martin Banas 2015-01-29 10:39:15 UTC 
switch_root:/# find -name libfreebl*
./sysroot/usr/lib64/libfreebl3.chk
./sysroot/usr/lib64/libfreeblpriv3.so
./sysroot/usr/lib64/libfreebl3.so
./sysroot/usr/lib64/libfreeblpriv3.chk
./usr/lib64/libfreebl3.so
Comment 25 Martin Banas 2015-01-29 10:42:05 UTC 
so libfreeblpriv3.so is not available, should be in /usr/lib64/ to work.
Comment 43 errata-xmlrpc 2015-03-05 08:29:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0364.html
Note You need to log in before you can comment on or make changes to this bug.