Red Hat Bugzilla – Bug 1169957
curl unable to download url when url is https and environment is dracut
Last modified: 2015-03-05 03:29:17 EST
Description of problem: In dracut, either when running dracut or in dracut shell, curl has error when url specified is https. Error is: (77) Problem with the SSL CA cert (path? access rights?) Specifically, dracut can not download updates.img from fedorapeople.org location when that is specified on kernel command line. The same error when calling curl directly from the dracut shell. The same error when passing curl the -k, --insecure option. This all occurs when booting a virtual machine using current and second most recent RHEL7 isos. The problem is absent in iso from September 30. Using curl not from dracut shell or not within dracut allows downloading https url. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: boot from December 2 RHEL7 iso. At kernel command line, specify inst.updates=https:<something>. See failure to obtain updates img in dracut and eventual timeout. Also try w/ rd.noverifyssl, same problem. At dracut prompt, try: curl https://.... curl -k https://... with same failure. Try curl http://... with success. THEN boot as before but do not specify updates img. Connect to network on anaconda network spoke. Switch to terminal. curl https://... curl -k https://... seem to both work. Actual results: Failure to download anything at https URL when in dracut environment. Expected results: Not failure to download when in dracut environment. Additional info:
I don't have any of these problems with http://download.devel.redhat.com/nightly/RHEL-7.1-20141118.n.2/compose/Server/x86_64/os/images/pxeboot/initrd.img Can you point me to a pxeboot/initrd.img which has the problem?
The problems occurred when I tried booting from the iso at: http://download.devel.redhat.com/nightly/RHEL-7.1-20141201.n.0/compose/Server/x86_64/iso/ and http://download.devel.redhat.com/nightly/RHEL-7.1-20141128.n.0/compose/Server/x86_64/iso/.
strace reports curl is trying to open libfreeblpriv3.so which does not exist in most recent initrd.
And I've independently reproduced it with the 11/30 nightly and my local self-signed cert setup so something in the initrd has clearly changed in recent builds.
So, it's not only in fips mode as described in bug 1165603
correct, no FIPS involved in my tests.
I think the best way is to undo bug 1165603 and ship the module install as part of nss-softokn as in the RHEL-6.6.z package. (And of course the same needs to be done in Fedora when the nss change gets there.)
Yes, clearly libfreeblpriv3.so needs to be added to dracut, and softokn is the right place to do it. Adding blocker flag, as soon as both blocker and qa_ack gets set I can check in the patch. bob
Yes.
nss-softokn-3.16.2.3-4.el7
I'm encountering the identical problem as before with image from 2014 December 12 which has nss-softokn-3.15.2.3-4.el7 package.
Still failing with nss-softokn-3.16.2.3-4.
The Description states "The problem is absent in iso from September 30" Looking at nss-softokn.spec file %changelog history the release closest and before that date would be * Wed Nov 05 2014 Robert Relyea <rrelyea@redhat.com> 3.16.2-12 The brew build still available is nss-softokn-3.16.2-6.sa1.4 whose .srpm I download and extracted to compare with current. I want to test the suspicion that the problem could be caused by a patch being dropped or stop being by applied mistake. Things like that have happened before. My steps Compare nss-softokn.spec from old that works to current that doesn't. $ diff -u nss-softokn-3.16.2-6.sa1.4.src/nss-softokn.spec rhel-7.1/nss-softokn.spec > softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch My analysis in two parts is this: $ grep Patch softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch Patch1: build-nss-softoken-only.patch Patch10: iquote.patch Patch11: nss-softokn-allow-level1.patch -Patch12: cve-2014-1568-softokn.patch -- obsoleted by rebase to 3.16.2.3 +Patch12: additional-covscan-fixes.patch -- is now Patch200 Patch82: nss-softokn-3.16-fips-rem-old-test.patch Patch83: nss-softokn-3.16-lowhash-test.patch Patch90: nss-softokn-3.16-addG.patch -Patch100: nss-softokn-3.16-fipstest.patch +Patch94: nss-softokn-3.16-rsa-fips-186.patch +Patch95: nss-softokn-3.16-ppc-no-init_support.patch +Patch97: nss-softokn-3.16-add_encrypt_derive.patch +Patch98: nss-softokn-3.16.allow_level1_init.patch +Patch99: nss-softokn-3.16-fips_user_slots.patch +Patch100: nss-softokn-3.16-block-sigchld.patch +Patch200: nss-softokn-3.16-fipstest.patch +Patch201: nss-softokn-3.16-fipstest-186-4.patch +Patch202: nss-softokn-fix-error-handling.patch +Patch203: nss-softokn-3.16-freebl_dyload.patch +Patch204: limit-create-fipscheck.patch grep patch softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch %patch1 -p0 -b .softokenonly %patch8 -p0 -b .crypto -%patch10 -p0 -b .iquote -- enabled only when rebase brings new APIS +#%patch10 -p0 -b .iquote -- this not currently the case %patch11 -p0 -b .allow_level1 -%patch12 -p1 -b .cve_2014-1568 %patch80 -p0 -b .fips-post %patch82 -p0 -b .rm-old-test %patch83 -p0 -b .lowhash-test %patch90 -p0 -b .addG -%patch100 -p0 -b .fipstest -- moved to patch200, see below +%patch94 -p1 -b .fips-186-4 +%patch95 -p0 -b .ppc_no_init_support +%patch97 -p0 -b .add_encrypt_derive +%patch98 -p0 -b .allow_level1_init +%patch99 -p0 -b .fips_user_slots +%patch100 -p0 -b .block_sigchld +%patch200 -p0 -b .fipstest -- used to be patch100, see above +%patch201 -p0 -b .fipstest-186-4 +%patch202 -p0 -b .1154764 +%patch203 -p0 -b .freebl-dyload +%patch204 -p0 -b .limit_create_fips_check +%patch12 -p0 -b .1154764extras To summarize: Patch12: removed on account of the rebase to nss-3.16.2.3 Patch10 became unapplied for reasons stated above for iquote Patch100 moved to Patch200 after the reorording of patches I don't see any patch whose removal I cannot justify.
The 'patch' I meant would have been a patch to the .spec file. I see that it's still there. The problem turned out to be a RHEL-6/RHEL-7 issue. The patch uses RHEL-6 dracut config syntax rather than RHEL-7 dracut config syntax. It was working on my machine because I had hacked the fips dracut config earlier. nss-softokn-3.15.2.3-7.el7 should have the updated nss-softokn dracut config file (stored in the correct place) once it completes. A quick check if dracut has the right config is to do lsinitrd | grep libfreebl. You should see libfreebl3.so libfreebl3.chk libfreeblpriv3.so and libfreeblpriv3.chk. If you only see libfreebl3.so, then the config isn't correct yet. bob
switch_root:/# find -name libfreebl* ./sysroot/usr/lib64/libfreebl3.chk ./sysroot/usr/lib64/libfreeblpriv3.so ./sysroot/usr/lib64/libfreebl3.so ./sysroot/usr/lib64/libfreeblpriv3.chk ./usr/lib64/libfreebl3.so
so libfreeblpriv3.so is not available, should be in /usr/lib64/ to work.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0364.html