Bug 451960 - mod_nss no longer starts
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: mod_nss
Version: 8
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-18 08:31 EDT by Thomas Sailer
Modified: 2011-01-17 09:35 EST
Fixed In Version: mod_nss-1.0.7-4.fc8
Doc Type: Bug Fix
Last Closed: 2008-06-18 22:51:17 EDT
Description Thomas Sailer 2008-06-18 08:31:37 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.5 (like Gecko) Fedora/4.0.5-2.fc9

Description of problem:
SSL with my apache httpd (configured to use mod_nss) no longer works since this
update. It worked before. The certificate database was created by the IPA
installation script roughly half a year ago. It seems to be ok:

# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,C
Server-Cert                                                  u,u,u
Signing-Cert                                                 u,u,u

# certutil -V -d /etc/httpd/alias/ -n "Server-Cert" -u V
certutil: certificate is valid

I can still connect using plain http. However, when I try to connect to the
webserver with https, I get the following in /var/log/httpd/error_log:

[Wed Jun 18 14:19:57 2008] [error] SSL Library Error: -12215 MD5 digest function
failed

On the client side:
$ curl -v https://xx.com/fedora/
* About to connect() to xx.com port 443 (#0)
*   Trying 192.168.1.2... connected
* Connected to xx.com (192.168.1.2) port 443 (#0)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error


Version-Release number of selected component (if applicable):
nss-3.12.0.3-0.8.1.fc8

How reproducible:
Always


Steps to Reproduce:
1. Install IPA server
2. Try to connect to it using https


Actual Results:
SSL connect error

Expected Results:
IPA GUI should be displayed.

Additional info:
Comment 1 Thomas Sailer 2008-06-18 08:38:02 EDT
And yes, downgrading to nss-3.11.7-10.fc8, nss-devel-3.11.7-10.fc8, and nss-
functionality.
Comment 2 Kai Engert (:kaie) 2008-06-18 17:34:54 EDT
changing component to mod_nss
Comment 3 Rob Crittenden 2008-06-18 18:04:04 EDT
Thomas, can you try this build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=669540
Comment 4 Thomas Sailer 2008-06-18 18:54:01 EDT
with:
mod_nss-1.0.7-3.fc8
nss-3.12.0.3-0.8.1.fc8
I get the following in /var/log/httpd/error_log:
[Thu Jun 19 00:47:40 2008] [error] NSS_Initialize failed. Certificate
database:/etc/httpd/alias.
[Thu Jun 19 00:47:40 2008] [error] SSL Library Error: -8038
SEC_ERROR_NOT_INITIALIZED
i.e. does not work.

nss-3.11.7-10.fc8 & mod_nss-1.0.7-3.fc8 does not work either.

mod_nss-1.0.7-2.fc8 & nss-3.11.7-10.fc8 works.
Comment 5 Rob Crittenden 2008-06-18 22:29:50 EDT
This is probably a permissions issue.

The NSS database now needs to be readable by the user apache (the default user
of httpd).

/etc/httpd/alias/*.db should be owned by root:apache and mode 0640

I missed updating that in the .spec file. A new spin will be coming soon but
chmod and chgrp should get you going again.
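
Added example, not part of the original comment or of mod_nss: a shell check that audits the database files against the ownership and mode given in comment 5. The function name audit_nss_db and the OK/TOO-OPEN/MISMATCH labels are made up for this illustration, and a stat that supports -c (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes GNU or BusyBox stat (-c).
# Audits the *.db files of an NSS database directory against comment 5:
# owner root, group apache, mode 0640.
#
# audit_nss_db DIR [OWNER] [GROUP] [MODE]
#   exit status 0: every file matches
#   exit status 1: at least one file deviates
#   exit status 2: DIR contains no *.db files
# The body runs in a subshell, so its variables stay local and "exit" only
# ends the function call.
audit_nss_db() (
    dir=$1 owner=${2:-root} group=${3:-apache} mode=${4:-640}
    bad=0 seen=0
    for f in "$dir"/*.db; do
        [ -e "$f" ] || continue            # unmatched glob stays literal
        seen=1
        actual=$(stat -c '%a %U %G' "$f")
        perms=${actual%% *}
        other=${perms#"${perms%?}"}        # last octal digit: "other" bits
        if [ "$actual" = "$mode $owner $group" ]; then
            echo "OK        $f ($actual)"
        elif [ "$other" != 0 ]; then
            # Accessible to every local user; the directory holds the
            # server's private key, so this is not an acceptable fix.
            echo "TOO-OPEN  $f ($actual)"
            bad=1
        else
            # Owner, group or mode differs; httpd running as apache may be
            # unable to open the database, as in this report.
            echo "MISMATCH  $f ($actual, want $mode $owner $group)"
            bad=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "no *.db files in $dir" >&2
        exit 2
    fi
    exit "$bad"
)

# Audit the path from the report when it exists on this host.
if [ -d /etc/httpd/alias ]; then
    audit_nss_db /etc/httpd/alias ||
        echo "repair per comment 5: chgrp apache /etc/httpd/alias/*.db; chmod 0640 /etc/httpd/alias/*.db"
fi
```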
Comment 6 Rob Crittenden 2008-06-18 22:51:17 EDT
Checking in mod_nss.spec;
/cvs/extras/rpms/mod_nss/F-8/mod_nss.spec,v  <--  mod_nss.spec
new revision: 1.9; previous revision: 1.8
done
Comment 7 Fedora Update System 2008-06-18 22:58:59 EDT
mod_nss-1.0.7-4.fc8 has been submitted as an update for Fedora 8
Comment 8 Thomas Sailer 2008-06-19 02:09:20 EDT
Indeed, it was the permissions issue. It now works, thanks.
Comment 9 Fedora Update System 2008-06-20 15:09:03 EDT
mod_nss-1.0.7-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Scott Weigand 2011-01-17 09:26:35 EST
FYI: I applied Release 6 of RHEL5 this morning and had the permissions error happen.
Comment 11 Rob Crittenden 2011-01-17 09:35:12 EST
You might want to either watch bug 669963 or file a new bug.
