Red Hat Bugzilla – Bug 451960
mod_nss no longer starts
Last modified: 2011-01-17 09:35:12 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.5 (like Gecko) Fedora/4.0.5-2.fc9
Description of problem:
SSL with my apache httpd (configured to use mod_nss) no longer works since this
update. It worked before. The certificate database was created by the IPA
installation script roughly half a year ago. It seems to be ok:
# certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
CA certificate CT,,C
# certutil -V -d /etc/httpd/alias/ -n "Server-Cert" -u V
certutil: certificate is valid
I can still connect using plain http. However, when I try to connect to the
webserver with https, I get the following in /var/log/httpd/error_log:
[Wed Jun 18 14:19:57 2008] [error] SSL Library Error: -12215 MD5 digest function
On the client side:
$ curl -v https://xx.com/fedora/
* About to connect() to xx.com port 443 (#0)
* Trying 192.168.1.2... connected
* Connected to xx.com (192.168.1.2) port 443 (#0)
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install IPA server
2. Try to connect to it using https
SSL connect error
IPA GUI should be displayed.
And yes, downgrading to nss-3.11.7-10.fc8, nss-devel-3.11.7-10.fc8, and nss-
changing component to mod_nss
Thomas, can you try this build:
I get the following in /var/log/httpd/error_log:
[Thu Jun 19 00:47:40 2008] [error] NSS_Initialize failed. Certificate
[Thu Jun 19 00:47:40 2008] [error] SSL Library Error: -8038
i.e. does not work.
nss-3.11.7-10.fc8 & mod_nss-1.0.7-3.fc8 does not work either.
mod_nss-1.0.7-2.fc8 & nss-3.11.7-10.fc8 works.
This is probably a permissions issue.
The NSS database now needs to be readable by the user apache (the default user
/etc/httpd/alias/*.db should be owned by root:apache and mode 0640
I missed updating that in the .spec file. A new spin will be coming soon but
chmod and chgrp should get you going again.
Checking in mod_nss.spec;
/cvs/extras/rpms/mod_nss/F-8/mod_nss.spec,v <-- mod_nss.spec
new revision: 1.9; previous revision: 1.8
mod_nss-1.0.7-4.fc8 has been submitted as an update for Fedora 8
Indeed, it was the permissions issue. It now works, thanks.
mod_nss-1.0.7-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
FYI: I applied Release 6 of RHEL5 this morning and had the permissions error happen.
You might want to either watch bug 669963 or file a new bug.
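
An added example, not part of the original bug thread or of mod_nss: a shell function that audits the NSS database files against the ownership and mode given in the comments above (root:apache, 0640) and prints the chown/chmod that would correct each mismatch. The function name, its output format and its return codes are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with mod_nss).
# Defaults come from the thread: /etc/httpd/alias/*.db, root:apache, mode 0640.
# Group read lets the apache user open the database without making the
# files, which include the private-key database, world-readable.

# Usage: check_nss_db_perms [DIR] [OWNER] [GROUP] [MODE]
# Returns 0 if every *.db file matches, 1 on any mismatch, 2 if none found.
check_nss_db_perms() {
    _dir=${1:-/etc/httpd/alias}
    _owner=${2:-root}
    _group=${3:-apache}
    _mode=${4:-0640}
    _mode=${_mode#0}                 # stat %a prints 640, not 0640
    _want="$_owner:$_group:$_mode"
    _rc=2

    for _f in "$_dir"/*.db; do
        [ -f "$_f" ] || continue     # unmatched glob or not a regular file
        if [ "$_rc" -eq 2 ]; then _rc=0; fi

        # GNU stat format: %U owner name, %G group name, %a octal mode
        if ! _have=$(stat -c '%U:%G:%a' "$_f"); then
            echo "ERR  $_f: cannot stat"
            _rc=1
            continue
        fi

        if [ "$_have" = "$_want" ]; then
            echo "OK   $_f ($_have)"
        else
            echo "FIX  $_f is $_have, expected $_want"
            echo "     chown $_owner:$_group '$_f' && chmod 0$_mode '$_f'"
            _rc=1
        fi
    done
    return "$_rc"
}

# Typical call on a host like the one in this report (run as root):
#   check_nss_db_perms /etc/httpd/alias
```

Running it after each nss or mod_nss package update shows whether the update reset the database permissions before httpd fails to initialize NSS.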