From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.5 (like Gecko) Fedora/4.0.5-2.fc9

Description of problem:
SSL with my apache httpd (configured to use mod_nss) no longer works since this update. It worked before. The certificate database was created by the IPA installation script roughly half a year ago. It seems to be ok:

# certutil -L -d /etc/httpd/alias/
Certificate Nickname        Trust Attributes
                            SSL,S/MIME,JAR/XPI
CA certificate              CT,,C
Server-Cert                 u,u,u
Signing-Cert                u,u,u

# certutil -V -d /etc/httpd/alias/ -n "Server-Cert" -u V
certutil: certificate is valid

I can still connect using plain http. However, when I try to connect the webserver with https, I get the following in /var/log/httpd/error_log:

[Wed Jun 18 14:19:57 2008] [error] SSL Library Error: -12215 MD5 digest function failed

On the client side:

$ curl -v https://xx.com/fedora/
* About to connect() to xx.com port 443 (#0)
* Trying 192.168.1.2... connected
* Connected to xx.com (192.168.1.2) port 443 (#0)
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Version-Release number of selected component (if applicable):
nss-3.12.0.3-0.8.1.fc8

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server
2. Try to connect it using https

Actual Results:
SSL connect error

Expected Results:
IPA GUI should be displayed.

Additional info:
And yes, downgrading to nss-3.11.7-10.fc8, nss-devel-3.11.7-10.fc8, and nss- functionality.
changing component to mod_nss
Thomas, can you try this build: http://koji.fedoraproject.org/koji/taskinfo?taskID=669540
with:
mod_nss-1.0.7-3.fc8
nss-3.12.0.3-0.8.1.fc8

I get the following in /var/log/httpd/error_log:

[Thu Jun 19 00:47:40 2008] [error] NSS_Initialize failed. Certificate database:/etc/httpd/alias.
[Thu Jun 19 00:47:40 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED

i.e. does not work.

nss-3.11.7-10.fc8 & mod_nss-1.0.7-3.fc8 does not work either.
mod_nss-1.0.7-2.fc8 & nss-3.11.7-10.fc8 works.
This is probably a permissions issue. The NSS database now needs to be readable by the user apache (the default user of httpd). /etc/httpd/alias/*.db should be owned by root:apache and mode 0640. I missed updating that in the .spec file. A new spin will be coming soon, but chmod and chgrp should get you going again.
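The ownership and mode requirement from the comment above, written as a check (an added example, not part of the original bug thread or of mod_nss). The function name audit_nss_db is hypothetical, and GNU stat is assumed; the defaults are the path, owner, group and mode given in the thread.

```shell
#!/bin/sh
# Audit NSS database files against the ownership and mode stated in the
# thread: /etc/httpd/alias/*.db owned by root:apache, mode 0640.
# Usage: audit_nss_db [DIR] [OWNER] [GROUP] [MODE]
# Returns 0 if every *.db file matches, 1 on any deviation,
# 2 if the directory contains no *.db files at all.
audit_nss_db() {
    dir=${1:-/etc/httpd/alias}
    want_owner=${2:-root}
    want_group=${3:-apache}
    want_mode=${4:-0640}
    want_mode=${want_mode#0}        # stat prints 640, not 0640
    found=0
    bad=0
    for f in "$dir"/*.db; do
        [ -e "$f" ] || continue     # glob matched nothing
        found=1
        # GNU stat: %U owner name, %G group name, %a octal mode
        set -- $(stat -c '%U %G %a' "$f")
        if [ "$1" != "$want_owner" ] || [ "$2" != "$want_group" ] ||
           [ "$3" != "$want_mode" ]; then
            echo "MISMATCH $f: $1:$2 mode $3" \
                 "(want $want_owner:$want_group mode $want_mode)"
            # The remedy named in the thread: chgrp and chmod.
            echo "  fix: chgrp $want_group '$f' && chmod $want_mode '$f'"
            bad=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "no *.db files found in $dir"
        return 2
    fi
    return "$bad"
}
```

Calling audit_nss_db with no arguments checks /etc/httpd/alias against root:apache and 0640; it only reports and never changes anything itself.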
Checking in mod_nss.spec;
/cvs/extras/rpms/mod_nss/F-8/mod_nss.spec,v <-- mod_nss.spec
new revision: 1.9; previous revision: 1.8
done
mod_nss-1.0.7-4.fc8 has been submitted as an update for Fedora 8
Indeed, it was the permissions issue. It now works, thanks.
mod_nss-1.0.7-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
FYI: I applied Release 6 of RHEL5 this morning and had the permissions error happen.
You might want to either watch bug 669963 or file a new bug.