Red Hat Bugzilla – Bug 676449
Latest update breaks mod_nss and SSL sites.
Last modified: 2015-01-04 18:46:18 EST
Description of problem: Patched a public web server and reloaded httpd, resulting in httpd writing NSS errors to error_log and CA warnings to ssl_error_log.
Version-Release number of selected component (if applicable):
Feb 08 22:51:45 Updated: httpd-2.2.3-45.el5.x86_64
Feb 08 22:52:24 Updated: mod_nss-1.0.8-3.el5.x86_64
How reproducible: Patch to latest update level
Steps to Reproduce:
1. yum -y update
2. service httpd reload
3. observe log files and Apache's inability to serve content.
CPU spike and the following messages repeating in the logs:
[Tue Feb 08 23:12:51 2011] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue Feb 08 23:12:51 2011] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Feb 08 23:12:52 2011] [notice] child pid 19005 exit signal Segmentation fault (11)
[Tue Feb 08 23:12:52 2011] [notice] child pid 19040 exit signal Segmentation fault (11)
[Tue Feb 08 04:02:13 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 08 04:02:13 2011] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Tue Feb 08 23:10:18 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 08 23:10:18 2011] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
Apache starts up and serves non-SSL content as well as SSL content.
For non-SSL content, removing the nss.conf file from /etc/httpd/conf.d as well as any SSL vhosts allows for serving unencrypted traffic. Simply removing nss.conf does not fix the SSL vhost issue.
I expect this is potentially impacting a number of customers.
sosreport to be attached shortly.
Created attachment 477917
sosreport with nss.conf moved out of httpd/conf.d and SSL vhosts temporarily removed.
Can you determine whether the regression was caused by the httpd upgrade or the mod_nss upgrade? (i.e. if you downgrade httpd does it still break?)
I rolled back the following packages:
The mod_nss issues persist but when I move httpd/conf.d/mod_nss out of the way my SSL sites now work.
This solves the most immediate issue as the server can now serve SSL traffic.
Would you like me to roll back mod_nss or any of the core NSS libraries and test?
Re-assigning to mod_nss.
This may be related to https://bugzilla.redhat.com/show_bug.cgi?id=669963
Can you check the permissions on the .db files in /etc/httpd/alias? They should be mode 0640 root:apache.
Current perms after update:
-rw------- 1 root root 65536 Jun 8 2010 cert8.db
-rw------- 1 root root 4395 Jun 8 2010 install.log
-rw------- 1 root root 16384 Jun 8 2010 key3.db
lrwxrwxrwx 1 root root 33 Feb 8 22:52 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw------- 1 root root 16384 Jun 8 2010 secmod.db
After changing ownership and perms I was able to move the nss.conf file back into place, update the httpd and mod_ssl RPMs to latest and bounce Apache without any errors.
Did the latest mod_nss RPM fail to set perms after update?
Yes, there is a bug in the %post script in mod_nss that misses fixing permissions on existing databases.
mod_nss 1.0.3 opened the NSS databases only as root. mod_nss 1.0.8 needs to open it as the apache user. The difference is opening in prefork vs in each child.
Marking as a duplicate of 669963.
*** This bug has been marked as a duplicate of bug 669963 ***
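An added audit script, not from the bug report or the mod_nss project, that checks the condition described in the comments above: every *.db file under the NSS certificate database directory must be mode 0640 and owned root:apache, because mod_nss 1.0.8 opens the databases as the apache user in each child. The function name `check_nss_db_perms` is hypothetical, it takes numeric uid/gid, and it assumes GNU coreutils `stat` as found on RHEL.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the NSS database files that
# mod_nss opens as the apache user. They must be mode 0640 root:apache; the
# %post bug left existing databases 0600 root:root, so every httpd child
# failed NSS_Initialize with SEC_ERROR_NOT_INITIALIZED.
# Assumes GNU coreutils `stat`. Usage: check_nss_db_perms DIR UID GID [MODE]

# Prints one line per nonconforming *.db file. Returns 1 if any was found,
# 0 if every database matches, 2 if DIR contains no *.db files at all.
check_nss_db_perms() {
    dir=$1; want_uid=$2; want_gid=$3; want_mode=${4:-640}
    bad=0; seen=0
    for f in "$dir"/*.db; do
        [ -e "$f" ] || continue          # glob matched nothing
        seen=1
        # %a octal mode, %u numeric owner, %g numeric group
        set -- $(stat -c '%a %u %g' "$f")
        mode=$1; uid=$2; gid=$3
        if [ "$mode" != "$want_mode" ] || [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            printf '%s: mode %s uid %s gid %s (want %s %s:%s)\n' \
                "$f" "$mode" "$uid" "$gid" "$want_mode" "$want_uid" "$want_gid"
            bad=1
        fi
    done
    [ "$seen" -eq 1 ] || return 2
    return "$bad"
}

# Stand-alone use on a real host: root is uid 0, resolve the apache gid.
if [ -d /etc/httpd/alias ] && apache_gid=$(getent group apache | cut -d: -f3) && [ -n "$apache_gid" ]; then
    check_nss_db_perms /etc/httpd/alias 0 "$apache_gid" 640 \
        && echo "/etc/httpd/alias: NSS databases are 0640 root:apache"
fi
```

Any file it lists is one that the apache user cannot open, which is exactly the state the update left cert8.db, key3.db and secmod.db in.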