Bug 676449 - Latest update breaks mod_nss and SSL sites.
Latest update breaks mod_nss and SSL sites.
Status: CLOSED DUPLICATE of bug 669963
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mod_nss (Show other bugs)
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
Depends On:
  Show dependency treegraph
Reported: 2011-02-09 17:03 EST by Arthur Enright
Modified: 2015-01-04 18:46 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-02-11 10:18:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
sosreport (6.95 MB, application/x-bzip2)
2011-02-09 17:19 EST, Arthur Enright
no flags Details

  None (edit)
Description Arthur Enright 2011-02-09 17:03:40 EST
Description of problem: Patched a public web server and reloaded httpd resulting in httpd writing nss errors to error_log and CA warnings to ssl_error_log

Version-Release number of selected component (if applicable):
Feb 08 22:51:45 Updated: httpd-2.2.3-45.el5.x86_64
Feb 08 22:52:24 Updated: mod_nss-1.0.8-3.el5.x86_64

How reproducible: Patch to latest update level

Steps to Reproduce:
1. yum -y update
2. service httpd reload
3. observe log files and Apache's inability to serve content.
Actual results:

CPU spike and the following messages repeating in the logs:


[Tue Feb 08 23:12:51 2011] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue Feb 08 23:12:51 2011] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Feb 08 23:12:52 2011] [notice] child pid 19005 exit signal Segmentation fault (11)
[Tue Feb 08 23:12:52 2011] [notice] child pid 19040 exit signal Segmentation fault (11)


[Tue Feb 08 04:02:13 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 08 04:02:13 2011] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Tue Feb 08 23:10:18 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 08 23:10:18 2011] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

Expected results:

Apache starts up and serves non SSL content as well as SSL content

Additional info:

For non-SSL content, removing the nss.conf file from /etc/httpd/conf.d as well as any SSL vhosts allows for serving unencrypted traffic.  Simply removing nss.conf does not fix the SSL vhost issue.

I expect this is potentially impacting a number of customers.

sosreport to be attached shortly.
Comment 1 Arthur Enright 2011-02-09 17:19:15 EST
Created attachment 477917 [details]

sosreport with nss.conf moved out of httpd/conf.d and SSL vhosts temporarily removed.
Comment 2 Joe Orton 2011-02-10 03:48:01 EST
Can you determine whether the regression was caused by the httpd upgrade or the mod_nss upgrade?  (i.e. if you downgrade httpd does it still break?)
Comment 3 Arthur Enright 2011-02-10 15:11:32 EST
I rolled back the following packages:


The mod_nss issues persist but when I move httpd/conf.d/mod_nss out of the way my SSL sites now work.

This solves the most immediate issue as the server can now serve SSL traffic.

Would you like me to roll back mod_nss or any of the core NSS libraries and test?

Comment 4 Joe Orton 2011-02-11 03:34:00 EST
Re-assigning to mod_nss.
Comment 5 Rob Crittenden 2011-02-11 09:45:07 EST
This may be related to https://bugzilla.redhat.com/show_bug.cgi?id=669963

Can you check the permissions on the .db files in /etc/httpd/alias?  They should be mode 0640 root:apache.
Comment 6 Arthur Enright 2011-02-11 10:03:06 EST
Current perms after update:

# pwd
# ll
total 128
-rw------- 1 root root 65536 Jun  8  2010 cert8.db
-rw------- 1 root root  4395 Jun  8  2010 install.log
-rw------- 1 root root 16384 Jun  8  2010 key3.db
lrwxrwxrwx 1 root root    33 Feb  8 22:52 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw------- 1 root root 16384 Jun  8  2010 secmod.db

after changing ownership and perms I was able to move the nss.conf file back into place, update the httpd and mod_ssl RPMs to latest and bounce Apache w/out any errors.

Did the latest mod_nss RPM fail to set perms after update?
Comment 7 Rob Crittenden 2011-02-11 10:18:27 EST
Yes, there is a bug in the %post script in mod_nss that misses fixing permissions on existing databases.

mod_nss 1.0.3 opened the NSS databases only as root. mod_nss 1.0.8 needs to open it as the apache user. The difference is opening in prefork vs in each child.

Marking as a duplicate of 669963.

*** This bug has been marked as a duplicate of bug 669963 ***

Note You need to log in before you can comment on or make changes to this bug.