Description of problem: Certificates created when mod_nss was installed (cacert, Server-Cert and alpha) (over four years ago) have expired preventing the restarting of httpd (apache) with certificate expired errors in /var/log/httpd/error_log Version-Release number of selected component (if applicable): mod_nss-1.0.8-4.el5_6.1 How reproducible: Always Steps to Reproduce: 1. rpm -e mod_nss 2. rm /etc/httpd/alias/* 3. service ntpd stop 3. date 060614332006 # set date back over four years 4. yum install mod_nss 5. ntpdate ntp0 # set time back to current time - using our local timeserver in this instance 6. service httpd restart Actual results: httpd fails to start: Starting httpd: [FAILED] /var/log/httpd/error_log contains: [Mon Jun 06 14:36:45 2011] [error] SSL Library Error: -8181 Certificate has expired [Mon Jun 06 14:36:45 2011] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. Expected results: httpd start successfully, or better error messages. Should 'NSSEnforceValidCerts off' be the default? Having a service just stop working after a number of years service because a certificate it isn't actually using has expired seems very strange behaviour. Additional info: httpd was set up and running ok using a properly signed certificate for https traffic (ssl.conf:SSLCertificateFile /etc/pki/tls/certs/mycert.crt), one day when the system restarted httpd for some reason, it failed to restart with the rather cryptic error message. A quick fix was to add 'NSSEnforceValidCerts off' as suggested, but figuring out what caused the problem took a fair bit of work. Removing mod_nss and the certificates it created, and reinstalling allows httpd to start: rpm -e mod_nss rm /etc/httpd/alias/* yum install mod_nss service httpd restart
Enforcing valid certificates is a sanity and security feature. What is unclear about the message, the fact that it is being genreated from mod_nss? If you aren't using mod_nss you can simply remove the package and avoid this altogether.
(In reply to comment #1) > Enforcing valid certificates is a sanity and security feature. What is unclear > about the message, the fact that it is being genreated from mod_nss? > > If you aren't using mod_nss you can simply remove the package and avoid this > altogether. Yes the fact the problem is generated in mod_nss - will result in admins who can't figure it out to just add 'NSSEnforceValidCerts off' resulting in reduced security. Anyway by creating this bug entry here hopefully users who have the same problem can do a search here and get to this page to see a better solution. Thanks.
The issue will be addressed in the later RHEL releases.
The issue will not be addressed in RHEL 5.x.
John, Questions about the mod_nss reinstall solution. Will this process in any way compromise existing ssl cert + key installations? I've tested this procedure on my dev machine and it works great! However, I want to make sure that if I follow this procedure on my production machine, the keys and installed 3rd party certs will not have to be re-gen'ed. For instance, I have an SSL cert provided from goDaddy for which I gen'ed the key via openssl on my RH server. Thanks! -ryan
There is no re-install solution. The reported problem was that mod_nss generates a certificate upon first installation. This certificate, like all SSL certificates, eventually expires. mod_nss requires a valid cert for Apache to start. The concern was that for an admin that had installed but never actually ever used the mod_nss package this could be confusing. One solution is to uninstall mod_nss if you aren't using it.
Rob, Thanks for the quick reply! The scenario you describe exactly happened to me... one day Apache went down and couldn't restart... error logs + google got me to this thread. I tested John's reinstall procedure from above on a dev server, and it re-created the mod_ssl cert as needed for Apache to restart. What I need to know is if mod_ssl is necessary for use of SSL certs in Apache (particularly ones which use a locally gen'd openssl key and a 3rd party cert, e.g. Starfield Technologies)? I just want to make sure that if I uninstall mod_nss, I won't break existing SSL certs I have in use in Apache. -ryan
The mod_nss and mod_ssl certificate stores are completely separate. Both are SSL engines, they just use different crypto libraries. One does not rely on the other. If you aren't using mod_nss then your best bet is to simply uninstall the package.
Thank Rob Crittenden as per your suggestion i have just uninstalled mos_ss and restarted the services it workig.I am using centos 5.8 . Thank you very much