716355 – mod_revocator does not shut down httpd server if expired CRL is fetched

Bug 716355 - mod_revocator does not shut down httpd server if expired CRL is fetched

Summary: mod_revocator does not shut down httpd server if expired CRL is fetched

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	mod_revocator
Sub Component:
Version:	5.7
Hardware:	i386
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Matthew Harmsen
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	748577
TreeView+	depends on / blocked

Reported:	2011-06-24 06:13 UTC by Kaleem
Modified:	2012-02-21 06:17 UTC (History)
CC List:	4 users (show)
Fixed In Version:	mod_revocator-1.0.3-8.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	748577 (view as bug list)
Environment:
Last Closed:	2012-02-21 06:17:40 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Fix mod_revocator shutdown on 32-bit platforms . . . (520 bytes, patch) 2011-10-22 02:04 UTC, Matthew Harmsen	rcritten: review+	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0247	0	normal	SHIPPED_LIVE	mod_revocator bug fix update	2012-02-20 15:07:16 UTC

Description Kaleem 2011-06-24 06:13:05 UTC

Description of problem:
mod_revocator is not able to bring down the httpd server if an expired CRL is downloaded.

Version-Release number of selected component (if applicable):
mod_revocator-1.0.3-5.el5
[root@dhcp201-155 ~]# file /usr/lib/httpd/modules/mod_rev.so
/usr/lib/httpd/modules/mod_rev.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped

How reproducible:
Always

Steps to Reproduce:
1.Install mod_revocator 

2.Install CA signing, Server and OCSP signing cert of CA into httpd NSS db.Also set the trust for CA signing and OCSP signing certs.

  a.importing CA's certs into httpd NSS db

  [root@ks mod_revocator]# pk12util -i servercert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@ks mod_revocator]# pk12util -i casigningcert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@ks mod_revocator]# pk12util -i ocspsigningcert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@ks mod_revocator]#
  
  b.Modifying trust settings

  [root@ks mod_revocator]# certutil -M -n "ocspSigningCert cert-pki-ca" -t "CTu,Cu,Cu" -d /etc/httpd/alias/
[root@ks mod_revocator]# certutil -M -n "caSigningCert cert-pki-ca" -t "CTu,Cu,Cu" -d /etc/httpd/alias/
 
 [root@ks mod_revocator]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                         Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
ocspSigningCert cert-pki-ca                                  CTu,Cu,Cu
alpha                                                        u,pu,u
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

3.Install MasterCRL.bin into httpd NSS db (/etc/httpd/alias)
  a. [root@ks mod_revocator]# wget -O 'MasterCRL.bin' -d 'http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL'

2011-06-24 11:21:19 (57.9 MB/s) - `MasterCRL.bin' saved [425/425]
 
  b.[root@ks mod_revocator]# crlutil -I -i MasterCRL.bin -d /etc/httpd/alias/
[root@ks mod_revocator]# crlutil -L -d /etc/httpd/alias/

CRL names                                CRL Type
caSigningCert cert-pki-ca                CRL  

4.Enable CRLEngine and CRLAgeCheck in revocator.conf.Also set CRLFile parameter.
   CRLEngine on
   CRLAgeCheck on
   CRLFile "http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;1;1"

5.start httpd service and make sure that crl download works fine.

6.Now change the system date to 20 days ahead so that downloaded crl appears expired to system.

7.Now restart httpd serivce.
  
Actual results:
httpd server is not down and following log message is generated infinitely in error_log file. 

[root@dhcp201-155 ~]# service httpd status
httpd (pid  20685) is running...

[Thu Jul 14 11:47:02 2011] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011
[Thu Jul 14 11:47:02 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 20621
[Thu Jul 14 11:47:02 2011] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011
[Thu Jul 14 11:47:02 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 20621
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011
[Thu Jul 14 11:47:02 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 20621
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011
[Thu Jul 14 11:47:02 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 20621
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Jul 14 11:47:02 2011] [info] Server built: Jun 16 2011 11:28:25
[Thu Jul 14 11:47:02 2011] [notice] child pid 20625 exit signal Segmentation fault (11)
[Thu Jul 14 11:47:02 2011] [notice] child pid 20626 exit signal Segmentation fault (11)
[Thu Jul 14 11:47:02 2011] [notice] child pid 20627 exit signal Segmentation fault (11)
[Thu Jul 14 11:47:02 2011] [notice] child pid 20628 exit signal Segmentation fault (11)

Expected results:

httpd server should have been down by mod_revocator. 

[root@ks mod_revocator]# service httpd status
httpd dead but subsys locked

Also following error message should have been displayed in error_log.

[Thu Jul 14 11:23:57 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 30993
[Thu Jul 14 11:23:57 2011] [info] removed PID file /etc/httpd/run/httpd.pid (pid=30993)
[Thu Jul 14 11:23:57 2011] [notice] caught SIGTERM, shutting down


Additional info:
on Arch x86_64, it is working fine.

Comment 1 Kashyap Chamarthy 2011-06-24 06:31:33 UTC

I can also confirm the above behavior of segfault on i386 only.

Comment 4 Matthew Harmsen 2011-10-22 02:04:57 UTC

Created attachment 529578 [details]
Fix mod_revocator shutdown on 32-bit platforms . . .

TESTING THIS PATCH ON A 32-bit RHEL 5 SYSTEM:

# date
Fri Oct 21 15:50:26 PDT 2011

# cd /var/log/httpd

# /sbin/service httpd start

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2

# date -s "Fri Sep 21 15:50:26 PDT 2012"
Fri Sep 21 15:50:26 PDT 2012

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down

# /sbin/service httpd status
httpd dead but subsys locked

# /sbin/service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 21 15:54:30 2012] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Sep 21 15:54:30 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Sep 21 15:54:30 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 21 15:54:31 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Sep 21 15:54:31 2012] [notice] Digest: done
[Fri Sep 21 15:54:31 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Sep 21 15:54:35 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25059
[Fri Sep 21 15:54:39 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:41 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:43 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:45 2012] [error] child process 25065 still did not exit, sending a SIGKILL
[Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down

# /sbin/service httpd status
httpd dead but subsys locked

# date -s "Fri Oct 21 15:50:26 PDT 2011"
Fri Oct 21 15:50:26 PDT 2011

# /sbin/service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 21 15:54:30 2012] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Sep 21 15:54:30 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Sep 21 15:54:30 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 21 15:54:31 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Sep 21 15:54:31 2012] [notice] Digest: done
[Fri Sep 21 15:54:31 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Sep 21 15:54:35 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25059
[Fri Sep 21 15:54:39 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:41 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:43 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:45 2012] [error] child process 25065 still did not exit, sending a SIGKILL
[Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down
[Fri Oct 21 15:51:01 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 15:51:01 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 15:51:01 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 15:51:03 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 15:51:03 2011] [notice] Digest: done
[Fri Oct 21 15:51:03 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 15:51:04 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2

NOTE:  PATCH WAS ALSO TESTED ON A 64-BIT PLATFORM TO DETERMINE THAT NO
       REGRESSION OCCURRED.

Comment 5 Matthew Harmsen 2011-10-24 23:32:36 UTC

Applying patch for this bug to 'mod_revocator' master branch:

# cd mod_revocator

# git branch
* master

# git diff
diff --git a/mod_rev.c b/mod_rev.c
index 5be5a7e..f6b1bdd 100644
--- a/mod_rev.c
+++ b/mod_rev.c
@@ -74,7 +74,7 @@ apr_status_t rev_module_kill(void *data)
 
 static void kill_apache(void) {
     char buffer[1024];
-    PR_snprintf(buffer, sizeof(buffer), "%lld %s", 0, "kill");
+    PR_snprintf(buffer, sizeof(buffer), "%ld %s", 0, "kill");
     write(outfd, buffer, strlen(buffer));
 }

# git pull
Already up-to-date.

# cat ~/message
Bugzilla Bug #716355 - mod_revocator does not shut down httpd server if expired CRL is fetched
Bugzilla Bug #716361 - mod_revocator does not bring down httpd server if CRLUpdate fails

# git commit -a -F ~/message
[master 81be4ad] Bugzilla Bug #716355 - mod_revocator does not shut down httpd server if expired CRL is fetched Bugzilla Bug #716361 - mod_revocator does not bring down httpd server if CRLUpdate fails
 Committer: Matthew Harmsen <mharmsen.redhat.com>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly:

    git config --global user.name "Your Name"
    git config --global user.email you

If the identity used for this commit is wrong, you can fix it with:

    git commit --amend --author='Your Name <you>'

 1 files changed, 1 insertions(+), 1 deletions(-)

# git push
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 396 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/mod_revocator.git
   45b6ce8..81be4ad  master -> master

Comment 6 Matthew Harmsen 2011-10-24 23:45:32 UTC

The following request was sent to release-engineering:

Subject:  Request to build 'mod_revocator-1.0.3-7.%{dist}' on Fedora 14, 15, 16, 17 and RHEL 5 . . .

Content:

We would like to request official builds of 'mod_revocator-1.0.3-7.fc14' on 'Fedora 14', 'mod_revocator-1.0.3-7.fc15' on 'Fedora 15', 'mod_revocator-1.0.3-7.fc16' on 'Fedora 16', and 'mod_revocator-1.0.3-7.fc17' on 'Fedora 17' in Koji and 'mod_revocator-1.0.3-7.el5' in Brew per the following bugs:

    * Bugzilla Bug #716355 - mod_revocator does not shut down httpd server if expired CRL is fetched
    * Bugzilla Bug #716361 - mod_revocator does not bring down httpd server if CRLUpdate fails

The official source tarball is located here:

    * http://directory.fedoraproject.org/sources/mod_revocator-1.0.3.tar.gz

The revised spec file and four required patches for Fedora 14, 15, 16, and 17 are located here:

    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator.spec
    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator-libpath.patch
    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator-kill.patch
    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator-segfault-fix.patch
    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator-32-bit-semaphore-fix.patch

While the revised spec file and four required patches for RHEL 5 are located here:

    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator.spec
    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator-libpath.patch
    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator-kill.patch
    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator-segfault-fix.patch
    * https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator-32-bit-semaphore-fix.patch


Thanks,
-- Matt

Comment 8 Kaleem 2012-01-12 08:15:18 UTC

Verified.

RHEL Version:
[root@dhcp201-136 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.8 Beta (Tikanga)
[root@dhcp201-136 ~]#

Mod_revocator Version:
[root@dhcp201-136 ~]# rpm -q mod_revocator
mod_revocator-1.0.3-9.el5
[root@dhcp201-136 ~]#

Now when expired CRL is fetched ,then mod_revocator brings down httpd and shown
in error_log.

[Wed Feb 01 14:01:21 2012] [debug] mod_rev.c(289): Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Wed Feb 01 14:01:21 2012] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 3131
[Wed Feb 01 14:01:21 2012] [debug] mod_rev.c(289): Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Wed Feb 01 14:01:21 2012] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 3131
[Wed Feb 01 14:01:21 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : Unable to write data to remote server
[Wed Feb 01 14:01:21 2012] [info] removed PID file /etc/httpd/run/httpd.pid (pid=3131)
[Wed Feb 01 14:01:21 2012] [notice] caught SIGTERM, shutting down

Comment 9 errata-xmlrpc 2012-02-21 06:17:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0247.html

Note You need to log in before you can comment on or make changes to this bug.