Description of problem:
mod_revocator is not able to bring down the httpd server if an expired CRL is downloaded.

Version-Release number of selected component (if applicable):
mod_revocator-1.0.3-5.el5

[root@dhcp201-155 ~]# file /usr/lib/httpd/modules/mod_rev.so
/usr/lib/httpd/modules/mod_rev.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped

How reproducible:
Always

Steps to Reproduce:
1. Install mod_revocator
2. Install CA signing, Server and OCSP signing cert of CA into httpd NSS db. Also set the trust for CA signing and OCSP signing certs.

   a. Importing CA's certs into httpd NSS db

   [root@ks mod_revocator]# pk12util -i servercert.p12 -d /etc/httpd/alias/
   Enter password for PKCS12 file:
   pk12util: PKCS12 IMPORT SUCCESSFUL
   [root@ks mod_revocator]# pk12util -i casigningcert.p12 -d /etc/httpd/alias/
   Enter password for PKCS12 file:
   pk12util: PKCS12 IMPORT SUCCESSFUL
   [root@ks mod_revocator]# pk12util -i ocspsigningcert.p12 -d /etc/httpd/alias/
   Enter password for PKCS12 file:
   pk12util: PKCS12 IMPORT SUCCESSFUL
   [root@ks mod_revocator]#

   b. Modifying trust settings

   [root@ks mod_revocator]# certutil -M -n "ocspSigningCert cert-pki-ca" -t "CTu,Cu,Cu" -d /etc/httpd/alias/
   [root@ks mod_revocator]# certutil -M -n "caSigningCert cert-pki-ca" -t "CTu,Cu,Cu" -d /etc/httpd/alias/
   [root@ks mod_revocator]# certutil -L -d /etc/httpd/alias/

   Certificate Nickname                 Trust Attributes
                                        SSL,S/MIME,JAR/XPI

   cacert                               CTu,Cu,Cu
   Server-Cert                          u,u,u
   ocspSigningCert cert-pki-ca          CTu,Cu,Cu
   alpha                                u,pu,u
   Server-Cert cert-pki-ca              u,u,u
   caSigningCert cert-pki-ca            CTu,Cu,Cu

3. Install MasterCRL.bin into httpd NSS db (/etc/httpd/alias)

   a.
   [root@ks mod_revocator]# wget -O 'MasterCRL.bin' -d 'http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL'
   2011-06-24 11:21:19 (57.9 MB/s) - `MasterCRL.bin' saved [425/425]

   b.
   [root@ks mod_revocator]# crlutil -I -i MasterCRL.bin -d /etc/httpd/alias/
   [root@ks mod_revocator]# crlutil -L -d /etc/httpd/alias/

   CRL names                            CRL Type
   caSigningCert cert-pki-ca            CRL

4. Enable CRLEngine and CRLAgeCheck in revocator.conf. Also set CRLFile parameter.

   CRLEngine on
   CRLAgeCheck on
   CRLFile "http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;1;1"

5. Start httpd service and make sure that CRL download works fine.
6. Now change the system date to 20 days ahead so that the downloaded CRL appears expired to the system.
7. Now restart httpd service.

Actual results:
httpd server is not down and the following log message is generated infinitely in the error_log file.

[root@dhcp201-155 ~]# service httpd status
httpd (pid 20685) is running...

[Thu Jul 14 11:47:02 2011] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011
[Thu Jul 14 11:47:02 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 20621
[Thu Jul 14 11:47:02 2011] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011
[Thu Jul 14 11:47:02 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 20621
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011
[Thu Jul 14 11:47:02 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 20621
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011
[Thu Jul 14 11:47:02 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 20621
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jul 14 11:47:02 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Jul 14 11:47:02 2011] [info] Server built: Jun 16 2011 11:28:25
[Thu Jul 14 11:47:02 2011] [notice] child pid 20625 exit signal Segmentation fault (11)
[Thu Jul 14 11:47:02 2011] [notice] child pid 20626 exit signal Segmentation fault (11)
[Thu Jul 14 11:47:02 2011] [notice] child pid 20627 exit signal Segmentation fault (11)
[Thu Jul 14 11:47:02 2011] [notice] child pid 20628 exit signal Segmentation fault (11)

Expected results:
httpd server should have been down by mod_revocator.

[root@ks mod_revocator]# service httpd status
httpd dead but subsys locked

Also the following error message should have been displayed in error_log.

[Thu Jul 14 11:23:57 2011] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 30993
[Thu Jul 14 11:23:57 2011] [info] removed PID file /etc/httpd/run/httpd.pid (pid=30993)
[Thu Jul 14 11:23:57 2011] [notice] caught SIGTERM, shutting down

Additional info:
On Arch x86_64, it is working fine.
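Added example (not part of the original report and not mod_revocator code): a Python check that scans an httpd error_log for the "is outdated. Shutting down server pid" message quoted above and reports whether httpd really stopped afterwards or kept serving. The sample log lines are constructed from the messages in this report, with a placeholder CA host and a shortened subject.

```python
import re
from datetime import datetime

FMT = "%a %b %d %H:%M:%S %Y"  # Apache 2.2 error_log timestamp layout
LINE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (.*)$")
OUTDATED = re.compile(r"is outdated\. Shutting down server pid (\d+)")
NEXTUPD = re.compile(r"nextupdate = (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")
STILL_UP = ("resuming normal operations", "exit signal Segmentation fault")


def audit(lines):
    """Return one finding per CRLAgeCheck shutdown request seen in the log."""
    findings, pending, next_update = [], None, None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), FMT)
        except ValueError:
            continue  # first bracket is not an error_log timestamp
        msg = m.group(3)
        nu = NEXTUPD.search(msg)
        if nu:
            next_update = datetime.strptime(nu.group(1), FMT)
        out = OUTDATED.search(msg)
        if out:
            if pending is None:  # the message repeats; keep the first one
                stale = ts - next_update if next_update else None
                pending = {"pid": int(out.group(1)), "at": ts, "stale_for": stale}
        elif pending and "caught SIGTERM, shutting down" in msg:
            findings.append(dict(pending, verdict="shut-down"))
            pending = None
        elif pending and any(s in msg for s in STILL_UP):
            # httpd kept running after the CRL was declared outdated
            findings.append(dict(pending, verdict="fail-open"))
            pending = None
    if pending:
        findings.append(dict(pending, verdict="unconfirmed"))
    return findings


# Constructed samples: placeholder host, shortened subject.
CRL = "CRL http://ca.example.test/getCRL CN=Certificate Authority"
T1 = "[Thu Jul 14 11:47:02 2011]"
FAIL_OPEN_LOG = [
    T1 + " [info] Successfully downloaded CRL at URL http://ca.example.test/getCRL,"
         " lastupdate = Fri Jun 24 11:18:17 2011, nextupdate = Fri Jun 24 13:00:00 2011",
    T1 + " [error] " + CRL + " is outdated. Shutting down server pid 20621",
    T1 + " [error] " + CRL + " is outdated. Shutting down server pid 20621",
    T1 + " [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations",
    T1 + " [notice] child pid 20625 exit signal Segmentation fault (11)",
]
T2 = "[Thu Jul 14 11:23:57 2011]"
SHUT_DOWN_LOG = [
    T2 + " [error] " + CRL + " is outdated. Shutting down server pid 30993",
    T2 + " [info] removed PID file /etc/httpd/run/httpd.pid (pid=30993)",
    T2 + " [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    for name, log in (("actual", FAIL_OPEN_LOG), ("expected", SHUT_DOWN_LOG)):
        for f in audit(log):
            print(name, f["verdict"], "pid", f["pid"], "stale for", f["stale_for"])
```

A "fail-open" verdict means the server went on accepting TLS clients with a CRL it had itself declared outdated, which is the condition CRLAgeCheck is meant to prevent.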
I can also confirm the above behavior of segfault on i386 only.
Created attachment 529578
Fix mod_revocator shutdown on 32-bit platforms

. . .

TESTING THIS PATCH ON A 32-bit RHEL 5 SYSTEM:

# date
Fri Oct 21 15:50:26 PDT 2011

# cd /var/log/httpd

# /sbin/service httpd start

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2

# date -s "Fri Sep 21 15:50:26 PDT 2012"
Fri Sep 21 15:50:26 PDT 2012

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down

# /sbin/service httpd status
httpd dead but subsys locked

# /sbin/service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 21 15:54:30 2012] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Sep 21 15:54:30 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Sep 21 15:54:30 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 21 15:54:31 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Sep 21 15:54:31 2012] [notice] Digest: done
[Fri Sep 21 15:54:31 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Sep 21 15:54:35 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25059
[Fri Sep 21 15:54:39 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:41 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:43 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:45 2012] [error] child process 25065 still did not exit, sending a SIGKILL
[Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down

# /sbin/service httpd status
httpd dead but subsys locked

# date -s "Fri Oct 21 15:50:26 PDT 2011"
Fri Oct 21 15:50:26 PDT 2011

# /sbin/service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 21 15:54:30 2012] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Sep 21 15:54:30 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Sep 21 15:54:30 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 21 15:54:31 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Sep 21 15:54:31 2012] [notice] Digest: done
[Fri Sep 21 15:54:31 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Sep 21 15:54:35 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25059
[Fri Sep 21 15:54:39 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:41 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:43 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:45 2012] [error] child process 25065 still did not exit, sending a SIGKILL
[Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down
[Fri Oct 21 15:51:01 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 15:51:01 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 15:51:01 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 15:51:03 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 15:51:03 2011] [notice] Digest: done
[Fri Oct 21 15:51:03 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 15:51:04 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2

NOTE: PATCH WAS ALSO TESTED ON A 64-BIT PLATFORM TO DETERMINE THAT NO REGRESSION OCCURRED.
Applying patch for this bug to 'mod_revocator' master branch: # cd mod_revocator # git branch * master # git diff diff --git a/mod_rev.c b/mod_rev.c index 5be5a7e..f6b1bdd 100644 --- a/mod_rev.c +++ b/mod_rev.c @@ -74,7 +74,7 @@ apr_status_t rev_module_kill(void *data) static void kill_apache(void) { char buffer[1024]; - PR_snprintf(buffer, sizeof(buffer), "%lld %s", 0, "kill"); + PR_snprintf(buffer, sizeof(buffer), "%ld %s", 0, "kill"); write(outfd, buffer, strlen(buffer)); } # git pull Already up-to-date. # cat ~/message Bugzilla Bug #716355 - mod_revocator does not shut down httpd server if expired CRL is fetched Bugzilla Bug #716361 - mod_revocator does not bring down httpd server if CRLUpdate fails # git commit -a -F ~/message [master 81be4ad] Bugzilla Bug #716355 - mod_revocator does not shut down httpd server if expired CRL is fetched Bugzilla Bug #716361 - mod_revocator does not bring down httpd server if CRLUpdate fails Committer: Matthew Harmsen <mharmsen.redhat.com> Your name and email address were configured automatically based on your username and hostname. Please check that they are accurate. You can suppress this message by setting them explicitly: git config --global user.name "Your Name" git config --global user.email you If the identity used for this commit is wrong, you can fix it with: git commit --amend --author='Your Name <you>' 1 files changed, 1 insertions(+), 1 deletions(-) # git push Counting objects: 5, done. Delta compression using up to 4 threads. Compressing objects: 100% (3/3), done. Writing objects: 100% (3/3), 396 bytes, done. Total 3 (delta 2), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/mod_revocator.git 45b6ce8..81be4ad master -> master
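Review bot: In kill_apache(), the argument passed for the first conversion is still the bare literal 0, which is an int, while the format keeps a length modifier ("%ld"); because a wrong modifier for this same argument is what the patch corrects, the pairing should be made explicit rather than left to whatever width the modifier happens to have on each platform. Either drop the modifier and use "%d %s" for the int literal, or cast the argument to the exact type the modifier denotes in PR_snprintf, and add a one-line comment saying why the width matters here. Separately, the return value of write(outfd, buffer, strlen(buffer)) is ignored; since this message is what requests the shutdown, a failed or short write should at least be logged so that a shutdown request that never reached its reader is visible in error_log.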
The following request was sent to release-engineering:

Subject: Request to build 'mod_revocator-1.0.3-7.%{dist}' on Fedora 14, 15, 16, 17 and RHEL 5 . . .

Content:

We would like to request official builds of 'mod_revocator-1.0.3-7.fc14' on 'Fedora 14', 'mod_revocator-1.0.3-7.fc15' on 'Fedora 15', 'mod_revocator-1.0.3-7.fc16' on 'Fedora 16', and 'mod_revocator-1.0.3-7.fc17' on 'Fedora 17' in Koji and 'mod_revocator-1.0.3-7.el5' in Brew per the following bugs:

* Bugzilla Bug #716355 - mod_revocator does not shut down httpd server if expired CRL is fetched
* Bugzilla Bug #716361 - mod_revocator does not bring down httpd server if CRLUpdate fails

The official source tarball is located here:

* http://directory.fedoraproject.org/sources/mod_revocator-1.0.3.tar.gz

The revised spec file and four required patches for Fedora 14, 15, 16, and 17 are located here:

* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator.spec
* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator-libpath.patch
* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator-kill.patch
* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator-segfault-fix.patch
* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/mod_revocator-32-bit-semaphore-fix.patch

While the revised spec file and four required patches for RHEL 5 are located here:

* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator.spec
* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator-libpath.patch
* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator-kill.patch
* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator-segfault-fix.patch
* https://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/RHEL5/mod_revocator-32-bit-semaphore-fix.patch

Thanks,
-- Matt
Verified.

RHEL Version:
[root@dhcp201-136 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 Beta (Tikanga)
[root@dhcp201-136 ~]#

Mod_revocator Version:
[root@dhcp201-136 ~]# rpm -q mod_revocator
mod_revocator-1.0.3-9.el5
[root@dhcp201-136 ~]#

Now when an expired CRL is fetched, mod_revocator brings down httpd and this is shown in error_log.

[Wed Feb 01 14:01:21 2012] [debug] mod_rev.c(289): Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Wed Feb 01 14:01:21 2012] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 3131
[Wed Feb 01 14:01:21 2012] [debug] mod_rev.c(289): Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Wed Feb 01 14:01:21 2012] [error] CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain is outdated. Shutting down server pid 3131
[Wed Feb 01 14:01:21 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : Unable to write data to remote server
[Wed Feb 01 14:01:21 2012] [info] removed PID file /etc/httpd/run/httpd.pid (pid=3131)
[Wed Feb 01 14:01:21 2012] [notice] caught SIGTERM, shutting down
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0247.html