Bug 716361 - mod_revocator does not bring down httpd server if CRLUpdate fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mod_revocator
Version: 5.7
Hardware: i386
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Matthew Harmsen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 748579 782059
Reported: 2011-06-24 07:02 UTC by Kaleem
Modified: 2012-02-21 06:17 UTC (History)

Fixed In Version: mod_revocator-1.0.3-8.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 748579 782059
Environment:
Last Closed: 2012-02-21 06:17:43 UTC
Target Upstream Version:
Embargoed:


Attachments
Fix mod_revocator shutdown on 32-bit platforms . . . (520 bytes, patch)
2011-10-22 02:05 UTC, Matthew Harmsen
Fix mod_revocator shutdown on 32-bit platforms . . . (52 bytes, text/plain)
2011-10-22 02:12 UTC, Matthew Harmsen


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2012:0247 | 0 | normal | SHIPPED_LIVE | mod_revocator bug fix update | 2012-02-20 15:07:16 UTC

Description Kaleem 2011-06-24 07:02:10 UTC
Description of problem:
mod_revocator is not able to bring down the httpd server if a CRLUpdate fails.

Version-Release number of selected component (if applicable):
mod_revocator-1.0.3-5.el5

How reproducible:
Always

Steps to Reproduce:
1. Install mod_revocator

2. Install the CA signing, Server and OCSP signing certs into the httpd NSS db. Also set the trust for the CA signing and OCSP signing certs.
  a. Importing the CA's certs into the httpd NSS db
  [root@ks mod_revocator]# pk12util -i servercert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@ks mod_revocator]# pk12util -i casigningcert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@ks mod_revocator]# pk12util -i ocspsigningcert.p12 -d /etc/httpd/alias/
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@ks mod_revocator]#
  
  b. Modifying trust settings
  [root@ks mod_revocator]# certutil -M -n "ocspSigningCert cert-pki-ca" -t "CTu,Cu,Cu" -d /etc/httpd/alias/
[root@ks mod_revocator]# certutil -M -n "caSigningCert cert-pki-ca" -t "CTu,Cu,Cu" -d /etc/httpd/alias/
 
 [root@ks mod_revocator]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                         Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
ocspSigningCert cert-pki-ca                                  CTu,Cu,Cu
alpha                                                        u,pu,u
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

3. Install MasterCRL.bin into the httpd NSS db (/etc/httpd/alias)
  a. [root@ks mod_revocator]# wget -O 'MasterCRL.bin' -d 'http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL'

2011-06-24 11:21:19 (57.9 MB/s) - `MasterCRL.bin' saved [425/425]
 
  b. [root@ks mod_revocator]# crlutil -I -i MasterCRL.bin -d /etc/httpd/alias/
[root@ks mod_revocator]# crlutil -L -d /etc/httpd/alias/

CRL names                                CRL Type
caSigningCert cert-pki-ca                CRL  

4. Enable CRLEngine and CRLUpdateCritical in revocator.conf. Also set the CRLFile parameter.
   CRLEngine on
   CRLUpdateCritical on
   CRLFile "http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;1;1"

5. Start the httpd service and make sure that the CRL download works fine.

6. Now bring down the CA server so that the CRL is not downloaded, restart the httpd server and observe.
  
Actual results:
mod_revocator is not able to shut down the httpd server.

Expected results:
mod_revocator should shut down the httpd server.

Additional info:
This is only on the i386 arch. On x86_64, mod_revocator brings down the httpd server if the CRL update fails.

Comment 3 RHEL Program Management 2011-06-24 16:17:17 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 4 Matthew Harmsen 2011-10-22 02:05:59 UTC
Created attachment 529579 [details]
Fix mod_revocator shutdown on 32-bit platforms . . .

TESTING THIS PATCH ON A 32-bit RHEL 5 SYSTEM:

# date
Fri Oct 21 15:50:26 PDT 2011

# cd /var/log/httpd

# /sbin/service httpd start

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2

# date -s "Fri Sep 21 15:50:26 PDT 2012"
Fri Sep 21 15:50:26 PDT 2012

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down

# /sbin/service httpd status
httpd dead but subsys locked

# /sbin/service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 21 15:54:30 2012] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Sep 21 15:54:30 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Sep 21 15:54:30 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 21 15:54:31 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Sep 21 15:54:31 2012] [notice] Digest: done
[Fri Sep 21 15:54:31 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Sep 21 15:54:35 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25059
[Fri Sep 21 15:54:39 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:41 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:43 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:45 2012] [error] child process 25065 still did not exit, sending a SIGKILL
[Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down

# /sbin/service httpd status
httpd dead but subsys locked

# date -s "Fri Oct 21 15:50:26 PDT 2011"
Fri Oct 21 15:50:26 PDT 2011

# /sbin/service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

# tail -f error_log
[Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 16:58:42 2011] [notice] Digest: done
[Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2
[Fri Sep 21 15:50:28 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012
[Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 21 15:54:30 2012] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Sep 21 15:54:30 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Sep 21 15:54:30 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 21 15:54:31 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Sep 21 15:54:31 2012] [notice] Digest: done
[Fri Sep 21 15:54:31 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Sep 21 15:54:35 2012] [error] CRL http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25059
[Fri Sep 21 15:54:39 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:41 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:43 2012] [warn] child process 25065 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:45 2012] [error] child process 25065 still did not exit, sending a SIGKILL
[Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down
[Fri Oct 21 15:51:01 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Fri Oct 21 15:51:01 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Fri Oct 21 15:51:01 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 21 15:51:03 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Oct 21 15:51:03 2011] [notice] Digest: done
[Fri Oct 21 15:51:03 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri Oct 21 15:51:04 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2
[Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2

NOTE:  PATCH WAS ALSO TESTED ON A 64-BIT PLATFORM TO DETERMINE THAT NO
       REGRESSION OCCURRED.

Comment 5 Matthew Harmsen 2011-10-22 02:12:47 UTC
Created attachment 529580 [details]
Fix mod_revocator shutdown on 32-bit platforms . . .

Comment 6 Matthew Harmsen 2011-10-24 23:33:54 UTC
See source code check-in at https://bugzilla.redhat.com/show_bug.cgi?id=716355#c5

Comment 7 Matthew Harmsen 2011-10-24 23:46:20 UTC
See release-engineering request at https://bugzilla.redhat.com/show_bug.cgi?id=716355#c6

Comment 9 Kaleem 2012-01-12 10:22:08 UTC
Verified.

RHEL Version:
[root@dhcp201-178 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.8 Beta (Tikanga)
[root@dhcp201-178 ~]#

Mod_revocator Version:
[root@dhcp201-178 ~]# rpm -q mod_revocator
mod_revocator-1.0.3-9.el5
[root@dhcp201-178 ~]#

Arch:
[root@dhcp201-178 ~]# arch
i686
[root@dhcp201-178 ~]#

The steps used for verification are the same as those given in the description of this bug.

Now when CRLUpdate fails, the httpd server goes down.

[Thu Jan 12 16:02:34 2012] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:02:34 2012] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:02:34 2012] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:02:34 2012] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:02:34 2012] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:02:34 2012] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:02:34 2012] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:02:34 2012] [info] Successfully downloaded CRL at URL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL, subject = CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain, lastupdate = Thu Jan 12 13:00:00 2012, nextupdate = Thu Jan 12 17:00:00 2012
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : Unable to connect to remote host
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 16904
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : No CRL data found on server
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 16904
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : No CRL data found on server
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 16904
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : No CRL data found on server
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 16904
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : No CRL data found on server
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 16904
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : No CRL data found on server
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 16904
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : Unable to connect to remote host
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 16904
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://cs81box.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain : Unable to connect to remote host
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 16904
[Thu Jan 12 16:04:36 2012] [info] removed PID file /etc/httpd/run/httpd.pid (pid=16904)
[Thu Jan 12 16:04:36 2012] [notice] caught SIGTERM, shutting down
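
Added example (not part of the original bug report and not mod_revocator code): a Python audit of an Apache error_log that pairs each "Shutting down server pid N" request, in the two forms seen in the logs above, with the "caught SIGTERM, shutting down" line that should follow it, and reports requests that were never honoured. The sample log is constructed (the host ca.example.test and all pids are made up), and treating a request with no following SIGTERM line as fail-open is an assumption of this example.

```python
"""Audit an Apache error_log for mod_revocator fail-closed behaviour."""
import re
from dataclasses import dataclass

# Apache 2.2 error_log layout: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Both shutdown requests seen in this report end with "Shutting down server pid N".
REQUEST_RE = re.compile(
    r"(?P<reason>is outdated|Critical CRL update failure)\. "
    r"Shutting down server pid (?P<pid>\d+)"
)
SIGTERM_MSG = "caught SIGTERM, shutting down"
STARTUP_MSG = "resuming normal operations"

# Constructed sample, modelled on the log lines in this report.
SAMPLE_LOG = """\
[Thu Jan 12 16:02:33 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Jan 12 16:02:34 2012] [notice] Revocation subsystem initialized 2
[Thu Jan 12 16:04:36 2012] [error] Error updating CRL http://ca.example.test:9180/getCRL CN=Example CA : Unable to connect to remote host
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 4101
[Thu Jan 12 16:04:36 2012] [error] Critical CRL update failure. Shutting down server pid 4101
[Thu Jan 12 16:04:36 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Sep 21 15:54:35 2012] [error] CRL http://ca.example.test:9180/getCRL CN=Example CA is outdated. Shutting down server pid 4202
[Fri Sep 21 15:54:39 2012] [warn] child process 4207 still did not exit, sending a SIGTERM
[Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down
[Fri Oct 21 15:51:04 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Fri Oct 21 15:53:10 2011] [error] Critical CRL update failure. Shutting down server pid 4303
[Fri Oct 21 15:58:10 2011] [error] Critical CRL update failure. Shutting down server pid 4303
"""


@dataclass
class Episode:
    pid: int            # parent httpd pid named in the shutdown request
    reason: str         # "is outdated" or "Critical CRL update failure"
    first_line: int     # 1-based line number of the first request
    requests: int = 1   # every child logs its own copy of the request
    confirmed: bool = False


def audit(log_text):
    """Return one Episode per parent pid that was asked to shut down.

    Lines are processed in file order, never by timestamp: the test in the
    report moves the system clock, so timestamps are not monotonic.
    """
    done, pending = [], {}
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        req = REQUEST_RE.search(msg)
        if req:
            pid = int(req.group("pid"))
            if pid in pending:
                pending[pid].requests += 1
            else:
                pending[pid] = Episode(pid, req.group("reason"), lineno)
        elif msg == SIGTERM_MSG:
            # The SIGTERM line carries no pid, so it confirms every open request.
            for ep in pending.values():
                ep.confirmed = True
            done.extend(pending.values())
            pending = {}
        elif msg.endswith(STARTUP_MSG):
            # A new start with requests still open: they were never honoured.
            done.extend(pending.values())
            pending = {}
    done.extend(pending.values())  # still open at end of log
    return done


def fail_open(episodes):
    """Pids that were told to shut down but never logged the SIGTERM."""
    return [ep.pid for ep in episodes if not ep.confirmed]


if __name__ == "__main__":
    for ep in audit(SAMPLE_LOG):
        state = "shut down" if ep.confirmed else "STILL RUNNING (fail-open)"
        print(f"pid {ep.pid}: {ep.reason}, {ep.requests} request(s), {state}")
```
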

Comment 10 errata-xmlrpc 2012-02-21 06:17:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0247.html