Bug 719408 - certificates supplied with mod_nss have expired and prevent httpd starting
Summary: certificates supplied with mod_nss have expired and prevent httpd starting
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_nss
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Assignee: Matthew Harmsen
QA Contact: Kaleem
URL:
Whiteboard:
Depends On: 711085
Blocks: 1205796
Reported: 2011-07-06 18:07 UTC by Dmitri Pal
Modified: 2016-01-05 22:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 711085
Environment:
Last Closed: 2016-01-05 22:26:49 UTC
Target Upstream Version:
Embargoed:



Description Dmitri Pal 2011-07-06 18:07:45 UTC
+++ This bug was initially created as a clone of Bug #711085 +++

Description of problem:
Certificates created when mod_nss was installed (cacert, Server-Cert and alpha) over four years ago have expired, preventing the restarting of httpd (apache), with "certificate expired" errors in /var/log/httpd/error_log.

Version-Release number of selected component (if applicable): 
mod_nss-1.0.8-4.el5_6.1

How reproducible:
Always

Steps to Reproduce:
1. rpm -e mod_nss
2. rm /etc/httpd/alias/*
3. service ntpd stop
4. date 060614332006  # set date back over four years
5. yum install mod_nss
6. ntpdate ntp0   # set time back to current time - using our local timeserver in this instance
7. service httpd restart

  
Actual results:
httpd fails to start: 
Starting httpd:                                            [FAILED]
/var/log/httpd/error_log  contains:
[Mon Jun 06 14:36:45 2011] [error] SSL Library Error: -8181 Certificate has expired
[Mon Jun 06 14:36:45 2011] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

Expected results:
httpd starts successfully, or better error messages.  Should 'NSSEnforceValidCerts off' be the default?  Having a service just stop working after a number of years of service because a certificate it isn't actually using has expired seems very strange behaviour.

Additional info:
httpd was set up and running ok using a properly signed certificate for https traffic (ssl.conf:SSLCertificateFile /etc/pki/tls/certs/mycert.crt). One day, when the system restarted httpd for some reason, it failed to restart with the rather cryptic error message.

A quick fix was to add 'NSSEnforceValidCerts off' as suggested, but figuring out what caused the problem took a fair bit of work.  

Removing mod_nss and the certificates it created, and reinstalling allows httpd to start:
rpm -e mod_nss
rm /etc/httpd/alias/*
yum install mod_nss
service httpd restart

--- Additional comment from rcritten on 2011-06-06 10:39:14 EDT ---

Enforcing valid certificates is a sanity and security feature. What is unclear about the message, the fact that it is being generated from mod_nss?

If you aren't using mod_nss you can simply remove the package and avoid this altogether.

--- Additional comment from jb60.uk on 2011-06-22 09:24:26 EDT ---

(In reply to comment #1)
> Enforcing valid certificates is a sanity and security feature. What is unclear
> about the message, the fact that it is being generated from mod_nss?
> 
> If you aren't using mod_nss you can simply remove the package and avoid this
> altogether.

Yes, the fact that the problem is generated in mod_nss will result in admins who can't figure it out just adding 'NSSEnforceValidCerts off', resulting in reduced security.

Anyway by creating this bug entry here hopefully users who have the same problem can do a search here and get to this page to see a better solution.

Thanks.

--- Additional comment from dpal on 2011-07-06 14:06:55 EDT ---

The issue will be addressed in the later RHEL releases.

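As an added example (not part of the bug report, and not code from mod_nss), a Python check that reports whether the certificates mod_nss generates in /etc/httpd/alias are expired or about to expire, and flags an nss.conf where the NSSEnforceValidCerts workaround has been applied; it assumes the "Not After :" line format that `certutil -L -d <dir> -n <nickname>` prints, and the sample certutil output and nss.conf excerpt are constructed.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of the Validity block that certutil -L prints for the
# Server-Cert that mod_nss generated at install time (dates are made up).
SAMPLE_SERVER_CERT = """\
        Validity:
            Not After : Sun Jun 06 14:33:00 2010
"""
# Constructed nss.conf excerpt with the workaround from the bug applied.
SAMPLE_NSS_CONF = """\
NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
NSSEnforceValidCerts off
"""
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)

def parse_not_after(certutil_output):
    """Return the expiry time from certutil's pretty-printed certificate."""
    m = NOT_AFTER_RE.search(certutil_output)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")

def expiry_status(certutil_output, now, warn_days=30):
    """Classify a certificate as EXPIRED, EXPIRING (within warn_days) or OK."""
    days_left = (parse_not_after(certutil_output) - now).days
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "EXPIRING", days_left
    return "OK", days_left

def enforce_valid_certs_disabled(nss_conf):
    """True if nss.conf turns NSSEnforceValidCerts off, hiding expiry instead of fixing it."""
    for raw in nss_conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) == 2 and parts[0].lower() == "nssenforcevalidcerts":
            return parts[1].lower() == "off"
    return False  # mod_nss default is on

def check_nss_db(dbdir="/etc/httpd/alias", nicknames=("cacert", "Server-Cert", "alpha")):
    """Run certutil against a live NSS database; returns {nickname: (status, days_left)}."""
    report = {}
    for nick in nicknames:
        out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nick],
                             capture_output=True, text=True, check=True).stdout
        report[nick] = expiry_status(out, datetime.now())
    return report
```

Run check_nss_db() on the web server (it needs the nss-tools certutil binary) from cron so an expiring install-time certificate is reported before httpd refuses to start.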
Comment 4 Matthew Harmsen 2016-01-05 22:26:49 UTC
Per discussion with rcritten, this is an upstream bug -- closing as WONTFIX.

