Bug 451960 - mod_nss no longer starts
Summary: mod_nss no longer starts
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_nss
Version: 8
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2008-06-18 12:31 UTC by Thomas Sailer
Modified: 2011-01-17 14:35 UTC

Fixed In Version: mod_nss-1.0.7-4.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-06-19 02:51:17 UTC


Description Thomas Sailer 2008-06-18 12:31:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.5 (like Gecko) Fedora/4.0.5-2.fc9

Description of problem:
SSL with my apache httpd (configured to use mod_nss) no longer works since this
update. It worked before. The certificate database was created by the IPA
installation script roughly half a year ago. It seems to be ok:

# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes

CA certificate                                               CT,,C
Server-Cert                                                  u,u,u
Signing-Cert                                                 u,u,u

# certutil -V -d /etc/httpd/alias/ -n "Server-Cert" -u V
certutil: certificate is valid

I can still connect using plain http. However, when I try to connect to the
webserver with https, I get the following in /var/log/httpd/error_log:

[Wed Jun 18 14:19:57 2008] [error] SSL Library Error: -12215 MD5 digest function

On the client side:
$ curl -v
* About to connect() to port 443 (#0)
*   Trying connected
* Connected to ( port 443 (#0)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install IPA server
2. Try to connect to it using https

Actual Results:
SSL connect error

Expected Results:
IPA GUI should be displayed.

Additional info:

Comment 1 Thomas Sailer 2008-06-18 12:38:02 UTC
And yes, downgrading to nss-3.11.7-10.fc8, nss-devel-3.11.7-10.fc8, and nss-

Comment 2 Kai Engert (:kaie) (inactive account) 2008-06-18 21:34:54 UTC
changing component to mod_nss

Comment 3 Rob Crittenden 2008-06-18 22:04:04 UTC
Thomas, can you try this build:

Comment 4 Thomas Sailer 2008-06-18 22:54:01 UTC
I get the following in /var/log/httpd/error_log:
[Thu Jun 19 00:47:40 2008] [error] NSS_Initialize failed. Certificate
[Thu Jun 19 00:47:40 2008] [error] SSL Library Error: -8038
i.e. does not work.

nss-3.11.7-10.fc8 & mod_nss-1.0.7-3.fc8 does not work either.

mod_nss-1.0.7-2.fc8 & nss-3.11.7-10.fc8 works.

Comment 5 Rob Crittenden 2008-06-19 02:29:50 UTC
This is probably a permissions issue.

The NSS database now needs to be readable by the user apache (the default user
of httpd).

/etc/httpd/alias/*.db should be owned by root:apache and mode 0640

I missed updating that in the .spec file. A new spin will be coming soon but
chmod and chgrp should get you going again.
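
The ownership and mode requirement from comment 5, as an added example that is not part of the original bug report or of the mod_nss package: a shell function that audits the *.db files in the NSS database directory against root:apache and mode 0640. It assumes GNU stat (coreutils); the function name check_nss_db_perms is hypothetical.

```shell
#!/bin/sh
# Added example: audit NSS database ownership and mode for mod_nss.
# Defaults follow comment 5: /etc/httpd/alias/*.db, root:apache, mode 0640.
# Assumes GNU stat (coreutils), as shipped on Fedora and RHEL.

# check_nss_db_perms [DIR] [OWNER] [GROUP] [MODE]
# Prints one line per deviating *.db file.
# Returns 0 if every file matches, 1 if any deviates, 2 if none were found.
check_nss_db_perms() {
    dir=${1:-/etc/httpd/alias}
    want_owner=${2:-root}
    want_group=${3:-apache}
    want_mode=${4:-640}
    rc=0
    found=0

    for f in "$dir"/*.db; do
        # An unmatched glob stays literal, so skip anything that is not a file.
        [ -f "$f" ] || continue
        found=1
        owner=$(stat -c %U "$f")   # owner name
        group=$(stat -c %G "$f")   # group name
        mode=$(stat -c %a "$f")    # octal mode, e.g. 640

        if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ] \
           || [ "$mode" != "$want_mode" ]; then
            echo "MISMATCH $f: $owner:$group $mode" \
                 "(want $want_owner:$want_group $want_mode)"
            rc=1
        fi
    done

    if [ "$found" -eq 0 ]; then
        echo "no *.db files found in $dir" >&2
        return 2
    fi
    return "$rc"
}

# Run the audit only when arguments are given, e.g.:
#   sh check_nss_db.sh /etc/httpd/alias
if [ "$#" -gt 0 ]; then
    check_nss_db_perms "$@"
fi
```

A MISMATCH line names the file to correct with the chgrp and chmod mentioned in comment 5.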

Comment 6 Rob Crittenden 2008-06-19 02:51:17 UTC
Checking in mod_nss.spec;
/cvs/extras/rpms/mod_nss/F-8/mod_nss.spec,v  <--  mod_nss.spec
new revision: 1.9; previous revision: 1.8

Comment 7 Fedora Update System 2008-06-19 02:58:59 UTC
mod_nss-1.0.7-4.fc8 has been submitted as an update for Fedora 8

Comment 8 Thomas Sailer 2008-06-19 06:09:20 UTC
Indeed, it was the permissions issue. It now works, thanks.

Comment 9 Fedora Update System 2008-06-20 19:09:03 UTC
mod_nss-1.0.7-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Scott Weigand 2011-01-17 14:26:35 UTC
FYI: I applied Release 6 of RHEL5 this morning and had the permissions error happen.

Comment 11 Rob Crittenden 2011-01-17 14:35:12 UTC
You might want to either watch bug 669963 or file a new bug.
