Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 451960 - mod_nss no longer starts
Summary: mod_nss no longer starts
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_nss
Version: 8
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-18 12:31 UTC by Thomas Sailer
Modified: 2011-01-17 14:35 UTC (History)
2 users (show)

Fixed In Version: mod_nss-1.0.7-4.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-19 02:51:17 UTC


Attachments (Terms of Use)

Description Thomas Sailer 2008-06-18 12:31:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.5 (like Gecko) Fedora/4.0.5-2.fc9

Description of problem:
SSL with my apache httpd (configured to use mod_nss) no longer works since this
update. It worked before. The certificate database was created by the IPA
installation script roughly half a year ago. It seems to be ok:

# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,C
Server-Cert                                                  u,u,u
Signing-Cert                                                 u,u,u

# certutil -V -d /etc/httpd/alias/ -n "Server-Cert" -u V
certutil: certificate is valid

I can still connect using plain http. However, when I try to connect the
webserver with https, I get the following in /var/log/httpd/error_log:

[Wed Jun 18 14:19:57 2008] [error] SSL Library Error: -12215 MD5 digest function
failed

On the client side:
$ curl -v https://xx.com/fedora/
* About to connect() to xx.com port 443 (#0)
*   Trying 192.168.1.2... connected
* Connected to xx.com (192.168.1.2) port 443 (#0)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error


Version-Release number of selected component (if applicable):
nss-3.12.0.3-0.8.1.fc8

How reproducible:
Always


Steps to Reproduce:
1.Install IPA server
2.Try to connect it using https


Actual Results:
SSL connect error

Expected Results:
IPA GUI should be displayed.

Additional info:

Comment 1 Thomas Sailer 2008-06-18 12:38:02 UTC
And yes, downgrading to nss-3.11.7-10.fc8, nss-devel-3.11.7-10.fc8, and nss-
functionality.

Comment 2 Kai Engert (:kaie) (inactive account) 2008-06-18 21:34:54 UTC
changing component to mod_nss

Comment 3 Rob Crittenden 2008-06-18 22:04:04 UTC
Thomas, can you try this build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=669540

Comment 4 Thomas Sailer 2008-06-18 22:54:01 UTC
with:
mod_nss-1.0.7-3.fc8
nss-3.12.0.3-0.8.1.fc8
I get the following in /var/log/httpd/error_log:
[Thu Jun 19 00:47:40 2008] [error] NSS_Initialize failed. Certificate
database:/etc/httpd/alias.
[Thu Jun 19 00:47:40 2008] [error] SSL Library Error: -8038
SEC_ERROR_NOT_INITIALIZED
i.e. does not work.

nss-3.11.7-10.fc8 & mod_nss-1.0.7-3.fc8 does not work either.

mod_nss-1.0.7-2.fc8 & nss-3.11.7-10.fc8 works.

Comment 5 Rob Crittenden 2008-06-19 02:29:50 UTC
This is probably a permissions issue.

The NSS database now needs to be readable by the user apache (the default user
of httpd).

/etc/httpd/alias/*.db should be owned by root:apache and mode 0640

I missed updating that in the .spec file. A new spin will be coming soon but
chmod and chgrp should get you going again.

Comment 6 Rob Crittenden 2008-06-19 02:51:17 UTC
Checking in mod_nss.spec;
/cvs/extras/rpms/mod_nss/F-8/mod_nss.spec,v  <--  mod_nss.spec
new revision: 1.9; previous revision: 1.8
done


Comment 7 Fedora Update System 2008-06-19 02:58:59 UTC
mod_nss-1.0.7-4.fc8 has been submitted as an update for Fedora 8

Comment 8 Thomas Sailer 2008-06-19 06:09:20 UTC
Indeed, it was the permissions issue. It now works, thanks.

Comment 9 Fedora Update System 2008-06-20 19:09:03 UTC
mod_nss-1.0.7-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Scott Weigand 2011-01-17 14:26:35 UTC
FYI: I applied Release 6 of RHEL5 this morning and had the permissions error happen.

Comment 11 Rob Crittenden 2011-01-17 14:35:12 UTC
You might want to either watch bug 669963 or file a new bug.


Note You need to log in before you can comment on or make changes to this bug.