Date: Fri, 13 Dec 2013 12:09:30 -0600
Wondering if anyone else has seen this...
I have a web server with the following details:
- 2.6.18-371.3.1.el5 #1 SMP Thu Dec 5 11:39:02 CST 2013 x86_64 x86_64 x86_64 GNU/Linux
- Scientific Linux SL release 5.5 (Boron)
- httpd-2.2.3-82.sl5.x86_64
The server has been running fine for years. I am not the author of the
website, I just maintain the box (security and kernel updates).
On Dec 10, yum updated to the following (among others):
- nspr-4.10.2-2.el5_10.i386
- nspr-4.10.2-2.el5_10.x86_64
- nss-3.15.3-3.el5_10.i386
- nss-3.15.3-3.el5_10.x86_64
- nss-tools-3.15.3-3.el5_10.x86_64
- nspr-devel-4.10.2-2.el5_10.x86_64
- nss-devel-3.15.3-3.el5_10.x86_64
- mod_nss-1.0.8-8.el5_10.x86_64
The httpd daemon was not restarted at that point (because I
missed the instructions in the errata email).
Then on Dec 11, with the php security update, I *did* restart httpd.
But now when httpd starts, I see in /var/log/httpd/error_log
lots and lots of:
[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
And httpd daemons start and then fail with:
[notice] child pid 9784 exit signal Segmentation fault (11)
And in /var/log/httpd/ssl_error_log I see:
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
As a temp workaround, I've moved /etc/httpd/conf.d/nss.conf to nss.conf.BAK
and restarted httpd, which works, and it's up and running, but I'm assuming
the nss/nspr was there to provide encryption for a login mechanism.
The P.I. (principal investigator) of the site says logins still work,
but, as I said, they won't be encrypted (if that was the norm before).
Not knowing much about nss/nspr for a web site, I'm also guessing that
the ssl_error_log message about:
`localhost.localdomain' does NOT match server name!?
is the clue to the problem, but why all of a sudden with the latest nss/nspr
update? Perhaps more to the point, how to fix?
Thanks!
- Larry
--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask] | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
"Information without accountability is just noise." - P.L. Nelson