SCIENTIFIC-LINUX-USERS Archives

December 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: "P. Larry Nelson" <[log in to unmask]>
Date: Fri, 13 Dec 2013 12:09:30 -0600

Wondering if anyone else has seen this...

I have a web server with the following details:
  - 2.6.18-371.3.1.el5 #1 SMP Thu Dec 5 11:39:02 CST 2013 x86_64 x86_64 x86_64 GNU/Linux
  - Scientific Linux SL release 5.5 (Boron)
  - httpd-2.2.3-82.sl5.x86_64

The server has been running fine for years.  I am not the author of the
website, I just maintain the box (security and kernel updates).

On Dec 10, yum updated to the following (among others):
  - nspr-4.10.2-2.el5_10.i386
  - nspr-4.10.2-2.el5_10.x86_64
  - nss-3.15.3-3.el5_10.i386
  - nss-3.15.3-3.el5_10.x86_64
  - nss-tools-3.15.3-3.el5_10.x86_64
  - nspr-devel-4.10.2-2.el5_10.x86_64
  - nss-devel-3.15.3-3.el5_10.x86_64
  - mod_nss-1.0.8-8.el5_10.x86_64

The httpd daemon was not restarted at that point (because I
missed the instructions in the errata email).
Then on Dec 11, with the php security update, I *did* restart httpd.

But now when httpd starts, I see in /var/log/httpd/error_log
lots and lots of:

    [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
    [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED

And httpd daemons start and then fail with:

  [notice] child pid 9784 exit signal Segmentation fault (11)

And in /var/log/httpd/ssl_error_log I see:

    [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?


As a temp workaround, I've moved /etc/httpd/conf.d/nss.conf to nss.conf.BAK
and restarted httpd, which works, and it's up and running, but I'm assuming
the nss/nspr was there to provide encryption for a login mechanism.
The P.I. (principal investigator) of the site says logins still work,
but, as I said, they won't be encrypted (if that was the norm before).

Not knowing much about nss/nspr for a web site, I'm also guessing that
the ssl_error_log message about:

    `localhost.localdomain' does NOT match server name!?

is the clue to the problem, but why all of a sudden with the latest nss/nspr
update?  Perhaps more to the point, how to fix?

Thanks!
- Larry
-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]    | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson
