SCIENTIFIC-LINUX-USERS Archives

December 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: "P. Larry Nelson" <[log in to unmask]>
Date: Fri, 13 Dec 2013 12:16:30 -0600

Update...

Scratch the bit at the end about the [warn] messages in the ssl_error_log.
Looking way back into the logs, I get them all the time.  So, that's not
a clue anymore.

- Larry

P. Larry Nelson wrote on 12/13/2013 12:09 PM:
> Wondering if anyone else has seen this...
>
> I have a web server with the following details:
>   - 2.6.18-371.3.1.el5 #1 SMP Thu Dec 5 11:39:02 CST 2013 x86_64 x86_64 x86_64 GNU/Linux
>   - Scientific Linux SL release 5.5 (Boron)
>   - httpd-2.2.3-82.sl5.x86_64
>
> The server has been running fine for years.  I am not the author of the
> website, I just maintain the box (security and kernel updates).
>
> On Dec 10, yum updated to the following (among others):
>   - nspr-4.10.2-2.el5_10.i386
>   - nspr-4.10.2-2.el5_10.x86_64
>   - nss-3.15.3-3.el5_10.i386
>   - nss-3.15.3-3.el5_10.x86_64
>   - nss-tools-3.15.3-3.el5_10.x86_64
>   - nspr-devel-4.10.2-2.el5_10.x86_64
>   - nss-devel-3.15.3-3.el5_10.x86_64
>   - mod_nss-1.0.8-8.el5_10.x86_64
>
> The httpd daemon was not restarted at that point (because I
> missed the instructions in the errata email).
> Then on Dec 11, with the php security update, I *did* restart httpd.
>
> But now when httpd starts, I see in /var/log/httpd/error_log
> lots and lots of:
>
>     [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
>     [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
>
> And httpd daemons start and then fail with:
>
>   [notice] child pid 9784 exit signal Segmentation fault (11)
>
> And in /var/log/httpd/ssl_error_log I see:
>
>     [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
>     [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
>
>
> As a temp workaround, I've moved /etc/httpd/conf.d/nss.conf to nss.conf.BAK
> and restarted httpd, which works, and it's up and running, but I'm assuming
> the nss/nspr was there to provide encryption for a login mechanism.
> The P.I. (principal investigator) of the site says logins still work,
> but, as I said, they won't be encrypted (if that was the norm before).
>
> Not knowing much about nss/nspr for a web site, I'm also guessing that
> the ssl_error_log message about:
>
>     `localhost.localdomain' does NOT match server name!?
>
> is the clue to the problem, but why all of a sudden with the latest nss/nspr
> update?  Perhaps more to the point, how to fix?
>
> Thanks!
> - Larry


-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]    | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson
