Update...
Scratch the bit at the end about the [warn] messages in the ssl_error_log.
Looking way back into the logs, I get them all the time. So, that's not
a clue anymore.
- Larry
P. Larry Nelson wrote on 12/13/2013 12:09 PM:
> Wondering if anyone else has seen this...
>
> I have a web server with the following details:
> - 2.6.18-371.3.1.el5 #1 SMP Thu Dec 5 11:39:02 CST 2013 x86_64 x86_64 x86_64 GNU/Linux
> - Scientific Linux SL release 5.5 (Boron)
> - httpd-2.2.3-82.sl5.x86_64
>
> The server has been running fine for years. I am not the author of the
> website, I just maintain the box (security and kernel updates).
>
> On Dec 10, yum updated to the following (among others):
> - nspr-4.10.2-2.el5_10.i386
> - nspr-4.10.2-2.el5_10.x86_64
> - nss-3.15.3-3.el5_10.i386
> - nss-3.15.3-3.el5_10.x86_64
> - nss-tools-3.15.3-3.el5_10.x86_64
> - nspr-devel-4.10.2-2.el5_10.x86_64
> - nss-devel-3.15.3-3.el5_10.x86_64
> - mod_nss-1.0.8-8.el5_10.x86_64
>
> The httpd daemon was not restarted at that point (because I
> missed the instructions in the errata email).
> Then on Dec 11, with the php security update, I *did* restart httpd.
>
> But now when httpd starts, I see in /var/log/httpd/error_log
> lots and lots of:
>
> [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
> [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
>
> And httpd daemons start and then fail with:
>
> [notice] child pid 9784 exit signal Segmentation fault (11)
>
> And in /var/log/httpd/ssl_error_log I see:
>
> [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
> [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
>
>
> As a temp workaround, I've moved /etc/httpd/conf.d/nss.conf to nss.conf.BAK
> and restarted httpd, which works, and it's up and running, but I'm assuming
> the nss/nspr was there to provide encryption for a login mechanism.
> The P.I. (principal investigator) of the site says logins still work,
> but, as I said, they won't be encrypted (if that was the norm before).
>
> Not knowing much about nss/nspr for a web site, I'm also guessing that
> the ssl_error_log message about:
>
> `localhost.localdomain' does NOT match server name!?
>
> is the clue to the problem, but why all of a sudden with the latest nss/nspr
> update? Perhaps more to the point, how to fix?
>
> Thanks!
> - Larry
--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask] | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
"Information without accountability is just noise." - P.L. Nelson