SCIENTIFIC-LINUX-USERS Archives

September 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Christopher Tooley <[log in to unmask]>
Reply To:
Christopher Tooley <[log in to unmask]>
Date:
Fri, 2 Sep 2011 15:20:59 -0700
Hello all, solved this:

[root@host html]# cd /etc/openldap/cacerts/
[root@host cacerts]# certutil -A -n "<insert cert nick here>" -t PC -i /etc/openldap/cacerts/<certname>.pem -d .
[root@host cacerts]# chmod +r *.db
[root@host cacerts]# ls -la
total 108
drwxr-xr-x. 2 root root  4096 Sep  2 15:08 .
drwxr-xr-x. 5 root root  4096 Sep  2 14:00 ..
lrwxrwxrwx  1 root root    10 Sep  1 16:20 <certhash>.0 -> <certname>.pem
-rw-r--r--  1 root root 65536 Sep  2 15:08 cert8.db
-rw-r--r--  1 root root 16384 Sep  2 15:08 key3.db
-rw-r--r--  1 root root 16384 Sep  2 15:08 secmod.db
-rw-r--r--  1 root root  1155 Sep  1 11:34 <certname>.pem
[root@host cacerts]# /etc/init.d/httpd restart

This will add the missing dbs and should work.

This was also on a SL6.1 server.

Christopher Tooley
[log in to unmask]
Systems, HEP/Astronomy UVic

On 2011-09-02, at 2:18 PM, Christopher Tooley wrote:

> Hello all again,
> 
> So, looking through the source of the openldap TLS stuff, I've found where the message is happening:
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_m.c;h=c85d322014fa838341f3fefdea9a5f693fadc079;hb=f7a0fc9f8b7fa9cfecd6a075b2867abd149dd0de#l1669
> 
> according to a comment a couple of lines up:
> "/* no moznss db found, or not using moznss db */"
> 
> I have also done an strace on apache, here are the (I think) most relevant parts:
> --------------------------------------------------------------------------------
> stat("/etc/openldap/cacerts/secmod.db", 0x7fffe681c1c0) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat("/etc/openldap/cacerts/cert8.db", 0x7fffe681c580) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/cert8.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat("/etc/openldap/cacerts/cert7.db", 0x7fffe681c5b0) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/cert7.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> open("/pkcs11.txt", O_RDONLY)           = -1 ENOENT (No such file or directory)
> access("/secmod.db", F_OK)              = -1 ENOENT (No such file or directory)
> stat("/key3.db", 0x7fffe681c590)        = -1 ENOENT (No such file or directory)
> open("/key3.db", O_RDONLY)              = -1 ENOENT (No such file or directory)
> write(2, "TLS: could not initialize moznss"..., 68) = 68
> write(2, "TLS: could perform TLS system in"..., 46) = 46
> write(2, "TLS: error: could not initialize"..., 91) = 91
> write(2, "TLS: can't create ssl handle.\n", 30) = 30
> write(2, "ldap_err2string\n", 16)       = 16
> write(2, "[Fri Sep 02 13:57:00 2011] [erro"..., 175) = 175
> write(2, "ldap_err2string\n", 16)       = 16
> -----------------------------------------------------------------------------------
> 
> So, it's looking for certs but I don't have those installed - nor do I think I should, as I think moznss is *supposed* to be a drop-in replacement for openssl afaik. How do I get apache/php to act like a proper ldap query agent and just use the .pem file located in /etc/openldap/cacerts/?
> 
> I have a .pem file located in /etc/openldap/cacerts/<certname>.pem that seems to work fine with like every other LDAPS query I do...?? :\
> 
> Thanks for any help!
> 
> -Chris
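
Added example, not from the list post: a small POSIX sh preflight that checks for the three NSS db files the strace above shows libldap probing (secmod.db, cert8.db, key3.db), verifies they are world-readable (httpd runs as an unprivileged user, which is why the "chmod +r *.db" step mattered), and only then runs the certutil import from the fix. The directory, nickname and PEM path are parameters; the package name nss-tools and the trust string are assumptions taken from SL6 and from the post.

```shell
#!/bin/sh
# Report which NSS db files are missing or not world-readable under $1.
# Prints one line per problem; returns 0 only when all three are fine.
check_nss_certdb() {
    dir=$1
    status=0
    for f in cert8.db key3.db secmod.db; do
        p="$dir/$f"
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            status=1
        else
            # 8th char of "ls -l" is the "other" read bit; "-r" would
            # only test the caller (root), not the apache user.
            other_r=$(ls -l "$p" | cut -c8)
            if [ "$other_r" != "r" ]; then
                echo "not world-readable: $p"
                status=1
            fi
        fi
    done
    return $status
}

# Create the db from a PEM CA cert when it is absent, then make it
# readable, as in the post. certutil is only invoked when needed.
# $1 = NSS db dir, $2 = cert nickname, $3 = PEM file
init_nss_certdb() {
    dir=$1 nick=$2 pem=$3
    if check_nss_certdb "$dir" >/dev/null; then
        echo "NSS db already present and readable in $dir"
        return 0
    fi
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found (assumed package: nss-tools)"   # assumption
        return 2
    fi
    # Trust flags "PC" are the ones used in the post.
    certutil -A -n "$nick" -t PC -i "$pem" -d "$dir" || return 1
    chmod +r "$dir"/*.db
    check_nss_certdb "$dir"
}

# Usage (paths from the post; nickname is a placeholder), then restart httpd:
#   init_nss_certdb /etc/openldap/cacerts "<insert cert nick here>" \
#       /etc/openldap/cacerts/<certname>.pem && /etc/init.d/httpd restart
```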
