That's a TLS error; you need to reinstall your SSL cert and/or properly set the host name on the host. Furthermore, ensure that full forward and reverse lookup of the host works and matches the FQDN you set for the hostname.



-- Sent from my HP Pre3


On Dec 13, 2013 13:17, P. Larry Nelson <lnel...@illinois.edu> wrote:

Wondering if anyone else has seen this...

I have a web server with the following details:
- 2.6.18-371.3.1.el5 #1 SMP Thu Dec 5 11:39:02 CST 2013 x86_64 x86_64 x86_64 GNU/Linux
- Scientific Linux SL release 5.5 (Boron)
- httpd-2.2.3-82.sl5.x86_64

The server has been running fine for years. I am not the author of the
website, I just maintain the box (security and kernel updates).

On Dec 10, yum updated to the following (among others):
- nspr-4.10.2-2.el5_10.i386
- nspr-4.10.2-2.el5_10.x86_64
- nss-3.15.3-3.el5_10.i386
- nss-3.15.3-3.el5_10.x86_64
- nss-tools-3.15.3-3.el5_10.x86_64
- nspr-devel-4.10.2-2.el5_10.x86_64
- nss-devel-3.15.3-3.el5_10.x86_64
- mod_nss-1.0.8-8.el5_10.x86_64

The httpd daemon was not restarted at that point (because I
missed the instructions in the errata email).
Then on Dec 11, with the php security update, I *did* restart httpd.

But now when httpd starts, I see in /var/log/httpd/error_log
lots and lots of:

[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED

And httpd daemons start and then fail with:

[notice] child pid 9784 exit signal Segmentation fault (11)

And in /var/log/httpd/ssl_error_log I see:

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?


As a temp workaround, I've moved /etc/httpd/conf.d/nss.conf to nss.conf.BAK
and restarted httpd, which works, and it's up and running, but I'm assuming
the nss/nspr was there to provide encryption for a login mechanism.
The P.I. (principal investigator) of the site says logins still work,
but, as I said, they won't be encrypted (if that was the norm before).

Not knowing much about nss/nspr for a web site, I'm also guessing that
the ssl_error_log message about:

`localhost.localdomain' does NOT match server name!?

is the clue to the problem, but why all of a sudden with the latest nss/nspr
update? Perhaps more to the point, how to fix?

Thanks!
- Larry
--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill.
MailTo:lnel...@illinois.edu | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
"Information without accountability is just noise." - P.L. Nelson
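
The forward/reverse lookup and certificate-name comparison suggested in the reply, as an added example that is not part of the original thread. The function names and the injectable resolver parameters are assumptions made for illustration, and the check compares the CN exactly (no wildcard or subjectAltName handling).

```python
import re
import socket

# CN warning format as it appears in the ssl_error_log excerpt in the thread.
CN_WARNING = re.compile(r"CommonName \(CN\) `([^']+)' does\s+NOT match server name")


def cert_cn_from_log(log_text):
    """Return the certificate CN reported in an ssl_error_log warning, or None."""
    match = CN_WARNING.search(log_text)
    return match.group(1) if match else None


def _forward(name):
    # All IPv4 addresses the name resolves to (DNS or /etc/hosts).
    return socket.gethostbyname_ex(name)[2]


def _reverse(addr):
    # Primary name the address maps back to (PTR record or /etc/hosts).
    return socket.gethostbyaddr(addr)[0]


def check_host_identity(fqdn, cert_cn, forward=_forward, reverse=_reverse):
    """Return a list of mismatches between the FQDN, its lookups and the cert CN."""
    problems = []
    fqdn = fqdn.rstrip(".").lower()
    if cert_cn is not None and cert_cn.lower() != fqdn:
        problems.append(f"certificate CN {cert_cn!r} does not match FQDN {fqdn!r}")
    try:
        addrs = forward(fqdn)
    except OSError as exc:
        return problems + [f"forward lookup of {fqdn!r} failed: {exc}"]
    for addr in addrs:
        try:
            name = reverse(addr).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"reverse lookup of {addr} failed: {exc}")
            continue
        if name != fqdn:
            problems.append(f"{addr} reverses to {name!r}, not {fqdn!r}")
    return problems


if __name__ == "__main__":
    # Run on the web server itself; the log path is the one quoted in the thread.
    with open("/var/log/httpd/ssl_error_log", errors="replace") as fh:
        cn = cert_cn_from_log(fh.read())
    for line in check_host_identity(socket.getfqdn(), cn) or ["no mismatches found"]:
        print(line)
```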
