Mark Price wrote: > Hello, > > I am having trouble getting mod_nss to work in FIPS mode. Summary of > the problem: mod_nss works fine before FIPS mode is enabled, then > cannot find the certificate after enabling it. Your configuration looks ok. > > This is using the /etc/httpd/alias cert database, that the mod_nss RPM > created with a default certificate named Server-Cert. > > Using that default configuration, the Apache server starts fine and > loads mod_nss. > > However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to > Apache config), I can't get it to find the same server certificate > > > [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library > [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of > size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. > [Thu May 15 13:41:21 2008] [error] The server key database has not > been initialized. > [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL > [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert' I think part of the problem is "The server key database has not been initialized." I'm not sure what would cause this. > I also tried using modutil to enable FIPS mode on the cert database, > but that did not help: > > # modutil -fips true -dbdir /etc/httpd/alias > <snipped warning> > Using database directory /etc/httpd/alias... > FIPS mode enabled. > > > # modutil -chkfips true -dbdir /etc/httpd/alias > Using database directory /etc/httpd/alias... > FIPS mode enabled. You need to let mod_nss set FIPS mode for it to work properly. > Could someone please clue me in here. Is there some more extensive > process I need to go through in converting the certificate database to > FIPS mode? I have searched for more relevant info with certutil and > modutil but haven't been able to find anything. It should be as simple as setting NSSFIPS on. I'm not sure what the problem is. Let me try to duplicate this locally and see what I can find out. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20080515/f90d8b86/attachment.bin