mod_nss ??

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: mod_nss ??
From: J Lance Wilkinson <jlw12@xxxxxxx>
Date: Tue, 24 Feb 2015 09:32:22 -0500
Cc: jlw12@xxxxxxx
In-reply-to: <54EC883B.7060503@domblogger.net>
Reply-to: users@xxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090302 Thunderbird/2.0.0.21 Mnenhy/0.7.6.666

This morning a webserver that I'm responsible for (but didn't have aparticularly significant hand in setting up) was reporting as <defunct> in a

	$ ps -ef | grep httpd
display.  This is on RHEL6 and it's Apache HTTPD 2.2 patched up the way that
Red Hat does things.

When I explored the logs, and especially after I tried to restart it and got a

[FAILED] report on the start, I found several log entries suggesting SSLproblems and an unexpired certificate.


But the webserver in question doesn't supply ANY SSL encrypted services.

Turns out what appeared to be a legacy use of mod_nss was present in theconfiguration.

I was able to restore the services by simply commenting out the nss.conf filefrom the /etc/httpd/conf.d directory.

But I'd really like to confirm things by trying to identify just what thisexpired certificate was trying to secure. The only reference that I can findto a specific certificate complains about "Server-cert" and naturally there'sno such file anywhere in the perview of the server.

Skimming docs on mod_nss, I see that I shouldn't be able to find individualcertificates, because they're all in a database.


The docs I've found don't tell how to review the contents of the database
which appears to be in three files (cert8.db, key3.db and secmod.db) in a
directory cited in one of the NSS configuration directives, /etc/httpd/alias

The server is one of two that are load balanced. While the one that failedappears to have its database files all timestamped 4 years ago (Feb 23 2011),the one that did not has the same files but timestamped a little more recent(Dec 6 2011). So it's likely on or about December 6th I'll observe the sameissue on that other server.

While my brute force method of recovering the server that expired with itscertificates overnight seems to alleviated the issue, I'd love to be able todefinitively say what this was applying to before using the same brute forcemethod on the as yet unaffected server.



--
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@xxxxxxx
Systems Design Specialist - Lead	Phone: (814) 865-4870
Information Technology Services 	FAX:   (814) 863-3560
Penn State University
ITS Services and Solutions (SaS), 6 Willard, University Park, PA 16802
http://ucs.psu.edu/home/jlw12@xxxxxxx?fmt=freebusy


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

References:
- Apache modifying headers from php
  - From: Michael A. Peters

Prev by Date: Apache modifying headers from php
Next by Date: Compiling Apache 2.4.10 with openssl 0.9.8j
Previous by thread: Apache modifying headers from php
Next by thread: Compiling Apache 2.4.10 with openssl 0.9.8j
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]