From sven.indie at gmail.com Thu May 2 13:26:54 2013
From: sven.indie at gmail.com (Sven Indie)
Date: Thu, 2 May 2013 15:26:54 +0200
Subject: [Mod_nss-list] "Unable to read from pin store for slot: internal APR err: 11"
In-Reply-To: <5171551B.9050505@redhat.com>
References: <5171551B.9050505@redhat.com>
Message-ID:

Hello again!

Turns out that using NSS database PINs broke our init script - restart
generates the error, whereas doing a stop and a start prompts me for the
PIN.

Best,
// Mjau

On Fri, Apr 19, 2013 at 4:30 PM, Rob Crittenden wrote:

> Sven Indie wrote:
>
>> Hi!
>>
>> I get "Unable to read from pin store for slot: internal APR err: 11" in
>> my apache error log.
>>
>> Would anyone here happen to know what this is about, and what I can do
>> about it?
>> (I'm on SLES 11 SP2..)
>>
>> Did some googling but didn't really find much of interest except for
>> this bug report:
>> https://bugzilla.redhat.com/show_bug.cgi?id=690158 which in turn points
>> to a nonaccessible bug report.
>>
>
> What version of mod_nss?
>
> See if nss_pcache is running. This error comes when Apache can't
> communicate with this process. This process securely stores the NSS
> database PINs between Apache restarts.
>
> rob
>
>

From sven.indie at gmail.com Thu May 2 13:37:17 2013
From: sven.indie at gmail.com (Sven Indie)
Date: Thu, 2 May 2013 15:37:17 +0200
Subject: [Mod_nss-list] OCSP trouble
Message-ID:

Hello again!

I'm trying to turn on the OCSP function. Turned off, everything works as
intended. When I try to turn it on however, I get these two lines in my
apache error log:

Unable to set OCSP default responder nickname signchain.
SSL Library Error: -8174 Problem using certificate or key database"

Anyone have a clue what's going wrong here?
(Seems like I'm running into every possible problem.. =)

Best regards,
// Mjau
From rcritten at redhat.com Thu May 2 14:07:16 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 02 May 2013 10:07:16 -0400
Subject: [Mod_nss-list] OCSP trouble
In-Reply-To:
References:
Message-ID: <51827314.6040000@redhat.com>

Sven Indie wrote:
> Hello again!
>
> I'm trying to turn on the OCSP function. Turned off, everything works as
> intended. When I try to turn it on however, I get these two lines in my
> apache error log:
>
> Unable to set OCSP default responder nickname signchain.
> SSL Library Error: -8174 Problem using certificate or key database"
>
> Anyone have a clue what's going wrong here?
> (Seems like I'm running into every possible problem.. =)

Does the certificate signchain exist in the mod_nss NSS database? Is that
database readable by Apache?

rob

From rcritten at redhat.com Thu May 2 14:08:37 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 02 May 2013 10:08:37 -0400
Subject: [Mod_nss-list] "Unable to read from pin store for slot: internal APR err: 11"
In-Reply-To:
References: <5171551B.9050505@redhat.com>
Message-ID: <51827365.5000701@redhat.com>

Sven Indie wrote:
> Hello again!
>
> Turns out that using NSS database PINs broke our init script - restart
> generates the error, whereas doing a stop and a start prompts me for the
> PIN.

Right, like I said nss_pcache is used to store PINs between restarts, so
if it isn't working then Apache isn't going to survive a restart.

After starting Apache, see if nss_pcache is running. It should be
launched by mod_nss.

rob

>
> Best,
> // Mjau
>
>
> On Fri, Apr 19, 2013 at 4:30 PM, Rob Crittenden
> wrote:
>
> Sven Indie wrote:
>
> Hi!
>
> I get "Unable to read from pin store for slot: internal APR err:
> 11" in
> my apache error log.
>
> Would anyone here happen to know what this is about, and what I
> can do
> about it?
> (I'm on SLES 11 SP2..)
>
> Did some googling but didn't really find much of interest except for
> this bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=690158
> which in
> turn points
> to a nonaccessible bug report.
>
>
> What version of mod_nss?
>
> See if nss_pcache is running. This error comes when Apache can't
> communicate with this process. This process securely stores the NSS
> database PINs between Apache restarts.
>
> rob
>
>

From Albert.Smith.CTR at osd.mil Fri May 3 13:49:46 2013
From: Albert.Smith.CTR at osd.mil (Smith, Albert L CTR OSD ATL)
Date: Fri, 3 May 2013 13:49:46 +0000
Subject: [Mod_nss-list] NSSVerifyClient Require - doesn't work in <Location> directive
In-Reply-To: <502EA37D.9030703@redhat.com>
References: <502EA37D.9030703@redhat.com>
Message-ID: <6D5E7B1BD7120248ABBF94A4E219FCB2179AA0BC@RSRCNMEX2>

The bugzilla id=749402 you referred to was already included in the version of mod_nss I'm running:
mod_nss-1.0.8-7.el5.x86_64 --changelog
* Wed Nov 09 2011 Rob Crittenden - 1.0.8-6
- Bugzilla Bug #749401 - https://server.testrelm/ipa/xml: Bad Request intermittent errors
- Bugzilla Bug #749402 - may be possible to spoof mod_nss FakeBasicAuth
- Bugzilla Bug #749405 - mod_nss fails debug assertion
- Bugzilla Bug #749406 - Add 'libnssckbi.so' runtime dependency
.
.

When I try to view the bug I get: "You are not authorized to access bug #749402" so I can't tell if there is more to the bug than the "FakeBasicAuth" issue or not.

Also, I've upgraded the OS to v5.9 and am fully patched.

Is this the proper forum to request Redhat support for this bug or should I open a case in the "customer portal" section of the Redhat website?
-Albert Smith
Infrastructure Team
OUSD(AT&L) eBusiness Center
703 571-3015

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, August 17, 2012 4:03 PM
To: Smith, Albert L CTR OSD ATL
Cc: 'mod_nss-list at redhat.com'
Subject: Re: NSSVerifyClient Require - doesn't work in <Location> directive

Smith, Albert L CTR OSD ATL wrote:
> Hi Rob.
>
> I haven't yet heard anything regarding this question. I apologize if I'm sending it to you inappropriately; if that's the case then I would much appreciate it if you would guide me to the appropriate person/group. If you are the appropriate person/group then will you give me an idea of when I might get an answer?

I believe this is BZ https://bugzilla.redhat.com/show_bug.cgi?id=749402
, it is targeted for the next RHEL 5 release.

rob

>
> Much thanks.
>
> -Albert Smith
> Infrastructure Team
> OUSD(AT&L) eBusiness Center
> 703 571-3015
>
>
> -----Original Message-----
> From: Smith, Albert L CTR OSD ATL
> Sent: Wednesday, August 01, 2012 10:01 AM
> To: 'rcritten at redhat.com'
> Cc: 'mod_nss-list at redhat.com'
> Subject: NSSVerifyClient Require - doesn't work in <Location> directive
>
> Greetings.
>
> I got these two email addresses from the following thread (https://www.redhat.com/archives/mod_nss-list/2010-September/msg00004.html) so I hope that I'm reaching the appropriate person/group for my question.
>
> I'm running OEL-5 (Oracle Enterprise Linux, version 5), Apache 2.2.3, NSPR-4.8.9-1 and NSS-3.13.1-5.0.1
>
> The server is used as a proxy server with a mix of 'Location's requiring client verification and not requiring verification.
>
> To support this I'm trying to use 'NSSVerifyClient Require' inside of the <Location> directive and it's not working correctly, it behaves the same as 'Optional'.
>
> However, 'NSSVerifyClient' works correctly inside of the <Location> directive using 'None' and 'Optional'.
>
> Is this a known issue?
> Is there a way to get this working?
>
> This worked successfully using 'mod_ssl' using 'SSLVerifyClient Require'.
>
> -Albert Smith
> Infrastructure Team
> OUSD(AT&L) eBusiness Center
> 703 571-3015
>
>

From rcritten at redhat.com Fri May 3 14:46:46 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 May 2013 10:46:46 -0400
Subject: [Mod_nss-list] NSSVerifyClient Require - doesn't work in <Location> directive
In-Reply-To: <6D5E7B1BD7120248ABBF94A4E219FCB2179AA0BC@RSRCNMEX2>
References: <502EA37D.9030703@redhat.com> <6D5E7B1BD7120248ABBF94A4E219FCB2179AA0BC@RSRCNMEX2>
Message-ID: <5183CDD6.80306@redhat.com>

Smith, Albert L CTR OSD ATL wrote:
> The bugzilla id=749402 you referred to was already included in the version of mod_nss I'm running:
> mod_nss-1.0.8-7.el5.x86_64 --changelog
> * Wed Nov 09 2011 Rob Crittenden - 1.0.8-6
> - Bugzilla Bug #749401 - https://server.testrelm/ipa/xml: Bad Request
> intermittent errors
> - Bugzilla Bug #749402 - may be possible to spoof mod_nss FakeBasicAuth
> - Bugzilla Bug #749405 - mod_nss fails debug assertion
> - Bugzilla Bug #749406 - Add 'libnssckbi.so' runtime dependency
> .
> .
>
> When I try to view the bug I get: "You are not authorized to access bug #749402" so I can't tell if there is more to the bug than the "FakeBasicAuth" issue or not.
>
> Also, I've upgraded the OS to v5.9 and am fully patched.

One of the issues fixed was the way the client certificate was
retrieved. There were cases that it would only be requested during a
full handshake which is why I thought it applied to your problem.

>
> Is this the proper forum to request Redhat support for this bug or should I open a case in the "customer portal" section of the Redhat website?

For Red Hat support you'll need to open a case on the portal.
rob

>
>
> -Albert Smith
> Infrastructure Team
> OUSD(AT&L) eBusiness Center
> 703 571-3015
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, August 17, 2012 4:03 PM
> To: Smith, Albert L CTR OSD ATL
> Cc: 'mod_nss-list at redhat.com'
> Subject: Re: NSSVerifyClient Require - doesn't work in <Location> directive
>
> Smith, Albert L CTR OSD ATL wrote:
>> Hi Rob.
>>
>> I haven't yet heard anything regarding this question. I apologize if I'm sending it to you inappropriately; if that's the case then I would much appreciate it if you would guide me to the appropriate person/group. If you are the appropriate person/group then will you give me an idea of when I might get an answer?
>
> I believe this is BZ https://bugzilla.redhat.com/show_bug.cgi?id=749402
> , it is targeted for the next RHEL 5 release.
>
> rob
>
>>
>> Much thanks.
>>
>> -Albert Smith
>> Infrastructure Team
>> OUSD(AT&L) eBusiness Center
>> 703 571-3015
>>
>>
>> -----Original Message-----
>> From: Smith, Albert L CTR OSD ATL
>> Sent: Wednesday, August 01, 2012 10:01 AM
>> To: 'rcritten at redhat.com'
>> Cc: 'mod_nss-list at redhat.com'
>> Subject: NSSVerifyClient Require - doesn't work in <Location> directive
>>
>> Greetings.
>>
>> I got these two email addresses from the following thread (https://www.redhat.com/archives/mod_nss-list/2010-September/msg00004.html) so I hope that I'm reaching the appropriate person/group for my question.
>>
>> I'm running OEL-5 (Oracle Enterprise Linux, version 5), Apache 2.2.3, NSPR-4.8.9-1 and NSS-3.13.1-5.0.1
>>
>> The server is used as a proxy server with a mix of 'Location's requiring client verification and not requiring verification.
>>
>> To support this I'm trying to use 'NSSVerifyClient Require' inside of the <Location> directive and it's not working correctly, it behaves the same as 'Optional'.
>>
>> However, 'NSSVerifyClient' works correctly inside of the <Location> directive using 'None' and 'Optional'.
>>
>> Is this a known issue?
>> Is there a way to get this working?
>>
>> This worked successfully using 'mod_ssl' using 'SSLVerifyClient Require'.
>>
>> -Albert Smith
>> Infrastructure Team
>> OUSD(AT&L) eBusiness Center
>> 703 571-3015
>>
>>
>
>

From sven.indie at gmail.com Mon May 6 14:41:39 2013
From: sven.indie at gmail.com (Sven Indie)
Date: Mon, 6 May 2013 16:41:39 +0200
Subject: [Mod_nss-list] OCSP trouble
In-Reply-To:
References:
Message-ID:

Hi!

It seems that this was because I had set the OCSP to on in one vhost,
whereas it was set to off in another.

Best,
// Mjau

On Thu, May 2, 2013 at 3:37 PM, Sven Indie wrote:

> Hello again!
>
> I'm trying to turn on the OCSP function. Turned off, everything works as
> intended. When I try to turn it on however, I get these two lines in my
> apache error log:
>
> Unable to set OCSP default responder nickname signchain.
> SSL Library Error: -8174 Problem using certificate or key database"
>
> Anyone have a clue what's going wrong here?
> (Seems like I'm running into every possible problem.. =)
>
> Best regards,
> // Mjau
>

From rcritten at redhat.com Mon May 6 17:25:57 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 May 2013 13:25:57 -0400
Subject: [Mod_nss-list] OCSP trouble
In-Reply-To:
References:
Message-ID: <5187E7A5.8030307@redhat.com>

Sven Indie wrote:
> Hi!
>
> It seems that this was because I had set the OCSP to on in one vhost,
> whereas it was set to off in another.

Hmm, strange. Can you open a bugzilla on this?

rob

>
> Best,
> // Mjau
>
>
> On Thu, May 2, 2013 at 3:37 PM, Sven Indie
> wrote:
>
> Hello again!
>
> I'm trying to turn on the OCSP function. Turned off, everything
> works as intended. When I try to turn it on however, I get these two
> lines in my apache error log:
>
> Unable to set OCSP default responder nickname signchain.
> SSL Library Error: -8174 Problem using certificate or key database"
>
> Anyone have a clue what's going wrong here?
> (Seems like I'm running into every possible problem.. =)
>
> Best regards,
> // Mjau
>
>
>
>
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list
>
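The three checks Rob asks for across this thread (is nss_pcache running after Apache starts, does the certificate nickname exist in the mod_nss NSS database, can Apache read that database) gathered into one small diagnostic script. This is an added example, not code from the list, from mod_nss or from Red Hat; the database path /etc/httpd/alias, the user name apache and the nickname signchain are assumed defaults that can be overridden from the environment.

```shell
#!/bin/sh
# Added diagnostic helpers for the mod_nss problems discussed in the thread
# (not mod_nss's own code). Assumed defaults: NSS database in /etc/httpd/alias,
# Apache running as "apache", nickname "signchain" taken from the OCSP error.
NSS_DB="${NSS_DB:-/etc/httpd/alias}"
APACHE_USER="${APACHE_USER:-apache}"
NICK="${NICK:-signchain}"

# 1. mod_nss launches nss_pcache to hold the database PINs across restarts;
#    when it is not alive a restart cannot fetch the PIN ("pin store" error).
pcache_running() {
    pgrep -x nss_pcache >/dev/null 2>&1
}

# 2. Does a nickname appear in `certutil -L -d $NSS_DB` output?
#    The listing is read on stdin so it can be checked against captured output.
#    Entry lines are "<nickname>   <trust flags>"; the flags (C,T,c,P,p,u,w and
#    commas) are stripped before comparing so nicknames with spaces still match.
nickname_in_listing() {
    awk -v n="$1" '
        { line = $0; sub(/[ \t]+[CTcPpuw,]*$/, "", line); if (line == n) found = 1 }
        END { exit !found }'
}
cert_in_db() {
    certutil -L -d "$NSS_DB" | nickname_in_listing "$1"
}

# 3. Can the Apache user read every file of the database (cert8/key3/secmod)?
#    This is Rob's second question for the -8174 error: the certificate may be
#    present but the files unreadable by the httpd user.
db_readable_by() {
    for f in cert8.db key3.db secmod.db; do
        su -s /bin/sh "$1" -c "test -r '$2/$f'" || return 1
    done
}

mod_nss_diagnose() {
    pcache_running && echo "ok: nss_pcache is running" \
        || echo "FAIL: nss_pcache is not running"
    cert_in_db "$NICK" && echo "ok: $NICK found in $NSS_DB" \
        || echo "FAIL: $NICK not found in $NSS_DB"
    db_readable_by "$APACHE_USER" "$NSS_DB" \
        && echo "ok: $NSS_DB readable by $APACHE_USER" \
        || echo "FAIL: $NSS_DB not readable by $APACHE_USER"
}

# Run the checks only when asked, so the helpers can also be sourced.
if [ -n "${RUN_CHECKS:-}" ]; then mod_nss_diagnose; fi
```

Run it on the web server as root with RUN_CHECKS=1 right after an Apache restart; a FAIL on the first line matches the PIN-store symptom, a FAIL on the other two matches the OCSP nickname symptom.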