<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> </head> <body bgcolor="#ffffff" text="#000000"> <ul> <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=716355">Bugzilla Bug #716355</a> - mod_revocator does not shut down httpd server if expired CRL is fetched</li> <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=716361">Bugzilla Bug #716361</a> - mod_revocator does not bring down httpd server if CRLUpdate fails</li> </ul> Please review the attached patch (which should address both Bugzilla Bugs listed above): <ul> <li><a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/attachment.cgi?id=529578&action=diff&context=patch&collapsed=&headers=1&format=raw">https://bugzilla.redhat.com/attachment.cgi?id=529578&action=diff&context=patch&collapsed=&headers=1&format=raw</a></li> </ul> TESTING THIS PATCH ON A 32-bit RHEL 5 SYSTEM: # date Fri Oct 21 15:50:26 PDT 2011 # cd /var/log/httpd # /sbin/service httpd start # tail -f error_log [Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes [Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t [Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ... [Fri Oct 21 16:58:42 2011] [notice] Digest: done [Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads. [Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 # date -s "Fri Sep 21 15:50:26 PDT 2012" Fri Sep 21 15:50:26 PDT 2012 # tail -f error_log [Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes [Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t [Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ... [Fri Oct 21 16:58:42 2011] [notice] Digest: done [Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads. [Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Sep 21 15:50:28 2012] [error] CRL <a class="moz-txt-link-freetext" href="http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL">http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL</a> CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012 [Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down # /sbin/service httpd status httpd dead but subsys locked # /sbin/service httpd restart Stopping httpd: [FAILED] Starting httpd: [ OK ] # tail -f error_log [Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes [Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t [Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ... [Fri Oct 21 16:58:42 2011] [notice] Digest: done [Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads. [Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Sep 21 15:50:28 2012] [error] CRL <a class="moz-txt-link-freetext" href="http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL">http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL</a> CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012 [Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down [Fri Sep 21 15:54:30 2012] [notice] core dump file size limit raised to 4294967295 bytes [Fri Sep 21 15:54:30 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t [Fri Sep 21 15:54:30 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Fri Sep 21 15:54:31 2012] [notice] Digest: generating secret for digest authentication ... [Fri Sep 21 15:54:31 2012] [notice] Digest: done [Fri Sep 21 15:54:31 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads. [Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations [Fri Sep 21 15:54:35 2012] [error] CRL <a class="moz-txt-link-freetext" href="http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL">http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL</a> CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25059 [Fri Sep 21 15:54:39 2012] [warn] child process 25065 still did not exit, sending a SIGTERM [Fri Sep 21 15:54:41 2012] [warn] child process 25065 still did not exit, sending a SIGTERM [Fri Sep 21 15:54:43 2012] [warn] child process 25065 still did not exit, sending a SIGTERM [Fri Sep 21 15:54:45 2012] [error] child process 25065 still did not exit, sending a SIGKILL [Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down # /sbin/service httpd status httpd dead but subsys locked # date -s "Fri Oct 21 15:50:26 PDT 2011" Fri Oct 21 15:50:26 PDT 2011 # /sbin/service httpd restart Stopping httpd: [FAILED] Starting httpd: [ OK ] # tail -f error_log [Fri Oct 21 16:58:40 2011] [notice] core dump file size limit raised to 4294967295 bytes [Fri Oct 21 16:58:40 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t [Fri Oct 21 16:58:40 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Fri Oct 21 16:58:42 2011] [notice] Digest: generating secret for digest authentication ... [Fri Oct 21 16:58:42 2011] [notice] Digest: done [Fri Oct 21 16:58:42 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads. [Fri Oct 21 16:58:43 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 16:58:44 2011] [notice] Revocation subsystem initialized 2 [Fri Sep 21 15:50:28 2012] [error] CRL <a class="moz-txt-link-freetext" href="http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL">http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL</a> CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25012 [Fri Sep 21 15:50:29 2012] [notice] caught SIGTERM, shutting down [Fri Sep 21 15:54:30 2012] [notice] core dump file size limit raised to 4294967295 bytes [Fri Sep 21 15:54:30 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t [Fri Sep 21 15:54:30 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Fri Sep 21 15:54:31 2012] [notice] Digest: generating secret for digest authentication ... [Fri Sep 21 15:54:31 2012] [notice] Digest: done [Fri Sep 21 15:54:31 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads. [Fri Sep 21 15:54:32 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations [Fri Sep 21 15:54:35 2012] [error] CRL <a class="moz-txt-link-freetext" href="http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL">http://meatpie.dsdev.sjc.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL</a> CN=Certificate Authority,OU=pki-ca,O=DsdevSjcRedhat Domain is outdated. Shutting down server pid 25059 [Fri Sep 21 15:54:39 2012] [warn] child process 25065 still did not exit, sending a SIGTERM [Fri Sep 21 15:54:41 2012] [warn] child process 25065 still did not exit, sending a SIGTERM [Fri Sep 21 15:54:43 2012] [warn] child process 25065 still did not exit, sending a SIGTERM [Fri Sep 21 15:54:45 2012] [error] child process 25065 still did not exit, sending a SIGKILL [Fri Sep 21 15:54:46 2012] [notice] caught SIGTERM, shutting down [Fri Oct 21 15:51:01 2011] [notice] core dump file size limit raised to 4294967295 bytes [Fri Oct 21 15:51:01 2011] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t [Fri Oct 21 15:51:01 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Fri Oct 21 15:51:03 2011] [notice] Digest: generating secret for digest authentication ... [Fri Oct 21 15:51:03 2011] [notice] Digest: done [Fri Oct 21 15:51:03 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads. [Fri Oct 21 15:51:04 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations [Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2 [Fri Oct 21 15:51:06 2011] [notice] Revocation subsystem initialized 2 NOTE: PATCH WAS ALSO TESTED ON A 64-BIT PLATFORM TO DETERMINE THAT NO REGRESSION OCCURRED. </body> </html>