
NSS_Initialize failed. NSS with apache 2.2.10 (mod_nss 1.0.8)


Stefan Kirchner

Dec 2, 2008, 5:11:30 AM
to dev-tec...@lists.mozilla.org

Hello NSS community,

I am trying to integrate NSS 3.12 into apache 2.2.10 via mod_nss 1.0.8 (on
RHEL 5.2). I want to use SSL over NSS and I always get the following error
messages while starting the webserver:

[Tue Dec 02 11:02:02 2008] [info] Configuring server for SSL protocol
[Tue Dec 02 11:02:02 2008] [debug] nss_engine_init.c(594): Enabling SSL3
[Tue Dec 02 11:02:02 2008] [debug] nss_engine_init.c(599): Enabling TLS
[Tue Dec 02 11:02:02 2008] [debug] nss_engine_init.c(770): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Dec 02 11:02:02 2008] [info] Using nickname Server-Cert.
[Tue Dec 02 11:02:02 2008] [notice] Apache/2.2.10 (Unix) mod_nss/2.2.10 NSS/3.12.0.3 configured -- resuming normal operations
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
[Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED


What I did:
- Compiled and installed NSS and httpd (both successfully tested)
- Compiled and installed mod_nss
- I ran the gencert script to create the NSS databases and the certificates
(it uses certutil)
-> the certificates are validated (with certutil -V -u V)

- httpd.conf (changes):
-> Set LogLevel debug
-> Added Include conf/nss.conf

- nss.conf (changes):
-> Set LogLevel debug
-> Set correct path to the database
-> Added NSSEnforceValidCerts off
(NSSNickname Server-Cert as it is created by the gencert script of mod_nss)


# ./modutil -dbdir /usr/local/apache2/nss/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded

slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
-----------------------------------------------------------


# ./certutil -d /usr/local/apache2/nss/ -L

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

cacert                               CTu,Cu,Cu
Server-Cert                          u,u,u
alpha                                u,pu,u,


Can someone help me? Any ideas?
Thanks in advance.

Stefan Kirchner

Stefan Kirchner

Dec 2, 2008, 7:53:41 AM
to mozilla's crypto code discussion list
Ok, I am sorry. It was just a small mistake.

The gencert script did not change the access rights of the databases. After
chmod everything works fine.




Nelson B Bolyard

Dec 2, 2008, 10:58:39 AM
to mozilla's crypto code discussion list
Stefan Kirchner wrote, On 2008-12-02 02:11:
> Hello NSS community,
>
> I am trying to integrate NSS 3.12 into apache 2.2.10 via mod_nss 1.0.8 (on
> RHEL 5.2). I want to use SSL over NSS
> and I always get following error messages while starting the webserver:
>
> [Tue Dec 02 11:02:02 2008] [error] NSS_Initialize failed. Certificate database: /usr/local/apache2/nss.
> [Tue Dec 02 11:02:02 2008] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED

I believe there's probably something wrong with the code that output those
lines into the log file. NSS_Initialize does not set the error code
SEC_ERROR_NOT_INITIALIZED. I suspect that an inspection of the code in
mod_nss will show that it called NSS_Initialize, which failed, but then
it did not check the error code until after it had called some other NSS
function which set error code SEC_ERROR_NOT_INITIALIZED, such as
NSS_Shutdown or SECOID_AddEntry. If my suspicion is correct, then that
code (presumably in mod_nss) will never output a meaningful error code.
That would be a problem to be fixed by the maintainers of mod_nss.

Robert Relyea

Dec 2, 2008, 4:21:50 PM
to mozilla's crypto code discussion list
Stefan Kirchner wrote:
> Ok, I am sorry. It was just a small mistake.
>
> The gencert script did not change the access rights of the databases. After
> chmod everything works fine.
>
Both this and the error code should probably get fed back to mod_nss.

I believe you can create a bug in bugzilla.redhat.com
Classification: Fedora
Product: Fedora
Component: mod_nss

