[Pkg-freeipa-devel] Bug#889526: Bug#889526: pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2

Timo Aaltonen tjaalton at debian.org
Mon Feb 5 10:18:16 UTC 2018


On 04.02.2018 09:49, Michal Kaspar wrote:
> Package: pki-server
> Version: 10.5.3-4
> Severity: important
> 
> Dear Maintainer,
> After upgrade of libnss3 to 2:3.35-2 pki-server (used as part of freeipa installation) stoped working. The Tomcat with pki-server contexts starts, but all the Dogtag context crash with errors:
> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable (catalina.out)
> Failed to create jss service: java.lang.SecurityException: Unable to initialize security library (ca/debug)
> 
> I appears the Tomcat isn't able to load jss library because the previous error in catalina is:
> Feb 03, 2018 1:57:19 PM org.apache.catalina.util.SessionIdGeneratorBase createSecureRandom
> SEVERE: Exception initializing random number generator using provider [Mozilla-JSS]
> java.security.NoSuchProviderException: no such provider: Mozilla-JSS
> 
> and catalina.out contains warnings like:
> ARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a match
> ing property.
> 
> Downgrading libnss3 to 2:3.34.1-1 fixes the problem.

nss 3.35 apparently changed the default DB format to SQL..

https://github.com/nss-dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

certmonger, dogtag, mod_nss and freeipa all need changes to
support/migrate to that, but that's not upstream yet.


-- 
t



More information about the Pkg-freeipa-devel mailing list