Bug #23021
Status: closed
Tomcat curl fails if certs are in /etc/pki/nssdb
Description
katello-service restart fails to start Tomcat on a Satellite that has certificates defined in /etc/pki/nssdb, due to the following error:
    ...
    NSS error -12224 SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT
    ...
    ssl peer had some unspecified issue with the cert it received.
    closing connection
    curl: (35) ssl peer had some unspecified issue with the cert it received.
This seems to be due to the service-wait functionality here:
    cat `which service-wait`
    ...
    wait_for_url() {
        RETVAL=5
        tries=0
        while [[ $RETVAL -ne 0 && $tries -lt $WAIT_MAX ]]; do
            tries=$((tries + 1))
            /usr/bin/curl -ks --noproxy '*' $1 > /dev/null
            RETVAL=$?
            sleep $RETRY_INTERVAL
        done
    }
    ...
    before_stop() {
        case "$SERVICE" in
            tomcat6|tomcat)
                # RHBZ 789288 - wait until service port is available
                for i in {1..$WAIT_MAX}; do netstat -ln | grep -q ":$TOMCAT_SERV_PORT\s" && break; sleep 1; done
                ;;
        esac
The customer can work around this and start the service by running the following (note the explicit --cert /dev/null), rather than the plain curl -ks used by service-wait:
    curl -vk --cert /dev/null https://localhost:8443/candlepin/status
On a default Satellite installation:
    # certutil -L -d /etc/pki/nssdb/
    <no certs listed>
On the affected Satellite:
    # certutil -L -d /etc/pki/nssdb/
    <51 certs listed>
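As an added example (not the service-wait script itself), here is a wait_for_url that applies the customer's workaround inside the retry loop: passing --cert /dev/null so curl's NSS backend does not offer a client certificate from /etc/pki/nssdb. The CURL variable, the TRIES counter and the return code are assumptions added so the loop can be exercised offline with a stand-in for curl.

```shell
# Added example, not from service-wait: a readiness probe that does not let
# curl pick a client certificate out of /etc/pki/nssdb.
WAIT_MAX=${WAIT_MAX:-30}            # maximum number of attempts
RETRY_INTERVAL=${RETRY_INTERVAL:-1} # seconds between attempts
CURL=${CURL:-/usr/bin/curl}         # assumed hook so tests can substitute a stub

# Probe $1 until it answers or WAIT_MAX attempts are used up.
# Returns 0 on success, otherwise curl's last exit code; sets TRIES.
wait_for_url() {
    url="$1"
    rc=5
    TRIES=0
    while [ "$rc" -ne 0 ] && [ "$TRIES" -lt "$WAIT_MAX" ]; do
        TRIES=$((TRIES + 1))
        # --cert /dev/null: present no client certificate, even if the NSS
        # database holds 51 of them; -k keeps the original behaviour of not
        # verifying the server certificate for this readiness check.
        if "$CURL" -ks --noproxy '*' --cert /dev/null "$url" > /dev/null 2>&1; then
            rc=0
        else
            rc=$?
            sleep "$RETRY_INTERVAL"
        fi
    done
    return "$rc"
}
```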