On 04.02.2018 09:49, Michal Kaspar wrote:
> Package: pki-server
> Version: 10.5.3-4
> Severity: important
>
> Dear Maintainer,
> After upgrade of libnss3 to 2:3.35-2 pki-server (used as part of freeipa
> installation) stopped working. The Tomcat with pki-server contexts starts, but
> all the Dogtag contexts crash with errors:
> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable (catalina.out)
> Failed to create jss service: java.lang.SecurityException: Unable to
> initialize security library (ca/debug)
>
> It appears the Tomcat isn't able to load jss library because the previous
> error in catalina is:
> Feb 03, 2018 1:57:19 PM org.apache.catalina.util.SessionIdGeneratorBase
> createSecureRandom
> SEVERE: Exception initializing random number generator using provider
> [Mozilla-JSS]
> java.security.NoSuchProviderException: no such provider: Mozilla-JSS
>
> and catalina.out contains warnings like:
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'enableOCSP' to 'false' did not find a matching property.
>
> Downgrading libnss3 to 2:3.34.1-1 fixes the problem.
nss 3.35 apparently changed the default DB format to SQL..
https://github.com/nss-dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3
certmonger, dogtag, mod_nss and freeipa all need changes to
support/migrate to that, but that's not upstream yet.
--
t
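
To check which format an existing NSS database directory is in after the default change described in the reply above, here is an added example (not part of the original thread or of any of the named projects). The file names (`cert8.db`/`key3.db` for legacy DBM, `cert9.db`/`key4.db` for SQLite) and the `NSS_DEFAULT_DB_TYPE` variable are standard NSS conventions rather than details from this page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify an NSS database directory by the files it holds.
#   legacy DBM format: cert8.db, key3.db (plus secmod.db)
#   SQLite format:     cert9.db, key4.db (plus pkcs11.txt)

# Print one of: dbm, sql, both, empty, missing.
nss_db_format() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 1; }
    has_dbm=no
    has_sql=no
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then has_dbm=yes; fi
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then has_sql=yes; fi
    case "$has_dbm/$has_sql" in
        yes/yes) echo "both" ;;
        yes/no)  echo "dbm" ;;
        no/yes)  echo "sql" ;;
        *)       echo "empty" ;;
    esac
}

# Succeed if the on-disk format matches the type chosen for unprefixed paths.
# Assumption: the default is "sql" (NSS 3.35 and later, per the reply above)
# unless NSS_DEFAULT_DB_TYPE overrides it.
nss_matches_default() {
    fmt=$(nss_db_format "$1") || return 1
    default=${NSS_DEFAULT_DB_TYPE:-sql}
    case "$fmt" in
        both|"$default") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: pass one or more database directories as arguments.
for d in "$@"; do
    fmt=$(nss_db_format "$d") || true
    if nss_matches_default "$d"; then
        echo "$d: $fmt (matches default type)"
    else
        echo "$d: $fmt (does NOT match default type; use an explicit dbm:/sql: prefix or migrate)"
    fi
done
```

A directory reported as `dbm` on a system with the newer libnss3 is the case the bug report describes; the `dbm:` prefix on the database path or `NSS_DEFAULT_DB_TYPE=dbm` selects the legacy format explicitly.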