Forum OpenACS Q&A: getting nsssl and nssock errors when starting service

1: getting nsssl and nssock errors when starting service

Posted by Cesar Dominguez on 10/02/19 11:00 PM

[02/Oct/2019:15:32:09][4508.7f34880b5740][-main-] Notice: QD=Postload files to load from tcl: 
[02/Oct/2019:15:32:10][4508.7f34880b5740][-main-] Notice: update interpreter to epoch 1, trace deallocate, time 0.098263 secs
[02/Oct/2019:15:32:10][4508.7f34880b5740][-main-] Notice: update interpreter to epoch 1, trace none, time 0.135398 secs
[02/Oct/2019:15:32:10][4508.7f347d230700][-driver:nsssl_v4:0-] Notice: starting
[02/Oct/2019:15:32:10][4508.7f347d230700][-driver:nsssl_v4:0-] Notice: bind operation on sock 19 lead to error: Address already in use
[02/Oct/2019:15:32:10][4508.7f347d230700][-driver:nsssl_v4:0-] Warning: bind on: SockAddr family AF_INET, ip 104.251.214.8, port 8443
[02/Oct/2019:15:32:10][4508.7f347d230700][-driver:nsssl_v4:0-] Error: Ns_SockBinderListen: sendmsg() failed: sent 53 bytes, 'Address already in use'
[02/Oct/2019:15:32:10][4508.7f347d230700][-driver:nsssl_v4:0-] Error: nsssl_v4:0: failed to listen on [104.251.214.8]:8443: Address already in use
[02/Oct/2019:15:32:10][4508.7f347d230700][-driver:nsssl_v4:0-] Notice: exiting
[02/Oct/2019:15:32:10][4508.7f347ca2f700][-driver:nssock_v4:0-] Notice: starting
[02/Oct/2019:15:32:10][4508.7f347ca2f700][-driver:nssock_v4:0-] Notice: bind operation on sock 19 lead to error: Address already in use
[02/Oct/2019:15:32:10][4508.7f347ca2f700][-driver:nssock_v4:0-] Warning: bind on: SockAddr family AF_INET, ip 104.251.214.8, port 8000
[02/Oct/2019:15:32:10][4508.7f347ca2f700][-driver:nssock_v4:0-] Error: Ns_SockBinderListen: sendmsg() failed: sent 53 bytes, 'Address already in use'
[02/Oct/2019:15:32:10][4508.7f347ca2f700][-driver:nssock_v4:0-] Error: nssock_v4:0: failed to listen on [104.251.214.8]:8000: Address already in use
[02/Oct/2019:15:32:10][4508.7f34880b5740][-main-] Notice: nsmain: NaviServer/4.99.18 (tar-4.99.18) running
[02/Oct/2019:15:32:10][4508.7f34880b5740][-main-] Notice: nsmain: security info: uid=1000, euid=1000, gid=1000, egid=1000
[02/Oct/2019:15:32:10][4508.7f34880b5740][-main-] Fatal: nsmain: can't communicate with parent process, nwrite -1, error: Broken pipe (parent process was probably killed)
[02/Oct/2019:15:32:10][4508.7f3484cf2700][-sched-] Notice: sched: starting
[02/Oct/2019:15:32:24][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: ... sockAccept accepted 2 connections

Also the ssl certificate seems to be failing, i create my self-signed ssl certificate with openssl and modify the config.tcl of my installation and im getting this

[02/Oct/2019:15:32:25][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[02/Oct/2019:15:32:25][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[02/Oct/2019:15:32:25][27392.7f2b1662a700][-conn:oacs-5-9-1:0:236-] Notice: checking entry <104.251.214.8> from host_node_map -> 
[02/Oct/2019:15:32:25][27392.7f2b1662a700][-conn:oacs-5-9-1:0:236-] Warning: ignore untrusted host header field: '104.251.214.8:8443'
[02/Oct/2019:15:32:25][27392.7f2b1662a700][-conn:oacs-5-9-1:0:236-] Notice: ignore non-existing or untrusted host header, fall back to <localhost>
[02/Oct/2019:15:32:25][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[02/Oct/2019:15:32:25][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[02/Oct/2019:15:32:25][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: ... sockAccept accepted 2 connections
[02/Oct/2019:15:32:25][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[02/Oct/2019:15:32:26][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[02/Oct/2019:15:32:26][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[02/Oct/2019:15:32:26][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[02/Oct/2019:15:32:31][27392.7f2b15e29700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

i will appreciate your support

2: Re: getting nsssl and nssock errors when starting service (response to 1)

Posted by Gustaf Neumann on 10/03/19 09:56 AM

It seems as if you have an other instance of NaviServer (of of some other server like apache?) running already on the same IP address and port.

The important lines of the posted snippet are:

[02/Oct/2019:15:32:10][4508.7f347d230700][-driver:nsssl_v4:0-] Error: nsssl_v4:0: failed to listen on [104.251.214.8]:8443: Address already in use
...
[02/Oct/2019:15:32:10][4508.7f347ca2f700][-driver:nssock_v4:0-] Error: nssock_v4:0: failed to listen on [104.251.214.8]:8000: Address already in use

Normally service files of systemd take care of starting/stopping the server. You can call all running instances on most Unix systems via "sudo killall nsd". For soft shutdowns, NaviServer tries to perform a graceful shutdown, terminating background services, waiting for running jobs etc., so shutdown might take a few seconds.

3: Re: getting nsdsl and nssock errors when starting service (response to 1)

Posted by Cesar Dominguez on 10/03/19 11:41 PM

Thanks Gustaf, it worked, now regarding the ssl, im still having these errors.

[03/Oct/2019:16:37:37][5189.7fdb0a900700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[03/Oct/2019:16:37:37][5189.7fdb0a900700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[03/Oct/2019:16:37:37][5189.7fdb0a900700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[03/Oct/2019:16:37:37][5189.7fdb0a900700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[03/Oct/2019:16:37:42][5189.7fdb0a900700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

you know what could be happening there? i created my self signed certificate

4: Re: getting nsssl and nssock errors when starting service (response to 3)

Posted by Gustaf Neumann on 10/04/19 10:09 AM

The error message "certificate unknown" is generated by OpenSSL in cases, where a client refuses to work with this certificate. I would not be surprised, if you get this error just from requests of certain clients (browser).

if you want to know what's going on, use a command like the following (replace https://openacs.org with your site)

curl -v https://openacs.org 2>&1|less

Probably, curl allows the self-signed certificate.

The better approach is to get a real certificate, since newer browser are getting increasingly unhappy with insufficient secured certificates. We use on openacs.org a Let's Encrypt certificate, installed via the letsencrypt module of NaviServer.