Hi,
Me again.. so I have the chroot stuff almost done. I ran into an
interesting problem today though.. when we try to use curl to make an
outbound https connection, we get an nss error. I've googled all over, and
found an an unanswered question on Stackoverflow

http://stackoverflow.com/questions/11394441/issue-with-curl-ssl-php-fcgi-chroot

The error we're getting specifically is as follows.. as you can see, it's
very similar to the one on SO.

About to connect() to api.twitter.com port 443 (#0)
* Trying 199.59.150.41... * connected
* Connected to api.twitter.com (199.59.150.41) port 443 (#0)
* Initializing NSS with certpath: none
* Unable to initialize NSS
* NSS error -5977
* Closing connection #0
* Problem with the SSL CA cert (path? access rights?)


In my chroot/lib64 I have the following


ls -al lib64/
total 568

libnss_compat-2.12.so
libnss_compat.so.2libnss_dns-2.12.so
libnss_dns.so.2libnss_files-2.12.so
libnss_files.so.2libnss_hesiod-2.12.so
libnss_hesiod.so.2libnss_nis-2.12.solibnss_nisplus-2.12.so
libnss_nisplus.so.2
libnss_nis.so.2


ls -1 usr/lib64/
libnss3.so
libnssckbi.so
libnss_compat_ossl.so.0
libnss_compat_ossl.so.0.0.0
libnss_compat.so
libnssdbm3.chk
libnssdbm3.so
libnss_dns.so
libnss_files.so
libnss_hesiod.so
libnss_nisplus.so
libnss_nis.so
libnsspem.so
libnsssysinit.so
libnssutil3.so

For CentOS 6 you need to copy

/usr/lib64/libnsspem.so
/usr/lib64/libsoftokn3.so

to your chroot lib64 dir.

For CentOS 6 you need to copy

/usr/lib64/libnsspem.so
/usr/lib64/libsoftokn3.so

to your chroot lib64 dir.

For CentIOS 6 you need to copy
/usr/lib64/libnsspem.so
/usr/lib64/libsoftokn3.so

to chroot/lib64 dir.

суббота, 8 сентября 2012 г., 2:24:59 UTC+4 пользователь Vid Luther написал:
>
> Hi,
> Me again.. so I have the chroot stuff almost done. I ran into an
> interesting problem today though.. when we try to use curl to make an
> outbound https connection, we get an nss error. I've googled all over, and
> found an an unanswered question on Stackoverflow
>
>
> http://stackoverflow.com/questions/11394441/issue-with-curl-ssl-php-fcgi-chroot
>
> The error we're getting specifically is as follows.. as you can see, it's
> very similar to the one on SO.
>
> About to connect() to api.twitter.com port 443 (#0)
> * Trying 199.59.150.41... * connected
> * Connected to api.twitter.com (199.59.150.41) port 443 (#0)
> * Initializing NSS with certpath: none
> * Unable to initialize NSS
> * NSS error -5977
> * Closing connection #0
> * Problem with the SSL CA cert (path? access rights?)
>
>
> In my chroot/lib64 I have the following
>
>
> ls -al lib64/
> total 568
>
> libnss_compat-2.12.so
> libnss_compat.so.2libnss_dns-2.12.so
> libnss_dns.so.2libnss_files-2.12.so
> libnss_files.so.2libnss_hesiod-2.12.so
> libnss_hesiod.so.2libnss_nis-2.12.solibnss_nisplus-2.12.so
> libnss_nisplus.so.2
> libnss_nis.so.2
>
>
> ls -1 usr/lib64/
> libnss3.so
> libnssckbi.so
> libnss_compat_ossl.so.0
> libnss_compat_ossl.so.0.0.0
> libnss_compat.so
> libnssdbm3.chk
> libnssdbm3.so
> libnss_dns.so
> libnss_files.so
> libnss_hesiod.so
> libnss_nisplus.so
> libnss_nis.so
> libnsspem.so
> libnsssysinit.so
> libnssutil3.so
>
>

--

---
You received this message because you are subscribed to the Google Groups "highload-php-en" group.
To unsubscribe from this group and stop receiving emails from it, send an email to highload-php-en+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Have you a /dev/urandom path inside the chroot? Without this you WON’T connect using TLS/SSL.



From: highload-php-en@googlegroups.com [mailto:highload-php-en@googlegroups..com] On Behalf Of ?????? ????????
Sent: Thursday, March 13, 2014 2:53 PM
To: highload-php-en@googlegroups.com
Cc: vid@zippykid.com
Subject: Re: fpm chroot and curl/nss issue



For CentIOS 6 you need to copy

/usr/lib64/libnsspem.so

/usr/lib64/libsoftokn3.so



to chroot/lib64 dir.

суббота, 8 сентября 2012 г., 2:24:59 UTC+4 пользователь Vid Luther написал:

Hi,

Me again.. so I have the chroot stuff almost done. I ran into an interesting problem today though.. when we try to use curl to make an outbound https connection, we get an nss error. I've googled all over, and found an an unanswered question on Stackoverflow



http://stackoverflow.com/questions/11394441/issue-with-curl-ssl-php-fcgi-chroot



The error we're getting specifically is as follows.. as you can see, it's very similar to the one on SO.



About to connect() to api.twitter.com port 443 (#0)
* Trying 199.59.150.41... * connected
* Connected to api.twitter.com (199.59.150.41) port 443 (#0)
* Initializing NSS with certpath: none
* Unable to initialize NSS
* NSS error -5977
* Closing connection #0
* Problem with the SSL CA cert (path? access rights?)

In my chroot/lib64 I have the following

ls -al lib64/
total 568
libnss_compat-2.12.so
libnss_compat.so.2
libnss_dns-2.12.so
libnss_dns.so.2
libnss_files-2.12.so
libnss_files.so.2
libnss_hesiod-2.12.so
libnss_hesiod.so.2
libnss_nis-2.12.so
libnss_nisplus-2.12.so
libnss_nisplus.so.2
libnss_nis.so.2

ls -1 usr/lib64/
libnss3.so
libnssckbi.so
libnss_compat_ossl.so.0
libnss_compat_ossl.so.0.0.0
libnss_compat.so
libnssdbm3.chk
libnssdbm3.so
libnss_dns.so
libnss_files.so
libnss_hesiod.so
libnss_nisplus.so
libnss_nis.so
libnsspem.so
libnsssysinit.so
libnssutil3.so

--

---
You received this message because you are subscribed to the Google Groups "highload-php-en" group.
To unsubscribe from this group and stop receiving emails from it, send an email to highload-php-en+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

---
You received this message because you are subscribed to the Google Groups "highload-php-en" group.
To unsubscribe from this group and stop receiving emails from it, send an email to highload-php-en+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.