Bug 1943779
Summary: | nginx.service wants wrong network target - causes race condition on boot | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Linus <linusmosslesjogren+rhbugzilla> |
Component: | nginx | Assignee: | Felix Kaechele <felix> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 33 | CC: | felix, jeremy, jkaluza, jorton, luhliari, ollie.yeoh, pavel.lisy, peter.borsa, wtogami |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | nginx-1.20.0-2.fc33 nginx-1.20.0-2.fc32 nginx-1.20.0-2.fc34 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-04-29 00:57:30 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
I was able to reproduce this bug and it will be fixed in the next nginx package update.

FEDORA-2021-c0243589ee has been submitted as an update to Fedora 34.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-c0243589ee

FEDORA-2021-0d3d0559f7 has been submitted as an update to Fedora 32.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-0d3d0559f7

FEDORA-2021-2cf5ad411d has been submitted as an update to Fedora 33.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-2cf5ad411d

FEDORA-2021-c0243589ee has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c0243589ee`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c0243589ee
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-10c1cd4cba has been submitted as an update to Fedora 33.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-10c1cd4cba

FEDORA-2021-1556d440ba has been submitted as an update to Fedora 32.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-1556d440ba

FEDORA-2021-3aa9ac7fd1 has been submitted as an update to Fedora 34.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-3aa9ac7fd1

FEDORA-2021-1556d440ba has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1556d440ba`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1556d440ba
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-10c1cd4cba has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-10c1cd4cba`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-10c1cd4cba
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-3aa9ac7fd1 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3aa9ac7fd1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3aa9ac7fd1
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-10c1cd4cba has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-2021-1556d440ba has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-2021-3aa9ac7fd1 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Description of problem:
In my server I am running nginx binding to multiple IPs and using OCSP stapling for extra SSL security. I noticed that the nginx service was failing on boot because it couldn't bind the second IP. Upon further investigation, I also noticed that the ssl_stapling option was being ignored because of what I assume to be failure to resolve the hosts in the certificate chain. I fixed the issue on my server by adding an override to make the service want network-online.target.

Version-Release number of selected component (if applicable):
nginx-1.18.0-3.fc33.x86_64

How reproducible:
Happened on every boot.

Steps to Reproduce:
1. Install nginx.
2. Use a configuration that either utilizes multiple IP addresses or OCSP stapling.
3. Reboot.

Actual results:
The nginx service will fail to start after a few errors in the log.

> nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/etc/letsencrypt/live/.../fullchain.pem"
> nginx: [emerg] bind() to _._._._:80 failed (99: Unknown error)
> nginx.service: Failed with result 'exit-code'.
> Failed to start The nginx HTTP and reverse proxy server.

Expected results:
The nginx server should run as normal and with proper OCSP security enabled.

Additional info:
I am not sure on the severity of the issue. In the best case, the server owner will notice that the nginx is failing to start on boot because it is trying to bind to an interface that may not be up yet. In the worst case, the server will start but fail to load the OCSP settings, making it run with reduced SSL security with an easy to miss warning and possibly hard to find cause.
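
Added example, not part of the bug report or the nginx package: a shell check for the ordering problem described above and for its two log symptoms, including the stapling warning that does not stop the service. The unit text and the drop-in contents (After= plus Wants=network-online.target) are constructed assumptions about what such an override looks like, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Unit text is constructed; the log
# lines are the messages quoted in the report.

# Reads unit-file text or `systemctl show` properties on stdin. Succeeds only
# if network-online.target is in After= (ordering) and in Wants=/Requires=
# (which pulls the target into the boot transaction).
waits_for_network_online() {
    awk -F= '
        $1 == "After" && $2 ~ /(^| )network-online\.target( |$)/ { after = 1 }
        ($1 == "Wants" || $1 == "Requires") &&
            $2 ~ /(^| )network-online\.target( |$)/ { pull = 1 }
        END { exit !(after && pull) }'
}

# Tags the two boot-race symptoms in log text read from stdin.
boot_race_findings() {
    awk '
        /"ssl_stapling" ignored, host not found in OCSP responder/ {
            print "STAPLING_OFF " $0 }
        /\[emerg\] bind\(\) to .* failed/ { print "BIND_FAILED " $0 }'
}

sample_unit_before() {   # constructed: ordered after network.target only
    printf '%s\n' '[Unit]' 'After=network.target remote-fs.target nss-lookup.target'
}

sample_unit_override() { # constructed: same unit plus a drop-in override
    sample_unit_before
    printf '%s\n' '[Unit]' 'After=network-online.target' 'Wants=network-online.target'
}

sample_log() {
    cat <<'EOF'
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/etc/letsencrypt/live/.../fullchain.pem"
nginx: [emerg] bind() to _._._._:80 failed (99: Unknown error)
nginx.service: Failed with result 'exit-code'.
EOF
}

sample_unit_before | waits_for_network_online ||
    echo "before: nginx may start before addresses and DNS are usable"
sample_unit_override | waits_for_network_online &&
    echo "override: nginx waits for network-online.target"
sample_log | boot_race_findings
```

On a live host, pipe `systemctl show -p After -p Wants -p Requires nginx.service` into `waits_for_network_online` and `journalctl -b -u nginx.service` into `boot_race_findings`. network-online.target only delays startup when a wait-online service such as NetworkManager-wait-online.service is enabled.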