1943779 – nginx.service wants wrong network target - causes race condition on boot

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1943779 - nginx.service wants wrong network target - causes race condition on boot

Summary: nginx.service wants wrong network target - causes race condition on boot

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	nginx
Sub Component:
Version:	33
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Felix Kaechele
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-03-27 11:45 UTC by Linus
Modified:	2021-04-30 00:55 UTC (History)
CC List:	9 users (show)
Fixed In Version:	nginx-1.20.0-2.fc33 nginx-1.20.0-2.fc32 nginx-1.20.0-2.fc34
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-04-29 00:57:30 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Linus 2021-03-27 11:45:02 UTC

Description of problem:
In my server I am running nginx binding to multiple IPs and using OCSP stapling for extra SSL security.
I noticed that the nginx service was failing on boot because it couldn't bind the second IP.
Upon further investigation, I also noticed that the ssl_stapling option was being ignored because of what I assume to be failure to resolve the hosts in the certificate chain.
I fixed the issue on my server by adding an override to make the service want network-online.target.

Version-Release number of selected component (if applicable):
nginx-1.18.0-3.fc33.x86_64

How reproducible:
Happened on every boot.

Steps to Reproduce:
1. Install nginx.
2. Use a configuration that either utilizes multiple IP addresses or OCSP stapling.
3. Reboot.

Actual results:
The nginx service will fail to start after a few errors in the log.

> nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/etc/letsencrypt/live/.../fullchain.pem"
> nginx: [emerg] bind() to _._._._:80 failed (99: Unknown error)
> nginx.service: Failed with result 'exit-code'.
> Failed to start The nginx HTTP and reverse proxy server.

Expected results:
The nginx server should run as normal and with proper OCSP security enabled.

Additional info:
I am not sure on the severity of the issue.
In the best case, the server owner will notice that the nginx is failing to start on boot because it is trying to bind to an interface that may not be up yet.
In the worst case, the server will start but fail to load the OCSP settings, making it run with reduced SSL security with an easy to miss warning and possibly hard to find cause.

Comment 1 Felix Kaechele 2021-03-29 14:09:50 UTC

I was able to reproduce this bug and it will be fixed in the next nginx package update.

Comment 2 Fedora Update System 2021-04-21 02:45:48 UTC

FEDORA-2021-c0243589ee has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c0243589ee

Comment 3 Fedora Update System 2021-04-21 02:46:00 UTC

FEDORA-2021-0d3d0559f7 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-0d3d0559f7

Comment 4 Fedora Update System 2021-04-21 02:46:12 UTC

FEDORA-2021-2cf5ad411d has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-2cf5ad411d

Comment 5 Fedora Update System 2021-04-21 15:01:26 UTC

FEDORA-2021-c0243589ee has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c0243589ee`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c0243589ee

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-04-21 17:02:47 UTC

FEDORA-2021-10c1cd4cba has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-10c1cd4cba

Comment 7 Fedora Update System 2021-04-21 17:03:05 UTC

FEDORA-2021-1556d440ba has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1556d440ba

Comment 8 Fedora Update System 2021-04-21 17:03:22 UTC

FEDORA-2021-3aa9ac7fd1 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3aa9ac7fd1

Comment 9 Fedora Update System 2021-04-21 21:51:52 UTC

FEDORA-2021-1556d440ba has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1556d440ba`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1556d440ba

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-04-21 22:02:04 UTC

FEDORA-2021-10c1cd4cba has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-10c1cd4cba`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-10c1cd4cba

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2021-04-22 18:24:35 UTC

FEDORA-2021-3aa9ac7fd1 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3aa9ac7fd1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3aa9ac7fd1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-04-29 00:57:30 UTC

FEDORA-2021-10c1cd4cba has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2021-04-29 01:22:11 UTC

FEDORA-2021-1556d440ba has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 Fedora Update System 2021-04-30 00:55:01 UTC

FEDORA-2021-3aa9ac7fd1 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.