Bug 65567 - mod_md OCSP stapling not updated, log md_curl.c:551: md_curl_multi_perform: Assertion `running == requests->nelts' failed.
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_md
Version: 2.4.48
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2021-09-10 08:15 UTC by hanno
Modified: 2021-09-15 13:42 UTC

Description hanno 2021-09-10 08:15:22 UTC
I noticed that some of the staples sent by my server are out of date, detected by monitoring with gnutls (running "gnutls-cli --ocsp [server]:443" as a check). I'm using MDStapling on that server.

In the server error log I find this, which may be the underlying issue:

md_curl.c:551: md_curl_multi_perform: Assertion `running == requests->nelts' failed.
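
A staple freshness check of the kind the report describes, as an added example that is not part of the original bug report or of mod_md. It classifies the stapled response from `openssl s_client -status` output (used here instead of gnutls-cli); the function name, the `min_remaining` threshold and the sample output are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl s_client -connect host:443 -status` output (trimmed).
SAMPLE_OUTPUT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Sep  9 07:05:00 2021 GMT
    Cert Status: good
    This Update: Sep  9 07:00:00 2021 GMT
    Next Update: Sep 16 07:00:00 2021 GMT
"""

_FIELD = re.compile(r"^\s*(This Update|Next Update):\s*(.+?)\s*$", re.M)


def _parse_time(value):
    # OpenSSL prints "Sep  9 07:00:00 2021 GMT"; collapse the padded day first.
    value = " ".join(value.replace("GMT", "").split())
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def staple_status(s_client_output, now, min_remaining=timedelta(hours=12)):
    """Return missing, unparsable, not-good, expired, expiring or ok."""
    if "OCSP response: no response sent" in s_client_output:
        return "missing"            # server sent no staple at all
    fields = dict(_FIELD.findall(s_client_output))
    try:
        this_update = _parse_time(fields["This Update"])
        next_update = _parse_time(fields["Next Update"])
    except (KeyError, ValueError):
        return "unparsable"
    if "Cert Status: good" not in s_client_output:
        return "not-good"           # revoked or unknown certificate status
    if now >= next_update or now < this_update:
        return "expired"            # outside the validity window: a stale staple
    if next_update - now < min_remaining:
        return "expiring"           # the renewal should already have happened
    return "ok"


if __name__ == "__main__":
    print(staple_status(SAMPLE_OUTPUT, datetime.now(timezone.utc)))
```

An "expiring" result is the early warning: it fires while the old staple is still valid, before clients start seeing an out-of-date response.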
Comment 1 Stefan Eissing 2021-09-10 08:58:46 UTC
Is it reported in the log/crash what the numbers were? It would be interesting to know if "running == 0", for example.

Failing any way to reproduce this so far, I think the hard assert() should be replaced by an "ap_assert()" that is only available in our maintainer builds. And the log level in line 543 should be increased to see mismatches on a production server.
Comment 2 hanno 2021-09-10 11:33:05 UTC
There's no further info, sorry. Only another message that some process aborted. Full log entry:

apache2: md_curl.c:551: md_curl_multi_perform: Assertion `running == requests->nelts' failed.
[Fri Sep 10 13:31:04.798340 2021] [core:notice] [pid 31009:tid 140098992729216] [client anon] AH00052: child pid 28357 exit signal Abort (6)

Interestingly on a different server with a very similar setup I don't see this...
Comment 3 hanno 2021-09-10 16:53:58 UTC
After turning on more verbose logging I got this which could be related:

[Fri Sep 10 18:51:53.704984 2021] [md:debug] [pid 23413:tid 127535707190848] mod_md.c(177): [client anon] AH10267: other: rate limiting notification about 'ocsp-renewed'

Some form of ratelimiting that would only show up on servers with many certs?
Comment 4 hanno 2021-09-10 17:03:17 UTC
I added some extra logging so I could see the values of the two variables when it fails:
running=3, requests->nelts=5


Hope this helps.
Comment 5 Stefan Eissing 2021-09-15 13:42:56 UTC
Fixed in GitHub mod_md v2.4.6, added in trunk r1893359 and branches/2.4.x for next release.