<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Shaun,<br>
<br>
Can you post a snippet showing how you include the CRL in your
configuration, and the 'ps aux | grep nginx' output, please?<br>
<br>
My wild guess is that you include the CRL several times, and on
reload you get twice as many workers as there usually are.<br>
You can try moving the ssl_crl statement into the http{} context.<br>
<br>
On 26.07.2018 23:16, Shaun Tarves wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANYxuWjNVCEE4uH+MZXrYY8y0cQ_yEf6Or4dPxcTRY9SZpuG6g@mail.gmail.com">
<div dir="ltr"><span
style="font-size:small;text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Hi,</span>
<div
style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br>
</div>
<div
style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">We
are trying to use nginx to support the DoD PKI infrastructure,
which includes many DoD and contractor CRLs. The combined CRL
file is over 350MB in size, which seems to crash nginx during
a reload (at least on Red Hat 6). Our cert/key/crl setup is
valid and working, and when only including a subset of the CRL
files we have, reloads work fine.</div>
<div
style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br>
</div>
<div
style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">When
we concatenate all the CRLs we need to support, the config
reload request causes worker threads to become defunct and
messages in the error log indicate the following:</div>
<div
style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><br>
</div>
<div
style="font-size:small;text-decoration-style:initial;text-decoration-color:initial"><span></span>
<p class="gmail-m_2419373206062243596gmail-p1"
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(244,244,244);background-color:rgba(0,0,0,0.85)"><span
class="gmail-m_2419373206062243596gmail-s1"
style="font-variant-ligatures:no-common-ligatures">2018/07/26
16:05:25 [alert] 30624#30624: fork() failed while spawning
"worker process" (12: Cannot allocate memory)</span></p>
<p class="gmail-m_2419373206062243596gmail-p1"
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(244,244,244);background-color:rgba(0,0,0,0.85)"><span
class="gmail-m_2419373206062243596gmail-s1"
style="font-variant-ligatures:no-common-ligatures">2018/07/26
16:05:25 [alert] 30624#30624: sendmsg() failed (9: Bad
file descriptor)</span></p>
<p class="gmail-m_2419373206062243596gmail-p1"
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-weight:normal;font-stretch:normal;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(244,244,244);background-color:rgba(0,0,0,0.85)"><span
class="gmail-m_2419373206062243596gmail-s1"
style="font-variant-ligatures:no-common-ligatures">2018/07/26
16:08:42 [alert] 30624#30624: worker process 1611 exited
on signal 9</span></p>
<br>
</div>
<div
style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">Is
there any way we can get nginx to support such a large volume
of CRLs?</div>
<br>
</div>
</blockquote>
<p><br>
</p>
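<p>One way to check the guess in the reply above, as an added example that is not part of the original thread or of nginx itself: a short Python scan that lists every ssl_crl directive with the block it sits in, so a CRL file referenced from several server{} blocks stands out. The sample configuration, its paths and the function names are constructed for illustration, and include files are not followed.</p>

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): the same CRL bundle is named in
# two server{} blocks instead of once in http{}. Paths are hypothetical.
SAMPLE_CONF = """
http {
    ssl_client_certificate /etc/nginx/pki/ca-bundle.pem;
    server {
        listen 443 ssl;
        ssl_verify_client on;
        ssl_crl /etc/nginx/pki/all-crls.pem;   # first reference
        location / { return 200; }
    }
    server {
        listen 8443 ssl;
        ssl_verify_client on;
        ssl_crl "/etc/nginx/pki/all-crls.pem"; # second reference
    }
}
"""

# Quoted strings, structural characters, or bare words.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def find_ssl_crl(conf_text):
    """Return {crl_path: [context, ...]} for every ssl_crl directive."""
    text = re.sub(r'#[^\n]*', '', conf_text)   # drop comments
    stack, words, found = [], [], defaultdict(list)
    for tok in TOKEN.findall(text):
        if tok == '{':                          # block opens: remember its name
            stack.append(words[0] if words else '?')
        elif tok == '}':                        # block closes
            if stack:
                stack.pop()
        elif tok == ';':                        # simple directive ends
            if len(words) == 2 and words[0] == 'ssl_crl':
                found[words[1].strip('"\'')].append('/'.join(stack) or 'main')
        else:
            words.append(tok)
            continue
        words = []                              # reset after { } or ;
    return dict(found)

def repeated_crls(conf_text):
    """CRL files referenced by more than one ssl_crl directive."""
    return {p: c for p, c in find_ssl_crl(conf_text).items() if len(c) > 1}

if __name__ == "__main__":
    for path, ctxs in find_ssl_crl(SAMPLE_CONF).items():
        print(f"{path}: {len(ctxs)} ssl_crl directive(s) in {ctxs}")
```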
</body>
</html>