Large CRL file crashing nginx on reload

Igor A. Ippolitov iippolitov at nginx.com
Thu Jul 26 21:45:52 UTC 2018


Shaun,

Can you post a snippet showing how you include the CRL in your 
configuration, and the 'ps aux | grep nginx' output, please?

The wild guess is that you include the CRL several times. And on reload 
you get twice as many workers as there usually are.
You can try moving the ssl_crl statement into the http{} context.

On 26.07.2018 23:16, Shaun Tarves wrote:
> Hi,
>
> We are trying to use nginx to support the DoD PKI infrastructure, 
> which includes many DoD and contractor CRLs. The combined CRL file is 
> over 350MB in size, which seems to crash nginx during a reload (at 
> least on Red Hat 6). Our cert/key/crl setup is valid and working, and 
> when only including a subset of the CRL files we have, reloads work fine.
>
> When we concatenate all the CRLs we need to support, the config reload 
> request causes worker threads to become defunct and messages in the 
> error log indicate the following:
>
> 2018/07/26 16:05:25 [alert] 30624#30624: fork() failed while spawning "worker process" (12: Cannot allocate memory)
>
> 2018/07/26 16:05:25 [alert] 30624#30624: sendmsg() failed (9: Bad file descriptor)
>
> 2018/07/26 16:08:42 [alert] 30624#30624: worker process 1611 exited on signal 9
>
>
> Is there any way we can get nginx to support such a large volume of CRLs?
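
One way to check the guess in the reply above, that the CRL is included several times: this added example (not code from the thread or from nginx) lists every ssl_crl directive in a configuration dump, such as the output of `nginx -T`, with the block it sits in. The sample configuration and its paths are constructed.

```python
import re
from collections import Counter

# Constructed sample shaped like an nginx configuration dump; paths are placeholders.
SAMPLE_CONFIG = """
worker_processes 4;
http {
    server {
        listen 443 ssl;
        ssl_crl /etc/nginx/crl/combined.pem;   # placeholder path
    }
    server {
        listen 8443 ssl;
        ssl_crl /etc/nginx/crl/combined.pem;
    }
}
"""

# Quoted strings, the three structural characters, or a bare word.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def find_ssl_crl(config_text):
    """Return a (context, path) pair for every ssl_crl directive found."""
    found, stack, words = [], [], []
    for line in config_text.splitlines():
        line = re.sub(r'(^|\s)#.*', '', line)  # drop comments (simplified: ignores '#' inside quotes)
        for tok in TOKEN.findall(line):
            if tok == '{':                     # block opens: remember its name
                stack.append(words[0] if words else '?')
                words = []
            elif tok == '}':                   # block closes
                if stack:
                    stack.pop()
                words = []
            elif tok == ';':                   # directive ends
                if len(words) >= 2 and words[0] == 'ssl_crl':
                    found.append(('/'.join(stack) or 'main', words[1].strip('"\'')))
                words = []
            else:
                words.append(tok)
    return found

def repeated_crls(config_text):
    """Map each CRL path referenced more than once to its reference count."""
    counts = Counter(path for _, path in find_ssl_crl(config_text))
    return {path: n for path, n in counts.items() if n > 1}

if __name__ == "__main__":
    for ctx, path in find_ssl_crl(SAMPLE_CONFIG):
        print(f"{ctx}: ssl_crl {path}")
    print("referenced more than once:", repeated_crls(SAMPLE_CONFIG))
```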

