Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1018172
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
FreeIPA still conflicts with mod_ssl. However, it should now be able to live next to that, as per https://bugzilla.redhat.com/show_bug.cgi?id=761574.
I tried to just remove the Conflict, but received an error:
# yum install ipa-server
# yum install mod_ssl
[11/15]: clean up any existing httpd ccache
[12/15]: configuring SELinux for httpd
[13/15]: configure httpd ccache
[14/15]: restarting httpd
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/bin/systemctl restart httpd.service' returned non-zero exit status 1
[Mon Oct 14 12:48:47.668131 2013] [mpm_prefork:notice] [pid 15003] AH00170: caught SIGWINCH, shutting down gracefully
[Tue Oct 15 07:19:56.813513 2013] [core:notice] [pid 4757] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Oct 15 07:19:56.815305 2013] [suexec:notice] [pid 4757] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Oct 15 07:19:56.815573 2013] [ssl:emerg] [pid 4757] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Oct 15 07:19:56.815594 2013] [ssl:emerg] [pid 4757] AH02312: Fatal error initialising mod_ssl, exiting.
The call to disable_ssl is still done in httpinstance.py. It backs up and removes ssl.conf, which is probably why there is no SSLCertificateFile. Still, it is surprising that SSLEngine is even enabled.
I'd check to see if /etc/httpd/conf.d/ssl.conf exists. If not, uninstall IPA server which should restore it, then disable the mod_ssl disable call and see if the install succeeds then (we probably need to remove this call anyway).
Optionally, install mod_ssl post IPA-installation.
Fixing description formatting.
I have a candidate patch prepared during investigation.
Autotriaging to 3.3.x, it is a required fix for this release.
We now have all the bits in Fedora (http://koji.fedoraproject.org/koji/buildinfo?buildID=473624).
The server should now listen on both 443 with mod_nss and 10443 with mod_ssl. CLI and Web UI should continue to work, as well as cert operations like "cert-show 1" - cert operations would not work if new mod_nss is not updated.
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)