#3974 FreeIPA server should not conflict with mod_ssl
Closed: Fixed. Opened 6 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1018172

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

FreeIPA still conflicts with mod_ssl. However, it should now be able to live next to that, as per https://bugzilla.redhat.com/show_bug.cgi?id=761574.

I tried to just remove the Conflict, but receive an error:

# yum install ipa-server
# yum install mod_ssl
# ipa-server-install
...
  [11/15]: clean up any existing httpd ccache
  [12/15]: configuring SELinux for httpd
  [13/15]: configure httpd ccache
  [14/15]: restarting httpd
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/bin/systemctl restart httpd.service' returned non-zero exit status 1

/var/log/httpd/error_log:
[Mon Oct 14 12:48:47.668131 2013] [mpm_prefork:notice] [pid 15003] AH00170: caught SIGWINCH, shutting down gracefully
[Tue Oct 15 07:19:56.813513 2013] [core:notice] [pid 4757] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Oct 15 07:19:56.815305 2013] [suexec:notice] [pid 4757] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Oct 15 07:19:56.815573 2013] [ssl:emerg] [pid 4757] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Oct 15 07:19:56.815594 2013] [ssl:emerg] [pid 4757] AH02312: Fatal error initialising mod_ssl, exiting.

Rob's advice:

The call to disable_ssl is still done in httpinstance.py. It backs up and removes ssl.conf, which is probably why there is no SSLCertificateFile. Still, it is surprising that SSLEngine is even enabled.

I'd check to see if /etc/httpd/conf.d/ssl.conf exists. If not, uninstall IPA server which should restore it, then disable the mod_ssl disable call and see if the install succeeds then (we probably need to remove this call anyway).

Optionally, install mod_ssl post IPA-installation.

Fixing description formatting.

I have a candidate patch prepared during investigation.

Autotriaging to 3.3.x, it is a required fix for this release.

We now have all the bits in Fedora (http://koji.fedoraproject.org/koji/buildinfo?buildID=473624)

TO TEST:

  1. Install newest mod_nss
  2. Install patched freeipa
  3. Install mod_ssl
  4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on 10443 or others
  5. "setenforce 0" to allow httpd to listen on that port
  6. ipa-server-install

The server should now listen on both 443 with mod_nss and 10443 with mod_ssl. CLI and Web UI should continue to work, as well as cert operations like "cert-show 1" - cert operations will not work if mod_nss is not updated to the new version.
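As an added illustration of steps 4 and 6 above (example code, not part of the ticket or of FreeIPA), the helpers below rewrite a stock ssl.conf so mod_ssl listens on 10443 instead of 443, report any Listen port shared between nss.conf and ssl.conf, and flag the exact condition behind the AH02240 error in the log: a VirtualHost with SSLEngine on but no SSLCertificateFile. The two config snippets are constructed samples, not the files from the affected host.

```python
import re

# Constructed, abridged sample of a stock /etc/httpd/conf.d/ssl.conf
SAMPLE_SSL_CONF = """\
Listen 443 https
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

# Constructed, abridged sample of the mod_nss /etc/httpd/conf.d/nss.conf
SAMPLE_NSS_CONF = """\
Listen 443
<VirtualHost _default_:443>
NSSEngine on
NSSNickname Server-Cert
</VirtualHost>
"""

def listen_ports(conf: str) -> set[int]:
    """Ports named in Listen directives (bare port or host:port forms)."""
    return {int(m.group(1))
            for m in re.finditer(r"^\s*Listen\s+(?:\S+:)?(\d+)", conf, re.M)}

def port_conflicts(nss_conf: str, ssl_conf: str) -> set[int]:
    """Ports both modules would try to bind; non-empty means httpd will fail."""
    return listen_ports(nss_conf) & listen_ports(ssl_conf)

def move_ssl_port(conf: str, old: int = 443, new: int = 10443) -> str:
    """Step 4: point mod_ssl's Listen and <VirtualHost *:old> at port `new`."""
    conf = re.sub(rf"^(\s*Listen\s+(?:\S+:)?){old}\b", rf"\g<1>{new}", conf, flags=re.M)
    conf = re.sub(rf"^(\s*<VirtualHost\s+[^>\s]+:){old}>", rf"\g<1>{new}>", conf, flags=re.M)
    return conf

def ssl_vhosts_without_cert(conf: str) -> list[str]:
    """VirtualHosts with 'SSLEngine on' but no SSLCertificateFile (AH02240)."""
    bad = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        body = m.group(2)
        engine_on = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I)
        has_cert = re.search(r"^\s*SSLCertificateFile\s+\S", body, re.M | re.I)
        if engine_on and not has_cert:
            bad.append(m.group(1).strip())
    return bad

if __name__ == "__main__":
    print("conflicts before:", port_conflicts(SAMPLE_NSS_CONF, SAMPLE_SSL_CONF))
    print("conflicts after: ", port_conflicts(SAMPLE_NSS_CONF, move_ssl_port(SAMPLE_SSL_CONF)))
```

Instead of "setenforce 0", labelling the new port with `semanage port -a -t http_port_t -p tcp 10443` lets httpd bind it with SELinux still enforcing.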

Metadata Update from @mkosek (3 years ago):
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)
