#7528 Upon ipa-server-install on Ubuntu 18.04, Apache unable to use encrypted httpd.key
Closed: fixed 5 years ago Opened 5 years ago by stanr.

Issue

Trying to install on Ubuntu 18.04 LTS Bionic Beaver. Applied the fix to Bug #1765616 -- installed tomcat8 (8.5.30-1ubuntu1.2) from ppa:freeipa/ppa to proceed further with the installation.

Still unable to complete the installation, as Apache dies on startup during install.

Steps to Reproduce

$ ipa-server-install --setup-dns

^ Install fails on starting Apache

$ cat /var/log/apache2/error.log

Excerpt:
... AH02580: Init: Pass phrase incorrect for key ...

Full text:
[Thu May 03 18:25:24.301795 2018] [mpm_event:notice] [pid 1591:tid 140073085791168] AH00491: caught SIGTERM, shutting down
[Thu May 03 18:25:30.948992 2018] [ssl:emerg] [pid 11262:tid 140405782162368] AH02580: Init: Pass phrase incorrect for key hostfqdn:443:0
[Thu May 03 18:25:30.949087 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu May 03 18:25:30.949105 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Thu May 03 18:25:30.949119 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu May 03 18:25:30.949134 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
[Thu May 03 18:25:30.949148 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Thu May 03 18:25:30.949182 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu May 03 18:25:30.949196 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Thu May 03 18:25:30.949207 2018] [ssl:emerg] [pid 11262:tid 140405782162368] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Thu May 03 18:25:30.949215 2018] [ssl:emerg] [pid 11262:tid 140405782162368] AH02564: Failed to configure encrypted (?) private key hostfqdn:443:0, check /var/lib/ipa/private/httpd.key
AH00016: Configuration Failed

Additional info:

After the installation fails, tried the following:

$ service apache2 start
^ Apache fails to start again with the same error

$ cat /var/lib/ipa/passwds/hostnamefqdn-443-RSA
^ Here, copy the displayed password string.

Paste the displayed password string from the above file when prompted:
$ openssl rsa -in /var/lib/ipa/private/httpd.key -out /tmp/httpd.key.nopass

Backup and replace the httpd key file with one without password:
$ mv /var/lib/ipa/private/httpd.key /var/lib/ipa/private/httpd.key.pass
$ mv /tmp/httpd.key.nopass /var/lib/ipa/private/httpd.key

Try starting Apache again:
$ service apache2 start

^^^ This succeeds, meaning that Apache starts up fine when the key is not encrypted

Actual behavior

The install process fails and terminates

Expected behavior

The install process completes successfully

Version/Release/Distribution

$ apt-cache madison freeipa-server freeipa-client 389-ds-base pki-ca apache2
freeipa-server | 4.7.0~pre1+git20180411-2ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
freeipa-client | 4.7.0~pre1+git20180411-2ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
389-ds-base | 1.3.7.10-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
pki-ca | 10.6.0-1ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
pki-ca | 10.6.0-1ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe i386 Packages
apache2 | 2.4.29-1ubuntu4.1 | http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
apache2 | 2.4.29-1ubuntu4.1 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
apache2 | 2.4.29-1ubuntu4 | http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages


Do you have SSLPassPhraseDialog exec:/usr/libexec/ipa/ipa-httpd-pwdreader in ssl.conf?

Is it executable? What happens if you run it manually like:

bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA

Thanks for getting back to us on this issue.

The bug was reproducible all day on multiple install attempts on the day of the bug submission.
Sadly, I performed an ipa-server-install --uninstall after submitting the bug.

I was just able to reinstall freeipa again three times without an incident with no other changes to the environment. To me, this suggests that the issue is perhaps related to the contents of the randomly generated file /var/lib/ipa/passwds/hostnamefqdn-443-RSA and the way they are handled/passed on to Apache.

Apologies for not having preserved the specifics, this might be a hard bug to trace.

Metadata Update from @slaykovsky:
- Issue set to the milestone: FreeIPA 4.7

5 years ago

Metadata Update from @slaykovsky:
- Issue set to the milestone: FreeIPA 4.7 backlog (was: FreeIPA 4.7)

5 years ago

The bug here is that ipa-httpd-pwdreader assumes $HOSTNAME is FQDN

Hello, I am hitting the same problem on Fedora 28 (and Rawhide).

  • error_log:
    [Thu Jun 14 16:07:20.327806 2018] [core:notice] [pid 8725:tid 139880532003072] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
    [Thu Jun 14 16:07:20.328588 2018] [suexec:notice] [pid 8725:tid 139880532003072] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Thu Jun 14 16:07:20.331535 2018] [ssl:emerg] [pid 8725:tid 139880532003072] AH02580: Init: Pass phrase incorrect for key ipa.example.com:443:0
    [Thu Jun 14 16:07:20.331559 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    [Thu Jun 14 16:07:20.331568 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
    [Thu Jun 14 16:07:20.331573 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    [Thu Jun 14 16:07:20.331580 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
    [Thu Jun 14 16:07:20.331586 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
    [Thu Jun 14 16:07:20.331592 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    [Thu Jun 14 16:07:20.331597 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
    [Thu Jun 14 16:07:20.331603 2018] [ssl:emerg] [pid 8725:tid 139880532003072] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/error_log for more information
    [Thu Jun 14 16:07:20.331606 2018] [ssl:emerg] [pid 8725:tid 139880532003072] AH02564: Failed to configure encrypted (?) private key ipa.example.com:443:0, check /var/lib/ipa/private/httpd.key
    AH00016: Configuration Failed

  • ipaserver_install.log:
    2018-06-14T14:07:20Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
    2018-06-14T14:07:20Z ERROR CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
    2018-06-14T14:07:20Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The issue was also seen on Fedora 28: [BZ 1591703](https://bugzilla.redhat.com/show_bug.cgi?id=1591703) and happened because of the host name which was not FQDN.
Is /etc/hosts containing an entry for the host?
Is /etc/hostname containing the fully qualified domain name?
Is hostname returning the FQDN?

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1591703

5 years ago

Metadata Update from @rcritten:
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7 backlog)

5 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

5 years ago

master:

  • e382068 Try to resolve the name passed into the password reader to a file

ipa-4-7:

  • 3b226d8 Try to resolve the name passed into the password reader to a file
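As an added example (not FreeIPA's own ipa-httpd-pwdreader and not the content of the commits above), here is a minimal `SSLPassPhraseDialog exec:` helper in POSIX sh that does what the fix title describes: it resolves the `servername:port` that Apache passes as its first argument to a passphrase file, instead of building the file name from `$HOSTNAME`, so a short host name in the environment no longer breaks the lookup. The invocation convention (`<program> host:443 RSA`) and the `/var/lib/ipa/passwds/<host>-<port>-RSA` layout are taken from the thread; the `PASSWD_DIR` override, the argument validation and the demo with its openssl self-check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not FreeIPA's ipa-httpd-pwdreader: a minimal
# SSLPassPhraseDialog exec: helper that resolves the name Apache passes in
# to a passphrase file, instead of trusting $HOSTNAME.
#
# Apache runs the helper as "<program> <servername>:<port> <keytype>" (for
# example "ipa.example.com:443 RSA") and reads the passphrase from stdout.
# FreeIPA keeps the passphrase in /var/lib/ipa/passwds/<host>-<port>-<keytype>.
# PASSWD_DIR is overridable (assumption of this example) so the demo below can
# run against a scratch directory.
PASSWD_DIR="${PASSWD_DIR:-/var/lib/ipa/passwds}"

# passwd_file_for HOST:PORT KEYTYPE -> prints the matching passphrase file path.
# Returns 1 when the arguments are malformed or no such file exists.
passwd_file_for() {
    name=$1
    keytype=$2
    case "$name" in
        *:*) ;;
        *) return 1 ;;
    esac
    host=${name%%:*}
    port=${name##*:}
    # Only hostname/port/keytype characters are accepted, so nothing like
    # "../" can turn the path built under PASSWD_DIR into something else.
    case "$host$port$keytype" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    file="$PASSWD_DIR/$host-$port-$keytype"
    [ -f "$file" ] || return 1
    printf '%s\n' "$file"
}

# read_passphrase HOST:PORT KEYTYPE -> prints the passphrase for Apache.
read_passphrase() {
    file=$(passwd_file_for "$1" "$2") || return 1
    cat "$file"
}

# demo: exercise the helper with a constructed passphrase file in a scratch
# directory and, when openssl is available, show that the stored passphrase
# opens an encrypted key without ever writing an unencrypted copy to disk.
demo() {
    tmp=$(mktemp -d)
    PASSWD_DIR="$tmp"
    printf 'constructed-passphrase-123\n' > "$tmp/ipa.example.com-443-RSA"
    chmod 600 "$tmp/ipa.example.com-443-RSA"

    if read_passphrase ipa.example.com:443 RSA >/dev/null; then
        echo "FQDN passed by Apache resolves to $(passwd_file_for ipa.example.com:443 RSA)"
    fi
    if ! read_passphrase ipa:443 RSA >/dev/null; then
        echo "short name 'ipa' resolves to no file (the failure mode in this ticket)"
    fi

    if command -v openssl >/dev/null 2>&1; then
        # Encrypt a throwaway key with the stored passphrase, then check that
        # the helper's output decrypts it (this is what mod_ssl does at start).
        openssl genrsa -aes256 -passout "file:$tmp/ipa.example.com-443-RSA" \
            -out "$tmp/httpd.key" 2048 2>/dev/null
        if read_passphrase ipa.example.com:443 RSA |
           openssl rsa -in "$tmp/httpd.key" -passin stdin -check -noout >/dev/null 2>&1; then
            echo "stored passphrase decrypts httpd.key"
        fi
    fi
    rm -rf "$tmp"
}

# With two arguments behave as the Apache helper; with none, run the demo.
if [ $# -eq 2 ]; then
    read_passphrase "$1" "$2"
else
    demo
fi
```

Pointed at the real directory, `sh ./pwdreader.sh "$(hostname -f):443" RSA | openssl rsa -in /var/lib/ipa/private/httpd.key -passin stdin -check -noout` is the check to run before restarting Apache: it confirms that the passphrase file mod_ssl will be handed actually matches the key, which is the condition the `AH02580: Init: Pass phrase incorrect` lines in this ticket report as violated, and it does so without leaving an unencrypted httpd.key behind as the workaround above does.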

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
