I'm trying to build and install FreeIPA 4.8.5 on ALTLinux.
The master installation fails with:
[2020-03-18 05:19:29] [17/30]: adding RA agent as a trusted user
[2020-03-18 05:19:29] [18/30]: authorizing RA to modify profiles
[2020-03-18 05:19:29] [19/30]: authorizing RA to manage lightweight CAs
[2020-03-18 05:19:29] [20/30]: Ensure lightweight CAs container exists
[2020-03-18 05:19:29] [21/30]: configure certificate renewals
[2020-03-18 05:19:33] [22/30]: Configure HTTP to proxy connections
[2020-03-18 05:19:40] [error] CalledProcessError: CalledProcessError(Command ['/sbin/systemctl', 'restart', 'httpd2.service'] returned non-zero exit status 1: 'Job for httpd2.service failed because the control process exited with error code.\nSee "systemctl status httpd2.service" and "journalctl -xe" for details.\n')
[2020-03-18 05:19:40] CalledProcessError(Command ['/sbin/systemctl', 'restart', 'httpd2.service'] returned non-zero exit status 1: 'Job for httpd2.service failed because the control process exited with error code.\nSee "systemctl status httpd2.service" and "journalctl -xe" for details.\n')
[2020-03-18 05:19:40] The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Mar 18 05:19:34 master1.ipa.test httpd2[2145]: AH00526: Syntax error on line 3 of /etc/httpd2/conf/extra-enabled/ipa-pki-proxy.conf:
Mar 18 05:19:34 master1.ipa.test httpd2[2145]: Invalid command 'ProxyRequests', perhaps misspelled or defined by a module not included in the server configuration
Mar 18 05:19:34 master1.ipa.test apachectl2[2145]: AH00526: Syntax error on line 3 of /etc/httpd2/conf/extra-enabled/ipa-pki-proxy.conf:
Mar 18 05:19:34 master1.ipa.test apachectl2[2145]: Invalid command 'ProxyRequests', perhaps misspelled or defined by a module not included in the server configuration
The error comes with the recent AJP changes https://github.com/freeipa/freeipa/pull/4337/commits/bf137c233385b127b22a4173ab3acc32d9786a5b, where Apache is going to be restarted by the installer, but is not ready for that. The httpd is configured later, in its own phase. So, I think nobody should rely on a running Apache until its configuration is done.
Note: apache configuration process for ALT is similar to Debian's one. https://www.altlinux.org/Apache2/Configs (Russian version). That's why it is not caught by upstream CI.
After removing the Apache restart, I have an error in the 'http' phase:
Mar 18 08:52:51 master1.ipa.test httpd2[3640]: AH00526: Syntax error on line 9 of /etc/httpd2/conf/extra-enabled/ipa-pki-proxy.conf:
Mar 18 08:52:51 master1.ipa.test httpd2[3640]: ProxyPass unknown Worker parameter
Mar 18 08:52:51 master1.ipa.test apachectl2[3640]: AH00526: Syntax error on line 9 of /etc/httpd2/conf/extra-enabled/ipa-pki-proxy.conf:
Mar 18 08:52:51 master1.ipa.test apachectl2[3640]: ProxyPass unknown Worker parameter
Mar 18 08:52:56 master1.ipa.test systemd[1]: httpd2.service: Control process exited, code=exited, status=3/NOTIMPLEMENTED
Mar 18 08:52:56 master1.ipa.test systemd[1]: httpd2.service: Failed with result 'exit-code'.
Mar 18 08:52:56 master1.ipa.test systemd[1]: Failed to start The Apache2 HTTP Server.
# httpd2 -v
Server version: Apache/2.4.41 (Unix)
Server built: Aug 14 2019 04:53:18
I tried to remove the 'secret' attribute from 'ipa-pki-proxy.conf' and 'httpd' has started. So, 'secret' attribute is not supported by mod_proxy_ajp for bare 'httpd'.
Fedora applies https://src.fedoraproject.org/rpms/httpd/blob/master/f/httpd-2.4.34-r1738878.patch to bring support for "secret" attribute of mod_proxy_ajp. This patch is the backport of upstream's one for apache-2.5. RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1397243
ALTLinux's Apache is not patched for the same. Maybe Debian too? I didn't check.
Fortunately, as we can see from upstream tracker: Upstream BZ: https://bz.apache.org/bugzilla/show_bug.cgi?id=53098 the original patch has been backported to 2.4 branch and will be part of 2.4.42.
So, for ALT I'll backport that patch until 2.4.42. But I don't know about RHEL.
I checked that RHEL 8.2 beta has this patch as well.
I checked even more and it is fixed since RHEL 8.0.
master:
ipa-4-7:
ipa-4-8:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to On Debian and ALT Linux setup of AJP connector did restart Apache instance before it was configured. The restart wasn't actually needed and thus was removed.
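An added example, not from this ticket or from FreeIPA's code: a preflight check for the second failure described above, where an AJP `ProxyPass` line carrying `secret=` is rejected by an httpd build that lacks the mod_proxy_ajp patch. The function names, the `distro_backport` flag and the sample configuration are assumptions made for illustration; the 2.4.42 threshold and the `httpd2 -v` banner come from the thread.

```python
import re

# Per the thread, upstream support for "secret=" is expected in 2.4.42;
# older builds accept it only when the distribution backported the patch.
SECRET_MIN_VERSION = (2, 4, 42)

# `httpd2 -v` output quoted in the ticket.
SAMPLE_BANNER = "Server version: Apache/2.4.41 (Unix)\nServer built: Aug 14 2019 04:53:18"

# Constructed sample, not the real ipa-pki-proxy.conf.
SAMPLE_CONF = "\n".join([
    "# constructed sample configuration",
    "ProxyRequests Off",
    '<LocationMatch "^/ca/ee/ca/checkRequest">',
    "    ProxyPassMatch ajp://localhost:8009 secret=CONSTRUCTED_PLACEHOLDER",
    "</LocationMatch>",
])

def parse_httpd_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in banner")
    return tuple(int(part) for part in m.groups())

def ajp_secret_lines(conf_text):
    """Line numbers of ajp:// ProxyPass/ProxyPassMatch directives using secret=."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out directives cannot break the parse
        if (re.match(r"(?i)ProxyPass(Match)?\s", stripped)
                and "ajp://" in stripped.lower()
                and re.search(r"(?i)\bsecret=", stripped)):
            hits.append(number)
    return hits

def preflight(banner, conf_text, distro_backport=False):
    """Report whether httpd would reject the config with 'unknown Worker parameter'."""
    version = parse_httpd_version(banner)
    lines = ajp_secret_lines(conf_text)
    supported = version >= SECRET_MIN_VERSION or distro_backport
    return {"version": version, "secret_lines": lines,
            "will_fail": bool(lines) and not supported}

if __name__ == "__main__":
    print(preflight(SAMPLE_BANNER, SAMPLE_CONF))
```

A version comparison alone misreports patched distribution builds, which is why the caller has to state whether the backport is present.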