Bug 1354428 - RHEL6/7 ssl.conf and postinstall cert/key file location discrepancy
Status: VERIFIED
Alias: None
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: openssl
Version: 2.1.1
Hardware: Unspecified
OS: Linux
unspecified
urgent
Target Milestone: CR01
: 2.1.1
Assignee: huwang
QA Contact: Michal Karm Babacek
Reported: 2016-07-11 09:54 UTC by fgoldefu
Modified: 2018-03-05 15:35 UTC (History)
Type: Bug

Description fgoldefu 2016-07-11 09:54:38 UTC
Description of problem:
The postinstall on RHEL6 and RHEL7 creates localhost.key and localhost.crt in relative directories:
conf/openssl/pki/tls/private/localhost.key
conf/openssl/pki/tls/certs/localhost.crt
in the EWS install root.
The ssl.conf uses localhost.key and localhost.crt from these locations:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Apache httpd won't start with this exception:
Syntax error on line 112 of /opt/ews/workspace/jboss-ews-2.1/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

How reproducible:
Unzip RHEL6/7 httpd and start using apachectl.

Actual results:
RHEL5 httpd starts because postinstall will generate key and cert into /etc/pki..., should be updated too.

* jboss-ews-httpd-2.1.1-DR4-RHEL5-i386.zip
.postinstall will create:
/etc/pki/tls/private/localhost.key
/etc/pki/tls/certs/localhost.crt

* jboss-ews-httpd-2.1.1-DR4-RHEL5-x86_64.zip
.postinstall will create:
/etc/pki/tls/private/localhost.key
/etc/pki/tls/certs/localhost.crt

* jboss-ews-httpd-2.1.1-DR4-RHEL6-i386.zip
.postinstall will create:
conf/openssl/pki/tls/private/localhost.key
conf/openssl/pki/tls/certs/localhost.crt

* jboss-ews-httpd-2.1.1-DR4-RHEL6-x86_64.zip
.postinstall will create:
conf/openssl/pki/tls/private/localhost.key
conf/openssl/pki/tls/certs/localhost.crt

* jboss-ews-httpd-2.1.1-DR4-RHEL7-ppc64.zip
.postinstall will create:
conf/openssl/pki/tls/private/localhost.key
conf/openssl/pki/tls/certs/localhost.crt

* jboss-ews-httpd-2.1.1-DR4-RHEL7-x86_64.zip
.postinstall will create:
conf/openssl/pki/tls/private/localhost.key
conf/openssl/pki/tls/certs/localhost.crt

ssl.conf contains on all systems:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Expected results:
ssl.conf file should contain correct directory based on ews installation directory and apache will start.
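
The mismatch reported above can be detected before httpd is started. The script below is an added example, not part of the bug report or of the EWS postinstall; the function names, finding labels and sample tree are constructed, and it assumes one directive per line as in the ssl.conf lines quoted above.

```shell
# Added example, not the EWS postinstall. Names and sample paths are constructed.
# check_ssl_conf CONF SERVER_ROOT
# Prints one finding per active SSLCertificateFile/SSLCertificateKeyFile whose
# target is missing or empty, or (keys only) accessible to group/other.
# Returns the number of findings, so 0 means both files are usable.
check_ssl_conf() {
    conf=$1 srvroot=$2 findings=0
    while read -r directive path rest || [ -n "$directive" ]; do
        name=$(printf '%s' "$directive" | tr 'A-Z' 'a-z')    # names are case-insensitive
        case $name in
            sslcertificatefile|sslcertificatekeyfile) ;;
            *) continue ;;                                    # includes '#...' lines
        esac
        path=${path#\"}; path=${path%\"}                      # optional quotes
        case $path in /*) ;; *) path=$srvroot/$path ;; esac   # relative to ServerRoot
        if [ ! -s "$path" ]; then
            echo "MISSING_OR_EMPTY $directive $path"
            findings=$((findings + 1))
        elif [ "$name" = sslcertificatekeyfile ] &&
             [ "$(ls -lnL "$path" | cut -c5-10)" != "------" ]; then
            echo "KEY_TOO_OPEN $directive $path"
            findings=$((findings + 1))
        fi
    done < "$conf"
    return "$findings"
}

# Constructed install root laid out the way the RHEL6/7 postinstall leaves it.
make_sample_root() {
    r=$(mktemp -d) || return 1
    tls=$r/conf/openssl/pki/tls
    mkdir -p "$tls/private" "$tls/certs" "$r/conf.d"
    ( umask 077; echo "constructed key" > "$tls/private/localhost.key" )
    echo "constructed cert" > "$tls/certs/localhost.crt"
    echo "$r"
}

# write_ssl_conf ROOT PREFIX: emit the two directives with the given PKI prefix.
write_ssl_conf() {
    printf 'SSLCertificateFile %s/certs/localhost.crt\nSSLCertificateKeyFile %s/private/localhost.key\n' \
        "$2" "$2" > "$1/conf.d/ssl.conf"
}

demo=$(make_sample_root)
write_ssl_conf "$demo" /etc/pki/tls                      # as shipped
check_ssl_conf "$demo/conf.d/ssl.conf" "$demo" || echo "as shipped: $? finding(s)"
write_ssl_conf "$demo" "$demo/conf/openssl/pki/tls"      # after the path rewrite
check_ssl_conf "$demo/conf.d/ssl.conf" "$demo" && echo "after rewrite: ok"
rm -rf "$demo"
```

The empty-file case is checked with `-s` because httpd rejects a certificate file that exists but has no content, as the error message in the report states.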

Comment 1 Weinan Li 2016-07-11 14:22:51 UTC
Patch:

[weli@localhost jboss-ews]$ git diff
diff --git a/postinstall b/postinstall
index 81b2441..26ef671 100644
--- a/postinstall
+++ b/postinstall
@@ -2,7 +2,7 @@
 #
 umask 077
 
-if [ ! -f /etc/pki/tls/private/localhost.key ] ; then
+if [ ! -f conf/openssl/pki/tls/private/localhost.key ] ; then
 sbin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > conf/openssl/pki/tls/private/localhost.key 2> /dev/null
 fi
 
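Review bot: the `-f` test on the added `if` line treats a zero-length localhost.key as already generated. The `>` redirect on the genrsa line creates the file even when openssl fails, and `2> /dev/null` hides that failure, so one failed run leaves an empty key that every later run skips. Using `[ ! -s conf/openssl/pki/tls/private/localhost.key ]` would regenerate in that case. Both the test and the redirect target are relative, so the script only works when run from the httpd directory; anchoring them on the same variable the later sed uses would remove that assumption. The unchanged genrsa line also still requests a 1024-bit key, which is worth raising to 2048 while this block is being edited.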
@@ -54,3 +54,7 @@ sed -i -e "s:/var/www:jboss-ews-2.1/httpd/www:g" -e "s:/etc/httpd:jboss-ews-2.1/
 
 #JBPAPP-9446
 sed -i -e "s:LoadModule proxy_balancer_module:#LoadModule proxy_balancer_module:" conf/httpd.conf
+
+#BZ1354428
+sed -i -e "s:/etc/pki/tls:$currentDir/conf/openssl/pki/tls:" conf.d/ssl.conf
+
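Review bot: `$currentDir` in the added sed line is not assigned anywhere in the visible hunks. If it is empty at this point, ssl.conf is rewritten to /conf/openssl/pki/tls and httpd fails the same way as before; if the install path contains `:` or `&`, the sed expression breaks or substitutes the wrong text. Suggest a guard such as `[ -n "$currentDir" ] || exit 1` before the sed and a comment saying where the variable is set. The pattern is also unanchored, so every line of conf.d/ssl.conf that mentions /etc/pki/tls is rewritten, not just the two localhost directives; restricting the substitution to the SSLCertificateFile and SSLCertificateKeyFile lines would leave any other system-wide paths alone.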

Comment 2 fgoldefu 2016-07-11 14:31:42 UTC
I've checked the rpms for RHEL6/7 from Errata [1,2] and the ssl.conf contains
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

and the postinstallation script of mod_ssl generates the key and cert in these locations, but I assume they should be generated in:

/opt/rh/jbcs-httpd24/root/etc/pki...

and ssl.conf configuration updated to this location. What do you think?

[1] https://errata.devel.redhat.com/advisory/23628
[2] https://errata.devel.redhat.com/advisory/23629

Comment 3 Weinan Li 2016-07-11 16:34:53 UTC
part 2:

[weli@localhost jboss-ews]$ git diff
diff --git a/postinstall b/postinstall
index 26ef671..5528179 100644
--- a/postinstall
+++ b/postinstall
@@ -12,7 +12,7 @@ if [ "x${FQDN}" = "x" ]; then
 fi
 
 if [ ! -f conf/openssl/pki/tls/certs/localhost.crt ] ; then
-cat << EOF | sbin/openssl req -new -key conf/openssl/pki/tls/private/localhost.key \
+cat << EOF | OPENSSL_CONF=conf/openssl/pki/tls/openssl.cnf sbin/openssl req -new -key conf/openssl/pki/tls/private/localhost.key \
          -x509 -days 365 -set_serial $RANDOM \
          -out conf/openssl/pki/tls/certs/localhost.crt 2>/dev/null
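Review bot: nothing on the changed `OPENSSL_CONF=conf/openssl/pki/tls/openssl.cnf` line checks that the file exists, and the `2>/dev/null` on the `-out` line discards whatever openssl req reports if it does not, so a missing or unreadable config leaves no certificate and no message. Suggest testing it first with `[ -r conf/openssl/pki/tls/openssl.cnf ]` and sending stderr to a log instead of /dev/null. The path is relative like the key and certificate paths, so the same working-directory assumption applies. A one-line comment in the script explaining why the override is needed would also help, since "part 2:" does not say. Separately, `-set_serial $RANDOM` in the context line gives a very small serial space if the script runs under bash (0 to 32767).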

Comment 4 PnT Account Manager 2017-12-08 00:03:31 UTC
Employee 'fgoldefu@redhat.com' has left the company.