Bug 1029043

Summary: Implicit SSLEngine for 443 port breaks mod_nss configuration
Product: [Fedora] Fedora Reporter: Martin Kosek <mkosek>
Component: mod_nss Assignee: Matthew Harmsen <mharmsen>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20 CC: jkaluza, jorton, mharmsen
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: mod_nss-1.0.8-26.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1029042 Environment:
Last Closed: 2013-11-24 03:29:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1023168, 1029042, 1029046, 1061016    
Bug Blocks:    

Description Martin Kosek 2013-11-11 14:32:08 UTC
+++ This bug was initially created as a clone of Bug #1029042 +++

+++ This bug was initially created as a clone of Bug #1023168 +++

Description of problem:

This is a follow-up for Bug 1018172. As Joe Orton commented, "Listen X https" or simply "Listen 443" now means an implicit "SSLEngine on" for the vhost. This does not play well when the HTTPS vhost is processed with mod_ssl and httpd won't start:

[Tue Oct 15 07:19:56.815573 2013] [ssl:emerg] [pid 4757] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Oct 15 07:19:56.815594 2013] [ssl:emerg] [pid 4757] AH02312: Fatal error initialising mod_ssl, exiting.

We should be able to at least set "SSLEngine off" in the mod_nss config to avoid this error.


Additional Note:

Our current workaround is to use "Listen 443 http".

+++++++++++++++++++++++++++

With httpd-2.4.6-6.fc20/httpd-2.4.6-7.el7, mod_nss can add 

 <IfModule mod_ssl.c>
    SSLEngine off
 </IfModule>

to vhosts in the default mod_nss.conf to avoid the "Listen X http" hack.
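
The condition described in this report, as an added example (not part of the bug report and not mod_nss or httpd code): a Python check that flags mod_nss vhosts bound to a port where httpd implies "SSLEngine on" and that lack the "SSLEngine off" guard. The sample configuration is constructed and the function names are hypothetical; the check assumes mod_ssl is loaded and does not follow Include directives.

```python
import re

# Constructed sample: port 443 is implicitly SSL, 8443 uses the "Listen X http" workaround.
BEFORE = """\
Listen 443
Listen 8443 http
<VirtualHost _default_:443>
    NSSEngine on
</VirtualHost>
<VirtualHost _default_:8443>
    NSSEngine on
</VirtualHost>
"""
# The same file with the guard from the report added to every mod_nss vhost.
GUARD = "    <IfModule mod_ssl.c>\n        SSLEngine off\n    </IfModule>\n"
AFTER = BEFORE.replace("    NSSEngine on\n", "    NSSEngine on\n" + GUARD)

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def implicit_ssl_ports(conf):
    """Ports where, per the report, httpd implies "SSLEngine on"."""
    ports = set()
    for line in conf.splitlines():
        m = re.match(r"\s*Listen\s+(?:\S+:)?(\d+)(?:\s+(\S+))?\s*$", line, re.I)
        if not m:
            continue
        port, proto = int(m.group(1)), (m.group(2) or "").lower()
        # "Listen X https", or a bare "Listen 443" with no protocol argument.
        if proto == "https" or (proto == "" and port == 443):
            ports.add(port)
    return ports

def nss_vhosts_at_risk(conf):
    """Addresses of mod_nss vhosts on implicit-SSL ports without "SSLEngine off"."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # ignore comment lines
    ssl_ports = implicit_ssl_ports(conf)
    at_risk = []
    for addrs, body in VHOST.findall(conf):
        ports = {int(p) for p in re.findall(r":(\d+)(?=\s|$)", addrs)}
        nss_on = re.search(r"^\s*NSSEngine\s+on\s*$", body, re.I | re.M)
        ssl_off = re.search(r"^\s*SSLEngine\s+off\s*$", body, re.I | re.M)
        if nss_on and not ssl_off and ports & ssl_ports:
            at_risk.append(addrs.strip())
    return at_risk

if __name__ == "__main__":
    print("before:", nss_vhosts_at_risk(BEFORE))
    print("after: ", nss_vhosts_at_risk(AFTER))
```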

Comment 1 Fedora Update System 2013-11-12 23:53:52 UTC
mod_nss-1.0.8-26.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/mod_nss-1.0.8-26.fc20

Comment 2 Fedora Update System 2013-11-14 03:35:02 UTC
Package mod_nss-1.0.8-26.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mod_nss-1.0.8-26.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-21277/mod_nss-1.0.8-26.fc20
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2013-11-24 03:29:49 UTC
mod_nss-1.0.8-26.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.