Bug 1029046
| Summary: | Implicit SSLEngine for 443 port breaks mod_nss configuration | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | dpal, jkaluza, jorton, ksiddiqu, pviktori, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.3.3-6.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1023168 | Environment: | |
| Last Closed: | 2014-06-13 10:47:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1023168, 1061016 | | |
| Bug Blocks: | 1029042, 1029043 | | |
Description
Martin Kosek
2013-11-11 14:34:59 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4021

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f20577ddc4ab40c2365c8abaa703d96019ec4eef/
ipa-3-3: https://fedorahosted.org/freeipa/changeset/3a11044664341257a3929da2db1c493659515eec/

The change was removed from ipa-3-3 due to missing dependencies in Fedora 19. RHEL will need to carry it as a patch.

Verified.
SSLEngine is off in the mod_nss default install, and nss.conf now contains only "Listen 443" after install.
[root@rhel70-master ~]# rpm -q ipa-server mod_nss mod_ssl
ipa-server-3.3.3-15.el7.x86_64
mod_nss-1.0.8-32.el7.x86_64
mod_ssl-2.4.6-14.el7.x86_64
[root@rhel70-master ~]#
Steps performed for verification:
================================
(1) SSLEngine is off in nss.conf
[root@rhel70-master ~]# grep -r "SSLEngine off" /etc/httpd/conf.d/nss.conf
SSLEngine off
[root@rhel70-master ~]#
(2) Changed port 443 to 9000 in ssl.conf so that it does not conflict with the mod_nss configuration for ipa-server-install
[root@rhel70-master ~]# sed -i 's/443/9000/g' /etc/httpd/conf.d/ssl.conf
[root@rhel70-master ~]# grep -r 9000 /etc/httpd/conf.d/ssl.conf
Listen 9000 https
<VirtualHost _default_:9000>
#ServerName www.example.com:9000
[root@rhel70-master ~]#
(3) Ran ipa-server-install
[root@rhel70-master ~]# ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=rhel70-master.testrelm.com -r TESTRELM.COM -n testrelm.com -p xxxxxxxx -P xxxxxxxx -a xxxxxxxx -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
..
...
....
.....
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@rhel70-master ~]#
(4) No "Listen 443 http" in nss.conf after ipa-server-install.
[root@rhel70-master ~]# grep -r "Listen 443" /etc/httpd/conf.d/nss.conf
Listen 443
[root@rhel70-master ~]#
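
The grep checks from verification steps (1), (2) and (4) above, written as a repeatable script. This is an added example, not part of the bug report or of FreeIPA/mod_nss; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: the manual grep checks from the verification steps as a script.
# Function names are assumptions of this example, not FreeIPA or mod_nss tooling.

# Print "<port> <protocol or ->" for each active (uncommented) Listen directive.
listen_ports() {
    sed -e 's/#.*//' "$1" | awk 'tolower($1) == "listen" {
        n = split($2, a, ":")            # handles 443, 192.0.2.1:443 and [::]:443
        print a[n], ($3 == "" ? "-" : $3) }'
}

# Steps (1) and (4): active "SSLEngine off" and a "Listen 443" with no protocol.
check_nss_conf() {
    rc=0
    if ! sed -e 's/#.*//' "$1" | grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+off[[:space:]]*$'; then
        echo "FAIL: no active 'SSLEngine off' in $1"; rc=1
    fi
    if ! listen_ports "$1" | grep -qx '443 -'; then
        echo "FAIL: no 'Listen 443' without a protocol argument in $1"; rc=1
    fi
    if listen_ports "$1" | grep -q '^443 [^-]'; then
        echo "FAIL: 'Listen 443' carries an explicit protocol in $1"; rc=1
    fi
    return "$rc"
}

# Step (2): ports that both files listen on (empty output means no clash).
shared_ports() {
    listen_ports "$1" | cut -d' ' -f1 | sort -u | while read -r port; do
        if listen_ports "$2" | cut -d' ' -f1 | grep -qx "$port"; then echo "$port"; fi
    done
}

# Constructed sample files containing only the lines quoted in the comment above.
demo=$(mktemp -d)
printf 'Listen 443\nSSLEngine off\n' > "$demo/nss.conf"
printf 'Listen 9000 https\n<VirtualHost _default_:9000>\n#ServerName www.example.com:9000\n' > "$demo/ssl.conf"
if check_nss_conf "$demo/nss.conf"; then echo "nss.conf: OK"; fi
shared=$(shared_ports "$demo/nss.conf" "$demo/ssl.conf")
echo "ports shared with ssl.conf: ${shared:-none}"
rm -rf "$demo"
```

On a real host the two functions would be pointed at /etc/httpd/conf.d/nss.conf and /etc/httpd/conf.d/ssl.conf, the files the steps above inspect.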
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.