Bug 1240495

Summary: mod_ssl install fails with a long hostname
Product: Red Hat Enterprise Linux 7 Reporter: Ian Wienand <iwienand>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Martin Frodl <mfrodl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: isenfeld, jkaluza, jorton, mfrodl, ohudlick
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd-2.4.6-41.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1356938 (view as bug list) Environment:
Last Closed: 2016-11-04 08:08:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ian Wienand 2015-07-07 06:18:36 UTC 
upstream openstack CI is occasionally [1] failing; e.g.

---
2015-07-04 15:20:33.078 | + sudo /sbin/service httpd start
2015-07-04 15:20:33.095 | Redirecting to /bin/systemctl start  httpd.service
2015-07-04 15:20:33.196 | Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
2015-07-04 15:20:33.197 | + exit_trap
---

---
Jul 04 15:20:33 devstack-... systemd[1]: Starting The Apache HTTP Server...
Jul 04 15:20:33 devstack-... httpd[6407]: AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
Jul 04 15:20:33 devstack-... httpd[6407]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Jul 04 15:20:33 devstack-... systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
---

However when we trace backwards, we see

---
2015-07-04 15:07:24.037 |   Installing : 1:mod_ssl-2.4.6-31.el7.centos.x86_64                       56/77 
2015-07-04 15:07:24.037 | warning: %post(mod_ssl-1:2.4.6-31.el7.centos.x86_64) scriptlet failed, exit status 1
2015-07-04 15:07:24.039 | Non-fatal POSTIN scriptlet failure in rpm package 1:mod_ssl-2.4.6-31.el7.centos.x86_64
---

The mod_ssl post script [1] doesn't do a lot -- it generates /etc/pki/tls/private/localhost.key and then /etc/pki/tls/certs/localhost.crt

Really, the only place this could cause the script to exit with "1" is if the final call to "openssl req" fails.

The way it is written, the error output of "openssl gen" gets sent to /dev/null so we don't get a smoking gun.  But after a bunch of testing I believe the issue is with the length of the hostname
---
# hostname devstack-centos7-1435932846.template.openstack.org.novalocal
# rm /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key 
# yum remove -y mod_ssl

# yum install -y mod_ssl
...
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-31.el7.centos will be installed
Running transaction
  Installing : 1:mod_ssl-2.4.6-31.el7.centos.x86_64
warning: %post(mod_ssl-1:2.4.6-31.el7.centos.x86_64) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package 1:mod_ssl-2.4.6-31.el7.centos.x86_64
---

(if you run it on the command-line by hand, it complains the hostname is too long)

I don't know what the right thing to do is : pki/tls/openssl.cnf sets commonName_max to 64 characters so that's where the limit comes from; chopping it off seems easy but maybe wrong, and failing silently in this way is definitely wrong -- any failure output would have helped track this down a lot faster.

[1] search for "Job for httpd.service failed" at logstash.openstack.org
[2] http://logs.openstack.org/96/198496/1/check/check-tempest-dsvm-centos7/5a0897e/logs/devstacklog.txt.gz
[3] http://pkgs.fedoraproject.org/cgit/httpd.git/tree/httpd.spec#n501
Comment 2 Joe Orton 2015-07-07 08:26:29 UTC 
That's fun, I've not seen this before.

RFC 5280 says that the maximum length of a common name is 64 characters, so this seems to be a restriction of the spec rather than the software.  I'm not sure what we can or should do about this.  I guess we could force the %post script to use "localhost" in the case where the length is > 64.

The FQDN you're using there is only 60 characters, I'm not sure why that should exceed the 64 char limit.  Weird.
Comment 3 Joe Orton 2015-07-07 08:35:45 UTC 
Ah we're hitting the 64 char maximum of emailAddress, which is "root@" + FQDN, hence the maximum FQDN we can handle is exactly 59.
Comment 4 Joe Orton 2015-07-07 08:50:13 UTC 
Pushed this to Fedora. http://pkgs.fedoraproject.org/cgit/httpd.git/diff/?id=db205dad277f6b7712dc2fd57d9e3b056b637c14
Comment 11 errata-xmlrpc 2016-11-04 08:08:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2534.html