Bug 169620

Summary: Mismatch between httpd config tool and ssl key Makefile
Product: [Fedora] Fedora
Reporter: bob mckay <urilabob>
Component: system-config-httpd
Assignee: Phil Knirsch <pknirsch>
Status: CLOSED WORKSFORME
Severity: medium
Priority: medium
Version: 4
CC: michael, rvokal
Hardware: i386
OS: Linux
Last Closed: 2008-02-29 04:31:18 UTC

Description bob mckay 2005-09-30 11:04:30 UTC

Description of problem:
When ssl is turned on, system-config-httpd insists on a CA chain file (to be exact, httpd crashes if the field is left blank). I don't know enough about key systems to know if this is correct behaviour or not. What I _do_ know is that the Makefile in /etc/pki/tls/certs supports the creation of self-signed keys, but in the process, does _not_ create a CA chain file. 

Version-Release number of selected component (if applicable):
system-config-httpd-1.3.2-2

How reproducible:
Always

Steps to Reproduce:
1. Follow the well-documented processes around the web to use /etc/pki/tls/certs/Makefile to create a self-signed certificate
2. Run system-config-httpd, turn on ssl, and fill the fields for which files have been created
3. Save the configuration
4. Restart httpd

Actual Results:  httpd crashes

Expected Results:  system-config-httpd should have created a valid httpd.conf file

Additional info:

I don't know what the correct behaviour should be here. I can think of at least four (not entirely mutually exclusive):
- system-config-httpd doesn't create a CA chain file directive if none is specified (I don't know if this is a reasonable behaviour or not)
- system-config-httpd _gives a helpful error message_ if a null CA chain file is specified
- /etc/pki/tls/certs/Makefile creates a dummy CA chain file when it creates a self-signed certificate
- the documentation (should be both the Makefile and system-config-httpd) tells you what to do about the CA chain file when you create a self-signed certificate

I also don't know how serious this bug is; I seem to have gotten around it by pointing the CA chain file to the default CA-bundle file, but I have no idea whether this is a reasonable solution or if I have just opened up a huge security hole.
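
Added example, not part of the original report and not system-config-httpd code: a pre-restart check that flags mod_ssl file directives left blank or pointing at a missing file, which is the "helpful error message" case described above. Which directive the tool's "CA chain file" field writes is an assumption (both candidates are checked), and the sample configuration and its server.crt/server.key paths are constructed.

```python
import os

# mod_ssl directives that take a file path. Assumption: the GUI's
# "CA chain file" field maps to one of the last two.
FILE_DIRECTIVES = {
    "sslcertificatefile",
    "sslcertificatekeyfile",
    "sslcertificatechainfile",
    "sslcacertificatefile",
}

def lint_ssl_files(conf_text, exists=os.path.isfile):
    """Return (line_no, directive, problem) for each SSL file directive
    whose argument is blank or names a file that does not exist."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        name = parts[0]
        if name.lower() not in FILE_DIRECTIVES:  # directive names are case-insensitive
            continue
        arg = parts[1].strip().strip("\"'") if len(parts) > 1 else ""
        if not arg:
            # A self-signed certificate has no intermediates, so the chain
            # directive can be left out instead of being written empty.
            findings.append((no, name, "no file given; remove the directive or set a path"))
        elif not exists(arg):
            findings.append((no, name, "file not found: " + arg))
    return findings

# Constructed sample: what a saved config could look like with the field left blank.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile
# SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
"""

if __name__ == "__main__":
    # exists is stubbed so the sample runs on a machine without these files
    for no, name, problem in lint_ssl_files(SAMPLE_CONF, exists=lambda p: True):
        print("line %d: %s: %s" % (no, name, problem))
```
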

Comment 1 Phil Knirsch 2006-06-28 09:20:36 UTC
*** Bug 179768 has been marked as a duplicate of this bug. ***

Comment 2 Phil Knirsch 2006-11-20 12:56:50 UTC
Last week I've released system-config-httpd-1.4.1 for FC5, FC6 as testing and
put it in FC-devel as well.

Please give it a shot and let me know if this is working for you now.

Thanks,

Read ya, Phil


Comment 3 petrosyan 2008-02-29 04:31:18 UTC
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.

Comment 4 bob mckay 2008-02-29 11:48:25 UTC
The default key installation in F8 obviates the need to make a key.