Bug 2155961
Summary: httpd-init fails to create localhost.crt and localhost.key because "sscg" now creates a /dhparams.pem by default and is not idempotent if the file /dhparams.pem already exists.

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Dasharath Masirkar <dmasirka> |
| Component: | httpd | Assignee: | Luboš Uhliarik <luhliari> |
| Status: | CLOSED ERRATA | QA Contact: | icesalov |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.7 | CC: | jorton, luhliari, peter.vreman |
| Target Milestone: | rc | Keywords: | AutoVerified, Regression, Triaged, ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | httpd-2.4-8080020230126164620.fd72936b | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2165967 | Environment: | |
| Last Closed: | 2023-05-16 08:28:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2165967 | | |
Description
Dasharath Masirkar
2022-12-23 03:13:20 UTC
Workaround:

~~~
rm -f /etc/pki/tls/private/localhost.key
rm -f /etc/pki/tls/certs/localhost.crt
rm -f /dhparams.pem
systemctl restart httpd
~~~

~~~
# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: reloading (reload) since Fri 2022-12-23 13:50:05 IST; 8s ago
     Docs: man:httpd.service(8)
 Main PID: 2807 (httpd)
   Status: "Reading configuration..."
    Tasks: 1 (limit: 49428)
   Memory: 8.2M
   CGroup: /system.slice/httpd.service
           └─2807 /usr/sbin/httpd -DFOREGROUND

Dec 23 13:49:54 rhel87 systemd[1]: Starting The Apache HTTP Server...
Dec 23 13:50:05 rhel87 httpd[2807]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::5054:ff:fef5:e9f3. Set the 'ServerName' directive globally to suppress this>
Dec 23 13:50:05 rhel87 systemd[1]: Started The Apache HTTP Server.
~~~

~~~
]# openssl s_client 127.0.0.1:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, O = Unspecified, OU = ca-1427623190479128137, CN = rhel87, emailAddress = root@rhel87
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = Unspecified, OU = ca-1427623190479128137, CN = rhel87, emailAddress = root@rhel87
verify return:1
depth=0 C = US, O = Unspecified, CN = rhel87, emailAddress = root@rhel87
verify return:1
---
Certificate chain
 0 s:C = US, O = Unspecified, CN = rhel87, emailAddress = root@rhel87
   i:C = US, O = Unspecified, OU = ca-1427623190479128137, CN = rhel87, emailAddress = root@rhel87
 1 s:C = US, O = Unspecified, OU = ca-1427623190479128137, CN = rhel87, emailAddress = root@rhel87
   i:C = US, O = Unspecified, OU = ca-1427623190479128137, CN = rhel87, emailAddress = root@rhel87
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEqTCCApGgAwIBAgIIYCri+rwc7kgwDQYJKoZIhvcNAQELBQAwcTELMAkGA1UE
BhMCVVMxFDASBgNVBAoMC1Vuc3BlY2lmaWVkMR8wHQYDVQQLDBZjYS0xNDI3NjIz
MTkwNDc5MTI4MTM3MQ8wDQYDVQQDDAZyaGVsODcxGjAYBgkqhkiG9w0BCQEWC3Jv
b3RAcmhlbDg3MB4XDTIyMTIyMzA3NDQzNFoXDTIzMTIyMzA3NDQzNFowUDELMAkG
A1UEBhMCVVMxFDASBgNVBAoMC1Vuc3BlY2lmaWVkMQ8wDQYDVQQDDAZyaGVsODcx
GjAYBgkqhkiG9w0BCQEWC3Jvb3RAcmhlbDg3MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA4U4AXSxaV32WUN+0rQeD1b6AY+ovNWaOMHOOBrchGy1IErdh
lcLPris8HICR+bAjr6n6cHLpxmvy6PcYw/7y/3LeK0kemTdzy8ag5F8lLCM+AFLV
RK0wHfOK28sUVj4BZuVu8a7kRm5sVZFovuP+q/Zj9mvoa+huTifFzp8fAJqO3g4Y
AmUaF1SOlB2WO1I9H09CFLfJy3SWeuuIZxOH1VwGnBGHuGMsFT+cRqleINjn71BZ
HjAt/TvARmMNJRojdNCr7aNrkr5a1nYbRZL0v2VKHYDBLhk4hEYfKzMNJXigrKpF
U8CMMfgndAzHgz0NV/Wg7rADzfXyDdFnWQYAIQIDAQABo2YwZDAOBgNVHQ8BAf8E
BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCQYDVR0TBAIwADARBgNVHREECjAI
ggZyaGVsODcwHwYDVR0jBBgwFoAUadCiKRVS/WHiEUaOw9nQD+54ioEwDQYJKoZI
hvcNAQELBQADggIBAAyZPgNvT/NoEBufU9mQGqovUcP2OBmJGoezosBOIkKg8W0O
31e8bD2auNHIXhTsLquxGU5MfqEZjiz1F0pd50MqIv/Y5zxjk+7KiLEeNuKyaT5H
C1xJGy+RCx2l0aZywuAVRcZNGrkWwkVkEMPRpPDuAgEpCkDUurEYwupDTXVPG4bS
yBWTgB1wK546MVKH4ydys/sH8A2TVWv4KCXxuBZMaICZRZbrOV+tf5amUu89E/JL
MhDm5QmfhyKdTkE5DIsDypM4Wjzdv2XGoaLXf4/7jsfkDTQHMGGMnKGMPzdbPIc9
0HbTQX59DokxUbYLtuJ7RQrj8jQUMJ4z+Bb0E1qwlaRs0hNNQjDPiGdM/P/f2kVX
1QqnixBVa2AL1Fr4DWWXKFBqE0pKSUbuOgEy9lie89gkr2RqWBMaG/a1WurghGif
SKjkqO/i4g07ll06ekqoGh3Y/v+bhfEJYpSqKbBziCq/GwBrtNuY3ou5yYVOptey
1wJPRZ+HaAis+4PBKLjUkPKLVDjdD63KSlqNoIBZ9tIzZ9D7LHI4zioo013IW6Vc
6cjiNZAksZLdGXvXYojNuGi25m/wyUjHBS1ZUxW6VcSKi3lLvqTYuaoyECxqiipy
Tvr7+kOKIpHCDBtfLIGosKAfnnP4i0s5E3P7NhO922ScGBggW5SqMZje2ZAB
-----END CERTIFICATE-----
subject=C = US, O = Unspecified, CN = rhel87, emailAddress = root@rhel87
issuer=C = US, O = Unspecified, OU = ca-1427623190479128137, CN = rhel87, emailAddress = root@rhel87
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3247 bytes and written 369 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
~~~

Copied from the attached case: a quick fix to call sscg with a custom dhparams file so that it is created in a temporary directory that is also cleaned up at the end.

~~~
--- /usr/libexec/httpd-ssl-gencerts.221220-1	2022-07-29 03:44:13.000000000 +0000
+++ /usr/libexec/httpd-ssl-gencerts	2022-12-20 16:21:20.074712388 +0000
@@ -29,11 +29,18 @@
   exit 0
 fi
 
+dhparamstmpdir=$(mktemp -d)
+
 sscg -q \
+     --dhparams-file $dhparamstmpdir/dhparams.pem \
      --cert-file /etc/pki/tls/certs/localhost.crt \
      --cert-key-file /etc/pki/tls/private/localhost.key \
      --ca-file /etc/pki/tls/certs/localhost.crt \
      --lifetime 365 \
      --hostname $FQDN \
      --email root@$FQDN
+res=$?
+
+rm -rf $dhparamstmpdir
+exit $res
 
~~~

Thanks for the report. I think we need to work around this in httpd by adjusting httpd-ssl-gencerts, something like what is suggested in comment 4, so I'm adjusting the component.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (httpd:2.4 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2789
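Review bot: the cleanup in this hunk only runs on the normal exit path, so an sscg run that is interrupted (signal, or a reboot while the unit is still generating) leaves the mktemp directory behind, and if `mktemp -d` fails `$dhparamstmpdir` is empty, which turns `--dhparams-file $dhparamstmpdir/dhparams.pem` into `--dhparams-file /dhparams.pem`, exactly the root-level file this bug is about. Suggest `dhparamstmpdir=$(mktemp -d) || exit 1` followed by `trap 'rm -rf "$dhparamstmpdir"' EXIT`, which also makes the trailing `rm -rf $dhparamstmpdir` / `exit $res` lines unnecessary; the expansions in `--dhparams-file $dhparamstmpdir/dhparams.pem` and `--hostname $FQDN` should be double-quoted as well. Note also that sscg still generates the DH parameters and the result is thrown away, so the CPU cost at first httpd start is unchanged; worth checking whether sscg offers a way to skip that generation instead of redirecting it.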
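The reporter's workaround above removes the half-finished output by hand. As an added example that is not part of the bug report or of the httpd package, the following POSIX sh functions check for the state this bug leaves behind (no localhost.crt/localhost.key, but a stray /dhparams.pem) and apply that cleanup only when the host is actually in it, so the check can be run repeatedly from a boot-time or monitoring script. The `ROOT` prefix argument is a hypothetical addition so the functions can be exercised against a scratch directory; on a real host pass `/`.

```shell
#!/bin/sh
# Added example, not from the bug report: detect and repair the state in which
# sscg left a stray dhparams.pem at the filesystem root and httpd-ssl-gencerts
# never produced the default cert/key pair. ROOT is a hypothetical prefix so
# the check can be tried in a scratch directory; use "/" on a real host.

# Classify the default certificate material under $ROOT.
# Prints one of:
#   ok              - localhost.key and localhost.crt both exist
#   stale-dhparams  - cert/key missing but ROOT/dhparams.pem is present, i.e.
#                     a rerun of httpd-ssl-gencerts will fail again
#   missing         - nothing generated yet (normal first boot)
httpd_cert_state() {
    root=${1:-/}
    key="$root/etc/pki/tls/private/localhost.key"
    crt="$root/etc/pki/tls/certs/localhost.crt"
    dh="$root/dhparams.pem"
    if [ -f "$key" ] && [ -f "$crt" ]; then
        echo ok
    elif [ -f "$dh" ]; then
        echo stale-dhparams
    else
        echo missing
    fi
}

# Apply the workaround from the report, but only in the stale-dhparams state:
# remove the partial output so the next httpd start regenerates everything.
# Returns 0 if something was cleaned up, 1 if nothing needed doing.
httpd_cert_cleanup() {
    root=${1:-/}
    case "$(httpd_cert_state "$root")" in
        stale-dhparams)
            rm -f "$root/etc/pki/tls/private/localhost.key" \
                  "$root/etc/pki/tls/certs/localhost.crt" \
                  "$root/dhparams.pem"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Usage on a real host (the restart re-runs httpd-ssl-gencerts via httpd-init):
#   . ./httpd-cert-check.sh
#   httpd_cert_cleanup / && systemctl restart httpd
```

Because the cleanup is gated on the detected state, running it on a healthy host is a no-op, which is what makes it safe to wire into an ExecStartPre or a configuration-management run.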