Bug 2356216
| Summary: | sscg fails with openssl 3.5+ | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florence Blanc-Renaud <frenaud> |
| Component: | sscg | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | sgallagh |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sscg-3.0.6-1.fc43 sscg-3.0.6-2.fc40 sscg-3.0.6-2.fc41 sscg-3.0.6-2.fc42 | Doc Type: | --- |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2025-03-31 17:14:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Thanks for the ping. I forgot to do a minor upstream release and package that up. It's on it's way to Rawhide now. FEDORA-2025-e0a5b5357c (sscg-3.0.6-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-e0a5b5357c FEDORA-2025-cf95d15f1f (sscg-3.0.6-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-cf95d15f1f FEDORA-2025-91d5981247 (sscg-3.0.6-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2025-91d5981247 FEDORA-2025-e0a5b5357c has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-e0a5b5357c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-e0a5b5357c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-91d5981247 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-91d5981247` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-91d5981247 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-cf95d15f1f has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cf95d15f1f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cf95d15f1f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-9f66a41214 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-9f66a41214` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-9f66a41214 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-c2b9f2de20 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-c2b9f2de20` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-c2b9f2de20 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-303cff376c has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-303cff376c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-303cff376c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-9f66a41214 (sscg-3.0.6-2.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2025-303cff376c (sscg-3.0.6-2.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2025-c2b9f2de20 (sscg-3.0.6-2.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report. |
When mod_ssl is installed, systemctl start httpd fails. At startup, httpd calls /usr/libexec/httpd-ssl-gencerts in order to create a key / certificate pair in /etc/pki/tls/private/localhost.key and /etc/pki/tls/certs/localhost.crt if they don't exist (the cert is configured by default in /etc/httpd/conf.d/ssl.conf). httpd-ssl-gencerts internally calls /usr/sbin/sscg but this CLI fails with: Error occurred in X509_REQ_set_version: [error:05880106:x509 certificate routines::passed invalid argument]. The version shipped in rawhide is sscg-3.0.5-8.fc42.x86_64 which fails with openssl-3.5.0-2.fc43.x86_64. It used to work with openssl-3.2.4-3.fc43.x86_64. Reproducible: Always Steps to Reproduce: 1. dnf install -y httpd mod_md mod_ssl 2. systemctl start httpd Actual Results: Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details. Expected Results: Should succeed # systemctl start httpd Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details. [root@vm-10-0-184-33 ~]# systemctl status httpd × httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d └─10-timeout-abort.conf, 50-keep-warm.conf Active: failed (Result: exit-code) since Mon 2025-03-31 09:27:08 EDT; 5s ago Invocation: 2f62182f68cc4a80be79a299b8cd79f1 Docs: man:httpd.service(8) Process: 26471 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE) Main PID: 26471 (code=exited, status=1/FAILURE) Status: "Reading configuration..." Mem peak: 4M CPU: 84ms Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Starting httpd.service - The Apache HTTP Server... Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com (httpd)[26471]: httpd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd[26471]: AH00526: Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf: Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd[26471]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Failed with result 'exit-code'. Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start httpd.service - The Apache HTTP Server. The journal also contains: Mar 31 09:27:07 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Starting httpd-init.service - One-time temporary TLS key generation for httpd.service... Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd-ssl-gencerts[26467]: Error occurred in X509_REQ_set_version: [error:05880106:x509 certificate routines::passed invalid argument]. Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd-init.service: Main process exited, code=exited, status=5/NOTINSTALLED Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd-init.service: Failed with result 'exit-code'. Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start httpd-init.service - One-time temporary TLS key generation for httpd.service. Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd-init comm="systemd" exe="/usr/lib/systemd/syste> Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com audit: BPF prog-id=158 op=LOAD Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Starting httpd.service - The Apache HTTP Server... Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com (httpd)[26471]: httpd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd[26471]: AH00526: Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf: Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd[26471]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Failed with result 'exit-code'. Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start httpd.service - The Apache HTTP Server. The upstream repo for sscg contains a patch that mentions an incompatibility with openssl 3.4 and above: Commit b63dd4d x509: Use proper version for CSR and the next patch: Commit 8b096dc Use magic number for X509_VERSION_1 I suspect that those patches should be added to the rawhide build.