Bug 752618

Summary: mod_ssl post install script can cause failures
Product: Red Hat Enterprise Linux 5
Component: httpd
Version: 5.7
Hardware: i386
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Reporter: Steve <smithsg>
Assignee: Joe Orton <jorton>
QA Contact: Aleš Mareček <amarecek>
CC: amarecek, atodorov, jkaluza, prc
Fixed In Version: httpd-2.2.3-74.el5
Doc Type: Bug Fix
Last Closed: 2013-01-08 05:03:55 UTC
Bug Blocks: 867745

Description Steve 2011-11-10 00:41:43 UTC
Description of problem:
Upgrading httpd and mod_ssl when an invalid key is present in /etc/pki/tls/private/localhost.key could cause an upgrade failure in mod_ssl's post routine.  This will occur if /etc/pki/tls/certs/localhost.crt does not exist.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. make sure /etc/pki/tls/certs/localhost.crt does not exist
2. make sure /etc/pki/tls/private/localhost.key does exist but is not a proper key file (can be a zero length file)
3. upgrade httpd and mod_ssl from 2.2.3-43.el5 to 2.2.3-53.el5_7.3
  

Actual results:
[root@b1sp3-cm pub]# rpm -qa | grep -e mod_ssl -e httpd
httpd-2.2.3-43.el5
mod_ssl-2.2.3-43.el5
[root@b1sp3-cm private]# ll /etc/pki/tls/private
total 0
-rw------- 1 root root   0 Nov  2  2010 localhost.key
[root@b1sp3-cm private]# ll /etc/pki/tls/certs
total 444
-rw-r--r-- 1 root root   2240 Mar 12  2010 Makefile
-rw-r--r-- 1 root root 441017 Mar 12  2010 ca-bundle.crt
-rwxr-xr-x 1 root root    610 Mar 12  2010 make-dummy-cert
[root@b1sp3-cm pub]# rpm -Uvh mod_ssl-2.2.3-53.el5_7.3.i386.rpm httpd-2.2.3-53.el5_7.3.i386.rpm
Preparing...                ########################################### [100%]
   1:httpd                  ########################################### [ 50%]
   2:mod_ssl                ########################################### [100%]
error: %post(mod_ssl-2.2.3-53.el5_7.3.i386) scriptlet failed, exit status 1
[root@b1sp3-cm pub]# rpm -qa | grep -e mod_ssl -e httpd
httpd-2.2.3-53.el5_7.3
mod_ssl-2.2.3-43.el5
mod_ssl-2.2.3-53.el5_7.3


Expected results:
[root@b1sp3-cm pub]# rpm -qa | grep -e mod_ssl -e httpd
httpd-2.2.3-43.el5
mod_ssl-2.2.3-43.el5
[root@b1sp3-cm pub]# rpm -Uvh mod_ssl-2.2.3-53.el5_7.3.i386.rpm httpd-2.2.3-53.el5_7.3.i386.rpm
Preparing...                ########################################### [100%]
   1:httpd                  ########################################### [ 50%]
   2:mod_ssl                ########################################### [100%]
[root@b1sp3-cm pub]# rpm -qa | grep -e mod_ssl -e httpd
httpd-2.2.3-53.el5_7.3
mod_ssl-2.2.3-53.el5_7.3



Additional info:
Patch the spec like so?

build-2:/SPECS:30$ diff -u httpd.spec.orig httpd.spec
--- httpd.spec.orig     2011-11-09 19:29:15.708095000 -0500
+++ httpd.spec  2011-11-09 19:33:37.465072000 -0500
@@ -580,6 +580,8 @@
 fi

 if [ ! -f %{sslcert} ] ; then
+    openssl rsa -check -in /etc/pki/tls/private/localhost.key 2>/dev/null
+    if [ $? -eq 0 ]
 cat << EOF | %{_bindir}/openssl req -new -key %{sslkey} \
          -x509 -days 365 -set_serial $RANDOM \
          -out %{sslcert} 2>/dev/null
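Review bot: the added `if [ $? -eq 0 ]` has no `then`, so the scriptlet is a shell syntax error as written; it should read `if [ $? -eq 0 ] ; then`, or the test can be folded into one line as `if %{_bindir}/openssl rsa -check -noout -in %{sslkey} >/dev/null 2>&1 ; then`. Two further points on the `openssl rsa -check` line: without `-noout` the command writes the private key to stdout, and only stderr is redirected here, so the key would be printed during the package transaction; and the key path is hard-coded where the `openssl req` call below uses `%{sslkey}` and `%{_bindir}/openssl`.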
@@ -591,6 +593,7 @@
 ${FQDN}
 root@${FQDN}
 EOF
+    fi
 fi

 %check
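Review bot: the `fi` added after `EOF` closes the key check with no `else`, so when the key is rejected the block is skipped silently and `%{sslcert}` still does not exist once %post finishes. Consider an `else` branch that prints a warning to stderr naming `%{sslkey}`, so the administrator learns that no certificate was generated.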

Comment 1 Joe Orton 2012-03-23 09:14:54 UTC
Thanks for the report.

Comment 3 RHEL Program Management 2012-04-19 11:51:17 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 10 Joe Orton 2012-10-18 16:07:45 UTC
*** Bug 867736 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2013-01-08 05:03:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0130.html