+++ This bug was initially created as a clone of Bug #1023168 +++

Description of problem:
This is a follow-up for Bug 1018172. As Joe Orton commented, "Listen X https" or simply "Listen 443" now means an implicit "SSLEngine on" for the vhost. This does not play well when the HTTPS vhost is processed with mod_ssl and httpd won't start:

[Tue Oct 15 07:19:56.815573 2013] [ssl:emerg] [pid 4757] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Oct 15 07:19:56.815594 2013] [ssl:emerg] [pid 4757] AH02312: Fatal error initialising mod_ssl, exiting.

We should be able to at least set "SSLEngine off" in the mod_nss config to avoid this error.

Additional Note: Our current workaround is to use "Listen 443 http".

+++++++++++++++++++++++++++

With httpd-2.4.6-6.fc20/httpd-2.4.6-7.el7, mod_nss can add

<IfModule mod_ssl.c>
SSLEngine off
</IfModule>

to vhosts in the default mod_nss.conf to avoid the "Listen X http" hack. See Bug 1029042 and Bug 1029043 filed for mod_nss.

When this is fixed in mod_nss, IPA should remove the "Listen 443 http" hack.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4021
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f20577ddc4ab40c2365c8abaa703d96019ec4eef/
ipa-3-3: https://fedorahosted.org/freeipa/changeset/3a11044664341257a3929da2db1c493659515eec/
The change was removed from ipa-3-3 due to missing dependencies in Fedora 19. RHEL will need to carry it as a patch.
Verified. SSLEngine is off in the mod_nss default install, and nss.conf now contains only "Listen 443" after install.

[root@rhel70-master ~]# rpm -q ipa-server mod_nss mod_ssl
ipa-server-3.3.3-15.el7.x86_64
mod_nss-1.0.8-32.el7.x86_64
mod_ssl-2.4.6-14.el7.x86_64
[root@rhel70-master ~]#

Steps performed for verification:
================================

(1) SSLEngine is off in nss.conf

[root@rhel70-master ~]# grep -r "SSLEngine off" /etc/httpd/conf.d/nss.conf
SSLEngine off
[root@rhel70-master ~]#

(2) Changed port 443 to 9000 in ssl.conf so that it does not conflict with the mod_nss configuration for ipa-server-install

[root@rhel70-master ~]# sed -i 's/443/9000/g' /etc/httpd/conf.d/ssl.conf
[root@rhel70-master ~]# grep -r 9000 /etc/httpd/conf.d/ssl.conf
Listen 9000 https
<VirtualHost _default_:9000>
#ServerName www.example.com:9000
[root@rhel70-master ~]#

(3) Ran ipa-server-install

[root@rhel70-master ~]# ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=rhel70-master.testrelm.com -r TESTRELM.COM -n testrelm.com -p xxxxxxxx -P xxxxxxxx -a xxxxxxxx -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
..
...
....
.....
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this file is the Directory Manager password
[root@rhel70-master ~]#

(4) No "Listen 443 http" in nss.conf after ipa-server-install.

[root@rhel70-master ~]# grep -r "Listen 443" /etc/httpd/conf.d/nss.conf
Listen 443
[root@rhel70-master ~]#
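The description and the verification above between them describe three states of a mod_nss conf fragment under httpd 2.4.6+: the "Listen 443 http" workaround, the broken state where a plain "Listen 443" makes the vhost implicitly SSL-aware with no certificate for mod_ssl (AH02240), and the fixed state with "SSLEngine off" guarded by IfModule mod_ssl.c. The script below is an added audit check, not code from this bug, FreeIPA or mod_nss. It assumes one conf file is examined at a time, treats any "SSLEngine off" or SSLCertificateFile in the file as sufficient (it does not evaluate IfModule conditions), and the four sample files it writes are constructed here to mirror the states named in the bug; the certificate path in the last sample is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the bug report, FreeIPA or mod_nss.
# Audits an httpd conf fragment for listeners that httpd 2.4.6+ treats as
# implicitly SSL-aware ("Listen 443" with no protocol, or "Listen <port> https")
# when the fragment sets neither "SSLEngine off" nor an SSLCertificateFile.
# With mod_ssl loaded next to mod_nss, that combination is what yields AH02240.
# check_conf prints exactly one word: ok, implicit-ssl-no-cert or no-listen.

check_conf() {
    cc_conf="$1"
    # Strip comments, then let awk classify the directives we care about.
    # Listen: field 2 is [addr:]port, optional field 3 is the protocol.
    cc_summary=$(sed 's/#.*//' "$cc_conf" | awk '
        tolower($1) == "listen" {
            listens = 1
            n = split($2, a, ":"); port = a[n]
            if (tolower($3) == "https" || ($3 == "" && port == "443")) implicit = 1
        }
        tolower($1) == "sslengine" && tolower($2) == "off" { engine_off = 1 }
        tolower($1) == "sslcertificatefile"                { cert = 1 }
        END { print listens+0, implicit+0, engine_off+0, cert+0 }')
    # Positional parameters inside the function: listens implicit engine_off cert
    set -- $cc_summary
    if [ "$1" -eq 0 ]; then
        echo no-listen
    elif [ "$2" -eq 1 ] && [ "$3" -eq 0 ] && [ "$4" -eq 0 ]; then
        echo implicit-ssl-no-cert
    else
        echo ok
    fi
}

# Constructed sample fragments (not real files from an IPA install).
write_samples() {
    sd="$1"
    # 1. IPA's workaround: an explicit http protocol keeps mod_ssl off port 443.
    printf 'Listen 443 http\n<VirtualHost _default_:443>\nNSSEngine on\n</VirtualHost>\n' \
        > "$sd/nss-hack.conf"
    # 2. Workaround removed, mod_nss not yet fixed: 443 is implicitly https,
    #    and mod_nss uses NSS directives, so mod_ssl sees no certificate.
    printf 'Listen 443\n<VirtualHost _default_:443>\nNSSEngine on\n</VirtualHost>\n' \
        > "$sd/nss-broken.conf"
    # 3. Fixed mod_nss default: SSLEngine off, guarded so it only applies when mod_ssl is loaded.
    printf 'Listen 443\n<VirtualHost _default_:443>\n<IfModule mod_ssl.c>\n  SSLEngine off\n</IfModule>\nNSSEngine on\n</VirtualHost>\n' \
        > "$sd/nss-fixed.conf"
    # 4. The verification's ssl.conf moved to 9000: explicit https, but mod_ssl has a cert.
    #    The certificate path is a placeholder.
    printf 'Listen 9000 https\n<VirtualHost _default_:9000>\nSSLEngine on\nSSLCertificateFile /etc/pki/tls/certs/placeholder.crt\n</VirtualHost>\n' \
        > "$sd/ssl-9000.conf"
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
for f in nss-hack nss-broken nss-fixed ssl-9000; do
    printf '%-16s %s\n' "$f.conf:" "$(check_conf "$SAMPLE_DIR/$f.conf")"
done
```

Run against a real /etc/httpd/conf.d/nss.conf, only nss-broken-style output ("implicit-ssl-no-cert") indicates a file that will fail the way the bug describes once mod_ssl is installed; the check deliberately ignores NSSEngine, since mod_ssl does too.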
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.