RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1240495 - mod_ssl install fails with a long hostname
Summary: mod_ssl install fails with a long hostname
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: Martin Frodl
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-07-07 06:18 UTC by Ian Wienand
Modified: 2021-01-14 09:34 UTC (History)
5 users (show)

Fixed In Version: httpd-2.4.6-41.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1356938 (view as bug list)
Environment:
Last Closed: 2016-11-04 08:08:38 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2534 0 normal SHIPPED_LIVE httpd bug fix and enhancement update 2016-11-03 14:17:49 UTC

Description Ian Wienand 2015-07-07 06:18:36 UTC 
upstream openstack CI is occasionally [1] failing; e.g.

---
2015-07-04 15:20:33.078 | + sudo /sbin/service httpd start
2015-07-04 15:20:33.095 | Redirecting to /bin/systemctl start  httpd.service
2015-07-04 15:20:33.196 | Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
2015-07-04 15:20:33.197 | + exit_trap
---

---
Jul 04 15:20:33 devstack-... systemd[1]: Starting The Apache HTTP Server...
Jul 04 15:20:33 devstack-... httpd[6407]: AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
Jul 04 15:20:33 devstack-... httpd[6407]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Jul 04 15:20:33 devstack-... systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
---

However when we trace backwards, we see

---
2015-07-04 15:07:24.037 |   Installing : 1:mod_ssl-2.4.6-31.el7.centos.x86_64                       56/77 
2015-07-04 15:07:24.037 | warning: %post(mod_ssl-1:2.4.6-31.el7.centos.x86_64) scriptlet failed, exit status 1
2015-07-04 15:07:24.039 | Non-fatal POSTIN scriptlet failure in rpm package 1:mod_ssl-2.4.6-31.el7.centos.x86_64
---

The mod_ssl post script [1] doesn't do a lot -- it generates /etc/pki/tls/private/localhost.key and then /etc/pki/tls/certs/localhost.crt

Really, the only place this could cause the script to exit with "1" is if the final call to "openssl req" fails.

The way it is written, the error output of "openssl gen" gets sent to /dev/null so we don't get a smoking gun.  But after a bunch of testing I believe the issue is with the length of the hostname
---
# hostname devstack-centos7-1435932846.template.openstack.org.novalocal
# rm /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key 
# yum remove -y mod_ssl

# yum install -y mod_ssl
...
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-31.el7.centos will be installed
Running transaction
  Installing : 1:mod_ssl-2.4.6-31.el7.centos.x86_64
warning: %post(mod_ssl-1:2.4.6-31.el7.centos.x86_64) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package 1:mod_ssl-2.4.6-31.el7.centos.x86_64
---

(if you run it on the command-line by hand, it complains the hostname is too long)

I don't know what the right thing to do is : pki/tls/openssl.cnf sets commonName_max to 64 characters so that's where the limit comes from; chopping it off seems easy but maybe wrong, and failing silently in this way is definitely wrong -- any failure output would have helped track this down a lot faster.

[1] search for "Job for httpd.service failed" at logstash.openstack.org
[2] http://logs.openstack.org/96/198496/1/check/check-tempest-dsvm-centos7/5a0897e/logs/devstacklog.txt.gz
[3] http://pkgs.fedoraproject.org/cgit/httpd.git/tree/httpd.spec#n501
Comment 2 Joe Orton 2015-07-07 08:26:29 UTC 
That's fun, I've not seen this before.

RFC 5280 says that the maximum length of a common name is 64 characters, so this seems to be a restriction of the spec rather than the software.  I'm not sure what we can or should do about this.  I guess we could force the %post script to use "localhost" in the case where the length is > 64.

The FQDN you're using there is only 60 characters, I'm not sure why that should exceed the 64 char limit.  Weird.
Comment 3 Joe Orton 2015-07-07 08:35:45 UTC 
Ah we're hitting the 64 char maximum of emailAddress, which is "root@" + FQDN, hence the maximum FQDN we can handle is exactly 59.
Comment 4 Joe Orton 2015-07-07 08:50:13 UTC 
Pushed this to Fedora. http://pkgs.fedoraproject.org/cgit/httpd.git/diff/?id=db205dad277f6b7712dc2fd57d9e3b056b637c14
Comment 11 errata-xmlrpc 2016-11-04 08:08:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2534.html
Note You need to log in before you can comment on or make changes to this bug.