Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
upstream openstack CI is occasionally [1] failing; e.g.
---
2015-07-04 15:20:33.078 | + sudo /sbin/service httpd start
2015-07-04 15:20:33.095 | Redirecting to /bin/systemctl start httpd.service
2015-07-04 15:20:33.196 | Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
2015-07-04 15:20:33.197 | + exit_trap
---
---
Jul 04 15:20:33 devstack-... systemd[1]: Starting The Apache HTTP Server...
Jul 04 15:20:33 devstack-... httpd[6407]: AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
Jul 04 15:20:33 devstack-... httpd[6407]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Jul 04 15:20:33 devstack-... systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
---
However when we trace backwards, we see
---
2015-07-04 15:07:24.037 | Installing : 1:mod_ssl-2.4.6-31.el7.centos.x86_64 56/77
2015-07-04 15:07:24.037 | warning: %post(mod_ssl-1:2.4.6-31.el7.centos.x86_64) scriptlet failed, exit status 1
2015-07-04 15:07:24.039 | Non-fatal POSTIN scriptlet failure in rpm package 1:mod_ssl-2.4.6-31.el7.centos.x86_64
---
The mod_ssl post script [1] doesn't do a lot -- it generates /etc/pki/tls/private/localhost.key and then /etc/pki/tls/certs/localhost.crt
Really, the only place this could cause the script to exit with "1" is if the final call to "openssl req" fails.
The way it is written, the error output of "openssl gen" gets sent to /dev/null so we don't get a smoking gun. But after a bunch of testing I believe the issue is with the length of the hostname
---
# hostname devstack-centos7-1435932846.template.openstack.org.novalocal
# rm /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
# yum remove -y mod_ssl
# yum install -y mod_ssl
...
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-31.el7.centos will be installed
Running transaction
Installing : 1:mod_ssl-2.4.6-31.el7.centos.x86_64
warning: %post(mod_ssl-1:2.4.6-31.el7.centos.x86_64) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package 1:mod_ssl-2.4.6-31.el7.centos.x86_64
---
(if you run it on the command-line by hand, it complains the hostname is too long)
I don't know what the right thing to do is : pki/tls/openssl.cnf sets commonName_max to 64 characters so that's where the limit comes from; chopping it off seems easy but maybe wrong, and failing silently in this way is definitely wrong -- any failure output would have helped track this down a lot faster.
[1] search for "Job for httpd.service failed" at logstash.openstack.org
[2] http://logs.openstack.org/96/198496/1/check/check-tempest-dsvm-centos7/5a0897e/logs/devstacklog.txt.gz
[3] http://pkgs.fedoraproject.org/cgit/httpd.git/tree/httpd.spec#n501
That's fun, I've not seen this before.
RFC 5280 says that the maximum length of a common name is 64 characters, so this seems to be a restriction of the spec rather than the software. I'm not sure what we can or should do about this. I guess we could force the %post script to use "localhost" in the case where the length is > 64.
The FQDN you're using there is only 60 characters, I'm not sure why that should exceed the 64 char limit. Weird.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHEA-2016-2534.html