RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1356938 - mod_ssl install fails with a long hostname
Summary: mod_ssl install fails with a long hostname
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: httpd
Version: 6.8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-15 10:22 UTC by Martin Frodl
Modified: 2021-01-14 09:36 UTC (History)
3 users (show)

Fixed In Version: httpd-2.2.15-57.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1240495
Environment:
Last Closed: 2017-03-21 11:50:52 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0784 0 normal SHIPPED_LIVE httpd bug fix update 2017-03-21 12:49:39 UTC

Description Martin Frodl 2016-07-15 10:22:49 UTC 
Same problem present in httpd-2.2.15-54.el6_8.

+++ This bug was initially created as a clone of Bug #1240495 +++

upstream openstack CI is occasionally [1] failing; e.g.

---
2015-07-04 15:20:33.078 | + sudo /sbin/service httpd start
2015-07-04 15:20:33.095 | Redirecting to /bin/systemctl start  httpd.service
2015-07-04 15:20:33.196 | Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
2015-07-04 15:20:33.197 | + exit_trap
---

---
Jul 04 15:20:33 devstack-... systemd[1]: Starting The Apache HTTP Server...
Jul 04 15:20:33 devstack-... httpd[6407]: AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
Jul 04 15:20:33 devstack-... httpd[6407]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Jul 04 15:20:33 devstack-... systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
---

However when we trace backwards, we see

---
2015-07-04 15:07:24.037 |   Installing : 1:mod_ssl-2.4.6-31.el7.centos.x86_64                       56/77 
2015-07-04 15:07:24.037 | warning: %post(mod_ssl-1:2.4.6-31.el7.centos.x86_64) scriptlet failed, exit status 1
2015-07-04 15:07:24.039 | Non-fatal POSTIN scriptlet failure in rpm package 1:mod_ssl-2.4.6-31.el7.centos.x86_64
---

The mod_ssl post script [1] doesn't do a lot -- it generates /etc/pki/tls/private/localhost.key and then /etc/pki/tls/certs/localhost.crt

Really, the only place this could cause the script to exit with "1" is if the final call to "openssl req" fails.

The way it is written, the error output of "openssl gen" gets sent to /dev/null so we don't get a smoking gun.  But after a bunch of testing I believe the issue is with the length of the hostname
---
# hostname devstack-centos7-1435932846.template.openstack.org.novalocal
# rm /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key 
# yum remove -y mod_ssl

# yum install -y mod_ssl
...
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-31.el7.centos will be installed
Running transaction
  Installing : 1:mod_ssl-2.4.6-31.el7.centos.x86_64
warning: %post(mod_ssl-1:2.4.6-31.el7.centos.x86_64) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package 1:mod_ssl-2.4.6-31.el7.centos.x86_64
---

(if you run it on the command-line by hand, it complains the hostname is too long)

I don't know what the right thing to do is : pki/tls/openssl.cnf sets commonName_max to 64 characters so that's where the limit comes from; chopping it off seems easy but maybe wrong, and failing silently in this way is definitely wrong -- any failure output would have helped track this down a lot faster.

[1] search for "Job for httpd.service failed" at logstash.openstack.org
[2] http://logs.openstack.org/96/198496/1/check/check-tempest-dsvm-centos7/5a0897e/logs/devstacklog.txt.gz
[3] http://pkgs.fedoraproject.org/cgit/httpd.git/tree/httpd.spec#n501
Comment 9 errata-xmlrpc 2017-03-21 11:50:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0784.html
Note You need to log in before you can comment on or make changes to this bug.