Red Hat Bugzilla – Bug 169620
Mismatch between httpd config tool and ssl key Makefile
Last modified: 2015-03-04 20:15:11 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7) Gecko/20040616
Description of problem:
When ssl is turned on, system-config-httpd insists on a CA chain file (to be exact, httpd crashes if the field is left blank). I don't know enough about key systems to know if this is correct behaviour or not. What I _do_ know is that the Makefile in /etc/pki/tls/certs supports the creation of self-signed keys, but in the process, does _not_ create a CA chain file.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Follow the well-documented processes around the web to use /etc/pki/tls/certs/Makefile to create a self-signed certificate
2. Run system-config-httpd, turn on ssl, and fill the fields for which files have been created
3. Save the configuration
4. Restart httpd
Actual Results: httpd crashes
Expected Results: system-config-httpd should have created a valid httpd.conf file
I don't know what the correct behaviour should be here. I can think of at least four (not entirely mutually exclusive):
- system-config-httpd doesn't create a CA chain file directive if none is specified (I don't know if this is a reasonable behaviour or not)
- system-config-httpd _gives a helpful error message_ if a null CA chain file is specified
- /etc/pki/tls/certs/Makefile creates a dummy CA chain file when it creates a self-signed certificate
- the documentation (should be both the Makefile and system-config-httpd) tells you what to do about the CA chain file when you create a self-signed certificate
I also don't know how serious this bug is; I seem to have gotten around it by pointing the CA chain file to the default CA-bundle file, but I have no idea whether this is a reasonable solution or if I have just opened up a huge security hole.
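A pre-restart check for the failure reported above, as an added example that is not part of the original report or of system-config-httpd: it flags SSL file directives in an httpd configuration whose path is empty or missing on disk. It assumes the "CA chain file" field maps to mod_ssl's SSLCertificateChainFile or SSLCACertificateFile; the sample configuration and its server.crt/server.key names are constructed.

```python
import os
import shlex

# mod_ssl directives that take a file path as their argument.
SSL_FILE_DIRECTIVES = {
    "sslcertificatefile",
    "sslcertificatekeyfile",
    "sslcertificatechainfile",   # assumed target of the "CA chain file" field
    "sslcacertificatefile",      # assumed alternative target
}

# Constructed sample: a self-signed setup where the chain field was left blank.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCertificateChainFile
    # SSLCACertificateFile is not needed for a self-signed certificate
</VirtualHost>
"""


def lint_ssl_paths(conf_text, exists=os.path.isfile):
    """Return (line_number, directive, problem) for each suspect directive."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments and section tags such as <VirtualHost>.
        if not line or line[0] in "#<":
            continue
        try:
            tokens = shlex.split(line)  # honours quoted paths, including ""
        except ValueError:
            continue  # unbalanced quotes: leave that to `apachectl configtest`
        name, args = tokens[0], tokens[1:]
        if name.lower() not in SSL_FILE_DIRECTIVES:
            continue
        if not args or not args[0].strip():
            findings.append((lineno, name, "empty path"))
        elif not exists(args[0]):
            findings.append((lineno, name, "file not found"))
    return findings


if __name__ == "__main__":
    for lineno, name, problem in lint_ssl_paths(SAMPLE_CONF):
        print(f"line {lineno}: {name}: {problem}")
```

Run it against the generated configuration before restarting httpd; an "empty path" finding on a chain directive is the condition described in this report.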
*** Bug 179768 has been marked as a duplicate of this bug. ***
Last week I've released system-config-httpd-1.4.1 for FC5, FC6 as testing and
put it in FC-devel as well.
Please give it a shot and let me know if this is working for you now.
Read ya, Phil
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present. Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.
Setting status to "INSUFFICIENT_DATA". If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested,
please feel free to reopen the bug report.
Thank you in advance.
The default key installation in F8 obviates the need to make a key.