Bug 169620 - Mismatch between htttpd config tool and ssl key Makefile
Summary: Mismatch between htttpd config tool and ssl key Makefile
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-httpd
Version: 4
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Phil Knirsch
QA Contact:
: 179768 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2005-09-30 11:04 UTC by bob mckay
Modified: 2015-03-05 01:15 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2008-02-29 04:31:18 UTC

Attachments (Terms of Use)

Description bob mckay 2005-09-30 11:04:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7) Gecko/20040616

Description of problem:
When ssl is turned on, system-config-httpd insists on a CA chain file (to be exact, httpd crashes if the field is left blank). I don't know enough about key systems to know if this is correct behaviour or not. What I _do_ know is that the Makefile in /etc/pki/tls/certs supports the creation of self-signed keys, but in the process, does _not_ create a CA chain file. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Follow the well-documented processes around the web to use /etc/pki/tls/certs/Makefile to create a self-signed certificate
2. Run system-config-httpd, turn on ssl, and fill the fields for which files have been created
3. save the configuration
4. restart httpd

Actual Results:  httpd crashes

Expected Results:  system-config-httpd should have created a valid httpd.conf file

Additional info:

I don't know what the correct behaviour should be here. I can think of at least four (not entirely mutually exclusive)
.system-config-httpd doesn't create a CA chain file directive if none is specified (I don't know if this is a reasonable behaviour or not)
.system-config-httpd _gives a helpful error message_ if a null CA chain file is specified
./etc/pki/tls/certs/Makefile creates a dummy CA chain file when it creates a self-signed certificate
.the documentation (should be both the Makefile and system-config-httpd) tells you what to do about the CA chain file when you create a self-signed certificate

I also don't know how serious this bug is; I seem to have gotten around it by pointing the CA chain file to the default CA-bundle file, but I have no idea whether this is a reasonable solution or if I have just opened up a huge security hole.

Comment 1 Phil Knirsch 2006-06-28 09:20:36 UTC
*** Bug 179768 has been marked as a duplicate of this bug. ***

Comment 2 Phil Knirsch 2006-11-20 12:56:50 UTC
Last week i've released system-config-httpd-1.4.1 for FC5, FC6 as testing and
put it in FC-devel as well.

Please give it a shot and let me know if this is working for you now.


Read ya, Phil

Comment 3 petrosyan 2008-02-29 04:31:18 UTC
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.

Comment 4 bob mckay 2008-02-29 11:48:25 UTC
The default key installation in F8 obviates the need to make a key. 

Note You need to log in before you can comment on or make changes to this bug.