Bug 195481 - Dovecot update deletes symlinks to cert files...
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Tomas Janousek
 
Reported: 2006-06-15 13:45 UTC by Michael H. Warfield
Modified: 2014-01-21 22:54 UTC (History)
Last Closed: 2007-04-06 12:52:32 UTC

Description Michael H. Warfield 2006-06-15 13:45:27 UTC
Description of problem:

After a "yum update" which updates dovecot, dovecot fails to restart and refuses
to start manually because it cannot access /usr/share/ssl/certs/dovecot.pem,
which had been a symbolic link to the real certificate file.

Version-Release number of selected component (if applicable):

dovecot-1.0-0.beta8.2.fc5 (and recent earlier updates).

How reproducible:

Very...  Has happened with the last couple of dovecot updates on 4 different
systems.

Steps to Reproduce:
1. Create a real certificate pair foo.crt/foo.key in
/usr/share/ssl/{certs/foo.crt,private/foo.key}, CA signed or self-signed as desired.

2. Create symlink from foo.crt to dovecot.pem in .../certs.

3. Create symlink from foo.key to dovecot.pem in .../private.

3. Configured ssl cert paths (dovecot.pem) in /etc/dovecot.conf

4. Update dovecot using yum

5. Note: dovecot refuses to start, unable to open cert file .../certs/dovecot.pem.

6. Note: .../certs/dovecot.pem is missing (only symlink, real cert file still
present).

7. Note: .../private/dovecot.pem is still present (undamaged).
  
Actual results:

Symlink to the cert file is deleted by yum update process.
Dovecot refuses to {re}start.
Dovecot is non-functional after an update until certs are repaired.

Expected results:

Existing cert and key files or symlinks should NEVER be tampered with (mine are
actual, real, signed X.509 certificates).  Dovecot should be functional after an
update.

Additional info:

Comment 1 Petr Rockai 2006-07-11 16:20:45 UTC
Are you sure your symlinks did not end up under /etc/pki/, the new 
default location for ssl cert stuff? I could tamper with the conffile to 
fix the location of the files if they are moved. I don't quite like the 
idea of leaving everything as it is, letting systems gradually rot over 
upgrades. All solutions seem to create complex failure scenarios. Not 
touching certificates causes default setups to get screwed. Moving them 
and tampering with conffiles may lead to non-working setup or confused 
admin (where did my certs go). Not touching certificates nor conffile 
leaves things in deprecated locations also by default. Generating 
certificate in new location if it's not there causes confusion again (why 
did the certificate change? which is the right one), etc.... I don't 
know.

Comment 2 Tomas Janousek 2007-04-06 12:52:32 UTC
Closing, been in NEEDINFO for too long.
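
A post-update check for the failure this report describes, as an added example that is not part of the original bug thread or the dovecot package: it reads the certificate and key paths from the config and reports any that no longer resolve to a readable file, distinguishing a removed name from a dangling symlink. The setting names ssl_cert_file and ssl_key_file (Dovecot 1.x) and all function names are assumptions; the report only says the cert paths are set in /etc/dovecot.conf.

```shell
#!/bin/sh
# Added example (not from the bug thread). Assumes Dovecot 1.x setting names
# ssl_cert_file / ssl_key_file; all function names here are hypothetical.

# classify_path PATH -> prints ok | missing | dangling | unreadable
classify_path() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo dangling      # the link is still there but its target is gone
    elif [ ! -e "$1" ]; then
        echo missing       # the name itself is gone (the case in this report)
    elif [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo unreadable    # not a regular file, or no read permission
    else
        echo ok            # regular file, reached directly or via a symlink
    fi
}

# cert_paths CONF -> prints one configured path per line, ignoring '#' comments
cert_paths() {
    awk '/^[ \t]*ssl_(cert|key)_file[ \t]*=/ {
        v = $0
        sub(/^[^=]*=[ \t]*/, "", v)   # drop "name =" up to the first "="
        sub(/[ \t]+$/, "", v)         # drop trailing whitespace
        print v
    }' "$1"
}

# check_conf CONF -> prints "STATE PATH" per setting; returns 1 if any is not ok
check_conf() {
    rc=0
    paths=$(cert_paths "$1")
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        state=$(classify_path "$p")
        echo "$state $p"
        [ "$state" = ok ] || rc=1
    done <<EOF
$paths
EOF
    return $rc
}

# Stand-alone use: sh check.sh /etc/dovecot.conf
if [ $# -gt 0 ]; then
    check_conf "$1"
fi
```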

