Bug 2356216 - sscg fails with openssl 3.5+
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sscg
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2025-03-31 13:33 UTC by Florence Blanc-Renaud
Modified: 2025-04-20 04:21 UTC (History)

Fixed In Version: sscg-3.0.6-1.fc43 sscg-3.0.6-2.fc40 sscg-3.0.6-2.fc41 sscg-3.0.6-2.fc42
Last Closed: 2025-03-31 17:14:05 UTC

Description Florence Blanc-Renaud 2025-03-31 13:33:18 UTC
When mod_ssl is installed, systemctl start httpd fails.

At startup, httpd calls /usr/libexec/httpd-ssl-gencerts in order to create a key / certificate pair in /etc/pki/tls/private/localhost.key and /etc/pki/tls/certs/localhost.crt if they don't exist (the cert is configured by default in /etc/httpd/conf.d/ssl.conf).

httpd-ssl-gencerts internally calls /usr/sbin/sscg but this CLI fails with:
Error occurred in X509_REQ_set_version: [error:05880106:x509 certificate routines::passed invalid argument].

The version shipped in rawhide is sscg-3.0.5-8.fc42.x86_64 which fails with openssl-3.5.0-2.fc43.x86_64. It used to work with openssl-3.2.4-3.fc43.x86_64.

Reproducible: Always

Steps to Reproduce:
1. dnf install -y httpd mod_md mod_ssl
2. systemctl start httpd

Actual Results:  
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.


Expected Results:  
Should succeed

# systemctl start httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
[root@vm-10-0-184-33 ~]# systemctl status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf, 50-keep-warm.conf
     Active: failed (Result: exit-code) since Mon 2025-03-31 09:27:08 EDT; 5s ago
 Invocation: 2f62182f68cc4a80be79a299b8cd79f1
       Docs: man:httpd.service(8)
    Process: 26471 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 26471 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
   Mem peak: 4M
        CPU: 84ms

Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Starting httpd.service - The Apache HTTP Server...
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com (httpd)[26471]: httpd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd[26471]: AH00526: Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd[26471]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start httpd.service - The Apache HTTP Server.


The journal also contains:
Mar 31 09:27:07 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Starting httpd-init.service - One-time temporary TLS key generation for httpd.service...
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd-ssl-gencerts[26467]: Error occurred in X509_REQ_set_version: [error:05880106:x509 certificate routines::passed invalid argument].
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd-init.service: Main process exited, code=exited, status=5/NOTINSTALLED
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd-init.service: Failed with result 'exit-code'.
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start httpd-init.service - One-time temporary TLS key generation for httpd.service.
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd-init comm="systemd" exe="/usr/lib/systemd/syste>
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com audit: BPF prog-id=158 op=LOAD
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Starting httpd.service - The Apache HTTP Server...
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com (httpd)[26471]: httpd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd[26471]: AH00526: Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com httpd[26471]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Mar 31 09:27:08 vm-10-0-184-33.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start httpd.service - The Apache HTTP Server.


The upstream repo for sscg contains a patch that mentions an incompatibility with openssl 3.4 and above:
Commit b63dd4d x509: Use proper version for CSR

and the next patch:
Commit 8b096dc Use magic number for X509_VERSION_1

I suspect that those patches should be added to the rawhide build.
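
Added example (not part of the original report and not sscg code): a short triage script that walks journal lines like the ones above, links the visible httpd.service failure back to the earlier httpd-init.service failure, and unpacks the OpenSSL error code 05880106 using the OpenSSL 3.x error-code layout. The hostname in the sample lines is shortened to "host", and the function names `decode_openssl_error` and `triage` are illustrative.

```python
import re

# Journal lines taken from the report above, hostname shortened to "host".
JOURNAL = """\
Mar 31 09:27:07 host systemd[1]: Starting httpd-init.service - One-time temporary TLS key generation for httpd.service...
Mar 31 09:27:08 host httpd-ssl-gencerts[26467]: Error occurred in X509_REQ_set_version: [error:05880106:x509 certificate routines::passed invalid argument].
Mar 31 09:27:08 host systemd[1]: httpd-init.service: Failed with result 'exit-code'.
Mar 31 09:27:08 host httpd[26471]: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Mar 31 09:27:08 host systemd[1]: httpd.service: Failed with result 'exit-code'.
"""

# Error-code layout as defined in OpenSSL 3.x <openssl/err.h>.
ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAG_FATAL, ERR_RFLAG_COMMON = 0x1 << 18, 0x2 << 18
ERR_LIB_X509 = 11
ERR_R_PASSED_INVALID_ARGUMENT = 262 | ERR_RFLAG_COMMON

OSSL_RE = re.compile(r"Error occurred in (\w+): \[error:([0-9A-Fa-f]{8}):")
FAILED_RE = re.compile(r"systemd\[1\]: (\S+\.service): Failed with result")
MISSING_RE = re.compile(r"SSLCertificateFile: file '([^']+)' does not exist")


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 3.x error code into library and reason."""
    code = int(code_hex, 16)
    reason = code & ERR_REASON_MASK
    return {
        "lib": (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK,
        "reason": reason,
        "common": bool(reason & ERR_RFLAG_COMMON),  # library-independent reason
        "fatal": bool(reason & ERR_RFLAG_FATAL),
    }


def triage(journal):
    """Collect failed units, the OpenSSL call that failed, and the missing cert."""
    result = {"failed_units": [], "call": None, "error": None, "missing_cert": None}
    for line in journal.splitlines():
        if (m := OSSL_RE.search(line)) and result["call"] is None:
            result["call"] = m.group(1)
            result["error"] = decode_openssl_error(m.group(2))
        elif m := FAILED_RE.search(line):
            result["failed_units"].append(m.group(1))
        elif m := MISSING_RE.search(line):
            result["missing_cert"] = m.group(1)
    return result


if __name__ == "__main__":
    print(triage(JOURNAL))
```

The first entry in `failed_units` is the unit to investigate; the missing `localhost.crt` reported by httpd is a downstream symptom of the certificate generation step failing.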

Comment 1 Stephen Gallagher 2025-03-31 17:14:05 UTC
Thanks for the ping. I forgot to do a minor upstream release and package that up. It's on its way to Rawhide now.

Comment 2 Fedora Update System 2025-04-02 12:50:23 UTC
FEDORA-2025-e0a5b5357c (sscg-3.0.6-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-e0a5b5357c

Comment 3 Fedora Update System 2025-04-02 12:50:24 UTC
FEDORA-2025-cf95d15f1f (sscg-3.0.6-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-cf95d15f1f

Comment 4 Fedora Update System 2025-04-02 12:50:25 UTC
FEDORA-2025-91d5981247 (sscg-3.0.6-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-91d5981247

Comment 5 Fedora Update System 2025-04-03 02:20:31 UTC
FEDORA-2025-e0a5b5357c has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-e0a5b5357c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-e0a5b5357c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2025-04-03 03:14:55 UTC
FEDORA-2025-91d5981247 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-91d5981247`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-91d5981247

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-04-03 03:43:22 UTC
FEDORA-2025-cf95d15f1f has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cf95d15f1f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cf95d15f1f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2025-04-04 01:15:48 UTC
FEDORA-2025-9f66a41214 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-9f66a41214`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-9f66a41214

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2025-04-04 01:24:53 UTC
FEDORA-2025-c2b9f2de20 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-c2b9f2de20`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-c2b9f2de20

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2025-04-04 02:21:37 UTC
FEDORA-2025-303cff376c has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-303cff376c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-303cff376c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2025-04-19 19:43:41 UTC
FEDORA-2025-9f66a41214 (sscg-3.0.6-2.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2025-04-20 00:26:24 UTC
FEDORA-2025-303cff376c (sscg-3.0.6-2.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2025-04-20 04:21:08 UTC
FEDORA-2025-c2b9f2de20 (sscg-3.0.6-2.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

