Bug 472454 - Installing proxy 5.2 on RHEL 5 through the web UI leaves SSL improperly configured
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite Proxy 5
Classification: Red Hat
Component: Installer
Version: 520
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Shannon Hughes
QA Contact: Tomas Lestach
URL:
Whiteboard:
Depends On:
Blocks: 456999 472601 472604
Reported: 2008-11-20 22:09 UTC by Justin Sherrill
Modified: 2018-10-20 00:58 UTC (History)

Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-10 14:37:05 UTC
Target Upstream Version:
Embargoed:



Description Justin Sherrill 2008-11-20 22:09:51 UTC
Description of problem:
After installing proxy 5.2 on RHEL 5 using the web UI installer, clients can't connect to the proxy using SSL.  

Version-Release number of selected component (if applicable):
Proxy 5.2

How reproducible:


Steps to Reproduce:
1.  Install 5.2 proxy on RHEL 5 through the web UI from a 5.2 Satellite
  
Actual results:
Proxy server is using ssl certs in /etc/pki/certs/localhost.crt


Expected results:
Proxy server is using ssl certs in /etc/httpd/conf/*/

Additional info:

With RHEL 5 the /etc/httpd/conf.d/ssl.conf file started pointing to /etc/pki/certs instead of /etc/httpd/conf/* for its ssl.  The proxy 5.2 web installer doesn't bother changing these entries (as it never had to for RHEL 4).  

GPS consultant first reported this and I reproduced using test10-64 as a satellite.

Comment 1 Justin Sherrill 2008-11-20 22:20:20 UTC
btw the command line proxy installer handles this fine with these lines:

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
cat /etc/httpd/conf.d/ssl.conf.bak \
	| sed  "s|^SSLCertificateFile /etc/pki/tls/certs/localhost.crt$|SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt|g" \
	| sed  "s|^SSLCertificateKeyFile /etc/pki/tls/private/localhost.key$|SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key|g" \
    > /etc/httpd/conf.d/ssl.conf

Comment 2 Xixi 2008-11-20 23:19:08 UTC
Workaround/manual fix until the official fix is released -

Change /etc/httpd/conf.d/ssl.conf so that these two lines:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

become

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Then save and restart rhn-proxy service.
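
An added example, not part of this bug thread and not the installer's code: a POSIX shell check for the condition discussed above. It reports whether ssl.conf still points at the RHEL 5 localhost pair and rewrites only those two lines, leaving any other certificate paths alone. The function names are hypothetical; the paths are the ones quoted in the comments above.

```shell
#!/bin/sh
# Added example, not the installer's code. Paths are the ones quoted in this report.
DEFAULT_CRT=/etc/pki/tls/certs/localhost.crt
DEFAULT_KEY=/etc/pki/tls/private/localhost.key
PROXY_CRT=/etc/httpd/conf/ssl.crt/server.crt
PROXY_KEY=/etc/httpd/conf/ssl.key/server.key

# Print the value of the last active (uncommented) occurrence of directive $1
# in file $2. Assumes one SSL virtual host and exact-case directive names.
ssl_directive() {
    awk -v d="$1" '$1 == d { v = $2 } END { if (v != "") print v }' "$2"
}

# 0: proxy pair in use; 1: RHEL 5 localhost default still present;
# 2: directive missing or pointing somewhere else (needs a human).
check_ssl_conf() {
    crt=$(ssl_directive SSLCertificateFile "$1")
    key=$(ssl_directive SSLCertificateKeyFile "$1")
    if [ "$crt" = "$PROXY_CRT" ] && [ "$key" = "$PROXY_KEY" ]; then return 0; fi
    if [ "$crt" = "$DEFAULT_CRT" ] || [ "$key" = "$DEFAULT_KEY" ]; then return 1; fi
    return 2
}

# Rewrite only lines that match the default paths exactly, keep a .bak copy,
# and write in place so the file's mode and ownership are unchanged.
fix_ssl_conf() {
    conf=$1
    rc=0; check_ssl_conf "$conf" || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    cp -p "$conf" "$conf.bak" || return 3
    awk -v oc="$DEFAULT_CRT" -v nc="$PROXY_CRT" \
        -v ok="$DEFAULT_KEY" -v nk="$PROXY_KEY" '
        NF == 2 && $1 == "SSLCertificateFile"    && $2 == oc { sub(/[^ \t]+[ \t]*$/, nc) }
        NF == 2 && $1 == "SSLCertificateKeyFile" && $2 == ok { sub(/[^ \t]+[ \t]*$/, nk) }
        { print }' "$conf.bak" > "$conf" || return 3
    check_ssl_conf "$conf"
}
```

Source the file and call check_ssl_conf /etc/httpd/conf.d/ssl.conf to audit, or fix_ssl_conf with the same path to repair; a return value of 2 means the file was left untouched.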

Comment 3 Shannon Hughes 2008-11-21 18:33:54 UTC
fix is in git trunk branch for sw0.4 and sat530

Comment 4 Tomas Lestach 2009-07-02 12:32:33 UTC
I installed RHN Proxy 5.2 on RHEL5 over WEBUI.

Running on proxy:
# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

I successfully registered a client to the proxy server over SSL.

Verified with RHN Proxy 5.2.

Comment 5 Michael Mráka 2009-08-04 10:08:40 UTC
Verified in stage -> RELEASE_PENDING.

Proxy 5.3.0 installed via webUI.
# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Comment 6 Brandon Perkins 2009-09-10 14:37:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1433.html

