Description of problem:
Upgrading httpd and mod_ssl when an invalid key is present in /etc/pki/tls/private/localhost.key could cause an upgrade failure in mod_ssl's post routine. This will occur if /etc/pki/tls/certs/localhost.crt does not exist.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. make sure /etc/pki/tls/certs/localhost.crt does not exist
2. make sure /etc/pki/tls/private/localhost.key does exist but is not a proper key file (can be a zero length file)
3. upgrade httpd and mod_ssl from 2.2.3-43.el5 to 2.2.3-53.el5_7.3

Actual results:
[root@b1sp3-cm pub]# rpm -qa | grep -e mod_ssl -e httpd
httpd-2.2.3-43.el5
mod_ssl-2.2.3-43.el5
[root@b1sp3-cm private]# ll /etc/pki/tls/private
total 0
-rw------- 1 root root 0 Nov 2 2010 localhost.key
[root@b1sp3-cm private]# ll /etc/pki/tls/certs
total 444
-rw-r--r-- 1 root root 2240 Mar 12 2010 Makefile
-rw-r--r-- 1 root root 441017 Mar 12 2010 ca-bundle.crt
-rwxr-xr-x 1 root root 610 Mar 12 2010 make-dummy-cert
[root@b1sp3-cm pub]# rpm -Uvh mod_ssl-2.2.3-53.el5_7.3.i386.rpm httpd-2.2.3-53.el5_7.3.i386.rpm
Preparing... ########################################### [100%]
1:httpd ########################################### [ 50%]
2:mod_ssl ########################################### [100%]
error: %post(mod_ssl-2.2.3-53.el5_7.3.i386) scriptlet failed, exit status 1
[root@b1sp3-cm pub]# rpm -qa | grep -e mod_ssl -e httpd
httpd-2.2.3-53.el5_7.3
mod_ssl-2.2.3-43.el5
mod_ssl-2.2.3-53.el5_7.3

Expected results:
[root@b1sp3-cm pub]# rpm -qa | grep -e mod_ssl -e httpd
httpd-2.2.3-43.el5
mod_ssl-2.2.3-43.el5
[root@b1sp3-cm pub]# rpm -Uvh mod_ssl-2.2.3-53.el5_7.3.i386.rpm httpd-2.2.3-53.el5_7.3.i386.rpm
Preparing... ########################################### [100%]
1:httpd ########################################### [ 50%]
2:mod_ssl ########################################### [100%]
[root@b1sp3-cm pub]# rpm -qa | grep -e mod_ssl -e httpd
httpd-2.2.3-53.el5_7.3
mod_ssl-2.2.3-53.el5_7.3

Additional info:
Patch the spec like so?

build-2:/SPECS:30$ diff -u httpd.spec.orig httpd.spec --- httpd.spec.orig 2011-11-09 19:29:15.708095000 -0500 +++ httpd.spec 2011-11-09 19:33:37.465072000 -0500 @@ -580,6 +580,8 @@ fi if [ ! -f %{sslcert} ] ; then + openssl rsa -check -in /etc/pki/tls/private/localhost.key 2>/dev/null + if [ $? -eq 0 ] cat << EOF | %{_bindir}/openssl req -new -key %{sslkey} \ -x509 -days 365 -set_serial $RANDOM \ -out %{sslcert} 2>/dev/null @@ -591,6 +593,7 @@ ${FQDN} root@${FQDN} EOF + fi fi %check
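
Review bot: in the first hunk (@@ -580,6 +580,8 @@) the added `if [ $? -eq 0 ]` line has no `then`, so the scriptlet would fail to parse once the later `fi` is reached; it needs `; then`. The added `openssl rsa -check` call redirects only stderr and omits `-noout`, so for a valid key it writes the private key to stdout during the upgrade; add `-noout` and discard stdout as well. It also hard-codes /etc/pki/tls/private/localhost.key while the `openssl req -new -key %{sslkey}` line below uses the macro, so the check and the consumer can drift apart. A single line such as `if openssl rsa -check -noout -in %{sslkey} >/dev/null 2>&1; then` covers all three points.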
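
Review bot: in the second hunk (@@ -591,6 +593,7 @@) the added `fi` closes the new key check with no `else` branch, so when the key is unusable the scriptlet skips certificate generation silently and %{sslcert} is still missing after the upgrade completes. Suggest printing a warning to stderr in that case, naming the key file that failed the check, so the administrator knows the key has to be replaced before a certificate can be generated.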
Thanks for the report.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
*** Bug 867736 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0130.html