Bug 80133 - apacheconf SSL hard to debug requires manual editing of config file
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: redhat-config-httpd
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Phil Knirsch
QA Contact: Brian Brock
Depends On:
Reported: 2002-12-20 12:34 UTC by Edward J. Huff
Modified: 2015-03-05 01:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-07-30 15:56:28 UTC


Description Edward J. Huff 2002-12-20 12:34:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Ok, I see I should upgrade to 8.0 and use redhat-config-httpd.
Maybe all this is fixed there...  If not,

* apacheconf doesn't have a way to start over from scratch.
  (other than erasing and reinstalling the rpm).

* It doesn't have a way to switch between various configurations.

* Documents (except the man page) don't mention the alchemist files
  or explain _where_ the configuration data is remembered or even
  state clearly that the config file is _not_ parsed.

* loglevel changes didn't appear in the config file.

I tried to set up a webserver serving SSL with a locally generated
certificate.  It took a _LONG_ time (8 hours), because I ran into
two unilluminating error messages.

First, I got failure to start apache, and the log said
Hint: SSLCertificateFile.  There was such an entry, in
the <VirtualHost _default_:443> section (right after
  ## SSL Virtual Host Context
), but I needed one farther down, after the
  # Virtual hosts
  <IfDefine HAVE_SSL>
section.  I also needed a SSLCertificateKeyFile entry.
This was not easy to figure out.  I did it by googling for
the error message, and by reading the source code.

After I got that fixed (by editing the config file), apache
would start up, but immediately exited with

[crit] (98)Address already in use: make_sock: could not bind to port 443

This was caused by the presence of two "Listen 443" statements
in the file.  The one after the comment "Apache will only listen on port 80 by
default" needed to be removed.  This was also not easy to figure out.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. clear apacheconf by erasing and reinstalling it (how else?)
2. rpm -e apacheconf; rpm -ivh apacheconf-0.8.2-2.noarch.rpm 
3. run apacheconf (Is there a way to make it record everything
   that was done?).  It comes up with default settings.
4. Select virtual server, SSL, enable SSL, OK, Ok (alert
server name cannot be blank), enter server name, Ok, Ok to exit,
Ok to overwrite config.
5. start httpd. (it fails)
6. edit config file to insert second set of SSLCertificate... entries.
7. it comes up and runs.  But if I do what the customization guide
says, I get two Listen 443 statements and it fails.
8. stop httpd, run apacheconf, select "all available addresses on port 80",
click "edit", change 80 to 443, click Ok, Ok, Ok save and exit, Ok overwrite,
edit the conf file again to add the missing SSLCertificate entries.
9. start httpd, get status:  "httpd dead but subsys locked"
examine log: [crit] (98)Address already in use: make_sock: could not bind to
port 443

Actual Results:  Only one "SSLCertificateFile" and "...KeyFile" entry.

Two "Listen 443" entries. (well, with the above instructions,
I got only one, because I didn't change the default from 80
to 443 -- but the RedHat customization guide said I should
add a port 443.)

Expected Results:  Two "SSLCertificateFile" and "...KeyFile" entries.  Is the
first one

Only one "Listen 443" entry.

Additional info:

*** httpd.conf	Fri Dec 20 07:27:53 2002
--- httpd.conf~	Fri Dec 20 07:24:59 2002
*** 732,739 ****
   	ServerSignature email
   	SSLEngine on
- SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
- SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
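Review bot: the file order in the header is reversed (`*** httpd.conf` is the edited file, `--- httpd.conf~` the older backup), so the two `-` lines after `SSLEngine on` are the hand-added SSLCertificateFile and SSLCertificateKeyFile directives rather than removals. Applied as a patch, this would delete them again. Regenerating it as `diff -c httpd.conf~ httpd.conf` would show them as `+` additions. The hunk is also cut off: the `--- ... ----` half for the backup file is missing.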

Comment 1 Phil Knirsch 2003-11-27 11:25:47 UTC
Reassigning to r-c-h and myself.

Read ya, Phil

Comment 2 Phil Knirsch 2004-07-30 15:56:28 UTC
Most of the SSL stuff should be fixed in the latest rawhide version.

Read ya, Phil
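
The two startup failures in the description (an SSL-enabled virtual host with no SSLCertificateFile/SSLCertificateKeyFile, and two "Listen 443" statements) can be caught with a static check before httpd is started. This is an added example, not code from apacheconf or from the report: the function name `lint_httpd_conf`, the finding labels and the sample config are constructed, and `<IfDefine>` conditions are ignored, so every directive is treated as active.

```python
import re

# Constructed sample that mimics the two faults from the report (not the reporter's file).
SAMPLE_CONF = """\
Listen 80
Listen 443
<IfDefine HAVE_SSL>
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
</IfDefine>
"""

REQUIRED = ("sslcertificatefile", "sslcertificatekeyfile")

def lint_httpd_conf(text):
    """Return (kind, subject, detail) findings; <IfDefine> conditions are ignored."""
    findings, listens, vhost = [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost = (opened.group(1).strip(), {})  # (address, directives seen)
        elif re.match(r"</VirtualHost\s*>", line, re.I) and vhost:
            addr, seen = vhost
            missing = [d for d in REQUIRED if d not in seen]
            if seen.get("sslengine", "").lower() == "on" and missing:
                findings.append(("ssl-vhost-incomplete", addr, missing))
            vhost = None
        elif not line.startswith("<"):
            name, _, value = line.replace("\t", " ").partition(" ")
            if vhost:
                vhost[1][name.lower()] = value.strip()
            elif name.lower() == "listen" and value.strip():
                # Key on the address/port argument; remember where each one appears.
                listens.setdefault(value.split()[0], []).append(lineno)
    for arg, lines in listens.items():
        if len(lines) > 1:
            findings.append(("duplicate-listen", arg, lines))
    return findings

if __name__ == "__main__":
    print(lint_httpd_conf(SAMPLE_CONF))
```

The line numbers in a `duplicate-listen` finding point at each competing `Listen` entry, which is the detail the "could not bind to port 443" log message does not give.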
