[Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict

Petr Viktorin pviktori at redhat.com
Fri Oct 25 10:33:25 UTC 2013


On 10/25/2013 10:31 AM, Martin Kosek wrote:
> Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
> machine (of course, when listening to different ports).
>
> To make sure that mod_ssl is not configured to listen on 443
> (default mod_ssl configuration), add a check to the installer checking
> if either mod_nss or mod_ssl was configured to listen on that port.
>
> https://fedorahosted.org/freeipa/ticket/3974
>
>
>
> TO TEST:
> 1. Install newest mod_nss:
> F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
> 2. Install patched freeipa
> 3. Install mod_ssl
> 4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on
> 10443 or others
> 5. "setenforce 0" to allow httpd listen on that port
> 6. ipa-server-install

When mod_ssl.rpm is installed *after* ipa-server-install, no check is 
done, Apache just fails to start.
We need to document this.

> The server should now listen on both 443 with mod_nss and 10443 with
> mod_ssl. CLI and Web UI should continue to work, as well as cert
> operations like "cert-show 1" - cert operations would not work if new
> mod_nss is not updated.

That is the Apache server, right? IPA is only on 443.

> Martin



> freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch

ACK

> freeipa-mkosek-434-remove-mod_ssl-conflict.patch

Just a comment on logging:

> +def httpd_443_configured():
> +    """
> +    We now allow mod_ssl to be installed so don't automatically disable it.
> +    However it can't share the same listen port as mod_nss, so check for that.
> +
> +    Returns True if something other than mod_nss is listening on 443.
> +    False otherwise.
> +    """
> +    try:
> +        (stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS'])
> +    except ipautil.CalledProcessError, e:
> +        print >> sys.stderr, "WARNING: cannot check if port 443 is already configured."
> +        print >> sys.stderr, "httpd returned error when checking:", str(e)
> +        return False
> +
> +    port_line_re = re.compile(r'(?P<address>\S+):(?P<port>\d+)')
> +    for line in stdout.splitlines():
> +        m = port_line_re.match(line)
> +        if m and int(m.group('port')) == 443:
> +            print "WARNING: Apache is already configured with a listener on port 443:"
> +            print line
> +            return True
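Review bot: the docstring says the function returns True only if "something other than mod_nss is listening on 443", but the loop returns True for any vhost whose address matches `:443`, mod_nss's own listener included, so the check is only correct when it runs before IPA's own mod_nss vhost exists; either narrow the docstring to "anything is listening on 443" or use the config file path that DUMP_VHOSTS prints after each vhost to skip the mod_nss entry. The regex also only captures address and port, so the conflict message cannot say which file configured the listener, which is what an admin needs to fix it.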

Please also log these messages, otherwise the log ends up not being very 
helpful.

Since the installation aborts, I think these should be ERROR or 
CRITICAL, not WARNING.


-- 
Petr³
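Worked illustration of the port check together with the logging Petr asks for, as an added example that is not part of either patch or of FreeIPA: it parses constructed `httpd -t -D DUMP_VHOSTS` output, skips the mod_nss entry by its config file (the `/etc/httpd/conf.d/nss.conf` path and the 2.4-style output layout are assumptions) and logs each conflict at ERROR level since the installer aborts.

```python
import logging
import re
import subprocess

log = logging.getLogger("ipaserver.install")

# Matches the vhost summary lines printed by `httpd -t -D DUMP_VHOSTS`, e.g.
# "*:443                  host.example.test (/etc/httpd/conf.d/ssl.conf:56)".
# The trailing "(file:line)" group is optional so a bare "*:443 ..." still matches.
VHOST_RE = re.compile(r'^(?P<address>\S+):(?P<port>\d+)\s+.*?'
                      r'(?:\((?P<conf>[^:()]+):\d+\))?\s*$')

def listeners_on_port(dump_vhosts_output, port=443):
    """Return (address, conf_file) for every vhost configured on `port`."""
    found = []
    for line in dump_vhosts_output.splitlines():
        m = VHOST_RE.match(line)
        if m and int(m.group('port')) == port:
            found.append((m.group('address'), m.group('conf')))
    return found

def httpd_port_conflict(dump_vhosts_output, port=443,
                        own_conf='/etc/httpd/conf.d/nss.conf'):  # assumed mod_nss file
    """True if a vhost other than the mod_nss one listens on `port`.
    Every conflict is logged at ERROR level, because the install aborts on it."""
    conflicts = [(addr, conf) for addr, conf in listeners_on_port(dump_vhosts_output, port)
                 if conf != own_conf]
    for addr, conf in conflicts:
        log.error("Apache is already configured with a listener on port %d: %s (%s)",
                  port, addr, conf or "unknown config file")
    return bool(conflicts)

def dump_vhosts():
    """Ask httpd for its vhost summary; log and return None if that fails."""
    try:
        return subprocess.check_output(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS'],
                                       stderr=subprocess.STDOUT).decode()
    except (OSError, subprocess.CalledProcessError) as e:
        log.error("cannot check if port 443 is already configured: %s", e)
        return None

# Constructed sample in the Apache 2.4 DUMP_VHOSTS layout (not captured output).
SAMPLE = """VirtualHost configuration:
*:443                  ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)
*:10443                ipa.example.test (/etc/httpd/conf.d/other.conf:12)
ServerRoot: "/etc/httpd"
"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(httpd_port_conflict(SAMPLE))  # True: ssl.conf still owns 443
```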