[Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict

Petr Viktorin pviktori at redhat.com
Fri Oct 25 13:46:49 UTC 2013


On 10/25/2013 02:09 PM, Martin Kosek wrote:
> On 10/25/2013 12:33 PM, Petr Viktorin wrote:
>> On 10/25/2013 10:31 AM, Martin Kosek wrote:
>>> Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
>>> machine (of course, when listening to different ports).
>>>
>>> To make sure that mod_ssl is not configured to listen on 443
>>> (default mod_ssl configuration), add a check to the installer checking
>>> if either mod_nss or mod_ssl was configured to listen on that port.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3974
>>>
>>>
>>>
>>> TO TEST:
>>> 1. Install newest mod_nss:
>>> F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
>>> 2. Install patched freeipa
>>> 3. Install mod_ssl
>>> 4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on
>>> 10443 or others
>>> 5. "setenforce 0" to allow httpd listen on that port
>>> 6. ipa-server-install

Okay, I found another problem. After the above steps:
- ipa-server-install --uninstall
- Uninstall mod_ssl
- ipa-server-install

>> When mod_ssl.rpm is installed *after* ipa-server-install, no check is
>> done; Apache just fails to start.
>> We need to document this.
>
> Document where exactly? Ideas welcome. FreeIPA server uses a set of ports,
> defined in
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/installing-ipa.html#prerequisites

Well, at least in the release notes.
The guide you linked to could also have a note that this conflicts with 
the mod_nss defaults.

> When any other service binds to any of these ports, some IPA service
> won't work, regardless of whether it is mod_ssl or a custom user service.
> People would probably not read FreeIPA documentation before installing
> mod_ssl anyway...

Right.
But still, we're removing the Conflicts with a package that will break 
IPA when installed (even indirectly).
We need to be careful here.

>>> The server should now listen on both 443 with mod_nss and 10443 with
>>> mod_ssl. CLI and Web UI should continue to work, as well as cert
>>> operations like "cert-show 1" - cert operations would not work if new
>>> mod_nss is not updated.
>>
>> That is the Apache server, right? IPA is only on 443.
>
> Yup. This just refers to testing hints above, where I suggested to
> configure mod_ssl to listen on some custom port to prove that both
> mod_ssl and mod_nss can run on the same server.
>
>>
>>> Martin
>>
>>
>>
>>> freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch
>>>
>>
>> ACK
>>
>>> freeipa-mkosek-434-remove-mod_ssl-conflict.patch
>>
>> Just a comment on logging:
>>
[...]
>>> +            print "WARNING: Apache is already configured with a
>>> listener on
>>> port 443:"
>>> +            print line
>>> +            return True
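Review bot: the reason for the abort only reaches stdout here (the two `print` statements before `return True`); send the same text through the installer's logging as well so it ends up in the install log, and since the caller aborts the installation when this returns True, record it at ERROR level instead of labelling it "WARNING:".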
>>
>> Please also log these messages, otherwise the log ends up not being
>> very helpful.
>>
>> Since the installation aborts, I think these should be ERROR or
>> CRITICAL, not
>> WARNING.
>
> Right. I used service.print_msg as you suggested on IRC.

ACK, pushed to:
master: 4bed0de60d5bac005c9c54c7376b8dd873d1dd1d (fixed up spec changelog)
ipa-3-3: 6d24870c870d0cff0857dd7219d5475854bf8b85


-- 
Petr³
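The installer check discussed above (scan the Apache configuration for a listener already bound to 443 before IPA writes its own mod_nss configuration) is easy to get subtly wrong: `Listen` can carry an IPv4 or bracketed IPv6 host prefix and a protocol argument, and a commented-out `# Listen 443` must not count. The following is an added example written for this page, not FreeIPA's patch or any of its code; it is a stand-alone Python 3 illustration of such a check. The file names, config contents and the `precheck_port` / `port_listeners` function names are constructed for the demo (the real installer reads the files from /etc/httpd; here a dict of path to text stands in for them), and the error text mirrors the wording in the quoted hunk so it can be both printed and written to the install log.

```python
import re

# Apache "Listen" directive: optional "[ipv6]:" or "ipv4:" host prefix,
# a numeric port, optional protocol argument.  Accepts e.g.
#   Listen 443 / Listen 10443 https / Listen 192.0.2.10:443 / Listen [::1]:443
_LISTEN_RE = re.compile(
    r'^\s*Listen\s+'
    r'(?:(?P<host>\[[^\]]+\]|[^\s:]+):)?'
    r'(?P<port>\d+)'
    r'(?:\s+(?P<proto>\S+))?\s*$',
    re.IGNORECASE,
)


def listen_directives(config_text):
    """Return [(lineno, host_or_None, port, stripped_line)] for every active
    Listen directive.  Whole-line comments such as '# Listen 443' are skipped;
    httpd rejects trailing comments on a directive, so none are special-cased."""
    found = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LISTEN_RE.match(line)
        if m:
            found.append((lineno, m.group('host'), int(m.group('port')), line))
    return found


def port_listeners(configs, port=443):
    """configs: {path: file contents}.  Return every Listen directive bound to
    `port` as (path, lineno, host, line), ordered by path then line number,
    so the report is deterministic whatever order the files were read in."""
    hits = []
    for path in sorted(configs):
        for lineno, host, p, line in listen_directives(configs[path]):
            if p == port:
                hits.append((path, lineno, host, line))
    return hits


def precheck_port(configs, port=443):
    """Installer-style check.  Returns (ok, messages): ok is False when some
    config already listens on `port`; messages name each offending line with
    its file and line number, ready to print and to log at ERROR level."""
    hits = port_listeners(configs, port)
    if not hits:
        return True, []
    messages = ['Apache is already configured with a listener on port %d:' % port]
    messages += ['%s:%d: %s' % (path, lineno, line) for path, lineno, _, line in hits]
    return False, messages


# Constructed sample configuration, standing in for /etc/httpd on a host
# where stock mod_ssl is installed next to a mod_nss that was moved to 8443.
SAMPLE_CONFIGS = {
    '/etc/httpd/conf/httpd.conf': 'ServerRoot "/etc/httpd"\nListen 80\n',
    '/etc/httpd/conf.d/ssl.conf': ('# stock mod_ssl config (constructed)\n'
                                   'Listen 443 https\n'
                                   '<VirtualHost _default_:443>\n'
                                   'SSLEngine on\n'
                                   '</VirtualHost>\n'),
    '/etc/httpd/conf.d/nss.conf': '# mod_nss moved off 443 (constructed)\nListen 8443\n',
    '/etc/httpd/conf.d/custom.conf': ('# Listen 443   <- commented out, inactive\n'
                                      'Listen [::1]:10443\n'
                                      'Listen 192.0.2.10:443\n'),
}

if __name__ == '__main__':
    ok, messages = precheck_port(SAMPLE_CONFIGS)
    for msg in messages:
        print('ERROR: ' + msg)
    raise SystemExit(0 if ok else 1)
```

Run against the sample, the check refuses to proceed and names both ssl.conf line 2 and the host-qualified `Listen 192.0.2.10:443` in custom.conf, while the commented-out line and the 10443 and 8443 listeners are ignored; change ssl.conf to `Listen 10443 https` as in the test recipe above and the same call returns `(True, [])`.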



