From 6d24870c870d0cff0857dd7219d5475854bf8b85 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 25 Oct 2013 10:22:08 +0200 Subject: Remove mod_ssl conflict Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening to different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking of either mod_nss or mod_ssl was configured to listen on that port. https://fedorahosted.org/freeipa/ticket/3974 --- ipaserver/install/httpinstance.py | 46 ++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-) (limited to 'ipaserver') diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 14fa9cc6..689e657e 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -23,6 +23,7 @@ import tempfile import pwd import shutil import stat +import re import service import certs @@ -32,6 +33,7 @@ from ipapython import ipautil from ipapython import services as ipaservices from ipapython import dogtag from ipapython.ipa_log_manager import * +from ipaserver.install import sysupgrade from ipalib import api HTTPD_DIR = "/etc/httpd" @@ -46,6 +48,31 @@ change with the command: Try updating the policycoreutils and selinux-policy packages. """ +def httpd_443_configured(): + """ + We now allow mod_ssl to be installed so don't automatically disable it. + However it can't share the same listen port as mod_nss, so check for that. + + Returns True if something other than mod_nss is listening on 443. + False otherwise. + """ + try: + (stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS']) + except ipautil.CalledProcessError, e: + service.print_msg("WARNING: cannot check if port 443 is already configured") + service.print_msg("httpd returned error when checking: %s" % e) + return False + + port_line_re = re.compile(r'(?P
\S+):(?P\d+)') + for line in stdout.splitlines(): + m = port_line_re.match(line) + if m and int(m.group('port')) == 443: + service.print_msg("Apache is already configured with a listener on port 443:") + service.print_msg(line) + return True + + return False + class WebGuiInstance(service.SimpleServiceInstance): def __init__(self): service.SimpleServiceInstance.__init__(self, "ipa_webgui") @@ -87,7 +114,6 @@ class HTTPInstance(service.Service): self.ldap_connect() - self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) self.step("setting mod_nss port to 443", self.__set_mod_nss_port) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) @@ -227,15 +253,25 @@ class HTTPInstance(service.Service): http_fd.close() os.chmod(target_fname, 0644) - def __disable_mod_ssl(self): - if os.path.exists(SSL_CONF): - self.fstore.backup_file(SSL_CONF) - os.unlink(SSL_CONF) + def change_mod_nss_port_to_http(self): + # mod_ssl enforces SSLEngine on for vhost on 443 even though + # the listener is mod_nss. This then crashes the httpd as mod_nss + # listened port obviously does not match mod_ssl requirements. + # + # Change port to http to workaround the mod_ssl check, the SSL is + # enforced in the vhost later, so it is benign. + # + # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168 + # is fixed. + if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): + installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False) + sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True) def __set_mod_nss_port(self): self.fstore.backup_file(NSS_CONF) if installutils.update_file(NSS_CONF, '8443', '443') != 0: print "Updating port in %s failed." % NSS_CONF + self.change_mod_nss_port_to_http() def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) -- cgit