summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--freeipa.spec.in9
-rwxr-xr-xinstall/tools/ipa-replica-install4
-rwxr-xr-x[-rw-r--r--]install/tools/ipa-server-install4
-rw-r--r--install/tools/ipa-upgradeconfig1
-rw-r--r--ipaserver/install/httpinstance.py46
5 files changed, 54 insertions, 10 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5b37c4c43..21ed8f90c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -121,7 +121,7 @@ Requires: mod_auth_kerb >= 5.4-16
%else
Requires: mod_auth_kerb >= 5.4-8
%endif
-Requires: mod_nss
+Requires: mod_nss >= 1.0.8-24
Requires: python-ldap
Requires: python-krbV
Requires: acl
@@ -166,10 +166,6 @@ Conflicts: bind < 9.8.2-0.4.rc2
# member.
Conflicts: nss-pam-ldapd < 0.8.4
-# mod_proxy provides a single API to communicate over SSL. If mod_ssl
-# is even loaded into Apache then it grabs this interface.
-Conflicts: mod_ssl
-
Obsoletes: ipa-server >= 1.0
%description server
@@ -836,6 +832,9 @@ fi
%endif # ONLY_CLIENT
%changelog
+* Fri Aug 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.90-4
+- Remove mod_ssl conflict, it can now live with mod_nss installed
+
* Wed Sep 4 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.3.90-3
- Conform to tmpfiles.d packaging guidelines
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 5e6941402..1cffa48e1 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -474,6 +474,10 @@ def main():
if options.setup_dns:
check_bind()
+ # Check to see if httpd is already configured to listen on 443
+ if httpinstance.httpd_443_configured():
+ sys.exit("Aborting installation")
+
check_dirsrv()
if options.conf_ntp:
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cf769f557..b3dcf6d93 100644..100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -791,6 +791,10 @@ def main():
except ipaclient.ntpconf.NTPConfigurationError:
pass
+ # Check to see if httpd is already configured to listen on 443
+ if httpinstance.httpd_443_configured():
+ sys.exit("Aborting installation")
+
realm_name = ""
host_name = ""
domain_name = ""
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 2ee598322..41c51263d 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1047,6 +1047,7 @@ def main():
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
http.configure_httpd_ccache()
+ http.change_mod_nss_port_to_http()
ds = dsinstance.DsInstance()
ds.configure_dirsrv_ccache()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 14fa9cc6f..689e657e2 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -23,6 +23,7 @@ import tempfile
import pwd
import shutil
import stat
+import re
import service
import certs
@@ -32,6 +33,7 @@ from ipapython import ipautil
from ipapython import services as ipaservices
from ipapython import dogtag
from ipapython.ipa_log_manager import *
+from ipaserver.install import sysupgrade
from ipalib import api
HTTPD_DIR = "/etc/httpd"
@@ -46,6 +48,31 @@ change with the command:
Try updating the policycoreutils and selinux-policy packages.
"""
+def httpd_443_configured():
+ """
+ We now allow mod_ssl to be installed so don't automatically disable it.
+ However it can't share the same listen port as mod_nss, so check for that.
+
+ Returns True if something other than mod_nss is listening on 443.
+ False otherwise.
+ """
+ try:
+ (stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS'])
+ except ipautil.CalledProcessError, e:
+ service.print_msg("WARNING: cannot check if port 443 is already configured")
+ service.print_msg("httpd returned error when checking: %s" % e)
+ return False
+
+ port_line_re = re.compile(r'(?P<address>\S+):(?P<port>\d+)')
+ for line in stdout.splitlines():
+ m = port_line_re.match(line)
+ if m and int(m.group('port')) == 443:
+ service.print_msg("Apache is already configured with a listener on port 443:")
+ service.print_msg(line)
+ return True
+
+ return False
+
class WebGuiInstance(service.SimpleServiceInstance):
def __init__(self):
service.SimpleServiceInstance.__init__(self, "ipa_webgui")
@@ -87,7 +114,6 @@ class HTTPInstance(service.Service):
self.ldap_connect()
- self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
@@ -227,15 +253,25 @@ class HTTPInstance(service.Service):
http_fd.close()
os.chmod(target_fname, 0644)
- def __disable_mod_ssl(self):
- if os.path.exists(SSL_CONF):
- self.fstore.backup_file(SSL_CONF)
- os.unlink(SSL_CONF)
+ def change_mod_nss_port_to_http(self):
+ # mod_ssl enforces SSLEngine on for vhost on 443 even though
+ # the listener is mod_nss. This then crashes the httpd as mod_nss
+ # listened port obviously does not match mod_ssl requirements.
+ #
+ # Change port to http to workaround the mod_ssl check, the SSL is
+ # enforced in the vhost later, so it is benign.
+ #
+ # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
+ # is fixed.
+ if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+ installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
+ sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
def __set_mod_nss_port(self):
self.fstore.backup_file(NSS_CONF)
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
print "Updating port in %s failed." % NSS_CONF
+ self.change_mod_nss_port_to_http()
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)