On 10/25/2013 02:09 PM, Martin Kosek wrote:
On 10/25/2013 12:33 PM, Petr Viktorin wrote:
On 10/25/2013 10:31 AM, Martin Kosek wrote:
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974



TO TEST:
1. Install newest mod_nss:
F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
2. Install patched freeipa
3. Install mod_ssl
4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on
10443 or others
5. "setenforce 0" to allow httpd to listen on that port
6. ipa-server-install

Okay, I found another problem. After the above steps:
- ipa-server-install --uninstall
- Uninstall mod_ssl
- ipa-server-install

When mod_ssl.rpm is installed *after* ipa-server-install, no check is
done; Apache just fails to start.
We need to document this.

Document where exactly? Ideas welcome. FreeIPA server uses a set of ports,
defined in
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/installing-ipa.html#prerequisites

Well, at least in the release notes.
The guide you linked to could also have a note that this conflicts with the mod_nss defaults.

When any other service binds to any of these ports, some IPA service
won't work, regardless of whether it is mod_ssl or a custom user service. People
would probably not read FreeIPA documentation before installing mod_ssl
anyway...

Right.
But still, we're removing the Conflicts with a package that will break IPA when installed (even indirectly).
We need to be careful here.

The server should now listen on both 443 with mod_nss and 10443 with
mod_ssl. CLI and Web UI should continue to work, as well as cert
operations like "cert-show 1" - cert operations would not work if new
mod_nss is not updated.

That is the Apache server, right? IPA is only on 443.

Yup. This just refers to the testing hints above, where I suggested
configuring mod_ssl to listen on some custom port to prove that both
mod_ssl and mod_nss can run on the same server.


Martin



freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch


ACK

freeipa-mkosek-434-remove-mod_ssl-conflict.patch

Just a comment on logging:

[...]
+            print "WARNING: Apache is already configured with a
listener on
port 443:"
+            print line
+            return True
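Review bot: The two `print` calls in this hunk write only to the terminal, so the reason for the `return True` (which aborts the installation) never reaches the installation log; emit them through the installer's logger as well, and at ERROR rather than WARNING, since the install stops at this point. Printing `line` on its own also leaves out which configuration file the listener came from; include the file name so the administrator knows which file to edit.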

Please also log these messages, otherwise the log ends up not being
very helpful.

Since the installation aborts, I think these should be ERROR or
CRITICAL, not WARNING.

Right. I used service.print_msg as you suggested on IRC.

ACK, pushed to:
master: 4bed0de60d5bac005c9c54c7376b8dd873d1dd1d (fixed up spec changelog)
ipa-3-3: 6d24870c870d0cff0857dd7219d5475854bf8b85


--
Petr³
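The check discussed in this thread, shown as an added, stand-alone example rather than FreeIPA's installer code: it scans Apache configuration text for `Listen` and `<VirtualHost>` directives bound to port 443, reports each hit with file and line number, and logs at ERROR level before the caller aborts. The function names (`find_listeners`, `apache_port_conflicts`, `check_before_install`) and the ssl.conf excerpts are assumptions constructed for this example; it assumes Python 3.

```python
"""Detect Apache listeners already bound to a port (constructed example, not FreeIPA's installer code)."""
import logging
import re
from typing import Dict, List, Tuple

log = logging.getLogger("ipa-install-check")

# "Listen 443", "Listen 0.0.0.0:443", "Listen [::]:443 https" all bind port 443.
LISTEN_RE = re.compile(
    r"^\s*Listen\s+(?:(?P<addr>\[[^\]]+\]|[^\s:]+):)?(?P<port>\d+)(?:\s+\S+)?\s*$",
    re.IGNORECASE,
)
# "<VirtualHost _default_:443>", "<VirtualHost *:443 [::1]:443>"
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+(?P<spec>[^>]+)>\s*$", re.IGNORECASE)


def _vhost_ports(spec: str) -> List[int]:
    """Extract explicit ports from a VirtualHost address list; bare addresses or '*' carry none."""
    ports = []
    for token in spec.split():
        _head, sep, tail = token.rpartition(":")
        if sep and tail.isdigit():
            ports.append(int(tail))
    return ports


def find_listeners(config_text: str, port: int, filename: str = "<config>") -> List[Tuple[str, int, str]]:
    """Return (filename, line number, directive) for each Listen or VirtualHost bound to `port`.

    Full-line comments are skipped; directives inside <IfModule> blocks still count,
    because mod_ssl's stock ssl.conf wraps its VirtualHost that way.
    """
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LISTEN_RE.match(line)
        if m and int(m.group("port")) == port:
            hits.append((filename, lineno, line))
            continue
        m = VHOST_RE.match(line)
        if m and port in _vhost_ports(m.group("spec")):
            hits.append((filename, lineno, line))
    return hits


def apache_port_conflicts(configs: Dict[str, str], port: int = 443) -> List[str]:
    """Check every config in `configs` ({filename: contents}); return one message per conflict.

    A non-empty result means the port is already taken. Each message carries the file and
    line so the administrator knows exactly which directive to move.
    """
    messages = []
    for filename, text in configs.items():
        for fname, lineno, directive in find_listeners(text, port, filename):
            messages.append(f"{fname}:{lineno}: {directive}")
    return messages


def check_before_install(configs: Dict[str, str], port: int = 443) -> bool:
    """Return True when the port is free; log each conflict at ERROR level, since the install aborts."""
    conflicts = apache_port_conflicts(configs, port)
    for msg in conflicts:
        log.error("Apache is already configured with a listener on port %d: %s", port, msg)
    return not conflicts


# Constructed excerpt modelled on a stock mod_ssl ssl.conf; not copied from any real package.
STOCK_SSL_CONF = """\
# default mod_ssl configuration (constructed sample)
Listen 443 https
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.test:443
    SSLEngine on
</VirtualHost>
</IfModule>
"""

# The same file after step 4 of the test plan above: mod_ssl moved to 10443 (constructed sample).
MOVED_SSL_CONF = """\
Listen 10443 https
<VirtualHost _default_:10443>
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
    print("stock ssl.conf, port 443 free:", check_before_install({"ssl.conf": STOCK_SSL_CONF}))
    print("moved ssl.conf, port 443 free:", check_before_install({"ssl.conf": MOVED_SSL_CONF}))
```

Running it on the stock excerpt logs two ERROR lines (the `Listen` and the `VirtualHost`) and returns False; on the moved excerpt it returns True. Note that this mirrors only the install-time check; it does nothing about the case raised above where mod_ssl is installed after ipa-server-install, which only documentation can cover.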

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
