On 10/25/2013 02:09 PM, Martin Kosek wrote:
On 10/25/2013 12:33 PM, Petr Viktorin wrote:
On 10/25/2013 10:31 AM, Martin Kosek wrote:
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).
To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.
1. Install newest mod_nss:
2. Install patched freeipa
3. Install mod_ssl
4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on
10443 or others
5. "setenforce 0" to allow httpd listen on that port
Okay, I found another problem. After the above steps:
- ipa-server-install --uninstall
- Uninstall mod_ssl
When mod_ssl.rpm is installed *after* ipa-server-install, no check is
Apache just fails to start.
We need to document this.
Document where exactly? Ideas welcome. FreeIPA server uses a set of ports,
Well, at least in the release notes.
The guide you linked to could also have note that this conflicts with
the mod_nss defaults.
When any other service binds to any of these ports, some IPA service
won't work, regardless of whether it is mod_ssl or a custom user service. People
would probably not read FreeIPA documentation before installing mod_ssl
But still, we're removing the Conflicts with a package that will break
IPA when installed (even indirectly).
We need to be careful here.
The server should now listen on both 443 with mod_nss and 10443 with
mod_ssl. CLI and Web UI should continue to work, as well as cert
operations like "cert-show 1" - cert operations would not work if new
mod_nss is not updated.
That is the Apache server, right? IPA is only on 443.
Yup. This just refers to testing hints above, where I suggested to
configure mod_ssl to listen on some custom port to prove that both
mod_ssl and mod_nss can run on the same server.
Just a comment on logging:
+ print "WARNING: Apache is already configured with a
+ print line
+ return True
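Review bot: the two `print` calls only write to stdout, so neither the WARNING text nor the explanatory `line` reaches the install log; route both through the installer's logging helper (the thread later settles on service.print_msg), and since `return True` aborts the installation, the severity should be ERROR rather than WARNING.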
Please also log these messages, otherwise the log ends up not being
Since the installation aborts, I think these should be ERROR or
Right. I used service.print_msg as you suggested on IRC.
ACK, pushed to:
master: 4bed0de60d5bac005c9c54c7376b8dd873d1dd1d (fixed up spec changelog)
Freeipa-devel mailing list
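To illustrate the pre-install check discussed in this thread, here is an added Python example (not FreeIPA's own code) that scans the `Listen` directives of existing Apache config files and aborts when any of them already binds port 443. The file names and contents are constructed, and `check_apache_port` is a hypothetical name standing in for the installer's check.

```python
import re

# Matches one Apache Listen directive in any of its forms:
#   Listen 443 / Listen 443 https / Listen 0.0.0.0:443 / Listen [::]:443
# The optional host part must be followed by ':' so "Listen 443" cannot be
# mis-split into host "44" and port "3".
LISTEN_RE = re.compile(
    r'^\s*Listen\s+(?:(?:\[[^\]]*\]|[\w.-]+):)?(\d+)(?:\s+\S+)?\s*$',
    re.IGNORECASE)


def listen_ports(config_text):
    """Return the set of TCP ports bound by Listen directives in config_text.

    Comment lines and <VirtualHost ...:443> blocks are ignored on purpose:
    only a Listen directive actually opens the socket."""
    ports = set()
    for line in config_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def find_listeners(configs, port=443):
    """Return the (sorted) names of all configs whose Listen binds `port`."""
    return sorted(name for name, text in configs.items()
                  if port in listen_ports(text))


def check_apache_port(configs, port=443):
    """Installer-style check: True (abort) if an existing Apache config
    already listens on the port IPA's mod_nss needs, False otherwise."""
    users = find_listeners(configs, port)
    if users:
        # An installer should also send this to its log, not just stdout.
        print("ERROR: Apache is already configured to listen on port %d "
              "in: %s" % (port, ", ".join(users)))
        return True
    return False


# Constructed sample files, modelled on the default mod_ssl ssl.conf and a
# second unrelated config; not the real contents of /etc/httpd/conf.d.
SAMPLE_CONFIGS = {
    "/etc/httpd/conf.d/ssl.conf": "# default mod_ssl\nListen 443 https\n"
                                  "<VirtualHost _default_:443>\n",
    "/etc/httpd/conf.d/other.conf": "Listen [::]:8443\nListen 0.0.0.0:8080\n",
}
# ssl.conf after step 4 of the thread: moved off 443 to 10443.
FIXED_SSL_CONF = "Listen 10443 https\n<VirtualHost _default_:10443>\n"

if __name__ == "__main__":
    print(check_apache_port(SAMPLE_CONFIGS))  # True: ssl.conf still on 443
    print(check_apache_port({"/etc/httpd/conf.d/ssl.conf": FIXED_SSL_CONF}))
```

Because the check reads only the config files present at install time, it cannot catch mod_ssl installed afterwards, which is exactly the case Petr describes above where Apache simply fails to start.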