Bug #27254

open

Bug #27156: Do not send CA list on client authentication

Apache refuses to start when /var/rudder/lib/ssl/policy_server.pem is a symlink

Added by François ARMAND 1 day ago. Updated about 16 hours ago.

Status:
Pending release
Priority:
N/A
Category:
Server components
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No

Description

When we try to copy /var/rudder/cfengine-community/inputs/certs/policy-server.pem, which is a symlink, Apache refuses to start, telling us that the file does not exist:

Jul 09 12:25:05 server httpd[76973]: AH00526: Syntax error on line 32 of /opt/rudder/etc/rudder-apache-relay-ssl.conf:
Jul 09 12:25:05 server httpd[76973]: SSLCADNRequestFile: file '/var/rudder/lib/ssl/policy_server.pem' does not exist or is empty

While:

[root@server vagrant]# ll /var/rudder/lib/ssl/policy_server.pem
lrwxrwxrwx. 1 root rudder 8 Jul  9 08:31 /var/rudder/lib/ssl/policy_server.pem -> root.pem
[root@server vagrant]# ll /var/rudder/lib/ssl/root.pem
-rw-r-----. 1 root rudder 1894 Jul  9 08:35 /var/rudder/lib/ssl/root.pem
cat /var/rudder/lib/ssl/policy_server.pem
-----BEGIN CERTIFICATE-----
MIIFSzCCAzOgAwIBAgIUI5ZJHwI/wFbd9VF4CTMeJ3ChRccwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGCgmSJomT8ixkAQEMBHJvb3QwHhcNMjUwNzA5MDgyOTE3WhcNMzUw
NzA3MDgyOTE3WjAWMRQwEgYKCZImiZPyLGQBAQwEcm9vdDCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAMKFlne/p6Wo8pCFuRkF7etkDLC0vWqLML5LRF1B
1+1wEdY8Eq/WRTF7wK6SKIRCLLJttsbEVw6zP5lSmTBqQrOYSooWhBFyXmU+SvAL
....

So we need to copy root.pem directly.

Files

clipboard-202507101425-lvrdj.png (20.5 KB) François ARMAND, 2025-07-10 14:25

#1

Updated by François ARMAND 1 day ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
#2

Updated by François ARMAND 1 day ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1892
#3

Updated by François ARMAND about 19 hours ago

This is actually a SELinux problem:

#4

Updated by François ARMAND about 19 hours ago

  • Status changed from Pending technical review to In progress
#5

Updated by Nicolas CHARLES about 19 hours ago

The SELinux log is:

type=AVC msg=audit(1752150940.565:1072): avc:  denied  { read } for  pid=26024 comm="httpd" name="policy_server.pem" dev="sda4" ino=477651 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rudder_relayd_var_lib_t:s0 tclass=lnk_file permissive=0
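Added example, not part of this issue or of the Rudder project: a POSIX shell script with two sets of helpers. resolve_ca_file and copy_ca_file follow a symlink such as policy_server.pem to its real target and check that it is a non-empty regular file before copying, which is the "copy root.pem directly" approach from the description. avc_field, avc_perm and avc_explain parse the AVC line above and show that the denied object class is lnk_file, that is, httpd_t was refused read on the symlink itself, not on root.pem. The function names, the temporary fixture the demo builds and the placeholder certificate content are constructed for the example; the AVC line is the one quoted in this issue.

```shell
#!/bin/sh
# Added example (not from the Rudder issue or project).

# The AVC denial line quoted in this issue, kept as a sample input.
AVC_SAMPLE='type=AVC msg=audit(1752150940.565:1072): avc:  denied  { read } for  pid=26024 comm="httpd" name="policy_server.pem" dev="sda4" ino=477651 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rudder_relayd_var_lib_t:s0 tclass=lnk_file permissive=0'

# Print the canonical path of a candidate CA file if, after symlink
# resolution, it is a non-empty regular file; return 1 otherwise.
# This mirrors what Apache's "does not exist or is empty" check expects.
resolve_ca_file() {
    candidate="$1"
    # readlink -f canonicalises every symlink component and fails on a dangling link
    real=$(readlink -f -- "$candidate") || return 1
    [ -f "$real" ] && [ -s "$real" ] || return 1
    printf '%s\n' "$real"
}

# Copy the resolved target (never the symlink) to the destination path,
# so the file Apache opens carries the certificate bytes and its own label.
copy_ca_file() {
    src=$(resolve_ca_file "$1") || return 1
    cp -- "$src" "$2"
}

# Extract one key=value field from an AVC line; quotes around the value are stripped.
avc_field() {
    key="$1"
    set -f            # no globbing while the line is word-split
    set -- $2
    set +f
    for tok in "$@"; do
        case $tok in
            "$key="*)
                val=${tok#"$key="}
                val=${val#\"}
                val=${val%\"}
                printf '%s\n' "$val"
                return 0 ;;
        esac
    done
    return 1
}

# Extract the permission set between "{" and "}" (e.g. "read").
avc_perm() {
    rest=${1#*"{ "}
    printf '%s\n' "${rest%%" }"*}"
}

# True when the denied object is the symlink itself rather than its target.
avc_is_symlink_denial() {
    [ "$(avc_field tclass "$1")" = lnk_file ]
}

# One-line human summary of the denial.
avc_explain() {
    printf '%s (%s) denied %s on %s "%s" labelled %s\n' \
        "$(avc_field comm "$1")" "$(avc_field scontext "$1")" "$(avc_perm "$1")" \
        "$(avc_field tclass "$1")" "$(avc_field name "$1")" "$(avc_field tcontext "$1")"
}

# Demo on a constructed fixture in a temporary directory (placeholder content,
# not a real certificate); nothing outside that directory is touched.
demo() {
    d=$(mktemp -d) || return 1
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$d/root.pem"
    ln -s root.pem "$d/policy_server.pem"
    echo "symlink resolves to: $(resolve_ca_file "$d/policy_server.pem")"
    copy_ca_file "$d/policy_server.pem" "$d/copied.pem" && echo "copied regular file: $d/copied.pem"
    avc_explain "$AVC_SAMPLE"
    if avc_is_symlink_denial "$AVC_SAMPLE"; then
        echo "denial is on the symlink (tclass=lnk_file): copy the target file instead"
    fi
    rm -rf "$d"
}

demo
```

Run it with sh; it only writes into the temporary directory it creates. The same avc_field helper works on any AVC line from /var/log/audit/audit.log, which makes it easy to confirm whether a failure is a symlink-class denial before touching the policy.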
#6

Updated by Benoît PECCATTE about 17 hours ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to François ARMAND
  • Pull Request changed from https://github.com/Normation/rudder-techniques/pull/1892 to https://github.com/Normation/rudder/pull/6514
#7

Updated by Benoît PECCATTE about 16 hours ago

  • Status changed from Pending technical review to Pending release