Bug #27254
Bug #27156 (closed): Do not send CA list on client authentication
Apache refuses to start when /var/rudder/lib/ssl/policy_server.pem is a symlink
Description
When we try to copy /var/rudder/cfengine-community/inputs/certs/policy-server.pem, which is a symlink, Apache refuses to start, telling us that the file does not exist:
Jul 09 12:25:05 server httpd[76973]: AH00526: Syntax error on line 32 of /opt/rudder/etc/rudder-apache-relay-ssl.conf:
Jul 09 12:25:05 server httpd[76973]: SSLCADNRequestFile: file '/var/rudder/lib/ssl/policy_server.pem' does not exist or is empty
While:
[root@server vagrant]# ll /var/rudder/lib/ssl/policy_server.pem
lrwxrwxrwx. 1 root rudder 8 Jul 9 08:31 /var/rudder/lib/ssl/policy_server.pem -> root.pem
[root@server vagrant]# ll /var/rudder/lib/ssl/root.pem
-rw-r-----. 1 root rudder 1894 Jul 9 08:35 /var/rudder/lib/ssl/root.pem
cat /var/rudder/lib/ssl/policy_server.pem
-----BEGIN CERTIFICATE-----
MIIFSzCCAzOgAwIBAgIUI5ZJHwI/wFbd9VF4CTMeJ3ChRccwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGCgmSJomT8ixkAQEMBHJvb3QwHhcNMjUwNzA5MDgyOTE3WhcNMzUw
NzA3MDgyOTE3WjAWMRQwEgYKCZImiZPyLGQBAQwEcm9vdDCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAMKFlne/p6Wo8pCFuRkF7etkDLC0vWqLML5LRF1B
1+1wEdY8Eq/WRTF7wK6SKIRCLLJttsbEVw6zP5lSmTBqQrOYSooWhBFyXmU+SvAL
....
So we need to copy root.pem directly.
Files
Updated by François ARMAND 24 days ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND 24 days ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1892
Updated by François ARMAND 23 days ago
This is actually an SELinux problem.
Updated by François ARMAND 23 days ago
- Status changed from Pending technical review to In progress
Updated by Nicolas CHARLES 23 days ago
The SELinux log is:
type=AVC msg=audit(1752150940.565:1072): avc: denied { read } for pid=26024 comm="httpd" name="policy_server.pem" dev="sda4" ino=477651 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rudder_relayd_var_lib_t:s0 tclass=lnk_file permissive=0
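As an added example (not code from this report or from Rudder), a small parser for audit AVC records like the one above. It shows why this denial is about the symlink object itself (tclass=lnk_file, in the enforcing mode flagged by permissive=0): the label and permissions of the target root.pem never come into play, which is why copying the file instead of linking it sidesteps the problem. The second sample line is constructed for contrast.

```python
import re
from dataclasses import dataclass

# Constructed samples: the first is the AVC record quoted in this report, the
# second is a hypothetical denial on a regular file, built for contrast.
AVC_SYMLINK = (
    'type=AVC msg=audit(1752150940.565:1072): avc: denied { read } for pid=26024 '
    'comm="httpd" name="policy_server.pem" dev="sda4" ino=477651 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:rudder_relayd_var_lib_t:s0 tclass=lnk_file permissive=0'
)
AVC_FILE = AVC_SYMLINK.replace('name="policy_server.pem"', 'name="root.pem"') \
                      .replace("tclass=lnk_file", "tclass=file")

_DECISION = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values may be quoted


@dataclass
class AvcRecord:
    decision: str   # "denied" or "granted"
    perms: list     # permission set inside the braces, e.g. ["read"]
    fields: dict    # remaining key=value pairs, quotes stripped

    @property
    def enforcing(self) -> bool:
        # permissive=0 means the denial was actually enforced, not just logged
        return self.fields.get("permissive") == "0"

    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]   # user:role:type:level

    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str) -> AvcRecord:
    """Parse one audit AVC line into decision, permission set and fields."""
    m = _DECISION.search(line)
    if m is None:
        raise ValueError("not an AVC record: " + line)
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return AvcRecord(m.group(1), m.group(2).split(), fields)


def explain(rec: AvcRecord) -> str:
    """Name the refused object: a lnk_file denial concerns the symlink itself,
    so whatever the link points at is never consulted by the policy check."""
    obj = "symlink" if rec.fields["tclass"] == "lnk_file" else rec.fields["tclass"]
    mode = "enforced" if rec.enforcing else "permissive (logged only)"
    return (f'{rec.source_type()} was {rec.decision} {" ".join(rec.perms)} on '
            f'{obj} "{rec.fields.get("name")}" labelled {rec.target_type()} ({mode})')
```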
Updated by Benoît PECCATTE 23 days ago
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to François ARMAND
- Pull Request changed from https://github.com/Normation/rudder-techniques/pull/1892 to https://github.com/Normation/rudder/pull/6514
Updated by Benoît PECCATTE 23 days ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|4d891cb773ead9772d5f5358508149ae75931d2f.
Updated by François ARMAND 22 days ago
- Fix check changed from To do to Error - Blocking
Updated by François ARMAND 18 days ago
- Fix check changed from Error - Blocking to Error - Fixed
So, it was a mix of several things:
- https://issues.rudder.io/issues/27267, which made it impossible to copy the correct file where it was needed
- https://issues.rudder.io/issues/27276, which is an older bug with an easy workaround, caused by SELinux.
The first one was new and is now corrected. The second one can wait for the next patch release.
Updated by Félix DALLIDET 16 days ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.2.8 and 8.3.3 which were released today.