Bug #27268
Bug #27156 (open): Do not send CA list on client authentication
Bug #27254: Apache refuses to start when /var/rudder/lib/ssl/policy_server.pem is a symlink
On root, /var/rudder/lib/ssl/policy_server.pem cannot be copied with a mix of logic and SELinux
Priority: 0
Name check: To do
Fix check: To do
Regression: No
Description
We still have a problem that appeared between 8.3.2.
On root server (Alma 9.5):
rudder agent run
E| compliant rudder-service-relayd Rudder-relayd service Policy-server cer| Copying /var/rudder/lib/ssl/policy_server.pem from local /var/rudder/cfengine-community/inputs/certs/policy-server.pem was correct

[root@server vagrant]# ll /var/rudder/cfengine-community/inputs/certs/policy-server.pem
lrwxrwxrwx. 1 root root 8 Jul 11 09:05 /var/rudder/cfengine-community/inputs/certs/policy-server.pem -> root.pem
[root@server vagrant]# ll /var/rudder/lib/ssl/policy_server.pem
lrwxrwxrwx. 1 root rudder 8 Jul 11 09:00 /var/rudder/lib/ssl/policy_server.pem -> root.pem
On 8.3.3 (fresh install, not migration):
E| error rudder-service-relayd Rudder-relayd service Policy-server cer| Copying /var/rudder/lib/ssl/policy_server.pem from local /var/rudder/cfengine-community/inputs/certs/policy-server.pem could not be repaired
And this time, /var/rudder/lib/ssl/policy_server.pem is a file (so we can't copy a link on a file).
And on migration from 8.3.2 to 8.3.3, we can the file types, but then, we get an error from apache:
[root@server vagrant]# systemctl status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Fri 2025-07-11 09:33:35 UTC; 32s ago
   Duration: 31min 21.738s
       Docs: man:httpd.service(8)
    Process: 36408 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 36408 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
        CPU: 42ms

Jul 11 09:33:35 server systemd[1]: Starting The Apache HTTP Server...
Jul 11 09:33:35 server httpd[36408]: AH00526: Syntax error on line 32 of /opt/rudder/etc/rudder-apache-relay-ssl.conf:
Jul 11 09:33:35 server httpd[36408]: SSLCADNRequestFile: file '/var/rudder/lib/ssl/policy_server.pem' does not exist or is empty
Jul 11 09:33:35 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 09:33:35 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 11 09:33:35 server systemd[1]: Failed to start The Apache HTTP Server.
Jul 11 09:33:36 server systemd[1]: httpd.service: Unit cannot be reloaded because it is inactive.
That error is resolved by "setenforce 0".
The CP logic is taken care of in https://issues.rudder.io/issues/27267
Updated by François ARMAND about 8 hours ago
- Related to Bug #27267: Overwrite the /var/rudder/lib/ssl/policy_server.pem when it is a symlink added
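
A triage helper for the two failure modes reported above, added here as an example and not part of Rudder or of the original report: it separates a symlink/regular-file type mismatch between the source and destination certificate from a destination that does not resolve to a non-empty file. The function names and the `--run` switch are hypothetical; the paths are the ones quoted in the report.

```shell
#!/bin/sh
# Added example, not Rudder code. Function names and --run are hypothetical.

# Print the kind of a path: symlink, dangling-symlink, file, other or missing.
path_kind() {
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then echo symlink; else echo dangling-symlink; fi
    elif [ -f "$1" ]; then
        echo file
    elif [ -e "$1" ]; then
        echo other
    else
        echo missing
    fi
}

# Compare the certificate source and destination and print one verdict:
#   type-mismatch:<src>-><dst>  kinds differ (e.g. symlink source, file destination)
#   unreadable-or-empty:<kind>  destination does not resolve to a non-empty readable file
#   ok:<kind>                   same kind, and the destination resolves to content
check_cert_pair() {
    src=$1
    dst=$2
    sk=$(path_kind "$src")
    dk=$(path_kind "$dst")
    if [ "$sk" != "$dk" ]; then
        echo "type-mismatch:$sk->$dk"
        return 1
    fi
    # -s and -r follow symlinks, so a dangling or empty target fails here.
    if [ ! -s "$dst" ] || [ ! -r "$dst" ]; then
        echo "unreadable-or-empty:$dk"
        return 2
    fi
    echo "ok:$dk"
}

if [ "${1:-}" = "--run" ]; then
    SRC=/var/rudder/cfengine-community/inputs/certs/policy-server.pem
    DST=/var/rudder/lib/ssl/policy_server.pem
    check_cert_pair "$SRC" "$DST"
    # Record the SELinux mode and labels next to the verdict (GNU ls/readlink).
    command -v getenforce >/dev/null 2>&1 && echo "selinux: $(getenforce)"
    ls -lZ "$DST" "$(readlink -f "$DST")" 2>/dev/null
fi
```

A verdict of `ok` from a root shell while httpd still reports the file as missing or empty points at SELinux rather than at the file types, consistent with the `setenforce 0` observation in the report.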