Bug #27268

open

Bug #27156: Do not send CA list on client authentication

Bug #27254: Apache refuses to start when /var/rudder/lib/ssl/policy_server.pem is a symlink

On root, /var/rudder/lib/ssl/policy_server.pem cannot be copied with a mix of logic and SELinux

Added by François ARMAND about 7 hours ago.

Status: New
Priority: N/A
Assignee: -
Category: -
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: To do
Regression: No

Description

We still have a problem that appeared between 8.3.2.

On root server (Alma 9.5):

rudder agent run
E| compliant     rudder-service-relayd     Rudder-relayd service     Policy-server cer| Copying /var/rudder/lib/ssl/policy_server.pem from local /var/rudder/cfengine-community/inputs/certs/policy-server.pem was correct

[root@server vagrant]# ll /var/rudder/cfengine-community/inputs/certs/policy-server.pem
lrwxrwxrwx. 1 root root 8 Jul 11 09:05 /var/rudder/cfengine-community/inputs/certs/policy-server.pem -> root.pem
[root@server vagrant]# ll /var/rudder/lib/ssl/policy_server.pem
lrwxrwxrwx. 1 root rudder 8 Jul 11 09:00 /var/rudder/lib/ssl/policy_server.pem -> root.pem

On 8.3.3 (fresh install, not migration):

E| error         rudder-service-relayd     Rudder-relayd service     Policy-server cer| Copying /var/rudder/lib/ssl/policy_server.pem from local /var/rudder/cfengine-community/inputs/certs/policy-server.pem could not be repaired

And this time, /var/rudder/lib/ssl/policy_server.pem is a file (so we can't copy a link on a file).

And on migration from 8.3.2 to 8.3.3, we can the file types, but then, we get an error from apache:

[root@server vagrant]# systemctl status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Fri 2025-07-11 09:33:35 UTC; 32s ago
   Duration: 31min 21.738s
       Docs: man:httpd.service(8)
    Process: 36408 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 36408 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..." 
        CPU: 42ms

Jul 11 09:33:35 server systemd[1]: Starting The Apache HTTP Server...
Jul 11 09:33:35 server httpd[36408]: AH00526: Syntax error on line 32 of /opt/rudder/etc/rudder-apache-relay-ssl.conf:
Jul 11 09:33:35 server httpd[36408]: SSLCADNRequestFile: file '/var/rudder/lib/ssl/policy_server.pem' does not exist or is empty
Jul 11 09:33:35 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 09:33:35 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 11 09:33:35 server systemd[1]: Failed to start The Apache HTTP Server.
Jul 11 09:33:36 server systemd[1]: httpd.service: Unit cannot be reloaded because it is inactive.

That error is resolved by "setenforce 0".

The CP logic is taken care of in https://issues.rudder.io/issues/27267


Related issues 1 (1 open, 0 closed)

Related to Rudder - Bug #27267: Overwrite the /var/rudder/lib/ssl/policy_server.pem when it is a symlink - Pending release - Benoît PECCATTE

#1

Updated by François ARMAND about 7 hours ago

  • Related to Bug #27267: Overwrite the /var/rudder/lib/ssl/policy_server.pem when it is a symlink added
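
A read-only diagnostic for the states this ticket describes (regular file or symlink, missing or empty target, SELinux label of the link and of its target), as an added example that is not part of the original ticket or of Rudder's code. The function names and state strings are hypothetical, and `stat -c %C` assumes GNU coreutils.

```shell
#!/bin/sh
# Read-only check of a certificate path: file type, link target, size, SELinux label.

# classify_pem PATH -> missing | dangling-symlink | symlink-to-empty | symlink-ok
#                      | not-a-regular-file | empty-file | file-ok
classify_pem() {
    if [ -L "$1" ]; then
        if [ ! -e "$1" ]; then echo dangling-symlink
        elif [ ! -s "$1" ]; then echo symlink-to-empty
        else echo symlink-ok
        fi
    elif [ ! -e "$1" ]; then echo missing
    elif [ ! -f "$1" ]; then echo not-a-regular-file
    elif [ ! -s "$1" ]; then echo empty-file
    else echo file-ok
    fi
}

# selinux_label PATH [-L] -> security context of PATH itself, or of its
# target with -L; "n/a" when it cannot be read (assumes GNU stat).
selinux_label() {
    ctx=$(stat ${2:+"$2"} -c %C "$1" 2>/dev/null) && [ -n "$ctx" ] \
        && echo "$ctx" || echo "n/a"
}

# report_pem PATH -> prints state, labels and, if available, the SELinux mode.
report_pem() {
    echo "path:         $1"
    echo "state:        $(classify_pem "$1")"
    echo "label:        $(selinux_label "$1")"
    if [ -L "$1" ]; then
        echo "link target:  $(readlink "$1")"
        echo "target label: $(selinux_label "$1" -L)"
    fi
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux mode: $(getenforce)"
    fi
}

# Usage: sh check_pem.sh /var/rudder/lib/ssl/policy_server.pem
if [ "$#" -gt 0 ]; then
    for p in "$@"; do report_pem "$p"; done
fi
```

Running it on both `/var/rudder/lib/ssl/policy_server.pem` and `/var/rudder/cfengine-community/inputs/certs/policy-server.pem` shows side by side whether the two paths have the same file type and whether the link and its target carry different labels.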