Bug 106698 - Apache-2.0.54-r31 overwrites ssl certificates
Summary: Apache-2.0.54-r31 overwrites ssl certificates
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High normal
Assignee: Apache Team - Bugzilla Reports
Reported: 2005-09-20 09:56 UTC by John Caswell
Modified: 2005-10-22 14:32 UTC
Description John Caswell 2005-09-20 09:56:54 UTC
The ebuild overwrites server.crt and server.key in /etc/apache2/ssl with a
self-signed certificate.  The certificate is signed by localhost.

Reproducible: Always
Steps to Reproduce:
1.  Copy real server.crt and server.key to /etc/apache2/ssl
2.  emerge apache
3.  files are overwritten

Actual Results:  
Certificate replaced with a new certificate signed by localhost

Expected Results:  
Should have checked to see if they exist before writing new ones.  Perhaps put
this under the protection of etc-update style config protect?
Comment 1 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-20 13:25:39 UTC
/etc/apache2/ssl is a subdirectory of /etc, which is in CONFIG_PROTECT. Please
post your `emerge info` so that we can determine why your certificates got
overwritten.
Comment 2 John Caswell 2005-09-20 13:27:41 UTC
Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r1,
2.6.12-gentoo-r10-Zeus i686)
=================================================================
System uname: 2.6.12-gentoo-r10-Zeus i686 AMD Athlon(tm) XP 2600+
Gentoo Base System version 1.6.13
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O3 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/alias /var/qmail/control
/var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm arts avi berkdb bitmap-fonts crypt curl eds emboss
encode foomaticdb fortran gdbm gif gpm gstreamer gtk2 imagemagick imap imlib
ipv6 java jpeg libg++ libwww mad maildir mikmod motif mp3 mpeg mysql ncurses nls
ogg oggvorbis opengl oss pam pdflib perl php png python quicktime readline samba
sdl spell ssl tcpd tiff truetype truetype-fonts type1-fonts vorbis xml2 xmms xv
zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

Comment 3 Colonel Paneek 2005-09-21 14:57:07 UTC
The bug bit me too.
Here's my info in case it helps narrow down the cause of the bug.

Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.3.5-20050130,
glibc-2.3.4.20041102-r1, 2.6.11.11 i686)
=================================================================
System uname: 2.6.11.11 i686 AMD Athlon(TM) XP 2400+
Gentoo Base System version 1.6.12
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.10
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.4.3-r4, 1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer"
DISTDIR="/mnt/dump/gentoo/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://solder.ath.cx/gentoo ftp://planetmirror.com/pub/gentoo/
http://www.ibiblio.org/pub/Linux/distributions/gentoo
http://gentoo.oregonstate.edu"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow X alsa apache2 apm avi berkdb bitmap-fonts crypt cscope cups eds
emboss encode foomaticdb fortran gdbm gif gpm gstreamer gtk gtk2 imlib ipv6 jpeg
kde libg++ libwww mad mikmod mp3 mpeg mysql ncurses no-htdocs ogg oggvorbis
opengl oss pam pdflib perl php png python readline sdl spell ssl tcpd tiff
truetype truetype-fonts type1-fonts usb vorbis xml2 xmms xv zlib userland_GNU
kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS
Comment 4 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-21 18:56:34 UTC
OK, I see why CONFIG_PROTECT isn't protecting those files: the cert and key are
generated during pkg_postinst, which is done after merging and on the live
filesystem.

However, gentestcrt.sh contains a check right at the beginning of it:

if [ ! -e ./server.crt -a ! -e ./server.key ];then 
    echo "Will create server.key and server.crt in `pwd`"
else
    echo "server.key and server.crt already exist, dying"
    exit
fi

(we cd to ${ROOT}/etc/apache2/ssl before running it)

The script should find that the files exist and not try to create the files
again. Testing this on my own system, it's not recreating the certificates.

Can you guys check your system and see if this test exists in
/usr/sbin/gentestcrt.sh?

Also, change to /etc/apache2/ssl and run the script /usr/sbin/gentestcrt.sh
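Because pkg_postinst writes straight to the live filesystem, CONFIG_PROTECT never sees /etc/apache2/ssl/server.key, and the existence check inside gentestcrt.sh is the only thing standing between an `emerge apache` and a clobbered production key. The script below is an added example, not the ebuild's gentestcrt.sh or any other Gentoo code, of that "generate only if absent" guard written as a reusable function. It assumes the openssl CLI is installed for the default generator; the names ensure_test_cert and gen_self_signed, the optional GENERATOR argument and the return codes are this example's own choices. It goes a step beyond the quoted check in two ways: it distinguishes "both files present" from "only one present" instead of treating both as "dying", and it reports the outcome in its exit status (the quoted script's bare `exit` returns the status of the preceding echo, i.e. 0, so a caller cannot tell "skipped" from "generated").

```sh
#!/bin/sh
# Added example: an idempotent "generate a throwaway self-signed cert only if
# none is installed" guard. Not the Gentoo ebuild's gentestcrt.sh; the function
# names, return codes and the GENERATOR hook are this example's own choices.

# gen_self_signed KEY CRT
#   Default generator: 2048-bit RSA key plus a self-signed cert for CN=localhost.
#   Assumes the openssl CLI is installed; output is silenced so callers see only
#   the guard's messages.
gen_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=localhost" -keyout "$1" -out "$2" >/dev/null 2>&1
}

# ensure_test_cert DIR [GENERATOR]
#   Creates DIR/server.key and DIR/server.crt with GENERATOR (default:
#   gen_self_signed) only when NEITHER file exists. Never overwrites.
#   Return codes:
#     0  a new pair was generated
#     1  generation failed (DIR not creatable or GENERATOR returned non-zero)
#     2  both files already exist; left untouched
#     3  exactly one file exists; refused to act on an inconsistent state
ensure_test_cert() {
    _dir=$1
    _gen=${2:-gen_self_signed}
    _key="$_dir/server.key"
    _crt="$_dir/server.crt"

    if [ -e "$_key" ] && [ -e "$_crt" ]; then
        echo "server.key and server.crt already exist in $_dir, leaving them alone" >&2
        return 2
    fi
    if [ -e "$_key" ] || [ -e "$_crt" ]; then
        echo "only one of server.key/server.crt exists in $_dir, refusing to guess" >&2
        return 3
    fi

    mkdir -p "$_dir" || return 1
    # umask 077 in a subshell so the private key is never world-readable,
    # not even between creation and a later chmod.
    ( umask 077 && "$_gen" "$_key" "$_crt" ) || {
        # Remove partial output so a retry does not land in the "one file" case.
        rm -f "$_key" "$_crt"
        return 1
    }
    chmod 0644 "$_crt"
    echo "generated throwaway self-signed server.key and server.crt in $_dir" >&2
    return 0
}

# Stand-alone use: sh ensure_test_cert.sh /etc/apache2/ssl
if [ -n "${1:-}" ]; then
    ensure_test_cert "$1"
fi
```

Run it twice against the same directory: the first call creates the pair, the second exits 2 and leaves both files byte-for-byte intact, which is the behaviour the reporter expected from the ebuild. Before and after an emerge, a `sha256sum /etc/apache2/ssl/server.*` is the quickest way to confirm that nothing in pkg_postinst touched the real certificate.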
Comment 5 John Caswell 2005-09-29 12:26:44 UTC
The test exists in the script.
When run manually, it does detect the certificates and exit gracefully.

Just re-emerged apache to double check.  Here's the tail end of the output:

>>> original instance of package unmerged safely.
 *
 * Generating self-signed test certificate in /etc/apache2/ssl...
 *
 *
 * LFS support has been removed due to incompatibilities with other packages.
 * You _will_ have to re-emerge any Apache modules you have installed, or
 * they will likely misbehave/segfault.
 *
 *
 * Multiple MPM support has been disabled due to problems with external
 * modules.  If you have relied on this functionality you will need
 * to find another solution.  The Gentoo Apache team apologizes for
 * any inconvenience this may cause you.
 *
>>> Regenerating /etc/ld.so.cache...
>>> net-www/apache-2.0.54-r31 merged.

>>> clean: No packages selected for removal.

>>> Auto-cleaning packages ...

>>> No outdated packages were found on your system.


 * GNU info directory index is up-to-date.

Seems to be behaving correctly now, certificates no longer overwritten.
Comment 6 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-10-22 14:32:32 UTC
I'm not sure what caused this in the first place, we didn't change anything that
would cause it to not work and then work again. Re-open this if it crops up again.