This doesn't seem to be generated out of the box, and it's on by default with USE=ssl. If generating this should be done, it should be documented on i.e. the wiki page for Apache. Otherwise, it should be off by default so that starting Apache works out of the box.

```
$ sudo systemctl status apache2
× apache2.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/apache2.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Thu 2025-05-22 11:54:29 ADT; 17s ago
   Duration: 101ms
 Invocation: 8fb2f071472a42a38f7686c869e46356
    Process: 9123 ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 9123 (code=exited, status=1/FAILURE)
   Mem peak: 2.6M
        CPU: 30ms

May 22 11:54:29 utmgentoo systemd[1]: Started The Apache HTTP Server.
May 22 11:54:29 utmgentoo apache2[9123]: AH00526: Syntax error on line 47 of /etc/apache2/vhosts.d/00_default_ssl_vhost.conf:
May 22 11:54:29 utmgentoo apache2[9123]: SSLCertificateFile: file '/etc/ssl/apache2/server.crt' does not exist or is empty
May 22 11:54:29 utmgentoo systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
May 22 11:54:29 utmgentoo systemd[1]: apache2.service: Failed with result 'exit-code'.
```

emerge --info:

```
Portage 3.0.66.1 (python 3.12.9-final-0, default/linux/arm64/23.0/systemd, gcc-14, glibc-2.40-r8, 6.12.16-gentoo-dist aarch64)
=================================================================
System uname: Linux-6.12.16-gentoo-dist-aarch64-with-glibc2.40
KiB Mem:     3991628 total,   3431176 free
KiB Swap:    4194300 total,   4194300 free
Timestamp of repository gentoo: Tue, 06 May 2025 04:45:00 +0000
Head commit of repository gentoo: 5cb7f712f96426481ecf1d9646b6ac16abe3f69c
sh bash 5.2_p37
ld GNU ld (Gentoo 2.43 p3) 2.43.1
app-misc/pax-utils:        1.3.8::gentoo
app-shells/bash:           5.2_p37::gentoo
dev-build/autoconf:        2.72-r1::gentoo
dev-build/automake:        1.17-r1::gentoo
dev-build/cmake:           3.31.5::gentoo
dev-build/libtool:         2.5.4::gentoo
dev-build/make:            4.4.1-r100::gentoo
dev-build/meson:           1.5.2::gentoo
dev-lang/perl:             5.40.0-r1::gentoo
dev-lang/python:           3.12.9::gentoo, 3.13.2::gentoo
llvm-core/clang:           16.0.6::gentoo, 19.1.7::gentoo
llvm-core/llvm:            16.0.6-r5::gentoo, 19.1.7::gentoo
sys-apps/baselayout:       2.17::gentoo
sys-apps/sandbox:          2.39::gentoo
sys-apps/systemd:          256.10::gentoo
sys-devel/binutils:        2.43-r2::gentoo
sys-devel/binutils-config: 5.5.2::gentoo
sys-devel/gcc:             12.4.1_p20241219::gentoo, 14.2.1_p20241221::gentoo
sys-devel/gcc-config:      2.12.1::gentoo
sys-kernel/linux-headers:  6.12::gentoo (virtual/os-headers)
sys-libs/glibc:            2.40-r8::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: False
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 3
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts:

personal
    location: /var/db/repos/personal
    masters: gentoo
    volatile: False

Binary Repositories:

gentoobinhost
    priority: 1
    sync-uri: https://distfiles.gentoo.org/releases/arm64/binpackages/23.0/arm64

ACCEPT_KEYWORDS="arm64"
ACCEPT_LICENSE="@FREE"
CBUILD="aarch64-unknown-linux-gnu"
CFLAGS="-march=armv8.4-a -O2 -pipe"
CHOST="aarch64-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d"
CXXFLAGS="-march=armv8.4-a -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=armv8.4-a -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles getbinpkg ipc-sandbox merge-sync merge-wait multilib-strict network-sandbox news parallel-fetch pid-sandbox pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=armv8.4-a -O2 -pipe"
GENTOO_MIRRORS="http://mirror.reenigne.net/gentoo/ http://gentoo.mirrors.tera-byte.com/ http://mirror.csclub.uwaterloo.ca/gentoo-distfiles/"
LANG="en_CA.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LEX="flex"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="acl arm64 bzip2 crypt gdbm iconv ipv6 libtirpc ncurses nls openmp pam pcre readline seccomp ssl systemd test-rust udev unicode xattr zlib"
ADA_TARGET="gcc_14"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="karbon sheets words"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_ARM="edsp v8 vfp vfp-d32 vfpv3 vfpv4"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox"
GUILE_SINGLE_TARGET="3-0"
GUILE_TARGETS="3-0"
INPUT_DEVICES="libinput"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text"
LUA_SINGLE_TARGET="lua5-1"
LUA_TARGETS="lua5-1"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php8-2"
POSTGRES_TARGETS="postgres17"
PYTHON_SINGLE_TARGET="python3_13"
PYTHON_TARGETS="python3_13"
RUBY_TARGETS="ruby32"
VIDEO_CARDS="fbdev dummy"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, MAKEOPTS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
```
Installing apache should install that certificate. It does this only when the associated .pem file does not exist. Perhaps you have a /etc/ssl/apache2/server.pem file left that prohibits the generation of the certificate?
This was a new install, so there would be no previous Apache config. The only thing that I could think of that may throw it off is that I'm using the binary packages whenever possible. Perhaps those don't create the certificate vs. a normal emerge from source?
Created attachment 929353 [details]
emerge -av www-server/apache

Attaching the emerge output since I forgot, in case it helps for i.e. post-install stuff that didn't get triggered.
(In reply to Calvin Buckley from comment #2)
> This was a new install, so there would be no previous Apache config. The
> only thing that I could think of that may throw it off is that I'm using the
> binary packages whenever possible. Perhaps those don't create the
> certificate vs. a normal emerge from source?

That is a possibility, I have cc'ed the binhost people so that they can have a look.
(In reply to Calvin Buckley from comment #2)
> This was a new install, so there would be no previous Apache config. The
> only thing that I could think of that may throw it off is that I'm using the
> binary packages whenever possible. Perhaps those don't create the
> certificate vs. a normal emerge from source?

Binary packages run pkg_postinst only after being installed. Its (pkg_postinst) output is not part of the built package. apache-2.eclass defines

```
apache-2_pkg_postinst() {
	if use ssl && [[ ! -e "${EROOT}/etc/ssl/apache2/server.pem" ]]; then
		SSL_ORGANIZATION="${SSL_ORGANIZATION:-Apache HTTP Server}"
		install_cert /etc/ssl/apache2/server
[...]
}
```

and this code snippet is executed at `emerge --getbinpkg www-servers/apache` time, *not* on the build server.
From your log,

```
>>> /etc/apache2/httpd.conf
 * Generating OpenSSL configuration for CA ...                         [ ok ]
 * Generating 4096 bit RSA key for CA ...                              [ !! ]
 *
 * The location of SSL certificates has changed. If you are
 * upgrading from www-servers/apache-2.2.13 or earlier (or remerged
 * *any* apache version), you might want to move your old
 * certificates from /etc/apache2/ssl/ to /etc/ssl/apache2/ and
 * update your config files.
```

This is from within that conditional block...

```
install_cert() {
	[...]
	# Generate a CA environment #164601
	gen_cnf 1 || return 1    # will print: Generating OpenSSL configuration
	gen_key 1 || return 1    # will print: Generating ${SSL_BITS} bit RSA key
	gen_csr 1 || return 1    # will print: Generating Certificate Signing Request
	gen_crt 1 || return 1    # will print: Generating self-signed X.509 Certificate
	[...]
}
```

But only the first two run. Oops. The status is "[ !! ]" indicating failure.
Created attachment 929561 [details, diff]
ssl-cert eclass patch

Could you apply this patch to ssl-cert.eclass and reinstall apache? Hopefully this will generate a more useful error message in the build log.
There's no change after applying the patch. Do I need to not use the binary package for this to be applied?

```
[...]
>>> /etc/apache2/httpd.conf
 * Generating OpenSSL configuration for CA ...                         [ ok ]
 * Generating 4096 bit RSA key for CA ...                              [ !! ]
 *
 * The location of SSL certificates has changed. If you are
 * upgrading from www-servers/apache-2.2.13 or earlier (or remerged
 * *any* apache version), you might want to move your old
 * certificates from /etc/apache2/ssl/ to /etc/ssl/apache2/ and
 * update your config files.
 *
 * Attention: cgi and cgid modules are now handled via APACHE2_MODULES flags
 * in make.conf. Make sure to enable those in order to compile them.
 * In general, you should use 'cgid' with threaded MPMs and 'cgi' otherwise.
 * Attention: The tls module based on rustls-ffi has been moved to its own package.
 * emerge www-apache/mod_tls to continue using the tls module.
>>> www-servers/apache-2.4.63-r1 merged.
[...]
```
(In reply to Calvin Buckley from comment #8)
> There's no change after applying the patch. Do I need to not use the binary
> package for this to be applied?

Yes. The pkg_postinst shell code at the time the binary package got built is what is stored in the binary package for later running.
Building `www-servers/apache-2.4.63-r1` after having merged Mike's patch, it seems it actually succeeds somehow:

```
[...]
>>> /usr/lib64/apache2/modules/mod_authn_file.so
 * Generating OpenSSL configuration for CA ...                         [ ok ]
 * Generating 4096 bit RSA key for CA ...                              [ ok ]
 * Generating Certificate Signing Request for CA ...                   [ ok ]
 * Generating self-signed X.509 Certificate for CA ...
Certificate request self-signature ok
subject=C=US, ST=California, L=Santa Barbara, O=Apache HTTP Server, OU=For Testing Purposes Only, CN=localhost CA, emailAddress=root@localhost
                                                                       [ ok ]
 * Generating OpenSSL configuration ...                                [ ok ]
 * Generating 4096 bit RSA key ...                                     [ ok ]
 * Generating Certificate Signing Request ...                          [ ok ]
 * Generating authority-signed X.509 Certificate ...
Certificate request self-signature ok
subject=C=US, ST=California, L=Santa Barbara, O=Apache HTTP Server, OU=For Testing Purposes Only, CN=localhost, emailAddress=root@localhost
                                                                       [ ok ]
 * Generating PEM Certificate ...                                      [ ok ]
 *
 * The location of SSL certificates has changed. If you are
 * upgrading from www-servers/apache-2.2.13 or earlier (or remerged
 * *any* apache version), you might want to move your old
 * certificates from /etc/apache2/ssl/ to /etc/ssl/apache2/ and
 * update your config files.
 *
 * Attention: cgi and cgid modules are now handled via APACHE2_MODULES flags
 * in make.conf. Make sure to enable those in order to compile them.
 * In general, you should use 'cgid' with threaded MPMs and 'cgi' otherwise.
 * Attention: The tls module based on rustls-ffi has been moved to its own package.
 * emerge www-apache/mod_tls to continue using the tls module.
>>> www-servers/apache-2.4.63-r1 merged.
```

The generated certificate is in `/etc/ssl/apache2`. But if I try using the same version as a binpkg from emerge, it fails as previously mentioned:

```
[...]
>>> /etc/apache2/httpd.conf
 * Generating OpenSSL configuration for CA ...                         [ ok ]
 * Generating 4096 bit RSA key for CA ...                              [ !! ]
 *
 * The location of SSL certificates has changed. If you are
 * upgrading from www-servers/apache-2.2.13 or earlier (or remerged
 * *any* apache version), you might want to move your old
 * certificates from /etc/apache2/ssl/ to /etc/ssl/apache2/ and
 * update your config files.
 *
 * Attention: cgi and cgid modules are now handled via APACHE2_MODULES flags
 * in make.conf. Make sure to enable those in order to compile them.
 * In general, you should use 'cgid' with threaded MPMs and 'cgi' otherwise.
 * Attention: The tls module based on rustls-ffi has been moved to its own package.
 * emerge www-apache/mod_tls to continue using the tls module.
>>> www-servers/apache-2.4.63-r1 merged.
```
Hmm, maybe just add a /usr/local/bin/openssl wrapper script that redirects stdout/stderr to /tmp/sslcert.log and wait for the binary package to call the wrapper.
Reinstalling the binary package after removing /etc/ssl/apache2 again, same error condition as last time, and nothing interesting in stdio from openssl:

```
utmgentoo /var/db/repos/gentoo # cat /tmp/ssl.err
 ** openssl genrsa -rand /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/environment:/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log:/etc/resolv.conf -out /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/264461ca.key 4096
utmgentoo /var/db/repos/gentoo # cat /tmp/ssl.out
 ** openssl genrsa -rand /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/environment:/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log:/etc/resolv.conf -out /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/264461ca.key 4096
utmgentoo /var/db/repos/gentoo # cat /usr/local/bin/openssl
#!/usr/bin/env bash
set -euo pipefail
echo " ** openssl $@" >> /tmp/ssl.out
echo " ** openssl $@" >> /tmp/ssl.err
/usr/bin/openssl "$@" | tee -a /tmp/ssl.out 2>> /tmp/ssl.err
```
(In reply to Calvin Buckley from comment #12)
> utmgentoo /var/db/repos/gentoo # cat /usr/local/bin/openssl
> #!/usr/bin/env bash
> set -euo pipefail
> echo " ** openssl $@" >> /tmp/ssl.out
> echo " ** openssl $@" >> /tmp/ssl.err
> /usr/bin/openssl "$@" | tee -a /tmp/ssl.out 2>> /tmp/ssl.err
> ```

Don't bother with tee. For this use case it is unnecessary complexity and is hiding the fact that the error stream for the openssl tool isn't being redirected at all -- only the error stream for "tee".
Ah, forget it, I was capturing stderr from the wrong thing. I love unix!

```
utmgentoo /var/db/repos/gentoo # cat /tmp/ssl.out
 ** openssl genrsa -rand /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/environment:/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log:/etc/resolv.conf -out /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/264967ca.key 4096
utmgentoo /var/db/repos/gentoo # cat /tmp/ssl.err
 ** openssl genrsa -rand /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/environment:/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log:/etc/resolv.conf -out /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/264967ca.key 4096
Can't load /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log into RNG
209024ABFFFF0000:error:12000079:random number generator:RAND_load_file:Cannot open file:../openssl-3.3.3/crypto/rand/randfile.c:107:Filename=/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log
utmgentoo /var/db/repos/gentoo # cat /usr/local/bin/openssl
#!/usr/bin/env bash
set -euo pipefail
echo " ** openssl $@" >> /tmp/ssl.out
echo " ** openssl $@" >> /tmp/ssl.err
/usr/bin/openssl "$@" >> /tmp/ssl.out 2>> /tmp/ssl.err
```
```
# Location of some random files OpenSSL can use: don't use
# /dev/u?random here -- doesn't work properly on all platforms
SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
```
(In reply to Sam James from comment #15)
> ```
> # Location of some random files OpenSSL can use: don't use
> # /dev/u?random here -- doesn't work properly on all platforms
> SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
> ```

https://docs.openssl.org/1.1.1/man1/rand/#notes

"""
NOTES

Prior to OpenSSL 1.1.1, it was common for applications to store information about the state of the random-number generator in a file that was loaded at startup and rewritten upon exit. On modern operating systems, this is generally no longer necessary as OpenSSL will seed itself from a trusted entropy source provided by the operating system. The -rand and -writerand flags are still supported for special platforms or circumstances that might require them.

It is generally an error to use the same seed file more than once and every use of -rand should be paired with -writerand.
"""
*** Bug 791184 has been marked as a duplicate of this bug. ***
An old dupe: bug 791184.
openssl is trying to use ${T}/eclass-debug.log to seed its random number generator. It seems this file does not exist when the binpkg is being merged. ssl-cert.eclass mentions that /dev/[u]random should not be used since it "doesn't work properly on all platforms". This comment dates back to 2003 and is likely nonsense. Modern openssl will use the getrandom() syscall on Linux anyway. I would propose we drop SSL_RANDOM and the -rand option from ssl-cert.eclass.
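Both failure modes discussed above, as an added shell example that is not code from this bug thread or from the Gentoo tree: the stderr redirection mistake from comments 12 and 13 (a pipe carries only stdout, so `cmd | tee -a out 2>>err` redirects tee's stderr, not cmd's), and the `-rand` failure from comments 14 and 19, where a seed file that does not exist at merge time makes `openssl genrsa` exit non-zero even though the OS RNG is available, while the same call without `-rand` (the shape of the eventual fix) succeeds. The `noisy_tool` stand-in, the temp-dir paths and the 2048-bit key size are assumptions made for this demo; the openssl part is skipped when openssl is not installed.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug thread or from the Gentoo tree.
# Part 1: why "cmd | tee out 2>>err" loses cmd's stderr (comments 12/13).
# Part 2: the ssl-cert.eclass failure, "-rand" naming a seed file that does
#         not exist at merge time (comments 14/19).
# Assumptions: temp-dir paths, the noisy_tool stand-in, a 2048-bit key.
set -u

# Constructed stand-in for a tool that writes to both streams, so part 1
# runs on any box without openssl.
noisy_tool() {
    echo "stdout: $*"
    echo "stderr: $*" >&2
}

# Wrong form, as in the first wrapper: the pipe carries only the tool's
# stdout into tee, and "2>>" applies to tee, so the tool's stderr never
# reaches $err (it lands on the caller's stderr instead).
capture_wrong() {
    local out=$1 err=$2; shift 2
    printf ' ** %s\n' "$*" >>"$out"
    printf ' ** %s\n' "$*" >>"$err"
    "$@" | tee -a "$out" 2>>"$err" >/dev/null
}

# Right form, as in the corrected wrapper: redirect the tool's own fds.
capture_right() {
    local out=$1 err=$2; shift 2
    printf ' ** %s\n' "$*" >>"$out"
    printf ' ** %s\n' "$*" >>"$err"
    "$@" >>"$out" 2>>"$err"
}

# Returns 0 if the wrong form lost the stderr line and the right form kept it.
check_redirection() {
    local d rc=1
    d=$(mktemp -d)
    # The 2>/dev/null only hides the line the wrong form lets through.
    capture_wrong "$d/wrong.out" "$d/wrong.err" noisy_tool hello 2>/dev/null
    capture_right "$d/right.out" "$d/right.err" noisy_tool hello
    if ! grep -q '^stderr:' "$d/wrong.err" && grep -q '^stderr:' "$d/right.err"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

# Returns 0 if genrsa fails with "Can't load ... into RNG" when -rand names
# a missing file and succeeds once -rand is dropped, 2 if openssl is not
# installed, 1 otherwise.
check_rand_seed() {
    command -v openssl >/dev/null 2>&1 || return 2
    local d rc=1
    d=$(mktemp -d)
    if ! capture_right "$d/ssl.out" "$d/ssl.err" \
            openssl genrsa -rand "$d/eclass-debug.log" -out "$d/bad.key" 2048 \
        && grep -q 'into RNG' "$d/ssl.err" \
        && capture_right "$d/ssl.out" "$d/ssl.err" \
            openssl genrsa -out "$d/good.key" 2048 \
        && [ -s "$d/good.key" ]; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

main() {
    if check_redirection; then
        echo "tee pitfall: reproduced, stderr lost with the piped form"
    fi
    check_rand_seed
    case $? in
        0) echo "-rand with missing seed file: genrsa failed, plain genrsa succeeded" ;;
        2) echo "-rand check skipped: openssl not installed" ;;
        *) echo "-rand check: unexpected result" ;;
    esac
}

main
```

Run it as a plain script; both checks clean up their temp directories. Note that `capture_right` is the whole of the fix to the wrapper: once the tool's own fd 2 is redirected, the "Can't load ... into RNG" line lands in the error log, which is exactly what exposed `SSL_RANDOM` as the cause.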
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf8a9809c6529960579264d2102ced61c9779960

commit bf8a9809c6529960579264d2102ced61c9779960
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2025-05-26 03:07:43 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2025-05-27 18:14:49 +0000

    ssl-cert.eclass: do not pass -rand to openssl

    Let openssl find a suitable entropy source instead of using some random
    log files for "random" bytes.

    Bug: https://bugs.gentoo.org/956442
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 eclass/ssl-cert.eclass | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=511c5d9c5f92f4b2994f11435e3936b7286318be

commit 511c5d9c5f92f4b2994f11435e3936b7286318be
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2025-05-25 16:49:21 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2025-05-27 18:14:48 +0000

    ssl-cert.eclass: use edob for openssl calls

    Bug: https://bugs.gentoo.org/956442
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 eclass/ssl-cert.eclass | 40 ++++++++++++++++++----------------------
 1 file changed, 18 insertions(+), 22 deletions(-)
My understanding is that the changes in ssl-cert.eclass should fix this. Please re-open if this is still a problem.