Bug 106698

Summary:	Apache-2.0.54-r31 overwrites ssl certificates
Product:	Gentoo Linux	Reporter:	John Caswell <thecyanshadow>
Component:	[OLD] Server	Assignee:	Apache Team - Bugzilla Reports <apache-bugs>
Status:	RESOLVED WORKSFORME
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	x86
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description John Caswell 2005-09-20 09:56:54 UTC

The ebuild overwrites server.crt and server.key in /etc/apache2/ssl with a
self-signed certificate.  The certificate is signed by localhost.

Reproducible: Always
Steps to Reproduce:
1.  Copy real server.crt and server.key to /etc/apache2/ssl
2.  emerge apache
3.  files are overwritten

Actual Results:  
Certificate replaced with a new certificate signed by localhost

Expected Results:  
Should have checked to see if they exist before writing new ones.  Perhaps put
this under the protection of etc-update style config protect?

Comment 1 Michael Stewart (vericgar) (RETIRED) gentoo-dev

2005-09-20 13:25:39 UTC

/etc/apache2/ssl is a subdirectory of /etc, which is in CONFIG_PROTECT. Please
post your `emerge info` that that we can determine why your certificates got
overwritten.

Comment 2 John Caswell 2005-09-20 13:27:41 UTC

Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r1,
2.6.12-gentoo-r10-Zeus i686)
=================================================================
System uname: 2.6.12-gentoo-r10-Zeus i686 AMD Athlon(tm) XP 2600+
Gentoo Base System version 1.6.13
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O3 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/alias /var/qmail/control
/var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm arts avi berkdb bitmap-fonts crypt curl eds emboss
encode foomaticdb fortran gdbm gif gpm gstreamer gtk2 imagemagick imap imlib
ipv6 java jpeg libg++ libwww mad maildir mikmod motif mp3 mpeg mysql ncurses nls
ogg oggvorbis opengl oss pam pdflib perl php png python quicktime readline samba
sdl spell ssl tcpd tiff truetype truetype-fonts type1-fonts vorbis xml2 xmms xv
zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

Comment 3 Colonel Paneek 2005-09-21 14:57:07 UTC

The bug bit me too.
Here's my info in case it helps narrow down the cause of the bug.

Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.
             20041102-r1, 2.6.11.11 i686)
=================================================================
System uname: 2.6.11.11 i686 AMD Athlon(TM) XP 2400+
Gentoo Base System version 1.6.12
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.10
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.4.3-r4, 1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/s
             hare/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer"
DISTDIR="/mnt/dump/gentoo/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://solder.ath.cx/gentoo ftp://planetmirror.com/pub/gentoo/ h
             ttp://www.ibiblio.org/pub/Linux/distributions/gentoo
http://gentoo.oregonstate.e              du"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow X alsa apache2 apm avi berkdb bitmap-fonts crypt cscope cups eds
              emboss encode foomaticdb fortran gdbm gif gpm gstreamer gtk gtk2
imlib ipv6 jpeg               kde libg++ libwww mad mikmod mp3 mpeg mysql
ncurses no-htdocs ogg oggvorbis ope              ngl oss pam pdflib perl php png
python readline sdl spell ssl tcpd tiff truetype               truetype-fonts
type1-fonts usb vorbis xml2 xmms xv zlib userland_GNU kernel_lin              ux
elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS

Comment 4 Michael Stewart (vericgar) (RETIRED) gentoo-dev

2005-09-21 18:56:34 UTC

ok, I see why CONFIG_PROTECT isn't protecting those files - the cert and key are
generated during pkg_postinst, which is done after merging and on the live
filesystem.

However, gentestcrt.sh contains a check right at the beginning of it:

if [ ! -e ./server.crt -a ! -e ./server.key ];then 
    echo "Will create server.key and server.crt in `pwd`"
else
    echo "server.key and server.crt already exist, dying"
    exit
fi

(we cd to ${ROOT}/etc/apache2/ssl before running it)

The script should find that the files exist and not try to create the files
again. Testing this on my own system, it's not recreating the certificates.

Can you guys check your system and see if this test exists in
/usr/sbin/gentestcrt.sh?

Also, change to /etc/apache2/ssl and run the script /usr/sbin/gentestcrt.sh

Comment 5 John Caswell 2005-09-29 12:26:44 UTC

The test exists in the script.
When run manually, it does detect the certificates and exit gracefully.

Just re-emerged apache to double check.  Here's the tail end of the output:

>>> original instance of package unmerged safely.
 *
 * Generating self-signed test certificate in /etc/apache2/ssl...
 *
 *
 * LFS support has been removed due to incompatibilites with other packages.
 * You _will_ have to re-emerge any Apache modules you have installed, or
 * they will likely misbehave/segfault.
 *
 *
 * Multiple MPM support has been disabled due to problems with external
 * modules.  If you have relied on this functionality you will need
 * to find another solution.  The Gentoo Apache team apologizes for
 * any inconvienence this may cause you.
 *
>>> Regenerating /etc/ld.so.cache...
>>> net-www/apache-2.0.54-r31 merged.

>>> clean: No packages selected for removal.

>>> Auto-cleaning packages ...

>>> No outdated packages were found on your system.


 * GNU info directory index is up-to-date.

Seems to be behaving correctly now, certificates no longer overwritten.

Comment 6 Michael Stewart (vericgar) (RETIRED) gentoo-dev

2005-10-22 14:32:32 UTC

I'm not sure what caused this in the first place, we didn't change anything that
would cause it to not work and then work again. Re-open this if it crops up again.