#4021 Remove "Listen 443 http" from nss.conf
Closed: Fixed None Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1029046

+++ This bug was initially created as a clone of Bug #1023168 +++

Description of problem:

This is a follow up for Bug 1018172. As Joe Orton commented, "Listen X https"
or simply "Listen 443" now means an implicit "SSLEngine on" for the vhost. This
does not play well when the HTTPS vhost is processed with mod_ssl and httpd
won't start:

[Tue Oct 15 07:19:56.815573 2013] [ssl:emerg] [pid 4757] AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Oct 15 07:19:56.815594 2013] [ssl:emerg] [pid 4757] AH02312: Fatal error initialising mod_ssl, exiting.

We should be able to at least set "SSLEngine off" in the mod_nss config to
avoid this error.


Additional Note:

Our current workaround is to use "Listen 443 http".

+++++++++++++++++++++++++++

With httpd-2.4.6-6.fc20/httpd-2.4.6-7.el7, mod_nss can add

 <IfModule mod_ssl.c>
    SSLEngine off
 </IfModule>

to vhosts in the default mod_nss.conf to avoid the "Listen X http" hack.

See Bug 1029042 and Bug 1029043 filed for mod_nss. When this is fixed in
mod_nss, IPA should remove the "Listen 443 http" hack.
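
Added example, not part of the ticket and not FreeIPA or mod_nss code: a small Python check that flags the "Listen ... http" workaround and any vhost with "NSSEngine on" that lacks the "SSLEngine off" guard described above. The function names and both sample configurations are constructed for illustration.

```python
import re

LISTEN_RE = re.compile(r'^\s*Listen\s+(\S+)(?:\s+(\S+))?\s*$', re.I)
VHOST_OPEN_RE = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)
VHOST_CLOSE_RE = re.compile(r'^\s*</VirtualHost>', re.I)

# Constructed sample: nss.conf with the workaround and no mod_ssl guard.
BEFORE = """\
Listen 443 http
<VirtualHost _default_:443>
    NSSEngine on
</VirtualHost>
"""
# Constructed sample: workaround removed, guard added inside the vhost.
AFTER = """\
Listen 443
<VirtualHost _default_:443>
    NSSEngine on
    <IfModule mod_ssl.c>
        SSLEngine off
    </IfModule>
</VirtualHost>
"""

def _is_set(body, directive, value):
    pat = re.compile(r'^\s*%s\s+%s\s*$' % (directive, value), re.I)
    return any(pat.match(line) for line in body)

def audit_nss_conf(text):
    """Return (line_no, message) findings for the state this ticket describes."""
    findings = []
    vhost = None  # (start line, address, body lines) while inside a vhost
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # Apache comments occupy whole lines
        m = LISTEN_RE.match(line)
        if m and (m.group(2) or '').lower() == 'http':
            findings.append((no, 'Listen %s http workaround present' % m.group(1)))
        m = VHOST_OPEN_RE.match(line)
        if m:
            vhost = (no, m.group(1).strip(), [])
        elif VHOST_CLOSE_RE.match(line) and vhost:
            start, addr, body = vhost
            if _is_set(body, 'NSSEngine', 'on') and not _is_set(body, 'SSLEngine', 'off'):
                findings.append((start, 'vhost %s: no "SSLEngine off" guard' % addr))
            vhost = None
        elif vhost:
            vhost[2].append(line)
    return findings
```

A vhost finding without a Listen finding is the state in which httpd with mod_ssl loaded would stop with the AH02240 error quoted above.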

Reverted the change in ipa-3-3; the required version of httpd is not available for Fedora 19.

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.3.x - 2013/11 (bug fixing)

7 years ago
