Post Fedora Server upgrade to FC38, Apache httpd server no longer honors Let's Encrypt keys

The environment has twins of virtually everything, including two web server / firewall / gateway systems, and they were getting long-in-the-tooth version wise, so I decided to upgrade from Fedora Server 30 to 38 on one of them.

My timing was curious because at the very same time I began the upgrade, without even touching (physically or electronically) the other server, it decided to fail! So, now I have a "server down" scenario. -ugh-

The update DID NOT involve crossing Apache's HTTPD's change in handling SSL keys, I don't think, because both before and after versions are sub-versions of 2.4 - the older was 2.4.41 and the younger 2.4.57, which is the present youngest version, which coincides with Fedora Core 38. (This is Fedora Server 38, of course.)

However, when starting, Apache's HTTPD (hereafter just called httpd) complains about the lines pertaining to the encryption keys provided by Let's Encrypt.

The keys are all current, of course, as Let's Encrypt doesn't let you get keys that last more than 3 months, I think.

The errors are like this example:

May 20 17:09:24 host2 httpd[3180]: AH00526: Syntax error on line 76 of /etc/httpd/conf.d/virtualhosts.conf:
May 20 17:09:24 host2 httpd[3180]: Invalid command 'SSLCertificateFile', perhaps misspelled or defined by a module not included in the server configuration

However, a VERY basic check of the documentation yields this link, which provides a template example which is virtually identical to what's in the virtualhosts.conf file - namely:

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

Rather than me coming up with a version of my own config that likewise removes the exact domains the server hosts.

I did a thorough listing of the packages that WERE installed and then that are NOW installed and don't see anything but mod_http2-1.15.3-2.fc30.x86_64 on the old system and mod_http2-2.0.11-2.fc38.x86_64 on the new one, and there are some 106 modules installed so...

Given all this focus on security and encryption, what gives?


It turns out that the silly people who now run the show, all the while screaming about security, don't deign to include the module; not only is it NOT in the httpd software package, it's not in the mod_http2-2.0.11-2.fc38.x86_64 package EITHER!

Instead, you have to:

dnf install mod_ssl

in order to get this - and then INSTANTLY it all works.

Ya know, I think this is a BUG - I see it as a packaging bug but it's surely a documentation bug at the very least, as I actually looked. And no, buried deep in the documentation is not OK! Hence my wasted time - hope this saves someone some time.
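The failure mode in this thread is easy to detect before httpd is (re)started: SSL* directives are present in the config tree, but no file loads `ssl_module`. The following POSIX shell check is an added example, not code from the question or the answer. It assumes the Fedora layout in which the `mod_ssl` package drops `LoadModule ssl_module modules/mod_ssl.so` into `/etc/httpd/conf.modules.d/00-ssl.conf`; the config tree it builds is constructed for the demonstration, with placeholder certificate paths.

```shell
#!/bin/sh
# Added example (not from the original post): detect an httpd config tree that
# uses mod_ssl directives without any LoadModule line for ssl_module. That is
# the state that yields AH00526 "Invalid command 'SSLCertificateFile'".

# Usage: check_ssl_module /etc/httpd
# Returns 0 when consistent, 1 when SSL directives exist but the module is never loaded.
check_ssl_module() {
    confdir="$1"
    # Any file that uses the common mod_ssl directives (a Let's Encrypt vhost, typically)
    if grep -rqE '^[[:space:]]*SSL(Engine|CertificateFile|CertificateKeyFile)[[:space:]]' "$confdir" 2>/dev/null \
        && ! grep -rqE '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$confdir" 2>/dev/null; then
        echo "SSL directives found under $confdir but ssl_module is never loaded: install the mod_ssl package"
        return 1
    fi
    echo "ssl_module is loaded (or no SSL directives are in use)"
    return 0
}

# Build a constructed, throwaway config tree and show both outcomes.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf.d" "$tmp/conf.modules.d"
    # A virtual host shaped like the one in the question (placeholder paths, constructed)
    cat > "$tmp/conf.d/virtualhosts.conf" <<'EOF'
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>
EOF
    # Before mod_ssl is installed: the check must fail.
    if check_ssl_module "$tmp"; then
        echo "unexpected: module reported as loaded"
    fi
    # What 'dnf install mod_ssl' adds on Fedora (assumed layout): conf.modules.d/00-ssl.conf
    printf 'LoadModule ssl_module modules/mod_ssl.so\n' > "$tmp/conf.modules.d/00-ssl.conf"
    # After: the check passes.
    check_ssl_module "$tmp"
    rm -rf "$tmp"
}

demo
```

On the live host the same condition shows up as a failed `httpd -t` (configuration syntax check) with the AH00526 line quoted in the question, which is a cheaper way to find out than restarting the service.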
