Remove mod_ssl conflict

Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
of either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974

freeipa.spec.in

@@ -121,7 +121,7 @@ Requires: mod_auth_kerb >= 5.4-16
 %else
 Requires: mod_auth_kerb >= 5.4-8
 %endif
-Requires: mod_nss
+Requires: mod_nss >= 1.0.8-24
 Requires: python-ldap
 Requires: python-krbV
 Requires: acl
@@ -166,10 +166,6 @@ Conflicts: bind < 9.8.2-0.4.rc2
 # member.
 Conflicts: nss-pam-ldapd < 0.8.4
 
-# mod_proxy provides a single API to communicate over SSL. If mod_ssl
-# is even loaded into Apache then it grabs this interface.
-Conflicts: mod_ssl
-
 Obsoletes: ipa-server >= 1.0
 
 %description server
@@ -836,6 +832,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Fri Aug 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.90-4
+- Remove mod_ssl conflict, it can now live with mod_nss installed
+
 * Wed Sep 4 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.3.90-3
 - Conform to tmpfiles.d packaging guidelines
 

install/tools/ipa-replica-install

@@ -474,6 +474,10 @@ def main():
     if options.setup_dns:
         check_bind()
 
+    # Check to see if httpd is already configured to listen on 443
+    if httpinstance.httpd_443_configured():
+        sys.exit("Aborting installation")
+
     check_dirsrv()
 
     if options.conf_ntp:

install/tools/ipa-server-install

@@ -791,6 +791,10 @@ def main():
         except ipaclient.ntpconf.NTPConfigurationError:
             pass
 
+    # Check to see if httpd is already configured to listen on 443
+    if httpinstance.httpd_443_configured():
+        sys.exit("Aborting installation")
+
     realm_name = ""
     host_name = ""
     domain_name = ""

install/tools/ipa-upgradeconfig

@@ -1047,6 +1047,7 @@ def main():
     http.remove_httpd_ccache()
     http.configure_selinux_for_httpd()
     http.configure_httpd_ccache()
+    http.change_mod_nss_port_to_http()
 
     ds = dsinstance.DsInstance()
     ds.configure_dirsrv_ccache()

ipaserver/install/httpinstance.py

@@ -23,6 +23,7 @@ import tempfile
 import pwd
 import shutil
 import stat
+import re
 
 import service
 import certs
@@ -32,6 +33,7 @@ from ipapython import ipautil
 from ipapython import services as ipaservices
 from ipapython import dogtag
 from ipapython.ipa_log_manager import *
+from ipaserver.install import sysupgrade
 from ipalib import api
 
 HTTPD_DIR = "/etc/httpd"
@@ -46,6 +48,31 @@ change with the command:
 Try updating the policycoreutils and selinux-policy packages.
 """
 
+def httpd_443_configured():
+    """
+    We now allow mod_ssl to be installed so don't automatically disable it.
+    However it can't share the same listen port as mod_nss, so check for that.
+
+    Returns True if something other than mod_nss is listening on 443.
+    False otherwise.
+    """
+    try:
+        (stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS'])
+    except ipautil.CalledProcessError, e:
+        service.print_msg("WARNING: cannot check if port 443 is already configured")
+        service.print_msg("httpd returned error when checking: %s" % e)
+        return False
+
+    port_line_re = re.compile(r'(?P<address>\S+):(?P<port>\d+)')
+    for line in stdout.splitlines():
+        m = port_line_re.match(line)
+        if m and int(m.group('port')) == 443:
+            service.print_msg("Apache is already configured with a listener on port 443:")
+            service.print_msg(line)
+            return True
+
+    return False
+
 class WebGuiInstance(service.SimpleServiceInstance):
     def __init__(self):
         service.SimpleServiceInstance.__init__(self, "ipa_webgui")
@@ -87,7 +114,6 @@ class HTTPInstance(service.Service):
         self.ldap_connect()
 
 
-        self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
@@ -227,15 +253,25 @@ class HTTPInstance(service.Service):
         http_fd.close()
         os.chmod(target_fname, 0644)
 
-    def __disable_mod_ssl(self):
-        if os.path.exists(SSL_CONF):
-            self.fstore.backup_file(SSL_CONF)
-            os.unlink(SSL_CONF)
+    def change_mod_nss_port_to_http(self):
+        # mod_ssl enforces SSLEngine on for vhost on 443 even though
+        # the listener is mod_nss. This then crashes the httpd as mod_nss
+        # listened port obviously does not match mod_ssl requirements.
+        #
+        # Change port to http to workaround the mod_ssl check, the SSL is
+        # enforced in the vhost later, so it is benign.
+        #
+        # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
+        # is fixed.
+        if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+            installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
+            sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
 
     def __set_mod_nss_port(self):
         self.fstore.backup_file(NSS_CONF)
         if installutils.update_file(NSS_CONF, '8443', '443') != 0:
             print "Updating port in %s failed." % NSS_CONF
+        self.change_mod_nss_port_to_http()
 
     def __set_mod_nss_nickname(self, nickname):
         installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)