Fix HTTPD SSL configuration for Debian.

The site and module configs are split on Debian, server setup needs
to match that.

Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipaplatform/base/paths.py

@@ -51,6 +51,7 @@ class BasePathNamespace(object):
     HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
     HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
     HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
+    HTTPD_SSL_SITE_CONF = "/etc/httpd/conf.d/ssl.conf"
     HTTPD_CERT_FILE = "/var/lib/ipa/certs/httpd.crt"
     HTTPD_KEY_FILE = "/var/lib/ipa/private/httpd.key"
     HTTPD_PASSWD_FILE_FMT = "/var/lib/ipa/passwds/{host}-443-RSA"

ipaplatform/base/tasks.py

@@ -240,5 +240,8 @@ class BaseTaskNamespace(object):
         except ipautil.CalledProcessError as e:
             logger.debug('Failed to add user to group: %s', e)
 
+    def setup_httpd_logging(self):
+        raise NotImplementedError()
+
 
 tasks = BaseTaskNamespace()

ipaplatform/debian/paths.py

@@ -28,6 +28,8 @@ class DebianPathNamespace(BasePathNamespace):
     HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
     HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
     HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+    HTTPD_SSL_CONF = "/etc/apache2/mods-available/ssl.conf"
+    HTTPD_SSL_SITE_CONF = "/etc/apache2/sites-available/default-ssl.conf"
     OLD_IPA_KEYTAB = "/etc/apache2/ipa.keytab"
     HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
     NAMED_CONF = "/etc/bind/named.conf"

ipaplatform/debian/tasks.py

@@ -18,7 +18,6 @@ class DebianTaskNamespace(RedHatTaskNamespace):
     def restore_pre_ipa_client_configuration(fstore, statestore,
                                              was_sssd_installed,
                                              was_sssd_configured):
-        ret = True
         try:
             ipautil.run(["pam-auth-update",
                          "--package", "--remove", "mkhomedir"])
@@ -66,5 +65,9 @@ class DebianTaskNamespace(RedHatTaskNamespace):
         # Debian doesn't require special mod_wsgi configuration
         pass
 
+    def setup_httpd_logging(self):
+        # Debian handles httpd logging differently
+        pass
+
 
 tasks = DebianTaskNamespace()

ipaplatform/redhat/tasks.py

@@ -47,6 +47,7 @@ from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.redhat.authconfig import get_auth_tool
 from ipaplatform.base.tasks import BaseTaskNamespace
+from ipaserver.install import installutils
 
 logger = logging.getLogger(__name__)
 
@@ -565,5 +566,13 @@ class RedHatTaskNamespace(BaseTaskNamespace):
             pass
         return False
 
+    def setup_httpd_logging(self):
+        installutils.set_directive(paths.HTTPD_SSL_CONF,
+                                   'ErrorLog',
+                                   'logs/error_log', False)
+        installutils.set_directive(paths.HTTPD_SSL_CONF,
+                                   'TransferLog',
+                                   'logs/access_log', False)
+
 
 tasks = RedHatTaskNamespace()

ipaserver/install/httpinstance.py

@@ -214,6 +214,7 @@ class HTTPInstance(service.Service):
 
     def backup_ssl_conf(self):
         self.fstore.backup_file(paths.HTTPD_SSL_CONF)
+        self.fstore.backup_file(paths.HTTPD_SSL_SITE_CONF)
 
     def disable_nss_conf(self):
         """
@@ -235,12 +236,7 @@ class HTTPInstance(service.Service):
                                    '+TLSv1 +TLSv1.1 +TLSv1.2', False)
 
     def set_mod_ssl_logdir(self):
-        installutils.set_directive(paths.HTTPD_SSL_CONF,
-                                   'ErrorLog',
-                                   'logs/error_log', False)
-        installutils.set_directive(paths.HTTPD_SSL_CONF,
-                                   'TransferLog',
-                                   'logs/access_log', False)
+        tasks.setup_httpd_logging()
 
     def disable_mod_ssl_ocsp(self):
         if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None:
@@ -272,14 +268,14 @@ class HTTPInstance(service.Service):
 
     def __add_include(self):
         """This should run after __set_mod_nss_port so is already backed up"""
-        if installutils.update_file(paths.HTTPD_SSL_CONF,
+        if installutils.update_file(paths.HTTPD_SSL_SITE_CONF,
                                     '</VirtualHost>',
                                     'Include {path}\n'
                                     '</VirtualHost>'.format(
                                         path=paths.HTTPD_IPA_REWRITE_CONF)
                                     ) != 0:
             self.print_msg("Adding Include conf.d/ipa-rewrite to "
-                           "%s failed." % paths.HTTPD_SSL_CONF)
+                           "%s failed." % paths.HTTPD_SSL_SITE_CONF)
 
     def configure_certmonger_renewal_guard(self):
         certmonger = services.knownservices.certmonger
@@ -404,10 +400,10 @@ class HTTPInstance(service.Service):
 
     def configure_mod_ssl_certs(self):
         """Configure the mod_ssl certificate directives"""
-        installutils.set_directive(paths.HTTPD_SSL_CONF,
+        installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
                                    'SSLCertificateFile',
                                    paths.HTTPD_CERT_FILE, False)
-        installutils.set_directive(paths.HTTPD_SSL_CONF,
+        installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
                                    'SSLCertificateKeyFile',
                                    paths.HTTPD_KEY_FILE, False)
         installutils.set_directive(
@@ -415,7 +411,7 @@ class HTTPInstance(service.Service):
             'SSLPassPhraseDialog',
             'exec:{passread}'.format(passread=paths.IPA_HTTPD_PASSWD_READER),
             False)
-        installutils.set_directive(paths.HTTPD_SSL_CONF,
+        installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
                                    'SSLCACertificateFile',
                                    paths.IPA_CA_CRT, False)
         # set SSLVerifyDepth for external CA installations
@@ -512,7 +508,7 @@ class HTTPInstance(service.Service):
                              'external-helper', helper)
 
         for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
-                  paths.HTTPD_NSS_CONF]:
+                  paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF]:
             try:
                 self.fstore.restore_file(f)
             except ValueError as error:

ipaserver/install/ipa_backup.py

@@ -148,6 +148,7 @@ class Backup(admintool.AdminTool):
         paths.HTTPD_IPA_PKI_PROXY_CONF,
         paths.HTTPD_IPA_REWRITE_CONF,
         paths.HTTPD_SSL_CONF,
+        paths.HTTPD_SSL_SITE_CONF,
         paths.HTTPD_CERT_FILE,
         paths.HTTPD_KEY_FILE,
         paths.HTTPD_IPA_CONF,