[Bug 252776] security/py-certbot-apache: Looking in wrong location for Apache ssl_module
bugzilla-noreply at freebsd.org
Sun Jan 17 12:41:33 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252776
Bug ID: 252776
Summary: security/py-certbot-apache: Looking in wrong location for Apache ssl_module
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: python at FreeBSD.org
Reporter: dev-freebsd at zxlab.ru
Flags: maintainer-feedback?(python at FreeBSD.org)
Certbot attempts to read mod_ssl.so (to get the OpenSSL version) at the wrong path:
attempted: /usr/local/etc/apache24/libexec/apache24/mod_ssl.so
real path: /usr/local/libexec/apache24/mod_ssl.so
My config in /usr/local/etc/apache24/httpd.conf:
ServerRoot "/usr/local"
LoadModule ssl_module libexec/apache24/mod_ssl.so
That is, the module appears to be searched for relative to httpd.conf, which is
wrong: according to the Apache HTTP Server docs, relative paths in the LoadModule
directive should be resolved against ServerRoot rather than the topmost
configuration directory.
I have reported this bug to https://github.com/certbot/certbot/issues/8593
and the upstream developers concluded that the issue is FreeBSD-specific,
caused by the following patch:
https://svnweb.freebsd.org/ports/head/security/py-certbot-apache/Makefile?revision=491714&view=markup
which runs sed -e 's|/etc/apache2|${LOCALBASE}/etc/apache24|'
${WRKSRC}/certbot_apache/configurator.py
so that OS_DEFAULTS["server_root"] becomes "/usr/local/etc/apache24".
In my understanding, this alone is not the root cause of the problem,
because that variable is only used as the default for --apache-server-root
to find httpd.conf initially. The real problem, IMHO, is that this
OS_DEFAULTS["server_root"] is later used instead of the real ServerRoot
specified in httpd.conf. At least I see no attempt to parse ServerRoot
in the certbot-apache code, but I am not very confident about that, as I have just
started familiarizing myself with this software.
As an alternative, the Certbot developers suggested creating an overrides file,
just like override_debian.py, so that no downstream patching is needed.
But, again, I see no way this could fix the original issue.
Could someone please share their experience with certbot-apache on FreeBSD:
how do you configure it, and did you ever check that it actually operates
flawlessly? For me it in fact succeeds despite this error, so
my guess is that nobody notices it.
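The following is an added example, not code from certbot-apache or from the reporter. It shows the resolution rule the report describes: a relative LoadModule path is joined to the ServerRoot parsed from httpd.conf, and the configuration directory (or the packaged default server root) is used only when no ServerRoot directive is present. The httpd.conf fragment is constructed to mirror the reporter's configuration, and the function and variable names are the example's own.

```python
"""Resolve Apache LoadModule paths against ServerRoot, not the config directory.

Added example for the bug report above; this is not certbot-apache code.
"""
import os
import re
from typing import Dict

# Constructed httpd.conf fragment modelled on the reporter's configuration
# (not a real file from the report). It mixes a relative module path, an
# absolute module path and a commented-out LoadModule line.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local"
Listen 80
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule authz_core_module /usr/local/libexec/apache24/mod_authz_core.so
"""

# Apache directive names are case-insensitive; arguments may be double-quoted.
_SERVER_ROOT_RE = re.compile(r'^\s*ServerRoot\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
_LOAD_MODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)


def parse_server_root(conf_text: str, default_server_root: str) -> str:
    """Return the ServerRoot from the config, or the given default if absent.

    The default models OS_DEFAULTS["server_root"] from the report: it is only
    meant to locate httpd.conf, and must be overridden by a real ServerRoot.
    """
    for line in conf_text.splitlines():
        m = _SERVER_ROOT_RE.match(line)
        if m:
            return m.group(1)
    return default_server_root


def resolve_module_paths(conf_text: str, default_server_root: str) -> Dict[str, str]:
    """Map module name -> absolute .so path, per the Apache LoadModule rule.

    Relative paths are resolved against ServerRoot; absolute paths are kept;
    commented-out lines are ignored because the regex anchors on LoadModule.
    """
    server_root = parse_server_root(conf_text, default_server_root)
    modules: Dict[str, str] = {}
    for line in conf_text.splitlines():
        m = _LOAD_MODULE_RE.match(line)
        if not m:
            continue
        name, path = m.groups()
        modules[name] = path if os.path.isabs(path) else os.path.join(server_root, path)
    return modules


def resolve_module_paths_buggy(conf_text: str, config_dir: str) -> Dict[str, str]:
    """The behaviour the report describes: join relative paths to the
    directory holding httpd.conf and never consult ServerRoot. Kept here only
    to show how the wrong path in the report is produced."""
    modules: Dict[str, str] = {}
    for line in conf_text.splitlines():
        m = _LOAD_MODULE_RE.match(line)
        if not m:
            continue
        name, path = m.groups()
        modules[name] = path if os.path.isabs(path) else os.path.join(config_dir, path)
    return modules


if __name__ == "__main__":
    conf_dir = "/usr/local/etc/apache24"
    good = resolve_module_paths(SAMPLE_HTTPD_CONF, conf_dir)
    bad = resolve_module_paths_buggy(SAMPLE_HTTPD_CONF, conf_dir)
    print("ServerRoot-based:", good["ssl_module"])
    print("config-dir-based:", bad["ssl_module"])
```

Running the script prints the real path from the report for the ServerRoot-based resolution and the "attempted" path for the config-directory-based one, which is the observable difference between the two rules on this configuration.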
More information about the freebsd-python mailing list