Date: Sun, 17 Jan 2021 12:41:33 +0000
From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: maintainer-feedback requested: [Bug 252776] security/py-certbot-apache: Looking in wrong location for Apache ssl_module
Message-ID: <bug-252776-21822-Da0ijw33HE@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-252776-21822@https.bugs.freebsd.org/bugzilla/>
References: <bug-252776-21822@https.bugs.freebsd.org/bugzilla/>
Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-python (Nobody) <python@FreeBSD.org> for maintainer-feedback:

Bug 252776: security/py-certbot-apache: Looking in wrong location for Apache ssl_module
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252776

--- Description ---

Certbot attempts to read mod_ssl.so (to get OpenSSL version) at wrong path:

  attempted: /usr/local/etc/apache24/libexec/apache24/mod_ssl.so
  real path: /usr/local/libexec/apache24/mod_ssl.so

My config in /usr/local/etc/apache24/httpd.conf:

  ServerRoot "/usr/local"
  Module ssl_module libexec/apache24/mod_ssl.so

That is, the module appears to be searched relative to httpd.conf — that is wrong: according to Apache HTTP Server docs, relative paths in LoadModule directive should be resolved against ServerRoot rather than the topmost configuration directory.

I have reported this bug to https://github.com/certbot/certbot/issues/8593 and the upstream developers concluded that the issue is FreeBSD-specific, caused by the following patch:

https://svnweb.freebsd.org/ports/head/security/py-certbot-apache/Makefile?revision=491714&view=markup

which runs

  sed -e 's|/etc/apache2|${LOCALBASE}/etc/apache24|' ${WRKSRC}/certbot_apache/configurator.py

so that OS_DEFAULTS["server_root"] becomes "/usr/local/etc/apache24".

In my understanding, this alone is not the root cause for the problem, because that variable is only used as default for --apache-server-root to find httpd.conf initially. The real problem, IMHO, is that this OS_DEFAULTS["server_root"] is later used instead of real ServerRoot specified in httpd.conf — at least I see no attempt to parse ServerRoot in certbot-apache code, but I am not very confident about that, as I just started familiarizing myself with this software.

As an alternative, Certbot developers offered creating an overrides file, just like override_debian.py, so that no downstream patching is needed. But, again, I see no way how this could fix the original issue.

Could someone please share their experience with certbot-apache in FreeBSD — how do you configure it, and did you ever check that it actually operates flawlessly? Because for me it in fact succeeds despite this error, so my guess is that nobody just notices it.
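
The path resolution described in the report, as an added example that is not part of the original message and is not certbot-apache code: it reads ServerRoot from the configuration text and resolves relative LoadModule paths against it, then lists modules that would be looked up in the wrong place if the configuration directory were used as the base instead. The function names are hypothetical, the sample configuration is constructed from the values quoted above, and the parser is line-based (it assumes no Include files or line continuations).

```python
import posixpath
import shlex

# Constructed sample based on the values quoted in the report.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local"
# modules
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module "/opt/example/mod_rewrite.so"
"""

def parse_directives(conf_text):
    """Return (server_root or None, {module_name: path_as_written})."""
    server_root, modules = None, {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted arguments
        name = parts[0].lower()    # directive names are case-insensitive
        if name == "serverroot" and len(parts) == 2:
            server_root = parts[1]
        elif name == "loadmodule" and len(parts) == 3:
            modules[parts[1]] = parts[2]
    return server_root, modules

def _resolve(base, path):
    # posixpath.join leaves an absolute module path unchanged.
    return posixpath.normpath(posixpath.join(base, path))

def resolve_module_paths(conf_text, default_root):
    """Resolve LoadModule paths against ServerRoot.

    default_root is used only when the text sets no ServerRoot (assumption).
    """
    server_root, modules = parse_directives(conf_text)
    base = server_root or default_root
    return {mod: _resolve(base, path) for mod, path in modules.items()}

def misresolved_modules(conf_text, default_root):
    """Map module -> (path via default_root, path via ServerRoot) where they differ."""
    _, modules = parse_directives(conf_text)
    good = resolve_module_paths(conf_text, default_root)
    guessed = {mod: _resolve(default_root, path) for mod, path in modules.items()}
    return {mod: (guessed[mod], good[mod]) for mod in modules if guessed[mod] != good[mod]}

if __name__ == "__main__":
    found = misresolved_modules(SAMPLE_HTTPD_CONF, "/usr/local/etc/apache24")
    for mod, (wrong, right) in found.items():
        print(f"{mod}: looked up at {wrong}, actually at {right}")
```
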