From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: maintainer-feedback requested: [Bug 252776] security/py-certbot-apache: Looking in wrong location for Apache ssl_module
Date: Sun, 17 Jan 2021 12:41:33 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: python@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
List-Id: FreeBSD-specific Python issues

Bugzilla Automation has asked freebsd-python (Nobody) for maintainer-feedback:
Bug 252776: security/py-certbot-apache: Looking in wrong location for Apache ssl_module
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252776

--- Description ---
Certbot attempts to read mod_ssl.so (to get OpenSSL version) at wrong path:

    attempted: /usr/local/etc/apache24/libexec/apache24/mod_ssl.so
    real path: /usr/local/libexec/apache24/mod_ssl.so

My config in /usr/local/etc/apache24/httpd.conf:

    ServerRoot "/usr/local"
    Module ssl_module libexec/apache24/mod_ssl.so

That is, the module appears to be searched relative to httpd.conf — that is wrong: according to Apache HTTP Server docs, relative paths in LoadModule directive should be resolved against ServerRoot rather than the topmost configuration directory.

I have reported this bug to https://github.com/certbot/certbot/issues/8593 and the upstream developers concluded that the issue is FreeBSD-specific, caused by the following patch:
https://svnweb.freebsd.org/ports/head/security/py-certbot-apache/Makefile?revision=491714&view=markup
which runs

    sed -e 's|/etc/apache2|${LOCALBASE}/etc/apache24|' ${WRKSRC}/certbot_apache/configurator.py

so that OS_DEFAULTS["server_root"] becomes "/usr/local/etc/apache24".

In my understanding, this alone is not the root cause for the problem, because that variable is only used as default for --apache-server-root to find httpd.conf initially.
The real problem, IMHO, is that this OS_DEFAULTS["server_root"] is later used instead of real ServerRoot specified in httpd.conf — at least I see no attempt to parse ServerRoot in certbot-apache code, but I am not very confident about that, as I just started familiarizing myself with this software.

As an alternative, Certbot developers offered creating an overrides file, just like override_debian.py, so that no downstream patching is needed. But, again, I see no way how this could fix the original issue.

Could someone please share their experience with certbot-apache in FreeBSD — how do you configure it, and did you ever check that it actually operates flawlessly? Because for me it in fact succeeds despite this error, so my guess is that nobody just notices it.
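The two resolutions described in the report, side by side, as an added example that is not part of the original message and is not certbot's code: it reads ServerRoot and LoadModule from a constructed httpd.conf fragment and resolves each module path once against the configuration directory and once against ServerRoot. The sample configuration, the function names and the `default_root` fallback are assumptions made for illustration.

```python
import posixpath
import re

# Constructed sample modelled on the report; nothing is read from disk.
CONF_PATH = "/usr/local/etc/apache24/httpd.conf"
SAMPLE_CONF = """\
# constructed httpd.conf fragment
ServerRoot "/usr/local"
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module "/opt/modules/mod_rewrite.so"
"""

_DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_directives(conf_text):
    """Return (server_root or None, {module_name: path_as_written})."""
    server_root, modules = None, {}
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        name, args = m.group(1).lower(), m.group(2).split(None, 1)
        if name == "serverroot":
            server_root = _unquote(m.group(2))
        elif name == "loadmodule" and len(args) == 2:
            modules[args[0]] = _unquote(args[1])
    return server_root, modules


def resolve(path, base):
    """Join a possibly relative path onto base; absolute paths win."""
    return posixpath.normpath(posixpath.join(base, path))


def compare(conf_text=SAMPLE_CONF, conf_path=CONF_PATH, default_root="/usr/local"):
    """Map module -> (path relative to the config dir, path relative to ServerRoot)."""
    # default_root is an assumption standing in for httpd's compiled-in default.
    root, modules = parse_directives(conf_text)
    conf_dir = posixpath.dirname(conf_path)
    return {mod: (resolve(p, conf_dir), resolve(p, root or default_root))
            for mod, p in modules.items()}
```

For `ssl_module` the first element of the tuple is the path the report lists as attempted and the second is the one it lists as the real path; an absolute LoadModule path resolves identically under both rules.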