SSL pass phrase dialog can't read input

Bug #582963 reported by cdenley
This bug affects 8 people
Affects                    Status        Importance  Assigned to     Milestone
Release Notes for Ubuntu   Fix Released  Undecided   Thierry Carrez
Ubuntu Server papercuts    Fix Released  Medium      Chuck Short
apache2 (Ubuntu)           Fix Released  Medium      Clint Byrum
Maverick                   Won't Fix     Medium      Clint Byrum

Bug Description

Binary package hint: apache2

When you configure apache to use a password-protected SSL key, you are prompted to provide that password when apache starts. The PID file has not been written at this point, so the init script won't work properly until the password is provided or apache is killed manually. In Ubuntu 10.04, when apache is started by upstart, it cannot read input from the console. You must log in, kill it manually, then start apache. I was able to work around the problem by adding "stty sane" to /etc/init.d/apache2.

# Edit in place: piping sed into tee on the same file can truncate it before sed reads it.
sudo sed -i -e '/^ENV=/i stty sane' /etc/init.d/apache2

cdenley@vmware:~$ lsb_release -rd
Description: Ubuntu 10.04 LTS
Release: 10.04
cdenley@vmware:~$ apt-cache policy apache2 upstart
apache2:
  Installed: 2.2.14-5ubuntu8
  Candidate: 2.2.14-5ubuntu8
  Version table:
 *** 2.2.14-5ubuntu8 0
        500 http://mirror.anl.gov/pub/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
upstart:
  Installed: 0.6.5-6
  Candidate: 0.6.5-6
  Version table:
 *** 0.6.5-6 0
        500 http://mirror.anl.gov/pub/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

==== Natty Release Notes ====

If you have set up Apache with an encrypted SSL key, the system will now prompt for the pass-phrase on the console during boot. This is different from the behavior of previous versions which would simply fail to start apache.

Tags: server-nrs
Thierry Carrez (ttx)
Changed in apache2 (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Thierry Carrez (ttx)
Changed in apache2 (Ubuntu):
assignee: nobody → Chuck Short (zulcss)
Dave Walker (davewalker) wrote :

This seems to have a trivial fix, nominating as a papercut for investigation and fix if it is appropriate.

Stefan Fritsch (sf-sfritsch) wrote :

apache2's init script has the "X-Interactive: true" header. IMHO upstart should support this header like insserv does.

Thierry Carrez (ttx)
Changed in server-papercuts:
importance: Undecided → Medium
milestone: none → maverick-beta
status: New → Confirmed
Thierry Carrez (ttx)
Changed in server-papercuts:
assignee: nobody → Chuck Short (zulcss)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.16-1ubuntu2

---------------
apache2 (2.2.16-1ubuntu2) maverick; urgency=low

  * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a
    password prompt when using apache-ssl. (LP: #582963)
 -- Chuck Short <email address hidden> Wed, 25 Aug 2010 09:25:05 -0400

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released
Thierry Carrez (ttx)
Changed in server-papercuts:
milestone: maverick-beta → none
Bilal Akhtar (bilalakhtar) wrote :

This bug has caused a regression, bug #626723.

Thierry Carrez (ttx) wrote :

Reopening since the change was reverted in bug 626723

Changed in apache2 (Ubuntu):
status: Fix Released → Triaged
Stefan Fritsch (sf-sfritsch) wrote :

Doesn't upstart have a facility to handle this kind of problem? If not, how does e.g. cryptsetup work in Ubuntu?

Thierry Carrez (ttx)
tags: added: server-mrs
Colin Watson (cjwatson) wrote :

This should use 'plymouth ask-for-password'.

Changed in apache2 (Ubuntu Maverick):
assignee: Chuck Short (zulcss) → Clint Byrum (clint-fewbar)
status: Triaged → In Progress
Clint Byrum (clint-fewbar) wrote :

Please see the merge proposal above for a solution.

I don't know if this is the perfect solution, but it seems secure (no passphrases written to disk or passed on executed commands), and should solve the issue without breaking restarting apache on a terminal.

Thierry Carrez (ttx) wrote :

A bit too scary for RC, could be considered for SRU once it gets security review.

Changed in apache2 (Ubuntu Maverick):
importance: High → Medium
milestone: none → maverick-updates
tags: removed: server-mrs
Thierry Carrez (ttx)
Changed in ubuntu-release-notes:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.16-4ubuntu2

---------------
apache2 (2.2.16-4ubuntu2) natty; urgency=low

  [Clint Byrum]
  * Adding plymouth aware passphrase dialog program ask-for-passphrase.
    (LP: #582963)
    + debian/control: apache2.2-common depends on bash for ask-for-passphrase
    + debian/config-dir/mods-available/ssl.conf:
      - SSLPassPhraseDialog now uses exec:/usr/share/apache2/ask-for-passhrase

  [Chuck Short]
  * Add apport hook. (LP: #609177)
    + debian/apache2.py, debian/apache2.2-common.install
 -- Chuck Short <email address hidden> Mon, 22 Nov 2010 09:43:43 -0500
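
One way to write the kind of `SSLPassPhraseDialog exec:` helper the changelog entry above describes, as an added example (it is not the packaged ask-for-passphrase script or the code from the merge proposal). It asks through plymouth when the splash daemon responds, falls back to the controlling terminal, and otherwise fails without output; the function names, prompt wording and argument filtering are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: a pass phrase helper for "SSLPassPhraseDialog exec:<path>".
# Apache passes "servername:port" and the key algorithm as arguments and
# reads the pass phrase from this program's stdout.

# Probes are separate functions so a test can replace them.
have_plymouth() { command -v plymouth >/dev/null 2>&1 && plymouth --ping >/dev/null 2>&1; }
have_tty() { ( : </dev/tty ) 2>/dev/null; }

# Boot splash first, then the controlling terminal, otherwise nothing.
choose_channel() {
    if have_plymouth; then echo plymouth
    elif have_tty; then echo tty
    else echo none
    fi
}

# Strip anything but plain host/port characters from Apache's arguments so
# they cannot carry terminal control sequences into the prompt.
build_prompt() {
    site=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9.:_-')
    alg=$(printf '%s' "$2" | tr -cd 'A-Za-z0-9')
    printf 'Pass phrase for %s (%s) key: ' "$site" "$alg"
}

ask_passphrase() {
    prompt=$(build_prompt "$1" "$2")
    case $(choose_channel) in
    plymouth)
        plymouth ask-for-password --prompt="$prompt" ;;
    tty)
        saved=$(stty -g </dev/tty)
        trap 'stty "$saved" </dev/tty; exit 130' INT TERM
        printf '%s' "$prompt" >/dev/tty
        stty -echo </dev/tty
        IFS= read -r pass </dev/tty
        stty "$saved" </dev/tty; trap - INT TERM
        printf '\n' >/dev/tty
        # printf is a shell builtin, so the secret never appears in an argv.
        printf '%s\n' "$pass" ;;
    *)
        echo "ask-for-passphrase: no plymouth or terminal available" >&2
        return 1 ;;
    esac
}

# Apache always supplies both arguments; with none, only define functions.
if [ "$#" -ge 2 ]; then ask_passphrase "$1" "$2"; exit $?; fi
```

The pass phrase only ever travels over the stdout pipe to Apache, and a non-zero exit with empty output leaves the key locked when no prompt channel exists.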

Changed in apache2 (Ubuntu):
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

This looks like something which could suddenly start blocking the automatic boot to ask for the passphrase, where it wouldn't before? If that can happen, there is no way I'd ever accept this as an SRU.

Changed in apache2 (Ubuntu):
milestone: maverick-updates → none
Changed in apache2 (Ubuntu Maverick):
status: In Progress → Incomplete
Clint Byrum (clint-fewbar) wrote :

Release team, I've subscribed you because I think this also needs a note in the Natty release notes. The potential halting of the boot to ask for a password is a new behavior that people should be aware of on upgrade to Natty.

Changed in apache2 (Ubuntu Maverick):
status: Incomplete → Won't Fix
Steve Langasek (vorlon) wrote : Re: [Bug 582963] Re: SSL pass phrase dialog can't read input

On Fri, Mar 25, 2011 at 08:07:15PM -0000, Clint Byrum wrote:
> Release team, I've subscribed you because I think this also needs a note
> in the Natty release notes.

Please open a task on the 'ubuntu-release-notes' project rather than
subscribing ubuntu-release for this.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

Clint Byrum (clint-fewbar) wrote :

Note that it already had a task, which was fixed in the maverick notes.

I cannot change that task back to New or create a task for the Natty
series.

I will open a new bug report against ubuntu-release-notes and provide a
link to this bug report.

On Fri, 2011-03-25 at 20:20 +0000, Steve Langasek wrote:
> On Fri, Mar 25, 2011 at 08:07:15PM -0000, Clint Byrum wrote:
> > Release team, I've subscribed you because I think this also needs a note
> > in the Natty release notes.
>
> Please open a task on the 'ubuntu-release-notes' project rather than
> subscribing ubuntu-release for this.
>
> --
> Steve Langasek Give me a lever long enough and a Free OS
> Debian Developer to set it on, and I can move the world.
> Ubuntu Developer http://www.debian.org/
> <email address hidden> <email address hidden>
>

Steve Langasek (vorlon) wrote :

On Fri, Mar 25, 2011 at 09:42:49PM -0000, Clint Byrum wrote:
> Note that it already had a task, which was fixed in the maverick notes.

> I cannot change that task back to New or create a task for the Natty
> series.

oh, oops. :-)

> I will open a new bug report against ubuntu-release-notes and provide a
> link to this bug report.

Or I could reopen the release-notes task on this bug, whichever you prefer.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

Clint Byrum (clint-fewbar) wrote :

On Fri, 2011-03-25 at 21:54 +0000, Steve Langasek wrote:
> On Fri, Mar 25, 2011 at 09:42:49PM -0000, Clint Byrum wrote:
> > Note that it already had a task, which was fixed in the maverick notes.
>
> > I cannot change that task back to New or create a task for the Natty
> > series.
>
> oh, oops. :-)
>
> > I will open a new bug report against ubuntu-release-notes and provide a
> > link to this bug report.
>
> Or I could reopen the release-notes task on this bug, whichever you
> prefer.
>

I think reopening the task would be preferable, wasn't sure if that was
the procedure.

Once that is done I'll update the bug description with suggested text.

Steve Langasek (vorlon)
Changed in ubuntu-release-notes:
status: Fix Released → Triaged
Clint Byrum (clint-fewbar) wrote :

Thanks Steve, I've updated the description with the note I'd like to see
in Natty's release notes.

On Mon, 2011-03-28 at 18:21 +0000, Steve Langasek wrote:
> ** Changed in: ubuntu-release-notes
> Status: Fix Released => Triaged
>

description: updated
juan garcia garcia (mendumon) wrote :

Today, 04/26/2011, is it still a bug? Is there any solution for this error? Can anyone tell me what would be the best way to solve it?
Thanks.
Regards

Changed in server-papercuts:
status: Confirmed → Fix Released
juan garcia garcia (mendumon) wrote :

Hi Scott, I'm new here. I do not understand English very well and do not understand what you say. Can you explain a little?
Thanks a lot

Scott Kitterman (kitterman) wrote :

This bug has been fixed in the new Ubuntu version that is about to be released.

Colin Watson (cjwatson) wrote :

Release-noted (thanks, Clint):

 * If you have set up Apache with an encrypted SSL key, the system will now prompt for the passphrase on the console during boot. This is different from the behavior of previous versions which would simply fail to start apache. (Bug:582963)

Changed in ubuntu-release-notes:
status: Triaged → Fix Released
Dave Walker (davewalker)
tags: added: server-nrs