[regression] apache2-ssl-certificate has gone missing since feisty
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| apache2 (Debian) |
Fix Released
|
Unknown
|
||
| apache2 (Ubuntu) |
Wishlist
|
Unassigned | ||
Bug Description
Binary package hint: apache2
Enabling SSL/TLS encryption for Apache is difficult.
apache2-
lithorus (lithorus) wrote : | #1 |
burgerbee (bigge) wrote : | #2 |
Tested to confirm and its missing in Herd 5 aswell.
Paul Williams (pwill) wrote : | #3 |
Confirmed, and marked as confirmed.
This is critical for people that need SSL on their servers.
Of course there are other ways to generate ssl cert files, but this is by far the easiest.
Changed in apache2: | |
status: | Unconfirmed → Confirmed |
speeves (speeves) wrote : | #4 |
I have generated the build diff.gz (apache2_
1. sudo apt-get build-dep apache2
2. sudo apt-get source -d apache2 (download only mode)
3. sudo cp path/to/
(replace the existing diff.gz and .dsc with the files I have attached)
4. dpkg-source -x apache2_
5. cd apache2-2.2.3
6. fakeroot debian/rules binary
7. sudo dpkg -i ../*.deb (modify to install the correct deb packages for your installation)
The apache2-
apache2.
Obviously, these attachments are amd64 specific, but the changes that I made are platform agnostic, so someone with i386, etc., should be able to apply the same changes to their platform. I'll upload the modified files as well, to help facilitate this.
maxwas (maxwas) wrote : | #5 |
The same problem exists in 6.10 edgy.
I have just done a default LAMP install on ubuntu server - all fine.
On ubuntu i done a manual install of apache2 (and assoc friends), the command: 'apache2-
Matti Lindell (mlind) wrote : | #6 |
Duplicate Debian bug is http://
Changed in apache2: | |
status: | Unknown → Unconfirmed |
Luke Maurer (luke-maurer) wrote : | #7 |
So, I take it Feisty is shipping with this bug still open? There're gonna be a lot of people wondering why all the Apache2/SSL tutorials are broken ...
Joachim Davain (joachim-davain) wrote : | #8 |
Tested to confirm and its missing in the final release 5 aswell.
Paul Williams (pwill) wrote : | #9 |
I think the Apache package manager stopped paying attention. It's a very simple fix.
Changed in apache2: | |
importance: | Undecided → Medium |
Milan Mitrović (milan.mitrovic) wrote : | #10 |
I have the same problem... Is it going to be fixed soon?
I can confirm this one too!!!
stormreaver (kubuntu-tonyobryan) wrote : | #12 |
It is also missing in Kubuntu 7.04 final.
speeves (speeves) wrote : | #13 |
Has anyone had a chance to test my patches in:
https:/
Confirmed. Against all wise logic I SHOULD have had, I upgraded the Dapper server I was maintaining at work to Edgy, then Feisty. And when I was to re-certify it for WebDAV/SSL, "command not found". If speeves' patch won't work on me, I will be reinstalling Dapper, I just can't spend too much time to fix this since it is an important server. I hope the importance of this bug is escalated since I think that there probably guys out there who need SSL for work, as well. I hope this is fixed soon.
Matti Lindell (mlind) wrote : | #15 |
You can grab ssleay.cnf and apache2-
I hope this workaround works for people who bothered by this issue. Extract the package and put ssleay.cnf to /usr/share/apache2/ and apache2-
Create /etc/apache2/ssl directory. Then apache2-
speeves (speeves) wrote : | #16 |
Though this bug makes more work for us, it is not show-stopper. We can always make the ssl certificates in the old-fashioned way as described here:
http://
Just modify your ssl vhost conf to point to the key and crt files that you create, and you should be good to go.
Luís Pereira (luispereira) wrote : | #17 |
The solution proposed by mlind works.
Matti Lindell (mlind) wrote : | #18 |
I'm attaching patch against feisty's apache2 (2.2.3-3.2build1) which adds ssl-certificate script back from Edgy's apache2. For some reason, also lintian overrides were dropped in 2.0 --> 2.2 transition, so I decided not include one for apache2-
I guess we should try to get this in gutsy first.
Tristan Rhodes (tristanrhodes) wrote : Re: apache2-ssl-certificate has gone missing since feisty | #19 |
I have also just discovered that this script is missing when I was trying to follow an SSL tutorial. For people who want quick SSL setup, this script was great! A real certificate is best, but if you don't want to spend money but DO want to secure web traffic, then a self-signed certificate works great. Please add this back into the apache package.
Malthe Borch (mborch) wrote : | #20 |
I find that htpasswd2 is also missing from /usr/sbin. Could it be related?
speeves (speeves) wrote : Re: [Bug 77675] Re: apache2-ssl-certificate has gone missing since feisty | #21 |
Malthe wrote:
> I find that htpasswd2 is also missing from /usr/sbin. Could it be
> related?
>
Hi Malthe,
Can you open a new bug for htpasswd2? That would help us to track these
issues separately.
thanks,
--
Shannon Eric Peevey
<email address hidden>
http://
Malthe Borch (mborch) wrote : | #22 |
Done.
On 28/05/07, speeves <email address hidden> wrote:
> Malthe wrote:
> > I find that htpasswd2 is also missing from /usr/sbin. Could it be
> > related?
> >
> Hi Malthe,
>
> Can you open a new bug for htpasswd2? That would help us to track these
> issues separately.
>
> thanks,
>
> --
> Shannon Eric Peevey
> <email address hidden>
> http://
>
> --
> apache2-
> https:/
> You received this bug notification because you are a direct subscriber
> of the bug.
>
--
--=====
mail: <email address hidden>
homepage: zeitmaschine.dk
--=====
@Malthe
In edgy, /usr/bin/htpasswd2 is a symlink pointing to /usr/bin/htpasswd.
Feisty and gutsy have the latter one (but not the symlink).
speeves (speeves) wrote : | #24 |
I answered and closed the htpasswd2 bug at:
https:/
Soren Hansen (soren) wrote : | #25 |
I'm rejecting this bug, as the ssl-cert package provides make-ssl-cert and also usr/share/
If you feel that this is not sufficient, feel free to reopen this bug.
Changed in apache2: | |
assignee: | nobody → shawarma |
status: | Confirmed → Rejected |
speeves (speeves) wrote : | #26 |
Hi Soren,
I see that apache-ssl (apache 1.3) depends on ssl-cert, but it doesn't seem that apache2 has it as a dependency? Do you know which package depends on it?
thanks,
speeves
Hansch (hansch) wrote : | #27 |
I have the same problem on Debian Sarge which has the latest Apache package (2.2.3) installed. Of course there are many ways to create ssl certificates, but many howto's mention the use of apache2-
Matti Lindell (mlind) wrote : | #28 |
reopened as requested.
Changed in apache2: | |
importance: | Medium → Wishlist |
status: | Invalid → Confirmed |
assignee: | shawarma → nobody |
speeves (speeves) wrote : Re: [Bug 77675] Re: apache2-ssl-certificate has gone missing since feisty | #29 |
On 7/20/07, mlind <email address hidden> wrote:
>
> reopened as requested.
>
> ** Changed in: apache2 (Ubuntu)
> Importance: Medium => Wishlist
> Status: Invalid => Confirmed
I realize that we may need to wait for this to be fixed in the Debian
package upstream, but I believe this to be of more importance than
"wishlist". In essence, there is no reference or dependency to the ssl-cert
package, leaving many users in the dark about this issue. At this point, if
we are to handle this in Ubuntu, (as opposed to waiting for the fix
upstream), we have a couple of options:
1. Use the patch that I have submitted above and add apache2-
back into the apache2 package itself.
2. add the ssl-cert package as a dependence to to the apache2 package, and
upload that version.
3. add documentation to th README.Debian which states the issue and how to
resolve it
I recommend either 1 or 2, (2 is preferred, since it is the direction chosen
by the upstream maintainers), but 3 is an acceptable interim option. All
options would diverge the Apache2 package in Ubuntu from the Debian
upstream... I will be happy to provide a patch for either 2 or 3, but want
to see what works best for everyone. (1 is already available above).
thanks,
--
Shannon Eric Peevey
<email address hidden>
http://
speeves (speeves) wrote : | #30 |
BTW, when checking out the changes in ssl-cert dependencies, I found these
related bugs:
http://
http://
They seem rather old, and it is possible that ssl-cert has fixed its ways
:) And, here are the related entries in the debian/changelog file:
apache2 (2.0.48-8) unstable; urgency=low
* Disable ssl-cert until it sucks less. related to 230791 (closes:
#231726)
apache2 (2.0.48-5) unstable; urgency=low
- Call ssl-cert to generate an SSL cert using debconf (closes: #178322)
apache2 (2.0.48-1) unstable; urgency=low
- Add dependency on ssl-cert (Closes: #177837)
My take on this seems to point to a reinclusion of the
apache2-
satisfactory dependency...
If my patch above need only be modified for i386, let me know and I will
build an i386 vm to create the more popular architecture patch...
thanks,
--
Shannon Eric Peevey
<email address hidden>
http://
I think that this bug should be solved quickly. All the proposed workarounds do not work.
make-ssl-cert lacks of a -days option. Hence, it issues a certificate for only one month.
I don't want to chage my servers certificates every month!
The old fashioned way with mod-ssl : http://
If you find a simple workaroud for issuing a simple sefl-signed certificate valid for one year or more, I'll be very grateful!
The workaround at https:/
acacha (sergi-tur) wrote : | #33 |
You could use make-ssl-cert form package ssl-cert instead of apache2-
http://
speeves (speeves) wrote : Re: [Bug 77675] Re: apache2-ssl-certificate has gone missing since feisty | #34 |
On 10/16/07, acacha <email address hidden> wrote:
> You could use make-ssl-cert form package ssl-cert instead of apache2
> -ssl-certificate. I have a tutorial (sorry is in Catalan) at:
>
> http://
>
> --
> apache2-
> https:/
> You received this bug notification because you are a direct subscriber
> of the bug.
>
It still seems to me that the best solution is in my comment above:
<snip>
I realize that we may need to wait for this to be fixed in the Debian
package upstream, but I believe this to be of more importance than
"wishlist". In essence, there is no reference or dependency to the
ssl-cert package, leaving many users in the dark about this issue. At
this point, if we are to handle this in Ubuntu, (as opposed to waiting
for the fix upstream), we have a couple of options:
1. Use the patch that I have submitted above and add
apache2-
2. add the ssl-cert package as a dependence to to the apache2 package,
and upload that version.
3. add documentation to th README.Debian which states the issue and
how to resolve it
I recommend either 1 or 2, (2 is preferred, since it is the direction
chosen by the upstream maintainers), but 3 is an acceptable interim
option. All options would diverge the Apache2 package in Ubuntu from
the Debian upstream... I will be happy to provide a patch for either
2 or 3, but want to see what works best for everyone. (1 is already
available above).
</snip>
Let me see if I can get a Debian Maintainer to sponsor a patch to
include ssl-cert as a dependency in the Debian package upstream.
thanks,
--
Shannon Eric Peevey
<email address hidden>
http://
Changed in apache2: | |
status: | Confirmed → Triaged |
*bump*
the script is still missing in hardy. have any workarounds been implemented since this bugreport was opened?
mathieubll (mathieu-mangeot) wrote : | #36 |
My workaroud was the following:
As I'm alos using debian, I wanted a workaround for both ubuntu and debian (my problem is basically the lack of a duration option in the make-ssl-certs script).
I wanted to create a new clean version of the make-ssl-certs script with a -days option but was not able to do so.
I finally hardcoded (or modified by hands) the make-ssl-certs script in order to add the -days 365 option to the openssl req command.
fuelrod (danielhodder) wrote : | #37 |
I can confirm this also but what I want to know is why has this been declined for release twice (Gutsy and Feisty).
speeves (speeves) wrote : Re: [Bug 77675] Re: apache2-ssl-certificate has gone missing since feisty | #38 |
Please, open a new bug so that we can track this separately.
thanks,
speeves
On 2/8/08, fuelrod <email address hidden> wrote:
> I can confirm this also but what I want to know is why has this been
> declined for release twice (Gutsy and Feisty).
>
> --
> apache2-
> https:/
> You received this bug notification because you are a direct subscriber
> of the bug.
>
--
Shannon Eric Peevey
<email address hidden>
http://
Still missing on Ubuntu 7.10 server with Apache2 2.2.4... That's not good, as it makes internal servers unsecure...
Nick Barcet (nijaba) wrote : | #40 |
I think that the documentation at https:/
I went and corrected all references to it on http://
I think we can close this bug unless someone objects to that.
speeves (speeves) wrote : Re: [Bug 77675] Re: apache2-ssl-certificate has gone missing since feisty | #41 |
On 3/20/08, Nick Barcet <email address hidden> wrote:
>
> I think that the documentation at
> https:/
> quite clear on how to generate a self signed certificate, so I do not
> understand why we would need apache2-
Would it be possible to put a link to that documentation in the
README.Debian? I think that would be sufficient, as it looks like ssl-cert
is now a deprecated process as well...
Why not make it easier for users, specially the casual home user who wants to setup a secure web server, by providing him a script that actually does the job? Nothing beats more documentation than an actual tool that does the job for the user. If the script already existed, why not bring it back?
This is script is particularly useful when someone comes from another distribution (such as Fedora) and migrates his stuff to Ubuntu. Saves the user the task to search the web on how to generate it.
George (gapop) wrote : | #43 |
Nick,
There are many useful tutorials on the Web on how to install a secure server on Ubuntu which make reference to that script. Why leave people who are learning with a broken tutorial? Following your reasoning, one could ask why do we need most of the GUI in the Ubuntu desktop, since you can do the same from the command line.
Someone took the time to report the bug because they were upset by the script's disappearance. Two dozen people have subscribed to the bug because they care. Please reconsider closing this bug.
George
speeves (speeves) wrote : Re: [Bug 77675] Re: apache2-ssl-certificate has gone missing since feisty | #44 |
I actually feel a link to Nick's documentation at:
https:/
Or, the same information in the README.Debian, (which I think is a better
location, (for people without internet connections, etc.)),
is sufficient to close this bug, per this entry in the apache source
debian/changelog:
changelog: * Disable ssl-cert until it sucks less. related to 230791
(closes: #231726)
If ssl-cert is a non-stable, or doesn't work as expected, then we definitely
need to rely on the tools that will work for every situation. (ie openssl).
See my comments for other alternatives to Nick's solution:
https:/
https:/
I am available to update my patches, etc. from comment 4, if that seems to
be the best idea, (if someone will sponsor the upload).
All of this would be vaguely tolerable if, of course, you could easily create a self signed cert using the ubuntu openssl package, as elucidated here :
http://
However, the current feisty dist doesn't include the needed signing script sign.sh from the source dist, at least not that I could see.
You can however, find the script here : http://
(referenced for anyone else trying to do this !)
Tero Karvinen (karvinen+launchpad) wrote : Broken in Hardy Re: apache2-ssl-certificate has gone missing since feisty | #46 |
Broken in Hardy Beta. This seems to be a regression: in earlier Ubuntus, cert was generated automatically.
Details of Hardy setup and tests done http://
description: | updated |
maraja (ugo-grandolini) wrote : | #47 |
setup
1. sudo apt-get install apache2
2. sudo apt-get install openssl
3. sudo apt-get install ssl-cert
create ssl certificate:
sudo make-ssl-cert /usr/share/
switch to apache sites configuration:
cd /etc/apache2/
bakup the default configuration:
sudo cp default default.backup.date
be sure to listen the port 80 for the default:
sudo sed -i '1,2s/\*/*:80/' default
create the ssl configuration:
sudo cp default ssl
set the ssl port:
sudo sed -i '1,2s/\*:80/*:443/' ssl
sudo sed -i "3a\\\tSSLEngine On\n\tSSLCertif
enable ssl:
sudo a2ensite ssl
sudo a2enmod ssl
restart apache2:
sudo /etc/init.d/apache2 restart
=)
Thanks maraja, I'll try it out.
Could this process be packaged so that it would only require a single command?
maraja (ugo-grandolini) wrote : | #49 |
Taro,
I guess so but I do not know how to do it =/
If anyone is going to create a .deb out of it, he should consider that the user may only need one (or two, or all) of the initial setup steps.
Changed in apache2: | |
status: | New → Fix Committed |
Changed in apache2: | |
status: | Fix Committed → Fix Released |
Chuck Short (zulcss) wrote : | #50 |
This has been fixed for intrepid. Thanks for the bug report.
Regards
chuck
Changed in apache2: | |
status: | Triaged → Fix Released |
Hi,
Seems that this is confirmed to be fixed in the current Ubuntu release 8.10 (Intrepid Ibex)...
Anyway, here still my two cents for testing Hardy (8.0.4); I cannot quite get the self-signed certificate working according the instructions by maraja https:/
Sure, the steps can be done succesfully, i.e. ssleay.cnf is available and all, but when testing https, error is thrown:
$ curl https:/
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:
...
$ firefox https:/
"Secure Connection Failed"-page is thrown saying, that certificate is not trusted.
Detailed testing steps described in http://
Regards,
Mika
enedene (enedene) wrote : | #52 |
It's not working in 9.04 Jaunty.
Conor Gallagher (cjbooms) wrote : | #53 |
I can also confirm that is not working in Jaunty. I've wasted a lot of time jumping from tutorial to tutorial to finally find the above thread. I'm planning on exploring the other options but this is really going to frustrate anyone starting out with SSL.
Changed in apache2 (Ubuntu): | |
status: | Fix Released → Confirmed |
status: | Confirmed → Fix Released |
Changed in apache2 (Ubuntu): | |
status: | Fix Released → In Progress |
Mathias Gug (mathiaz) wrote : | #54 |
Please don't change the status of a bug without giving an explanation.
Changed in apache2 (Ubuntu): | |
status: | In Progress → Fix Released |
moncefioce (moncefbouallagui1) wrote : | #55 |
je sais pas
Kumar (kumarldh) wrote : | #56 |
Hi,
The bug exists in Karmic. I just tried to run the command:
kumar@kumar:~$ apache2-
apache2-
This may not stop any determined from creating certificates but its still an issue.
Changed in apache2 (Ubuntu): | |
status: | Fix Released → Confirmed |
QQ Some More (qqsomemore) wrote : | #57 |
Found this issue by following a tutorial that used apache2-
I'm glad I found this discussion explaining the issue with posts to other tutorials for making the cert. However until I did it was pretty confusing to be missing the script while the tutorials were saying it should be part of the apache2 package. I realize that in general you don't want to design packages based on someone overgeneralizing in an install guide but the script sounds useful and if it's a good fit on the Ubuntu side including it would clear up some confusion for people that end up in the same situation.
Chuck Short (zulcss) wrote : | #58 |
This has been fixed for a while now.
chuck
Changed in apache2 (Ubuntu): | |
status: | Confirmed → Fix Released |
2GooD (david+launchpad) wrote : | #59 |
@Chuck Short: If this is fixed, where is the apache2-
"You have searched for filenames that contain apache2-
Sorry, your search gave no results"
gl1176 (gl76) wrote : | #60 |
The way to do this has changed. The procedure is still simple for a self signed ssl cert.
The following is the correct way:
apt-get install apache2
a2enmod ssl
a2ensite default-ssl
make-ssl-cert generate-
/etc/init.d/apache2 restart
You can find this in the follow doc under SSL:
/usr/share/
flindeberg (flindeberg) wrote : | #61 |
Just want to point out that often a force is required when making a new ssl-cert for proper functionality.
make-ssl-cert generate-
I'm guessing most people who have googled this bug has had some form certificate before, so forcing a overwrite is usually a good idea since neither the internet nor your hosts file are static.. =P
But as gl1176 mentioned, check out the readme /usr/share/
speeves (speeves) wrote : | #62 |
This is a question. We should close this as a bug now.
Changed in apache2 (Ubuntu): | |
assignee: | nobody → speeves (speeves) |
speeves (speeves) wrote : | #63 |
Marking
Changed in apache2 (Ubuntu): | |
status: | Fix Released → Invalid |
assignee: | speeves (speeves) → nobody |
Changed in apache2 (Ubuntu): | |
status: | Invalid → Fix Released |
/usr/share/ apache2/ ssleay. cnf and the directory /etc/apache2/ssl is also missing.