opensslcnf not set (on rhel at least)

Bug #707161 reported by Erik Ordway on 2011-01-24
This bug affects 1 person
Affects: Mahara
Importance: Low
Assigned to: Robert Lyon

Bug Description

SSL key generation is dependent on finding the openssl.cnf key on the OS. When installing Mahara on RHEL/Unbreakable Linux the name/value of opensslcnf/'/etc/pki/tls/openssl.cnf' does not get set in the 'config' table of the database. This prevents the key generation needed for extra-site networking. It is possible that on other Linux variants the file can be found without this, but not on this combination. This value does get set on a Moodle 1.9 install, which led me to figuring this out.

mahara 1.3.4

Red Hat Enterprise Linux Server release 5.5 (Tikanga) run from Oracle yum repository

PHP 5.1.6 (cli) (built: Nov 29 2010 17:42:31)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Postgresql 8.4.5

Changed in mahara:
milestone: none → 1.4.0
importance: Undecided → Medium
status: New → Triaged
Erik Ordway (ordwaye) wrote :

In talking with some others, the value may have been set in Moodle because Moodle was installed before RHEL locked down access to the file. If I installed Moodle now it would probably not work.

François Marier (fmarier) wrote :

Ok, I'm a bit confused here...

What exactly should be done in Mahara to resolve your problem on RHEL?

Erik Ordway (ordwaye) wrote :

The error when the key generation fails should say that it cannot find the system's openssl.cnf. Even better, there probably should be a warning during install that says networking will not work till you locate the openssl.cnf.

François Marier (fmarier) wrote :

Ok, we can certainly provide a better error message.

What did you have to change on your system to make it work? Did you have to change a path somewhere in the Mahara config or the source code?

Erik Ordway (ordwaye) wrote :

Setting this name/value of opensslcnf/'/etc/pki/tls/openssl.cnf' in the 'config' table of the database. It is also possible that setting it in config.php might also work but I have not tested it.

Basically RHEL hides the openssl.cnf so that user processes (like apache) cannot find it and can only use it if they know the exact path. I do not understand why this is but it is.
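
Added example (not part of the bug thread and not Mahara's own code): a PHP sketch of key generation that passes the openssl.cnf path explicitly and, when the file cannot be read, fails with the kind of error message requested above. The function name `generate_keypair_with_cnf` and the 2048-bit RSA parameters are assumptions; the path is the one the reporter stored as `opensslcnf`.

```php
<?php
// Added example, not Mahara code. generate_keypair_with_cnf() and the
// RSA/2048 parameters are assumptions made for illustration.

/**
 * Generate a key pair with the openssl.cnf location passed explicitly,
 * failing with a message that names the path that was tried.
 */
function generate_keypair_with_cnf($opensslcnf) {
    if (!is_string($opensslcnf) || $opensslcnf === '') {
        throw new RuntimeException('opensslcnf is not set; key generation needs the path to openssl.cnf');
    }
    if (!is_file($opensslcnf) || !is_readable($opensslcnf)) {
        throw new RuntimeException("openssl.cnf is not readable by the web server user at: $opensslcnf");
    }

    $options = array(
        'config'           => $opensslcnf,
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    );

    // Drain stale entries so the errors reported below belong to this call.
    while (openssl_error_string() !== false) {}

    $key = openssl_pkey_new($options);
    if ($key === false) {
        $errors = array();
        while (($e = openssl_error_string()) !== false) { $errors[] = $e; }
        throw new RuntimeException("Key generation failed using $opensslcnf: " . implode('; ', $errors));
    }

    // Exporting the key also reads openssl.cnf, so pass the same options.
    if (!openssl_pkey_export($key, $private_pem, null, $options)) {
        throw new RuntimeException("Private key export failed using $opensslcnf");
    }
    $details = openssl_pkey_get_details($key);
    return array('private' => $private_pem, 'public' => $details['key']);
}

$path = '/etc/pki/tls/openssl.cnf'; // value the reporter stored as opensslcnf
try {
    generate_keypair_with_cnf($path);
    echo "Generated key pair using $path\n";
} catch (RuntimeException $e) {
    echo 'ERROR: ' . $e->getMessage() . "\n";
}
```

Run it as the same user the web server runs as, since the readability check depends on that account's file permissions.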

Changed in mahara:
milestone: 1.4.0 → none
importance: Medium → Low
Robert Lyon (robertl-9) wrote :

I note there is a line
 $opensslcnf = get_config('opensslcnf');

in htdocs/api/xmlrpc/lib.php

But the opensslcnf variable does not get set on install nor does it seem to be listed in the comments of
htdocs/config.php
htdocs/lib/config-defaults.php

Should it be added to
htdocs/lib/config-defaults.php?

Its instructions should be added so people know it exists and what it does.

Changed in mahara:
milestone: none → 1.9.0
Aaron Wells (u-aaronw) wrote :

Hi Robert,

It looks like this config option was added in Mahara 1.3, and never altered after that.

I agree, it should be added to config-defaults.php

Cheers,
Aaron

Robert Lyon (robertl-9) wrote :

added patch to include this option in config-defaults.php
https://reviews.mahara.org/#/c/2720/

Changed in mahara:
status: Triaged → In Progress
assignee: nobody → Robert Lyon (robertl-9)

Reviewed: https://reviews.mahara.org/2720
Committed: http://gitorious.org/mahara/mahara/commit/1cb01ce2085930a34757da7042c2bdb39618f485
Submitter: Son Nguyen (<email address hidden>)
Branch: master

commit 1cb01ce2085930a34757da7042c2bdb39618f485
Author: Robert Lyon <email address hidden>
Date: Wed Nov 20 09:36:54 2013 +1300

Updating config defaults with opensslcnf info (bug #707161)

- option added v1.3 but not documented in the list of defaults that
are available

Change-Id: Ib6010e502ffdefe00d86856674fc54362fa41faa
Signed-off-by: Robert Lyon <email address hidden>

Aaron Wells (u-aaronw) on 2013-11-21
Changed in mahara:
status: In Progress → Fix Committed
Robert Lyon (robertl-9) on 2014-04-22
Changed in mahara:
status: Fix Committed → Fix Released