Bug 252776

Summary: security/py-certbot-apache: Looking in wrong location for Apache ssl_module
Product: Ports & Packages
Reporter: Anton Samsonov <dev-freebsd>
Component: Individual Port(s)
Assignee: freebsd-python (Nobody) <python>
Status: New ---
Severity: Affects Some People
Flags: bugzilla: maintainer-feedback? (python)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description Anton Samsonov 2021-01-17 12:41:33 UTC
Certbot attempts to read mod_ssl.so (to get OpenSSL version) at wrong path:

attempted: /usr/local/etc/apache24/libexec/apache24/mod_ssl.so
real path: /usr/local/libexec/apache24/mod_ssl.so

My config in /usr/local/etc/apache24/httpd.conf:
ServerRoot "/usr/local"
LoadModule ssl_module libexec/apache24/mod_ssl.so

That is, the module appears to be searched relative to httpd.conf — that is
wrong: according to Apache HTTP Server docs, relative paths in LoadModule
directive should be resolved against ServerRoot rather than the topmost
configuration directory.


I have reported this bug to https://github.com/certbot/certbot/issues/8593
and the upstream developers concluded that the issue is FreeBSD-specific,
caused by the following patch:

https://svnweb.freebsd.org/ports/head/security/py-certbot-apache/Makefile?revision=491714&view=markup

which runs sed -e 's|/etc/apache2|${LOCALBASE}/etc/apache24|'
  ${WRKSRC}/certbot_apache/configurator.py

so that OS_DEFAULTS["server_root"] becomes "/usr/local/etc/apache24".


In my understanding, this alone is not the root cause for the problem,
because that variable is only used as default for --apache-server-root
to find httpd.conf initially. The real problem, IMHO, is that this
OS_DEFAULTS["server_root"] is later used instead of real ServerRoot
specified in httpd.conf — at least I see no attempt to parse ServerRoot
in certbot-apache code, but I am not very confident about that, as I just
started familiarizing myself with this software.

As an alternative, Certbot developers offered creating an overrides file,
just like override_debian.py, so that no downstream patching is needed.
But, again, I see no way how this could fix the original issue.


Could someone please share their experience with certbot-apache in FreeBSD
— how do you configure it, and did you ever check that it actually operates
flawlessly? Because for me it in fact succeeds despite this error, so
my guess is that nobody just notices it.
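The two resolution rules the report contrasts, as an added example that is not part of the bug report or of certbot's code: one helper resolves a relative LoadModule path against the directory of httpd.conf (the behaviour observed above), the other against the parsed ServerRoot (the rule the Apache documentation gives). The httpd.conf text is constructed to mirror the reporter's configuration; the fallback used when no ServerRoot is set, and the CONFIG_DIR constant, are assumptions of this example, not values read from certbot.

```python
import os
import re

# Constructed sample mirroring the reporter's FreeBSD httpd.conf
# (ServerRoot "/usr/local", LoadModule with a ServerRoot-relative path).
SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local"
Listen 80
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule status_module /usr/local/libexec/apache24/mod_status.so
"""

# Directory holding httpd.conf on FreeBSD; the value the port's sed patch
# writes into OS_DEFAULTS["server_root"] according to the report.
CONFIG_DIR = "/usr/local/etc/apache24"

_SERVER_ROOT_RE = re.compile(
    r'^\s*ServerRoot\s+"?([^"\s]+)"?\s*$', re.IGNORECASE | re.MULTILINE)
_LOAD_MODULE_RE = re.compile(
    r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE | re.MULTILINE)


def parse_server_root(conf_text, fallback):
    """Return the ServerRoot directive value, or `fallback` when the config
    sets none (assumption of this example: real httpd would then use its
    compile-time default, which we do not know here)."""
    m = _SERVER_ROOT_RE.search(conf_text)
    return m.group(1) if m else fallback


def parse_load_modules(conf_text):
    """Map module identifier -> path string exactly as written in the config."""
    return {name: path for name, path in _LOAD_MODULE_RE.findall(conf_text)}


def resolve_against(base_dir, path):
    """httpd's rule: an absolute path is used as-is, a relative one is
    joined onto `base_dir`."""
    if os.path.isabs(path):
        return os.path.normpath(path)
    return os.path.normpath(os.path.join(base_dir, path))


def module_path_config_relative(conf_text, module_name, config_dir=CONFIG_DIR):
    """The behaviour the report observes: a relative LoadModule path is
    resolved against the directory of httpd.conf. None if not loaded."""
    path = parse_load_modules(conf_text).get(module_name)
    return None if path is None else resolve_against(config_dir, path)


def module_path_server_root_relative(conf_text, module_name, config_dir=CONFIG_DIR):
    """The documented rule: a relative LoadModule path is resolved against
    ServerRoot. None if the module is not loaded."""
    path = parse_load_modules(conf_text).get(module_name)
    if path is None:
        return None
    server_root = parse_server_root(conf_text, fallback=config_dir)
    return resolve_against(server_root, path)


if __name__ == "__main__":
    for mod in ("ssl_module", "status_module", "missing_module"):
        print(mod,
              module_path_config_relative(SAMPLE_HTTPD_CONF, mod),
              module_path_server_root_relative(SAMPLE_HTTPD_CONF, mod))
```

For ssl_module the first helper yields the "attempted" path from the report and the second the "real path"; for status_module, which is loaded by absolute path, both agree, which is why an installation that uses only absolute LoadModule paths would never notice the difference.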