Bug 252776 - security/py-certbot-apache: Looking in wrong location for Apache ssl_module
Summary: security/py-certbot-apache: Looking in wrong location for Apache ssl_module
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-python (Nobody)
URL: https://www.freshports.org/security/p...
Keywords: needs-qa
Depends on:
Blocks:
 
Reported: 2021-01-17 12:41 UTC by Anton Samsonov
Modified: 2023-09-15 06:12 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (python)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Anton Samsonov 2021-01-17 12:41:33 UTC
Certbot attempts to read mod_ssl.so (to get OpenSSL version) at wrong path:

attempted: /usr/local/etc/apache24/libexec/apache24/mod_ssl.so
real path: /usr/local/libexec/apache24/mod_ssl.so

My config in /usr/local/etc/apache24/httpd.conf:
ServerRoot "/usr/local"
Module ssl_module libexec/apache24/mod_ssl.so

That is, the module appears to be searched relative to httpd.conf — that is
wrong: according to Apache HTTP Server docs, relative paths in LoadModule
directive should be resolved against ServerRoot rather than the topmost
configuration directory.


I have reported this bug to https://github.com/certbot/certbot/issues/8593
and the upstream developers concluded that the issue is FreeBSD-specific,
caused by the following patch:

https://svnweb.freebsd.org/ports/head/security/py-certbot-apache/Makefile
?revision=491714&view=markup

which runs sed -e 's|/etc/apache2|${LOCALBASE}/etc/apache24|'
  ${WRKSRC}/certbot_apache/configurator.py

so that OS_DEFAULTS["server_root"] becomes "/usr/local/etc/apache24".


In my understanding, this alone is not the root cause for the problem,
because that variable is only used as default for --apache-server-root
to find httpd.conf initially. The real problem, IMHO, is that this
OS_DEFAULTS["server_root"] is later used instead of real ServerRoot
specified in httpd.conf — at least I see no attempt to parse ServerRoot
in certbot-apache code, but I am not very confident about that, as I just
started familiarizing myself with this software.

As an alternative, Certbot developers offered creating an overrides file,
just like override_debian.py, so that no downstream patching is needed.
But, again, I see no way how this could fix the original issue.


Could someone please share their experience with certbot-apache in FreeBSD
— how do you configure it, and did you ever check that it actually operates
flawlessly? Because for me it in fact succeeds despite this error, so
my guess is that nobody just notices it.