SSLPassPhraseDialog setting problems - /usr/libexec/httpd-ssl-pass-dialog
lauer opened this issue · 6 comments
Describe the bug
The template for apache_vhost contains SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
This seems to be a default setting, however this does not exist on my Ubuntu 18.04.
If I remove this line in the template, all works fine.
Installation method/version
- Github / latest
Ansible Version
ansible 2.6.1
Targeted hosts
Concerns the following OS(es):
- Ubuntu
Expected behavior
When TLS is enabled for zabbix web, I expected it to work with default settings when the cert and key paths have been applied.
Additional context
Using certbot to generate SSL certificates
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-06-07T21:10:10
Server's Module Magic Number: 20120211:68
Server loaded: APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"
I just merged a PR that is able to override them via the property zabbix_apache_SSLPassPhraseDialog, see the readme.
It seems that for Ubuntu 18.04 you can set zabbix_apache_SSLPassPhraseDialog: builtin.
Also worth mentioning that the error "SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?)." which prevents Apache from starting in Ubuntu 18.04 can be resolved by adding the module "socache_shmcb" to the variable apache_mods_enabled for dependency role geerlingguy.apache.
Thank you for this information. Are you able to provide a notification in the readme for this to help others?
Kind regards,
Werner
Hi Werner,
I've reviewed the readme and am not sure where the ideal place would be to call out something specific to Ubuntu in there. The challenge is there are so many possible combinations of variable values in the role. This seems like a pretty specific note to have in the readme given how general the rest of it is.
Perhaps we should consider reviewing whether variables have sane default values for each distribution. That way when the role is run without any customization at all, it at least doesn't fail. That still may not solve the problem of informing users of all the knobs they can tweak.
Another option could be to add "OS-specific" sections to the readme and just put miscellaneous stuff in there. What do you think?
Thanks,
Jason
Faced a similar situation when adding Let's Encrypt. I solved the problem by adding these variables:
zabbix_apache_tls: true
zabbix_apache_redirect: true
zabbix_apache_SSLPassPhraseDialog: builtin
zabbix_apache_SSLSessionCache: none
zabbix_apache_tls_crt: /etc/letsencrypt/live/zabbix.rllinsure.com/fullchain.pem
zabbix_apache_tls_key: /etc/letsencrypt/live/zabbix.rllinsure.com/privkey.pem
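
A preflight check for the two start-up failures discussed in this thread, as an added example that is not part of the original issue or the role's code: it flags an SSLPassPhraseDialog exec: helper that is missing on the host and an SSLSessionCache provider whose socache module is not loaded. The function names, the sample config and the form of the module set (names without the mod_ prefix) are assumptions.

```python
import os
import re

# Constructed sample config using the directive values quoted in this thread;
# the shmcb cache path is a made-up placeholder.
SAMPLE_CONF = """\
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/path/to/sslcache(512000)
"""


def directive(conf, name):
    """Return the argument of the first uncommented occurrence of a directive."""
    pattern = r"^[ \t]*%s[ \t]+(\S.*?)[ \t]*$" % re.escape(name)
    match = re.search(pattern, conf, re.M | re.I)
    return match.group(1) if match else None


def preflight(conf, loaded_modules):
    """List reasons Apache would refuse to start with this TLS configuration.

    loaded_modules is a set such as {"ssl", "socache_shmcb"} (assumed form).
    """
    problems = []

    # exec:<path> needs a helper program that actually exists on this distro.
    dialog = directive(conf, "SSLPassPhraseDialog")
    if dialog and dialog.lower().startswith("exec:"):
        helper = dialog[len("exec:"):]
        if not (os.path.isfile(helper) and os.access(helper, os.X_OK)):
            problems.append("pass phrase helper missing or not executable: " + helper)

    # Every cache type except none/nonenotnull is backed by mod_socache_<type>.
    cache = directive(conf, "SSLSessionCache")
    if cache and cache.lower() not in ("none", "nonenotnull"):
        module = "socache_" + cache.split(":", 1)[0].lower()
        if module not in loaded_modules:
            problems.append("session cache needs module " + module)

    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONF, {"ssl"}):
        print("FAIL:", problem)
```

On a real host the module set can be built from the output of `apachectl -M` before the rendered vhost file is passed in.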