[regression] apache2-ssl-certificate has gone missing since feisty

/usr/share/apache2/ssleay.cnf and the directory /etc/apache2/ssl is also missing.

Tested to confirm and its missing in Herd 5 aswell.

Confirmed, and marked as confirmed.
This is critical for people that need SSL on their servers.
Of course there are other ways to generate ssl cert files, but this is by far the easiest.

I have generated the build diff.gz (apache2_2.2.3-3.2build1.diff.gz) for apache2_2.2.3-3.2build1_all.deb, which includes the apache2-ssl-certificate, ssleay.cnf, and modified rules file to push these files out into their proper locations, (per the apache2 (2.0) deb package). The easiest way to use this, (until it is applied to the apache2 (2.2) source package) is to:

1. sudo apt-get build-dep apache2
2. sudo apt-get source -d apache2 (download only mode)
3. sudo cp path/to/apache2_2.2.3-3.2build1.dsc path/to/apache2_2.2.3-3.2build1.diff.gz .
(replace the existing diff.gz and .dsc with the files I have attached)
4. dpkg-source -x apache2_2.2.3-3.2build1.dsc
5. cd apache2-2.2.3
6. fakeroot debian/rules binary
7. sudo dpkg -i ../*.deb (modify to install the correct deb packages for your installation)

The apache2-ssl-certificate script is in:
apache2.2-common_2.2.3-3.2build1_amd64.deb

Obviously, these attachments are amd64 specific, but the changes that I made are platform agnostic, so someone with i386, etc., should be able to apply the same changes to their platform. I'll upload the modified files as well, to help facilitate this.

The same problem exists in 6.10 edgy.

I have just done a default LAMP install on ubuntu server - all fine.

On ubuntu i done a manual install of apache2 (and assoc friends), the command: 'apache2-ssl-certificate' returns; 'bash: apache2-ssl-certificate: command not found'

Duplicate Debian bug is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398520

So, I take it Feisty is shipping with this bug still open? There're gonna be a lot of people wondering why all the Apache2/SSL tutorials are broken ...

Tested to confirm and its missing in the final release 5 aswell.

I think the Apache package manager stopped paying attention. It's a very simple fix.

I have the same problem... Is it going to be fixed soon?

I can confirm this one too!!!

It is also missing in Kubuntu 7.04 final.

Has anyone had a chance to test my patches in:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/77675/comments/4

Confirmed. Against all wise logic I SHOULD have had, I upgraded the Dapper server I was maintaining at work to Edgy, then Feisty. And when I was to re-certify it for WebDAV/SSL, "command not found". If speeves' patch won't work on me, I will be reinstalling Dapper, I just can't spend too much time to fix this since it is an important server. I hope the importance of this bug is escalated since I think that there probably guys out there who need SSL for work, as well. I hope this is fixed soon.

You can grab ssleay.cnf and apache2-ssl-certificate from Edgy's apache2 version.

I hope this workaround works for people who bothered by this issue. Extract the package and put ssleay.cnf to /usr/share/apache2/ and apache2-ssl-certificate to /usr/sbin.
Create /etc/apache2/ssl directory. Then apache2-ssl-certificate script should work.

Though this bug makes more work for us, it is not show-stopper. We can always make the ssl certificates in the old-fashioned way as described here:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28

Just modify your ssl vhost conf to point to the key and crt files that you create, and you should be good to go.

The solution proposed by mlind works.

I'm attaching patch against feisty's apache2 (2.2.3-3.2build1) which adds ssl-certificate script back from Edgy's apache2. For some reason, also lintian overrides were dropped in 2.0 --> 2.2 transition, so I decided not include one for apache2-ssl-certificate like there was in Edgy.

I guess we should try to get this in gutsy first.

I have also just discovered that this script is missing when I was trying to follow an SSL tutorial. For people who want quick SSL setup, this script was great! A real certificate is best, but if you don't want to spend money but DO want to secure web traffic, then a self-signed certificate works great. Please add this back into the apache package.

I find that htpasswd2 is also missing from /usr/sbin. Could it be related?

Malthe wrote:
> I find that htpasswd2 is also missing from /usr/sbin. Could it be
> related?
>
Hi Malthe,

Can you open a new bug for htpasswd2? That would help us to track these
issues separately.

thanks,

--
Shannon Eric Peevey
<email address hidden>
http://speeves.erikin.com

Done.

On 28/05/07, speeves <email address hidden> wrote:
> Malthe wrote:
> > I find that htpasswd2 is also missing from /usr/sbin. Could it be
> > related?
> >
> Hi Malthe,
>
> Can you open a new bug for htpasswd2? That would help us to track these
> issues separately.
>
> thanks,
>
> --
> Shannon Eric Peevey
> <email address hidden>
> http://speeves.erikin.com
>
> --
> apache2-ssl-certificate has gone missing since feisty
> https://bugs.launchpad.net/bugs/77675
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
--=====================--
  mail: <email address hidden>
  homepage: zeitmaschine.dk
--=====================--

@Malthe

In edgy, /usr/bin/htpasswd2 is a symlink pointing to /usr/bin/htpasswd.
Feisty and gutsy have the latter one (but not the symlink).

I answered and closed the htpasswd2 bug at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/117406/comments/1

I'm rejecting this bug, as the ssl-cert package provides make-ssl-cert and also usr/share/ssl-cert/ssleay.cnf.

If you feel that this is not sufficient, feel free to reopen this bug.

Hi Soren,

I see that apache-ssl (apache 1.3) depends on ssl-cert, but it doesn't seem that apache2 has it as a dependency? Do you know which package depends on it?

thanks,
speeves

I have the same problem on Debian Sarge which has the latest Apache package (2.2.3) installed. Of course there are many ways to create ssl certificates, but many howto's mention the use of apache2-ssl-certificate, which are now rendered unusable. Of course, for a die-hard Debian user this poses few problems, but it might make installing an ssl-enabled (testing) website very annoying for others. Can you reopen the bug? Thanks.

reopened as requested.

On 7/20/07, mlind <email address hidden> wrote:
>
> reopened as requested.
>
> ** Changed in: apache2 (Ubuntu)
> Importance: Medium => Wishlist
> Status: Invalid => Confirmed

I realize that we may need to wait for this to be fixed in the Debian
package upstream, but I believe this to be of more importance than
"wishlist". In essence, there is no reference or dependency to the ssl-cert
package, leaving many users in the dark about this issue. At this point, if
we are to handle this in Ubuntu, (as opposed to waiting for the fix
upstream), we have a couple of options:

1. Use the patch that I have submitted above and add apache2-ssl-certificate
back into the apache2 package itself.
2. add the ssl-cert package as a dependence to to the apache2 package, and
upload that version.
3. add documentation to th README.Debian which states the issue and how to
resolve it

I recommend either 1 or 2, (2 is preferred, since it is the direction chosen
by the upstream maintainers), but 3 is an acceptable interim option. All
options would diverge the Apache2 package in Ubuntu from the Debian
upstream... I will be happy to provide a patch for either 2 or 3, but want
to see what works best for everyone. (1 is already available above).

thanks,
--
Shannon Eric Peevey
<email address hidden>
http://speeves.erikin.com

BTW, when checking out the changes in ssl-cert dependencies, I found these
related bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230791+
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=231726+

They seem rather old, and it is possible that ssl-cert has fixed its ways
:) And, here are the related entries in the debian/changelog file:
apache2 (2.0.48-8) unstable; urgency=low
  * Disable ssl-cert until it sucks less. related to 230791 (closes:
#231726)
apache2 (2.0.48-5) unstable; urgency=low
    - Call ssl-cert to generate an SSL cert using debconf (closes: #178322)
apache2 (2.0.48-1) unstable; urgency=low
    - Add dependency on ssl-cert (Closes: #177837)

My take on this seems to point to a reinclusion of the
apache2-ssl-certificate into the source package, if ssl-cert is not a
satisfactory dependency...

If my patch above need only be modified for i386, let me know and I will
build an i386 vm to create the more popular architecture patch...

thanks,

--
Shannon Eric Peevey
<email address hidden>
http://speeves.erikin.com

I think that this bug should be solved quickly. All the proposed workarounds do not work.

make-ssl-cert lacks of a -days option. Hence, it issues a certificate for only one month.
I don't want to chage my servers certificates every month!

The old fashioned way with mod-ssl : http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28 is fairly complicated if you want to issue a slef-signed certificate. Furthermore, there are missing scripts in the actual package (sign.sh for example).

If you find a simple workaroud for issuing a simple sefl-signed certificate valid for one year or more, I'll be very grateful!

The workaround at https://launchpad.net/ubuntu/+source/apache2/+bug/77675/comments/4 worked fine for me. I built the package, extracted the ssleay.cnf file and placed it at /usr/share/apache2/ssleay.cnf and extracted the apache2-ssl-certificate and put it at /usr/sbin/apache2-ssl-certificate. I also manually created the /etc/apache2/ssl directory. That let me generate the /etc/apache2/ssl/apache.pem file containing both the key and the certificate. After properly configuring the apache server to work with the certificate it seemed to run fine.

You could use make-ssl-cert form package ssl-cert instead of apache2-ssl-certificate. I have a tutorial (sorry is in Catalan) at:

http://acacha.dyndns.org/mediawiki/index.php/Apache#Creaci.C3.B3_del_certificat

On 10/16/07, acacha <email address hidden> wrote:
> You could use make-ssl-cert form package ssl-cert instead of apache2
> -ssl-certificate. I have a tutorial (sorry is in Catalan) at:
>
> http://acacha.dyndns.org/mediawiki/index.php/Apache#Creaci.C3.B3_del_certificat
>
> --
> apache2-ssl-certificate has gone missing since feisty
> https://bugs.launchpad.net/bugs/77675
> You received this bug notification because you are a direct subscriber
> of the bug.
>
It still seems to me that the best solution is in my comment above:
<snip>
I realize that we may need to wait for this to be fixed in the Debian
package upstream, but I believe this to be of more importance than
"wishlist". In essence, there is no reference or dependency to the
ssl-cert package, leaving many users in the dark about this issue. At
this point, if we are to handle this in Ubuntu, (as opposed to waiting
for the fix upstream), we have a couple of options:

1. Use the patch that I have submitted above and add
apache2-ssl-certificate back into the apache2 package itself.
2. add the ssl-cert package as a dependence to to the apache2 package,
and upload that version.
3. add documentation to th README.Debian which states the issue and
how to resolve it

I recommend either 1 or 2, (2 is preferred, since it is the direction
chosen by the upstream maintainers), but 3 is an acceptable interim
option. All options would diverge the Apache2 package in Ubuntu from
the Debian upstream... I will be happy to provide a patch for either
2 or 3, but want to see what works best for everyone. (1 is already
available above).
</snip>

Let me see if I can get a Debian Maintainer to sponsor a patch to
include ssl-cert as a dependency in the Debian package upstream.

thanks,

--
Shannon Eric Peevey
<email address hidden>
http://speeves.erikin.com

*bump*

the script is still missing in hardy. have any workarounds been implemented since this bugreport was opened?

My workaroud was the following:

As I'm alos using debian, I wanted a workaround for both ubuntu and debian (my problem is basically the lack of a duration option in the make-ssl-certs script).
I wanted to create a new clean version of the make-ssl-certs script with a -days option but was not able to do so.
I finally hardcoded (or modified by hands) the make-ssl-certs script in order to add the -days 365 option to the openssl req command.

I can confirm this also but what I want to know is why has this been declined for release twice (Gutsy and Feisty).

Please, open a new bug so that we can track this separately.

thanks,
speeves

On 2/8/08, fuelrod <email address hidden> wrote:
> I can confirm this also but what I want to know is why has this been
> declined for release twice (Gutsy and Feisty).
>
> --
> apache2-ssl-certificate has gone missing since feisty
> https://bugs.launchpad.net/bugs/77675
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Shannon Eric Peevey
<email address hidden>
http://speeves.erikin.com

Still missing on Ubuntu 7.10 server with Apache2 2.2.4... That's not good, as it makes internal servers unsecure...

I think that the documentation at https://help.ubuntu.com/7.10/server/C/httpd.html#https-configuration is quite clear on how to generate a self signed certificate, so I do not understand why we would need apache2-ssl-certificate?

I went and corrected all references to it on http://www.google.com/search?q=site%3Ahelp.ubuntu.com+apache2-ssl-certificate so that this should not bug users anymore.

I think we can close this bug unless someone objects to that.

On 3/20/08, Nick Barcet <email address hidden> wrote:
>
> I think that the documentation at
> https://help.ubuntu.com/7.10/server/C/httpd.html#https-configuration is
> quite clear on how to generate a self signed certificate, so I do not
> understand why we would need apache2-ssl-certificate?

Would it be possible to put a link to that documentation in the
README.Debian? I think that would be sufficient, as it looks like ssl-cert
is now a deprecated process as well...

Why not make it easier for users, specially the casual home user who wants to setup a secure web server, by providing him a script that actually does the job? Nothing beats more documentation than an actual tool that does the job for the user. If the script already existed, why not bring it back?

This is script is particularly useful when someone comes from another distribution (such as Fedora) and migrates his stuff to Ubuntu. Saves the user the task to search the web on how to generate it.

Nick,

There are many useful tutorials on the Web on how to install a secure server on Ubuntu which make reference to that script. Why leave people who are learning with a broken tutorial? Following your reasoning, one could ask why do we need most of the GUI in the Ubuntu desktop, since you can do the same from the command line.

Someone took the time to report the bug because they were upset by the script's disappearance. Two dozen people have subscribed to the bug because they care. Please reconsider closing this bug.

George

I actually feel a link to Nick's documentation at:
https://help.ubuntu.com/7.10/server/C/httpd.html#https-configuration

Or, the same information in the README.Debian, (which I think is a better
location, (for people without internet connections, etc.)),

is sufficient to close this bug, per this entry in the apache source
debian/changelog:
changelog: * Disable ssl-cert until it sucks less. related to 230791
(closes: #231726)

If ssl-cert is a non-stable, or doesn't work as expected, then we definitely
need to rely on the tools that will work for every situation. (ie openssl).

See my comments for other alternatives to Nick's solution:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/77675/comments/4
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/77675/comments/29

I am available to update my patches, etc. from comment 4, if that seems to
be the best idea, (if someone will sponsor the upload).

All of this would be vaguely tolerable if, of course, you could easily create a self signed cert using the ubuntu openssl package, as elucidated here :

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28

However, the current feisty dist doesn't include the needed signing script sign.sh from the source dist, at least not that I could see.

You can however, find the script here : http://www.opensourcehowto.org/how-to/apache/setup-apache2-with-openssl.html

(referenced for anyone else trying to do this !)

Broken in Hardy Beta. This seems to be a regression: in earlier Ubuntus, cert was generated automatically.

Details of Hardy setup and tests done http://myy.helia.fi/~karte/ubuntu_hardy_8.04.html#encrypted_tls_https_connections_difficult

setup

   1. sudo apt-get install apache2
   2. sudo apt-get install openssl
   3. sudo apt-get install ssl-cert

create ssl certificate:
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/localhost.pem

switch to apache sites configuration:
cd /etc/apache2/sites-available/

bakup the default configuration:
sudo cp default default.backup.date

be sure to listen the port 80 for the default:
sudo sed -i '1,2s/\*/*:80/' default

create the ssl configuration:
sudo cp default ssl

set the ssl port:
sudo sed -i '1,2s/\*:80/*:443/' ssl
sudo sed -i "3a\\\tSSLEngine On\n\tSSLCertificateFile /etc/ssl/private/localhost.pem" ssl

enable ssl:
sudo a2ensite ssl
sudo a2enmod ssl

restart apache2:
sudo /etc/init.d/apache2 restart

=)

Thanks maraja, I'll try it out.

Could this process be packaged so that it would only require a single command?

Taro,

I guess so but I do not know how to do it =/

If anyone is going to create a .deb out of it, he should consider that the user may only need one (or two, or all) of the initial setup steps.

This has been fixed for intrepid. Thanks for the bug report.

Regards
chuck

Hi,

Seems that this is confirmed to be fixed in the current Ubuntu release 8.10 (Intrepid Ibex)...
Anyway, here still my two cents for testing Hardy (8.0.4); I cannot quite get the self-signed certificate working according the instructions by maraja https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/77675/comments/47

Sure, the steps can be done succesfully, i.e. ssleay.cnf is available and all, but when testing https, error is thrown:

$ curl https://localhost
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
...
$ firefox https://localhost
"Secure Connection Failed"-page is thrown saying, that certificate is not trusted.

Detailed testing steps described in http://koti.mbnet.fi/deka/ubuntu

Regards,
Mika

It's not working in 9.04 Jaunty.

I can also confirm that is not working in Jaunty. I've wasted a lot of time jumping from tutorial to tutorial to finally find the above thread. I'm planning on exploring the other options but this is really going to frustrate anyone starting out with SSL.

Please don't change the status of a bug without giving an explanation.

je sais pas

Hi,

The bug exists in Karmic. I just tried to run the command:
kumar@kumar:~$ apache2-ssl-certificate
apache2-ssl-certificate: command not found

This may not stop any determined from creating certificates but its still an issue.

Found this issue by following a tutorial that used apache2-ssl-certificate as others mentioned. Started at 8.04 and upgraded up to 9.10 checking if apache2 would include the script at each step along the way. No luck.

I'm glad I found this discussion explaining the issue with posts to other tutorials for making the cert. However until I did it was pretty confusing to be missing the script while the tutorials were saying it should be part of the apache2 package. I realize that in general you don't want to design packages based on someone overgeneralizing in an install guide but the script sounds useful and if it's a good fit on the Ubuntu side including it would clear up some confusion for people that end up in the same situation.

This has been fixed for a while now.

chuck

@Chuck Short: If this is fixed, where is the apache2-ssl-certificate script? I can't find it:

http://packages.ubuntu.com/search?searchon=contents&keywords=apache2-ssl-certificate&mode=filename&suite=lucid&arch=any

"You have searched for filenames that contain apache2-ssl-certificate in suite lucid, all sections, and all architectures.

Sorry, your search gave no results"

The way to do this has changed. The procedure is still simple for a self signed ssl cert.

The following is the correct way:

apt-get install apache2
a2enmod ssl
a2ensite default-ssl
make-ssl-cert generate-default-snakeoil
/etc/init.d/apache2 restart

You can find this in the follow doc under SSL:
/usr/share/doc/apache2.2-common/README.Debian.gz

Just want to point out that often a force is required when making a new ssl-cert for proper functionality.

 make-ssl-cert generate-default-snakeoil --force-overwrite

I'm guessing most people who have googled this bug has had some form certificate before, so forcing a overwrite is usually a good idea since neither the internet nor your hosts file are static.. =P

But as gl1176 mentioned, check out the readme /usr/share/doc/apacheX.X-common/README.Debian.gz .

This is a question. We should close this as a bug now.

Marking