debdiff for libapache2-mod-auth-mellon attached ** Description changed:
- Imported from Debian bug http://bugs.debian.org/990228: + [ Impact ] - Package: openssl - Version: 3.0.0~~alpha16-1 - Severity: serious - User: debian...@lists.debian.org - Usertags: piuparts + The upgrade to OpenSSL 3 results in the failure of the + mellon_create_metadata helper script to generate the initial SP metadata + files required by apache mod_auth_mellon. Since ubuntu jammy uses + OpenSSL 3, this fix is essential to restore the functionality of + mellon_create_metadata. The issue arises because OpenSSL 3 no longer + supports using device files, such as /dev/urandom, as RANDFILE input, + which mellon_create_metadata depends on to generate SAML service + provider metadata, including a public key pair and configuration + XML file. - Hi, + [ Test Plan ] - during a test with piuparts I noticed your package causes other package - to fail installation/upgrading. + Run the following command: + mellon_create_metadata urn:example https://example.org/mellon - From the attached log (scroll to the bottom...): + Only two files, urn_example.cert and urn_example.key will be + created in the current working directory. The expected output should + include a third file, urn_example.xml. Note that there are no + error messages indicating a problem, as stderr is suppressed in the + script. - ... - Setting up openssl (3.0.0~~alpha16-1) ... - Setting up libbsd0:amd64 (0.11.3-1) ... - Setting up readline-common (8.1-2) ... - Setting up libxml2:amd64 (2.9.10+dfsg-6.7) ... - Setting up libgdbm6:amd64 (1.19-2) ... - Setting up postgresql-client-common (226) ... - Setting up libedit2:amd64 (3.1-20210522-1~exp1) ... - Setting up libreadline8:amd64 (8.1-2) ... - Setting up libldap-2.4-2:amd64 (2.4.57+dfsg-3) ... - Setting up libllvm11:amd64 (1:11.0.1-2) ... - Setting up ssl-cert (1.1.0+nmu1) ... - Could not create certificate. 
Openssl output was: - Generating a RSA private key - ..+..+......+.......+.....+...+.........+.......+...+..+...+.+..+...+.........+.......+...+..+.........+.+...........+...+.+......+........+......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..........+........+.......+.........+..+...+....+..+.+............+..+................+...+............+..+.............+...+..+.......+...+.....+..................+.......+.........+........+.+........................+............+.........+..+.........+.+..+......+.+...........+.........+.+.....+....+.........+.....+.+....................+....+............+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - ..+.+........+...+...+.......+..................+..+.........+...+.+............+...+.....+......................+..+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+...+....+......+...+..+...+..........+.....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+......+...+....+..+....+..+....+.........+..+...+....+.....+.+......+.....+.+..+.............+..+..........+..+.+........+............+.........+....+..+.......+.....+...+.......+...+...+..+....+...+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - Writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key' - ----- - Warning: No -copy_extensions given; ignoring any extensions in the request - Cannot write random bytes: - 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom - dpkg: error processing package ssl-cert (--configure): - installed ssl-cert package post-installation script subprocess returned error exit status 1 - dpkg: dependency problems prevent configuration of postgresql-common: - postgresql-common depends on ssl-cert (>= 1.0.11); however: - Package ssl-cert is 
not configured yet. - ... + To test the generated metadata and the mod_auth_mellon module, you will + need apache installed. First create a directory /etc/apache2/saml2 and + move the three files generated in the previous step into this directory. - Hmm, well, yes, /dev/urandom is not a regular file. It's a character - device node. + Next, download the metadata for a test IdP and save it in the same + directory using the following command: + curl https://login.ubuntu.com/saml/metadata -Lo \ + /etc/apache2/saml2/idp_metadata.xml + Enable auth_mellon module (a2enmod auth_mellon) and create a test apache + configuration with the following content: - cheers, + <Location / > + MellonEnable info + MellonEndpointPath /mellon/ + MellonSPMetadataFile /etc/apache2/saml2/urn_example.xml + MellonSPPrivateKeyFile /etc/apache2/saml2/urn_example.key + MellonSPCertFile /etc/apache2/saml2/urn_example.cert + MellonIdPMetadataFile /etc/apache2/saml2/idp_metadata.xml + </Location> - Andreas + Restart apache and test the mellon login endpoint, and This should + redirect you to the correct IdP login page with a SAML request, + confirming that the metadata and the auth_mellon module are working + correctly. + + curl -v '127.1/mellon/login?ReturnTo=http%3A%2F%2F127.0.0.1%2F&IdP=https%3A%2F%2Flogin.ubuntu.com' + ... + Location: https://login.ubuntu.com/saml/?SAMLRequest=hZJN... + ... + + [ Where problems could occur ] + + The upstream changes involve writing 256 bytes from /dev/urandom to + a temporary file, which is then used as input for OpenSSL RANDFILE. + While these changes are unlikely to cause significant regressions, + there is a hypothetical issue where, in rare cases, the OpenSSL command + might fail due to unrelated reasons. In such scenarios, the updated + script could leave behind two residual temporary files instead of the + single file left by the current version. 
However, since these files + are small and typically cleaned up regularly by the system, this + behavior should not negatively impact the user. + + [ Other Info ] + + Upstream fix: https://github.com/latchset/mod_auth_mellon/issues/105
** Patch added: "libapache2-mod-auth-mellon_0.18.0-1ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/1945774/+attachment/5821605/+files/libapache2-mod-auth-mellon_0.18.0-1ubuntu1.debdiff
https://bugs.launchpad.net/bugs/1945774 Title: openssl: breaks ssl-cert installation: 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
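Review bot: The [ Test Plan ] entry for "mellon_create_metadata urn:example https://example.org/mellon" states only the failing result (urn_example.cert and urn_example.key, no urn_example.xml) and leaves the pass condition for the fixed package implied. Because the same paragraph notes that stderr is suppressed in the script, spell out that verifying the update means all three files exist after the run, with urn_example.xml non-empty. In [ Where problems could occur ], the leftover temporary files are dismissed as small, but by the description one of them holds the 256 bytes from /dev/urandom used as RANDFILE input; say how the files are created and whether the failure path removes them. [ Other Info ] labels issues/105 as the upstream fix, so link the commit that resolved it as well.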