[Bug 837513] New: request-tracker package in devel:languages:perl has an issue (rt-mailgate)
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c0 Summary: request-tracker package in devel:languages:perl has an issue (rt-mailgate) Classification: openSUSE Product: openSUSE 12.3 Version: Final Platform: x86-64 OS/Version: openSUSE 12.3 Status: NEW Severity: Normal Priority: P5 - None Component: Other AssignedTo: lrupp@suse.com ReportedBy: ncutler@suse.com QAContact: qa-bugs@suse.de Found By: Field Engineer Blocker: --- rt-mailgate is a critical component of Request Tracker (package 'request-tracker' in project 'devel:languages:perl') As it currently stands, in openSUSE or SLE11-SP2 I can get rt-mailgate to communicate with the server using SSL encryption (https) *only* if I explicitly provide the --ca-file option to rt-mailgate. Even this is a bug; rt-mailgate should be able to find the Trust Root certificate itself. Still, at least it worked. Today I upgraded our RT server to SLE11-SP3, and rt-mailgate stopped working over SSL completely. The MTA passes the email to rt-mailgate, but rt-mailgate does nothing and eventually times out. I can reproduce the bug (on SLE11-SP3) by issuing the following command: # echo "hello" | /usr/bin/rt-mailgate --debug --queue General --action correspond --ca-file /etc/ssl/certs/Trust-Root.crt.pem --url https://our.rt.instance This generates the following output: /usr/bin/rt-mailgate: temp file is '/tmp/OOT6t4Rcoi/TsM08ZYrQV' /usr/bin/rt-mailgate: connecting to https://our.rt.instance/REST/1.0/NoAuth/mail-gateway Nothing further happens. I have worked around the issue by having rt-mailgate communicate without SSL (http). This works fine: # echo "hello" |/usr/bin/rt-mailgate --debug --queue rt_internal --action comment --url http://our.rt.instance /usr/bin/rt-mailgate: temp file is '/tmp/cdJXHiPXWr/IgReSdTbFr' /usr/bin/rt-mailgate: connecting to http://our.rt.instance/REST/1.0/NoAuth/mail-gateway not ok - Could not load a valid user # Or, if I provide a valid email: # cat testmail |/usr/bin/rt-mailgate --debug --queue rt_internal --action comment --url http://our.rt.instance /usr/bin/rt-mailgate: temp file is '/tmp/JxvCRVKXAJ/x3uMMQP32D' /usr/bin/rt-mailgate: connecting to http://our.rt.instance/REST/1.0/NoAuth/mail-gateway okTicket: 35348Queue: GeneralOwner: NobodyStatus: newSubject: testRequestor: me@some.domain # and of course the ticket is created as expected and I can see it in the RT web UI. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c2 --- Comment #2 from Nathan Cutler <ncutler@suse.com> 2013-08-30 12:20:13 UTC --- Nota Bene: we currently run two Request Tracker instances and both were upgraded to SP3 recently. After filing this bug report I went and looked at the other instance and it is not suffering from this problem. I'm thinking it might just be a missing "Requires" in the spec file. . . -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c3 --- Comment #3 from Darin Perusich <darin@darins.net> 2013-09-08 18:46:18 UTC --- Perhaps /etc/ssl/certs/Trust-Root.crt.pem doesn't have a hash associated with it. Does "ls -l `openssl x509 -hash -noout -in /etc/ssl/certs/Trust-Root.crt.pem`.0" return anything. If not have you tried running "update-ca-certificates -f" to recreate them? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c Darin Perusich <darin@darins.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |ncutler@suse.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c4 Nathan Cutler <ncutler@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|ncutler@suse.com | --- Comment #4 from Nathan Cutler <ncutler@suse.com> 2013-10-04 11:10:10 UTC ---
Does "ls -l `openssl x509 -hash -noout -in /etc/ssl/certs/Trust-Root.crt.pem`.0" return anything. If not have you tried running "update-ca-certificates -f" to recreate them?
No, the certificate chain is fine. The problem appears to be in the perl-Net-SSLeay package. When I install version 1.35-2.14 (from SLES11-SP3-Core repository), rt-mailgate works. However, when I install version 1.55-21.1 (from devel.lang.perl), it stops working. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c5 --- Comment #5 from Nathan Cutler <ncutler@suse.com> 2013-10-04 11:56:30 UTC ---
No, the certificate chain is fine. The problem appears to be in the perl-Net-SSLeay package. When I install version 1.35-2.14 (from SLES11-SP3-Core repository), rt-mailgate works. However, when I install version 1.55-21.1 (from devel.lang.perl), it stops working.
Just to clarify: the bug here is that rt-mailgate *hangs* with version 1.55-21.1 of perl-Net-SSLeay, while with version 1.35-2.14 of that package it generates an error message or successfully delivers the mail to RT (depending on what input I give it). BTW I did try the command you gave me: # cd /etc/ssl/certs # ls -l `openssl x509 -hash -noout -in /etc/ssl/certs/Trust-Root.crt.pem`.0 lrwxrwxrwx 1 root root 25 Oct 4 11:38 e801b2a2.0 -> Trust-Root.crt.pem (Actually, in my case the file is /etc/apache2/ssl.crt/Trust-Root.crt, but you get the idea.) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c6 --- Comment #6 from Darin Perusich <darin@darins.net> 2013-10-04 12:28:33 UTC --- When perl-Net-SSLeay-1.55-21.1 is installed are any errors generated? If not can you turn on debug logging, config values below, and attached them? I'm not using perl-Net-SSLeay from d:l:p but I'll load it up on my RT test instance and see if I'm able to reproduce. FWIW I'll be pushing request-tracker 4.2.0 to devel:languages:perl today. I have to take a look at the changelog for mailgate/Net::SSLeay issues/fixes. Set($LogToFileNamed , "rt.log"); Set($LogToFile , 'debug'); -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c7 --- Comment #7 from Darin Perusich <darin@darins.net> 2013-10-04 12:50:00 UTC --- I've updated my test server, openSUSE 12.3, RT-4.2.0, to perl-Net-SSLeay-1.55-24.1.x86_64 and I'm able to create tickets, add correspondence, etc, without issue. zypper in perl-Net-SSLeay-1.55-24.1.x86_64 Loading repository data... Reading installed packages... Resolving package dependencies... The following package is going to be upgraded: perl-Net-SSLeay The following package is going to change vendor: perl-Net-SSLeay openSUSE -> obs://build.opensuse.org/devel:languages:perl -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c8 --- Comment #8 from Darin Perusich <darin@darins.net> 2013-11-05 15:57:48 UTC --- What version of perl-LWP-Protocol-https are you running on the affected systems? The version in d:l:p, perl-LWP-Protocol-https-6.04-13.1 was causing this same problem for me on OpenSUSE 12.3, after downgrading to perl-LWP-Protocol-https-6.03-4.1.1 (vendor opensuse) the problem went away. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=837513 https://bugzilla.novell.com/show_bug.cgi?id=837513#c9 --- Comment #9 from Nathan Cutler <ncutler@suse.com> 2013-11-06 08:24:24 UTC ---
What version of perl-LWP-Protocol-https are you running on the affected systems? The version in d:l:p, perl-LWP-Protocol-https-6.04-13.1 was causing this same problem for me on OpenSUSE 12.3, after downgrading to perl-LWP-Protocol-https-6.03-4.1.1 (vendor opensuse) the problem went away.
I currently have only one testing system, running RT 4.0.17 and SLE11-SP3. For testing I use this command: # echo "hello" | /usr/bin/rt-mailgate --debug --queue General --action correspond --ca-file /etc/ssl/certs/[our-Trust-Root].crt.pem --url https://[our.rt.instance] Here's what I'm getting as of today. Unfortunately, I can only test two of the four possible combinations, because SLE11-SP3 does not ship with the perl-LWP-Protocol-https package. 1st combination: perl-Net-SSLeay v. 1.55-24.1 (from d:l:p for SLE11-SP2) perl-LWP-Protocol-https v. 6.04-13.3 (from d:l:p) RESULT: broken (hangs) 2nd combination: perl-Net-SSLeay v. 1.35-2.14 (from SLES11-SP3 repository) perl-LWP-Protocol-https v. 6.04-13.3 (from d:l:p for SLE11-SP2) RESULT: works ("Could not load a valid user") 3rd combination: perl-Net-SSLeay v. 1.55-24.1 (from d:l:p for SLE11-SP2) perl-LWP-Protocol-https v. ??? (from SLES11-SP3 repository) RESULT: could not test because package is missing 4th combination: perl-Net-SSLeay v. 1.35-2.14 (from SLES11-SP3 repository) perl-LWP-Protocol-https v. ??? (from SLES11-SP3 repository) RESULT: could not test because package is missing Hope this helps. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com