Duplicate entries in apache_serviceproxy_customsites.conf after importing renewed certificate

Originator: michalm.mac
Number: rdar://30991727
Date Originated: 11.3.2017
Status: Closed
Resolved:
Product: Server
Product Version: 5.2
Classification: Serious bug
Reproducible: Always

Summary:
I've successfully obtained a Let's Encrypt certificate for the domain owncloud.osxadmin.cz (guide -> https://community.letsencrypt.org/t/complete-guide-to-install-ssl-certificate-on-your-os-x-server-hosted-website/15005).
The certificate was configured for a single website via Server.app.
The certificate name was: owncloud.osxadmin.cz.6038AC0CB1BE09CABB873D44F23E73FA995FCFBB.

I decided to set up automated renewal. After the certificate was successfully renewed, a serious issue occurred when importing the renewed certificate.

I am using the `security` tool to import the p12 archive (the function header and the `pem_dir` argument are assumed here; the original snippet showed only the function body):
import_renewed_cert() {
  local pem_dir="$1"  # directory holding privkey.pem, cert.pem and fullchain.pem
  # random one-time password protecting the PKCS#12 archive
  local passkey=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)
  # bundle the private key, the leaf certificate and the chain into a p12 archive
  openssl pkcs12 -export -inkey "${pem_dir}/privkey.pem" -in "${pem_dir}/cert.pem" -certfile "${pem_dir}/fullchain.pem" -out "${pem_dir}/letsencrypt_sslcert.p12" -passout "pass:${passkey}"
  # import into the System keychain and allow servermgrd to use the private key without prompting
  security import "${pem_dir}/letsencrypt_sslcert.p12" -f pkcs12 -k "/Library/Keychains/System.keychain" -P "$passkey" -T "/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd"
}

After importing the renewed certificate into the keychain, a Server daemon noticed the new certificate in the keychain and updated the configuration files.

The following files were updated to reference the new certificate owncloud.osxadmin.cz.DAAD369B1290CB8CCB4D106B458E71D73ABD3C4E:
../apache2/servermgr_web_apache2_config.plist
../apache2/sites/0000_127.0.0.1_34543_owncloud.osxadmin.cz.conf

However, duplicate VHost entries appeared in the file apache_serviceproxy_customsites.conf:

Use VHost443 * owncloud.osxadmin.cz "# No ServerAliases" owncloud.osxadmin.cz.DAAD369B1290CB8CCB4D106B458E71D73ABD3C4E SHA-256:58733dc12e78d7f128c059687ca5fcb2111718533c85d046932489cd4e47b2b8:"owncloud.osxadmin.cz"
Use VHost80 * icinga.osxadmin.cz "# No ServerAliases"
Use VHost80 * munki.osxadmin.cz "# No ServerAliases"
Use VHost80 * observium.osxadmin.cz "# No ServerAliases"

Use VHost443 * owncloud.osxadmin.cz "# No ServerAliases" owncloud.osxadmin.cz.6038AC0CB1BE09CABB873D44F23E73FA995FCFBB SHA-256:2c38715aed1be9cbcd5df897e41796f9b635cb4b6ca7d9226c06efb8ff27d097:"owncloud.osxadmin.cz"
Use VHost80 * icinga.osxadmin.cz "# No ServerAliases"
Use VHost80 * munki.osxadmin.cz "# No ServerAliases"
Use VHost80 * observium.osxadmin.cz "# No ServerAliases"

This misconfiguration broke the Server Apache web proxy, and manual intervention was required to fix it.
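A post-import sanity check for exactly this failure, added here as an example (it is not part of the report's script or of Server.app): it parses apache_serviceproxy_customsites.conf, flags any host that has more than one `Use VHostNNN` line for the same port, and reports whether the old certificate identifier is still referenced, so a renewal script can stop before the proxy is reloaded with a broken configuration. The config path, the old-certificate argument and the sample lines are constructed.

```shell
#!/bin/sh
# check_customsites <conf> [<old-cert-id>]
# Returns 0 when the file is clean, 1 when duplicate VHost entries or a stale
# certificate reference are found; each problem is printed.
check_customsites() {
    conf="$1"       # path to apache_serviceproxy_customsites.conf
    old_cert="$2"   # identifier of the certificate that was replaced (optional)
    rc=0

    # Field layout of a VHost line:
    #   Use VHost443 * <hostname> "# No ServerAliases" [<cert-id> SHA-256:<fp>:"<hostname>"]
    # Count lines per (macro, hostname); more than one is a duplicate.
    dups=$(awk '$1 == "Use" && $2 ~ /^VHost[0-9]+$/ { count[$2 " " $4]++ }
                END { for (k in count) if (count[k] > 1) print k " x" count[k] }' "$conf")
    if [ -n "$dups" ]; then
        echo "duplicate VHost entries:"
        echo "$dups"
        rc=1
    fi

    # After a renewal the old certificate identifier should be gone entirely.
    if [ -n "$old_cert" ] && grep -q -F "$old_cert" "$conf"; then
        echo "stale certificate still referenced: $old_cert"
        rc=1
    fi
    return $rc
}

# Demo on a constructed sample that mirrors the duplicated layout from the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Use VHost443 * owncloud.example.test "# No ServerAliases" owncloud.example.test.NEWCERTID SHA-256:aaaa:"owncloud.example.test"
Use VHost80 * munki.example.test "# No ServerAliases"

Use VHost443 * owncloud.example.test "# No ServerAliases" owncloud.example.test.OLDCERTID SHA-256:bbbb:"owncloud.example.test"
Use VHost80 * munki.example.test "# No ServerAliases"
EOF
check_customsites "$sample" "owncloud.example.test.OLDCERTID" || echo "config needs manual cleanup before reloading the proxy"
rm -f "$sample"
```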

Steps to Reproduce:
1. Create a website in Server.app with a TLS certificate configured for the domain abc.xyz
2. Import a new (renewed) TLS certificate for abc.xyz from a p12 archive with the `security` tool

Expected Results:
Server is automatically and correctly reconfigured to use the new (renewed) certificate for all services using it.

Actual Results:
Server is automatically reconfigured to use the new certificate.
However, the file apache_serviceproxy_customsites.conf is misconfigured (duplicate entries).
The Server Apache proxy is broken and manual intervention is needed to fix this.

Version:
Server 5.2
OS X 10.11.6
macOS 10.12

Attachments:
'AFTERIMPORT_apache_serviceproxy_customsites.conf .txt' and 'BEFOREIMPORT_apache_serviceproxy_customsites.conf .txt' were successfully uploaded.
