I noticed this bug with the 2.4 upgrade, although I don't know if it had been happening every upgrade. I think this is technically a bug with the debian package but I could be wrong.

In short, /var/aegir/config/apache.conf gets rewritten to the default config file during the package upgrade.

This can go unnoticed if you don't have SSL or special server settings, but when you do have SSL enabled it causes some unpredictable results by removing most SSL-related stuff in the config file.

In my opinion, we should either avoid rewriting that file on upgrade, or (simply) run a Verify task on the server automatically after the hostmaster migrate. I think the latter could be a good overall policy.

For anyone encountering this bug post-upgrade, just run the Verify task on your apache_ssl server (found in the frontend, Servers tab).

Comments

helmo’s picture

helmo CreditAttribution: helmo at Initfour websolutions commented
Version: 6.x-2.4 » 7.x-3.x-dev
Issue tags: +Aegir 3.1

+1 for adding docs or hints for this.

For a more complex setup it could be less fun to have everything verify directly after the upgrade... so maybe not automatically.

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented

I just reviewed the Debian package scripts, and I don't see where this'd get removed in an upgrade. We touch and chown it here, and then symlink to it here. We only appear to remove it here, upon purging the package.

That's it, as far I as I can see...

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented

FWIW, I don't think extra verify tasks are necessarily the way to go here. They often re-write config files themselves, and may actually be the root cause here. The underlying issue here could well be a verify being triggered during the upgrade without sufficient context. That is, SSL is managed largely in the front-end, and so running a verify from the back-end could end up re-writing the config file without the SSL clauses. We don't test much of our SSL code. So this could be a latent issue, that we're only seeing surface in the context of a .deb upgrade, because they don't invoke the front-end.

helmo’s picture

helmo CreditAttribution: helmo at Initfour websolutions commented
Priority: Major » Normal

It's been a while ... lowering priority.

helmo’s picture

helmo CreditAttribution: helmo at Initfour websolutions commented
Status: Active » Closed (outdated)