Bug#234591: apache2-common: Confusing SSL configuration



Package: apache2-common
Version: 2.0.48-7
Severity: normal
Followup-For: Bug #234591

I tried to configure apache2 with SSL (in order to run a subversion
repository) and it was unclear to me what's the preferred way to
configure SSL access.  

I found four sources of SSL-related information on my unstable box:

- /usr/share/doc/apache2-common/README-SSL
- /usr/share/doc/apache2/examples/ssl.conf.gz
- the program apache2-ssl-certificate and its output (I assume) in 
  /etc/apache2/ssl/
- /etc/apache2/mods-available/ssl.conf

None of them seems to be aware of the others, as can be derived from where
they place their files, e.g., for certificates we have:

- README-SSL:                /etc/apache2/sites/<SERVERNAME>-ssl.*/
- examples/ssl.conf:         /etc/apache2/ssl.*/
- apache2-ssl-certificate:   /etc/apache2/ssl/
- mods-available/ssl.conf:   N/A

I think this is highly confusing.  (I think /etc/apache2/ssl/ is the
best location since it provides the highest degree of modularity, imho,
but that's beside the point of this bug report.)

Also, I guess I'm missing something about the intention behind
apache2-ssl-certificate, but since it is lacking a man page I didn't
find out.  (This should probably be a separate bug report.)

In general, it's not clear how automation of the configuration process
is achieved as hinted at in /etc/apache2/README.  For example, I assumed
that it is a good idea to leave apache2.conf untouched and try to put
all my changes in conf.d or httpd.conf?  However, that's impossible
since I need to change the 

    NameVirtualHost *

directive to 

    NameVirtualHost *:80

in order to support the IP-based virtual host for the SSL port.

Essentially, I think that the aim should be to provide a configuration
that works safely out-of-the-box and it should be obvious how to extend
it without missing out on any automatic config updates that Debian
provides.

Anyway, thanks for all your efforts :-)

-Chris

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.21-3-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8

Versions of packages apache2-common depends on:
ii  debconf                      1.4.16      Debian configuration management sy
ii  debianutils                  2.5.4       Miscellaneous utilities specific t
ii  libapr0                      2.0.48-7    The Apache Portable Runtime
ii  libc6                        2.3.2.ds1-9 GNU C Library: Shared libraries an
ii  libdb4.2                     4.2.52-10   Berkeley v4.2 Database Libraries [
ii  libexpat1                    1.95.6-6    XML parsing C library - runtime li
ii  libldap2                     2.1.22-1    OpenLDAP libraries
ii  libssl0.9.7                  0.9.7c-5    SSL shared libraries
ii  mime-support                 3.23-1      MIME files 'mime.types' & 'mailcap
ii  net-tools                    1.60-8      The NET-3 networking toolkit
ii  openssl                      0.9.7c-5    Secure Socket Layer (SSL) binary a
ii  ssl-cert                     1.0-7       Simple debconf wrapper for openssl
ii  zlib1g                       1:1.2.1-2   compression library - runtime

-- no debconf information

-- 
Chris Stork   <>  Support eff.org!  <>   http://www.ics.uci.edu/~cstork/
OpenPGP fingerprint:  B08B 602C C806 C492 D069  021E 41F3 8C8D 50F9 CA2F
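
Added example, not part of the original bug report and not taken from the Debian package: a minimal layout showing why the report's change from `NameVirtualHost *` to `NameVirtualHost *:80` is needed once an SSL virtual host is added on port 443. The server names, the document root and the certificate file names are placeholders; only the directory /etc/apache2/ssl/ comes from the report.

```apache
# Illustrative layout only. ServerName values, DocumentRoot and the
# PLACEHOLDER-* file names are assumptions, not files shipped by the package.

# Listen directives are shown for completeness; keep them wherever your
# installation already declares its ports.
Listen 80
Listen 443

# Restrict name-based virtual hosting to port 80. A bare "NameVirtualHost *"
# matches every address and port, so it would also claim port 443 and
# collide with the SSL virtual host below.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www
</VirtualHost>

# The SSL virtual host is selected by address and port, not by Host header.
<VirtualHost *:443>
    ServerName svn.example.org
    SSLEngine on
    # Certificate and key kept in the directory apache2-ssl-certificate uses.
    # The private key file should be readable by root only.
    SSLCertificateFile    /etc/apache2/ssl/PLACEHOLDER-cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/PLACEHOLDER-key.pem
</VirtualHost>
```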


