Michael D. Setzer II via users wrote:
> On 29 May 2025 at 18:08, Todd Zullinger wrote:
>> And change the file there means you now have to track future
>> changes to it yourself rather than picking them up via the
>> normal package updates.
>
> Don't understand this? Looked at another Fedora system that has
> httpd installed, but never setup. I also the VirtualHost options all
> commented out by default? So why would installing updates break
> things.

To be fair, I didn't say it would break. But now you won't
pick up any changes to /etc/httpd/conf.d/ssl.conf which are
shipped with future mod_ssl updates. You'll then need to
merge in anything which is useful, which you have to review
and determine manually.

It's the same reason you should avoid editing most files
shipped by packages, and instead add your own file in a
conf.d directory. It's less likely to leave you in a state
where something is updated in the default configuration down
the road (maybe years after you've forgotten that you edited
the config) and now httpd doesn't start because it depends
on those changes.

> The changes are mostly to commented lines?

It's not really what the changes are, it's that you've
changed a file marked as %config(noreplace) by the package.
So future updates will create an ssl.conf.rpmnew which *may*
contain changes that are worth integrating.

> diff ssl.conf ssl.conf.sav
> 59,60c59,60
> < DocumentRoot "/var/www/html"
> < ServerName setzco.dyndns.org:443
> ---
>> #DocumentRoot "/var/www/html"
>> #ServerName www.example.com:443
> 101c101
> < SSLCertificateFile /etc/letsencrypt/live/setzco.dyndns.org/cert.pem
> ---
>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> 109c109
> < SSLCertificateKeyFile /etc/letsencrypt/live/setzco.dyndns.org/privkey.pem
> ---
>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> 118c118
> < SSLCertificateChainFile /etc/letsencrypt/live/setzco.dyndns.org/chain.pem
> ---
>> #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

BTW, swapping the order of the arguments to diff makes that
much more readable (to most of us, I imagine).
:)

I tend to prefer the unified diff output format as well,
which is now engrained in many folks because it is what git
diff uses, e.g.:

    diff -u ssl.conf.sav ssl.conf

In the end, I think you could use:

$ cat <<-EOF | sudo tee /etc/httpd/conf.d/00-setzco.dyndns.org.conf >/dev/null
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName setzco.dyndns.org:443
    SSLCertificateFile /etc/letsencrypt/live/setzco.dyndns.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/setzco.dyndns.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/setzco.dyndns.org/chain.pem
</VirtualHost>
EOF

(That's not tested with httpd, so I may be missing
something. You can run `sudo httpd -t` or `sudo apachectl
configtest` to check for issues.)

And then you don't have to wonder whether future changes to
/etc/httpd/conf.d/ssl.conf need to be merged into your
modified config file.

It's not a huge problem, but there are good reasons that
Let's Encrypt doesn't (or shouldn't) recommend you modify
the packaged files.

As with most rules or guidelines, if you know the reason for
them and why they don't apply to your situation, you're free
to ignore them. :)

-- 
Todd
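
Review bot: SSLCertificateChainFile, enabled in the 118c118 hunk, has been obsolete since httpd 2.4.8, when SSLCertificateFile began accepting the leaf certificate followed by its intermediates in a single file. Suggest pointing SSLCertificateFile (101c101) at the fullchain.pem that certbot writes next to cert.pem in the same live directory and leaving line 118 commented, which also removes one of the four edits to the packaged file. The 109c109 hunk moves the private key path out of /etc/pki/tls/private, so confirm privkey.pem is still readable by root only.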
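
Added example, not part of the message above and not Fedora or httpd tooling: a POSIX sh helper for the situation the reply describes, where a locally edited %config(noreplace) file leaves an ssl.conf.rpmnew behind after an update. The function names are made up for this illustration; the default directory is the one named in the thread.

```shell
#!/bin/sh
# Report packaged config files that have a pending .rpmnew beside them,
# and show which active directives the packaged default carries that the
# locally edited file lacks.

# Classify every *.rpmnew under DIR (default: /etc/httpd/conf.d).
#   MERGE  = live file differs from the packaged default, review needed
#   SAME   = contents identical, the .rpmnew can simply be removed
#   ORPHAN = .rpmnew exists but the live file is gone
pending_rpmnew() {
    dir=${1:-/etc/httpd/conf.d}
    # Assumes config file names contain no newlines.
    find "$dir" -type f -name '*.rpmnew' | LC_ALL=C sort |
    while IFS= read -r new; do
        live=${new%.rpmnew}
        if [ ! -f "$live" ]; then
            printf 'ORPHAN  %s\n' "$new"
        elif cmp -s "$live" "$new"; then
            printf 'SAME    %s\n' "$live"
        else
            printf 'MERGE   %s\n' "$live"
        fi
    done
}

# Normalise a config file to its active directives: trim whitespace,
# drop comments and blank lines, sort for comm(1).
active_directives() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^#/d' -e '/^$/d' "$1" | LC_ALL=C sort -u
}

# Print directives that are active in FILE.rpmnew but not in FILE.
# Local edits show up here too; anything else is an upstream change.
new_directives() {
    target=$1
    a=$(mktemp) && b=$(mktemp) || return 1
    active_directives "$target" >"$a"
    active_directives "$target.rpmnew" >"$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Run the scan only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    pending_rpmnew "$1"
fi
```

A MERGE line for ssl.conf is the cue to run new_directives on it (or `diff -u`) and then move the local settings into a separate conf.d file, as suggested in the message.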