Dec 12, 2011

How to install Bugzilla with HTTPS on Ubuntu 10.04.3 LTS Server


So after a quick search, I couldn't find any one site with specific instructions on how to install Bugzilla 4.0.2 on the Ubuntu 10.04.3 LTS GNU/Linux server.

Since I spent some time and worked out the problems myself, I thought I'd post what worked for me. If you have any suggestions to make this writeup more accurate, or more secure, please leave a comment below with your wisdom. Thanks!


Things that you might need:
  • hostname for the server
  • username and password for the bugzilla server
  • ip address to use for the bugzilla server (static is suggested)
  • root password for your mysql
  • password for your self-signed SSL cert
  • password for the bugs user
  • email address / name / password for the admin user
First, install Ubuntu 10.04.3 LTS Server version. There is nothing special about this step, except that I recommend you use a strong password for the user you create, and perhaps select 'Install security updates automatically' at the manage upgrades prompt. Also, don't select 'LAMP server' during the software installation step, as we'll put in just the specific packages we need in the steps below. However, if you want to remotely manage your server using ssh, do choose OpenSSH server to install (I'll put in some instructions for disabling root login to ssh later**).

Once your Ubuntu Server is installed and running, log in and switch to root. From here on out, you'll perform the installation steps as root. To become root:
sudo -s
Run updates for the box. This will get you setup for the next step of installing packages.
apt-get update && apt-get upgrade -y
Note: this step may require a reboot to fully complete the update if the kernel was updated.

Tip: At this point, if you're setting up your server in a virtual machine, this is a good place to make a baseline snapshot so you can revert to it later if things go all wrong. I used Oracle's Virtualbox, the Open Source version. I installed Virtualbox with the terminal command:
sudo apt-get install virtualbox-ose

If you have a specific (static) IP address for the bugzilla server, set it up on the box with this:
vi /etc/network/interfaces
Then comment out this line by putting # in front like this:
#iface eth0 inet dhcp
Then add these lines (apply specific values for your environment):
iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
gateway 192.168.1.1
Then reset the networking on your server with the command
/etc/init.d/networking restart
Now we'll install the baseline packages for the bugzilla webserver using apt-get:
apt-get install libnet-ssleay-perl apache2 libapache2-mod-perl2 libapache2-mod-auth-mysql mysql-server mailutils gcc libappconfig-perl libdate-calc-perl libtemplate-perl libmime-perl build-essential libdatetime-timezone-perl libdatetime-perl libemail-send-perl libemail-mime-perl libemail-mime-modifier-perl libdbi-perl libdbd-mysql-perl libcgi-pm-perl -y
Note: Set the password for your mysql-server root user when prompted during the mysql installation. Also, by installing the packages above, you will also get the ssl-cert package, which will automatically generate a self-signed cert for your https server.

At this point you should be able to open http on your website. e.g., http://192.168.1.100 (per the example configuration above) should show a page that says "It works!". Very simple eh?

Now we need to enable ssl in Apache2 by running this simple command:
a2enmod ssl
Now, since we'll be using HTTPS for the site, we need to link the default-ssl website profile in /etc/apache2/sites-available into /etc/apache2/sites-enabled using the a2ensite command:
a2ensite default-ssl
This is basically the same as running the command:
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl
Now restart apache2 to refresh the running apache2 server configuration:
service apache2 restart
At this point you should be able to open https on your website. e.g., https://192.168.1.100 (per the example configuration above) should show a page that says "It works!".

Note: By default the "snake-oil" self-signed cert from the ssl-cert package is being used for your https capability.

If you don't have a remote machine to test access with, use this command from the server itself to test connectivity:
telnet localhost 443
Note: You should see something like the output below (notice it says connected to localhost):
Trying ::1...
Trying 127.0.0.1
Connected to localhost
Escape character is '^]'.
So now that we have Apache up and running, let's configure our http page to automatically redirect the user to https (this uses mod_rewrite), and then enable CGI for the bugzilla.

First, enable mod_rewrite so we can redirect http to https:
a2enmod rewrite
Now modify the http configuration file at /etc/apache2/sites-enabled/000-default to redirect to https. Simply add the three redirect-to-HTTPS lines to the <Directory /var/www> section as shown below:
vi /etc/apache2/sites-enabled/000-default
<Directory /var/www>
 #Enable redirect to HTTPS - added 3 lines below
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 

 Options Indexes FollowSymLinks MultiViews
 AllowOverride None
 Order allow,deny
 allow from none
</Directory>
Now, since we are modifying the apache2 configuration, let's modify /etc/apache2/sites-enabled/default-ssl (the link created by a2ensite above) to enable CGI script capability for the bugzilla website. See below.
vi /etc/apache2/sites-enabled/default-ssl
<Directory /var/www>
 Options +ExecCGI Indexes FollowSymLinks MultiViews
 AddHandler cgi-script cgi pl
 AllowOverride Limit
 DirectoryIndex index.cgi
 Order allow,deny
 allow from all
</Directory>
Then restart apache2 with
service apache2 restart
Now let's harden mysql and do some other database admin stuff. Run the command
mysql_secure_installation
Be sure to remove the guest user, disable remote access, and remove the test database. Then, create the database for bugzilla:
mysql -u root -p
Note: Your mysql root password will be required at this point.
mysql> CREATE DATABASE bugs;
mysql> GRANT ALL ON bugs.* TO bugs@localhost IDENTIFIED BY 'bugs';
mysql> quit
Now let's make some additional configuration changes for mysql. Open the file:
vi /etc/my.cnf
and add:
[mysqld]
# Allow packets up to 4MB
max_allowed_packet=4M
# Allow small words in full-text indexes
ft_min_word_len=2
Ok, restart mysql to load the my.cnf changes:
service mysql restart
Now download/install bugzilla. Download the bugzilla package:
wget http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-4.0.2.tar.gz
Extract it:
tar xvf bugzilla-4.0.2.tar.gz
Move it (and hidden files) to the /var/www directory:
mv bugzilla-4.0.2/* bugzilla-4.0.2/.??* /var/www
Set ownership of /var/www to the www-data (apache2) user/group
chown -R root:www-data /var/www
chown -R root:www-data /var/www/.??*
cd /var/www 
Now enable perl modules for bugzilla
perl -MCPAN -e install
Or you can use this (much longer) method:
/usr/bin/perl install-module.pl --all
Check to ensure modules are enabled for bugzilla - some will show as not loaded.
./checksetup.pl --check-modules
Now run the setup for bugzilla, for the first time, to create the localconfig file in the /var/www directory:
./checksetup.pl
Now make some changes to /var/www/localconfig for bugzilla:
  • Enter a password for $db_pass in /var/www/localconfig
  • Ensure $db_driver in /var/www/localconfig shows mysql
  • Ensure $webservergroup shows www-data (this is the Ubuntu group for apache2)
Now configure mysql for bugzilla use. Log in to mysql with your root password:
mysql -u root -p
Set the permissions for the bugs user:
mysql> GRANT SELECT, INSERT,
       UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES,
       CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.*
       TO bugs@localhost IDENTIFIED BY '$db_pass';
mysql> FLUSH PRIVILEGES;
Set the password for the bugs user:
mysql> SET PASSWORD FOR 'bugs'@'localhost' = PASSWORD('some password');
mysql> FLUSH PRIVILEGES;
mysql>quit
At this point you should move or delete the index.html in the /var/www so that bugzilla doesn't complain about it. I chose to move it.
mv /var/www/index.html ~
Now run the setup for bugzilla for the second time and it should add a bunch of tables and prompt you for the admin-email/password/name.
./checksetup.pl
Now bugzilla should be up and running. Test it out in your web browser. If you need to reset your admin password for bugzilla, do so with:
./checksetup.pl --reset-password=user@domain
If you need to create an admin user for bugzilla, do so with:
./checksetup.pl --make-admin=user@domain
Finally, to setup email for your bugzilla, run this command:
dpkg-reconfigure exim4-config
Select OK to continue, then follow the prompts and make the selections for the way you would like to have your bugzilla server email you.

**To disable root login for your bugzilla OpenSSH server (so you have to log in as a regular user, then sudo -s for root), simply set 'PermitRootLogin no' in /etc/ssh/sshd_config and then restart the ssh server with service ssh restart.

That's it! Hope this helps someone.

Shannon VanWagner
12 December 2011

You can test email functionality from the server with:
echo "This is a test" | mail -s "Test email" working-email-addr@your-valid-domain.com
If email is not working, try this diagnostic test:
exim -bt working-email-addr@your-valid-domain.com
If the above step produces an error, e.g. /var/log/exim4/mainlog shows "Unroutable address", and your bugzilla server is inside a domain with local DNS, check to ensure your MX records are configured correctly on your DNS server.
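
To confirm the security-relevant settings from this guide after the install, the script below checks three of the files edited above (an added example, not part of the original post; the function names are hypothetical, and the default paths are the ones used in this guide). It reports whether PermitRootLogin is explicitly set to no, whether the port-80 site still carries the HTTPS redirect, and whether $db_pass in localconfig is empty or still the 'bugs' password from the first GRANT.

```shell
#!/bin/sh
# Added example: post-install checks for three files this guide edits.
# Function names are hypothetical; file paths are passed in as arguments.

# sshd keeps the first value it reads for a keyword. Report the first
# uncommented global PermitRootLogin; stop at a Match block, whose
# settings apply only conditionally.
sshd_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# True when the port-80 vhost has an active (uncommented) RewriteCond and
# RewriteRule that send plain-HTTP requests to https://.
has_https_redirect() {
    grep -Eiq '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTPS\}[[:space:]]+off' "$1" &&
    grep -Eiq '^[[:space:]]*RewriteRule[[:space:]].*https://' "$1"
}

# Print the string assigned to $db_pass in Bugzilla's localconfig.
db_pass_value() {
    awk -F"'" '/^[ \t]*\$db_pass[ \t]*=/ { print $2; exit }' "$1"
}

# Reject an empty $db_pass and the throwaway 'bugs' password used in the
# first GRANT statement of the guide.
db_pass_ok() {
    p=$(db_pass_value "$1")
    [ -n "$p" ] && [ "$p" != "bugs" ]
}

# audit SSHD_CONFIG HTTP_VHOST LOCALCONFIG: print each failure, return 1 if any.
audit() {
    rc=0
    [ "$(sshd_root_login "$1")" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not explicitly 'no' in $1"; rc=1; }
    has_https_redirect "$2" ||
        { echo "FAIL: no active HTTP-to-HTTPS rewrite in $2"; rc=1; }
    db_pass_ok "$3" ||
        { echo "FAIL: \$db_pass is empty or 'bugs' in $3"; rc=1; }
    return $rc
}

# Check the live paths from this guide only when called with "run".
if [ "${1:-}" = "run" ]; then
    audit /etc/ssh/sshd_config /etc/apache2/sites-enabled/000-default \
          /var/www/localconfig
fi
```

Run it as root with the single argument run; it prints one FAIL line per problem and exits non-zero if any check fails.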