Hi Donovan, well definitely out in the weeds!

I did not compile nginx, not sure where you got that from, or I guess
you are referring to the fact that you never had problems with openssl
when you compiled ssl from scratch?

Read through your cap file. Thank you very much for posting it! That was
inspirational on what I could be doing. Will be making significant
modifications in future. However, would like to try and get my current
one working at this point.

Anyway, my server was running O.K. before I tried to implement ssl.
As I mentioned, my certificate is installed correctly, and readable by
the system.

I am doing something that may be somewhat different: deploying from a
git repository that is on the same remote machine as my web server.
Anyway, if something is a glaring mistake, please point it out to me!

Oh, and my cap file is not doing anything with ssl, Michael. Just
reporting errors I was getting.

Here is gist of my deploy.rb:

git://gist.github.com/3548088.git

Here is gist of my nginx server block:

git://gist.github.com/3549195.git


Thanks!

   Jet



On Aug 30, 9:26 am, Donovan Bray <[email protected]> wrote:
> Maybe gist your deploy.rb. Because I think you're off in the weeds. The stuff
> you're messing with I've never had to mess with, including compiling nginx from
> scratch to support ssl.
>
> Maybe check
>
> https://github.com/donnoman/cap-recipes/blob/master/lib/cap_recipes/t...
>
> To see how I install nginx.
>
> On Aug 29, 2012, at 9:53 PM, blueHandTalking <[email protected]> wrote:
>
> > I am attempting to configure ssl in Nginx for the first time.
>
> > I am getting the following error from
>
> >    cap deploy
>
> > Error:
>
> > [err :: 209.166.65.132] 15643:error:0200100D:system
> > library:fopen:Permission denied:bss_file.c:126:fopen('/usr/lib/ssl/
> > openssl.cnf','rb')
>
> > I have the following in my deploy.rb:
>
> > set :user,            "deployer"
> > set :group,           "staff"
> > set :use_sudo,        false
>
> > /usr/lib/ssl/openssl.cnf is a symlink to /etc/ssl/openssl.cnf,
>
> > group 'staff' , which 'deployer' is a member of, has read permission
> > for /etc/ssl/openssl.cnf,
> > and the symlink is root/root for user and group---with 777 permissions
> > which is normal.
>
> > However, I am unable to do a : less /etc/ssl/openss.cnf
>
> > when I am logged in as deployer.
>
> > So perhaps I do not have a good grasp of the permission system. I
> > realize that /etc and /etc/ssl
> > are owned by root---but I thought that if staff is the group for /etc/
> > ssl/openssl.cnf, deployer belongs
> > to staff, and the group permission for /etc/ssl/openssl.cnf is read---
> > I should be able to read that file?
>
> > Testing path:
>
> > sudo openssl verify -CApath /etc/ssl/certs server.pem
> > Error opening certificate file server.pem
>
> > ***FAILED***
>
> > Testing Connection:
>
> > sudo openssl s_client -connect aceleathergoods.net:443 -CApath /etc/
> > ssl/
> > CONNECTED(00000003)
> > depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CACert Signing
> > Authority/[email protected]
> > verify return:1
> > depth=0 /CN=aceleathergoods.net
> > verify return:1
> > ---
> > Certificate chain
> > 0 s:/CN=aceleathergoods.net
> >   i:/O=Root CA/OU=http://www.cacert.org/CN=CACert Signing Authority/
> > [email protected]
> > 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcertClass 3 Root
> >   i:/O=Root CA/OU=http://www.cacert.org/CN=CACert Signing Authority/
> > [email protected]
> > 2 s:/O=Root CA/OU=http://www.cacert.org/CN=CACert Signing Authority/
> > [email protected]
> >   i:/O=Root CA/OU=http://www.cacert.org/CN=CACert Signing Authority/
> > [email protected]
> > ---
> > -----(truncated results)
>
> > o client certificate CA names sent
> > ---
> > SSL handshake has read 5755 bytes and written 319 bytes
>
> > ....(truncated results)
>
> >  Start Time: 1346278528
> >    Timeout   : 300 (sec)
> >    Verify return code: 0 (ok)
> > ---
> > read:errno=0
>
> > End Result:     Success connecting ( at least rest of report did not
> > seem to indicate any errors).
>
> > So if someone could straighten me out on where I am going wrong on
> > permissions I would really appreciate it.
> > Permissions are the default on my Debian Squeeze installation.
>
> > Thanks!
>
> >   Jet
>
> > --
> > * You received this message because you are subscribed to the Google Groups 
> > "Capistrano" group.
> > * To post to this group, send email to [email protected]
> > * To unsubscribe from this group, send email to 
> > [email protected] For more options, visit this group 
> > athttp://groups.google.com/group/capistrano?hl=en
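
The permission question in the quoted message depends on more than the file's own mode: reading a file needs search (x) permission on every directory in its symlink-resolved path plus read permission on the file, and the mode shown on the symlink itself is not consulted. The script below is an added example, not part of any message in this thread; the function names `allows`, `first_blocker` and `demo`, the temporary tree and the uid are constructed for illustration.

```shell
# Added example, not from the thread. Classic owner/group/other bits only:
# ACLs, capabilities and root's override are ignored. Needs readlink -f.

# allows PATH UID "GIDS" WANT: succeeds if the permission class that applies
# to UID/GIDS has the WANT bit on PATH (r = read, x = search a directory).
allows() {
    a_uid=$2; a_gids=$3; a_want=$4
    set -f; set -- $(ls -ldn -- "$1"); set +f   # $1=mode $3=owner uid $4=gid
    a_bits=$(printf '%s' "$1" | cut -c8-10)      # default class: other
    for a_g in $a_gids; do
        [ "$a_g" = "$4" ] && a_bits=$(printf '%s' "$1" | cut -c5-7)   # group
    done
    [ "$a_uid" = "$3" ] && a_bits=$(printf '%s' "$1" | cut -c2-4)     # owner wins
    case "$a_want:$a_bits" in r:r??|x:??[xst]) return 0 ;; esac
    return 1
}

# first_blocker PATH UID "GIDS": prints "ok", or the first component of the
# symlink-resolved path that denies search (directories) or read (the target).
first_blocker() {
    fb_uid=$2; fb_gids=$3; fb_cur=""
    fb_rest=$(readlink -f -- "$1") || { echo "unresolvable: $1"; return 2; }
    allows / "$fb_uid" "$fb_gids" x || { echo /; return 1; }
    fb_rest=${fb_rest#/}
    while [ -n "$fb_rest" ]; do
        fb_cur="$fb_cur/${fb_rest%%/*}"
        case "$fb_rest" in
            */*) fb_rest=${fb_rest#*/}; fb_want=x ;;
            *)   fb_rest="";            fb_want=r ;;
        esac
        allows "$fb_cur" "$fb_uid" "$fb_gids" "$fb_want" || { echo "$fb_cur"; return 1; }
    done
    echo ok
}

# Constructed tree shaped like the thread's paths: the file is group-readable
# but its directory is searchable by the owner only.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/etc/ssl" "$d/usr/lib/ssl" || return 2
    echo '# constructed sample' > "$d/etc/ssl/openssl.cnf"
    chmod 755 "$d" "$d/etc"; chmod 700 "$d/etc/ssl"; chmod 640 "$d/etc/ssl/openssl.cnf"
    ln -s "$d/etc/ssl/openssl.cnf" "$d/usr/lib/ssl/openssl.cnf"
    set -f; set -- $(ls -ldn -- "$d/etc/ssl/openssl.cnf"); set +f
    # uid+1: a made-up user who is not the owner but is in the file's group
    first_blocker "$d/usr/lib/ssl/openssl.cnf" "$(( $(id -u) + 1 ))" "$4" || true
    rm -rf "$d"
}
demo
```

On a real host the same walk would be `first_blocker /usr/lib/ssl/openssl.cnf "$(id -u deployer)" "$(id -G deployer)"`; `id -G` reads the group database, so a session opened before the user was added to a group may still lack that group.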