Hi Mark,

On 5/15/20 11:03 AM, Mark Smith via dnsdist wrote:
> It sounds like a trivial problem, but I just can't get to the bottom of
> it. I am getting errors as shown below when restarting dnsdist after
> upgrading to the latest build (1.5rc2)
>
> May 15 08:13:40 resolver dnsdist[871574]:
> 140035959995712:error:0200100D:system library:fopen:Permission
> denied:../crypto/bio/bss_file.c:288:fopen('/etc/ssl/pri>
> May 15 08:13:40 resolver dnsdist[871574]:
> 140035959995712:error:20074002:BIO routines:file_ctrl:system
> lib:../crypto/bio/bss_file.c:290:
> May 15 08:13:40 resolver dnsdist[871574]:
> 140035959995712:error:140B0002:SSL
> routines:SSL_CTX_use_PrivateKey_file:system lib:../ssl/ssl_rsa.c:540:
> May 15 08:13:40 resolver dnsdist[871574]: Fatal error: An error
> occurred while trying to load the TLS server private key file:
> /etc/ssl/private/server.key
> May 15 08:13:40 resolver systemd[1]: dnsdist.service: Main process
> exited, code=exited, status=1/FAILURE
>
> The obvious would be that something is wrong with permissions of those
> files, but I can't see the issue.
>
> The system runs fine using build 1.4.
> All I did was to add the repo to the sources list and do an
> update/upgrade.
> On restart we get the above from journalctl -xe.
>
> Extract of config file is:
>
> addTLSLocal("0.0.0.0", "/etc/ssl/certs/server.crt",
> "/etc/ssl/private/server.key")
> addTLSLocal("[::]", "/etc/ssl/certs/server.crt",
> "/etc/ssl/private/server.key")
>
> Looking at that private key:
>
> ls -l /etc/ssl/private/
>
> -rw-rw-rw- 1 root root 1679 Apr 26 23:35 server.key
>
> Which looks fine.
>
> Runs okay using the same config and version 1.4 (running on Ubuntu
> 20.04 LTS).
> Anyone have any ideas? Looks like the above errors are coming from the
> code within dnsdist.
>
> Note: If I uninstall 1.5rc2 and reinstall 1.40, it seems to run fine.
That comes from dnsdist 1.5-rc2 not being started as root anymore, and
therefore likely not being able to enter the /etc/ssl/private directory.
Please read the upgrade guide at [1]. Several options exist there: you
could copy the necessary files into /etc/dnsdist and set the ownership of
these files to dnsdist, or perhaps the dnsdist user could be added to the
group owning the /etc/ssl/private directory (ssl-cert on Debian, if I'm
not mistaken), for example.

[1]: https://dnsdist.org/upgrade_guide.html#to-1-5-x

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
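An added check for the situation Remi describes (example code, not from the thread or from dnsdist): it walks every directory above a key file and reports the first component the service account cannot search, which is what a 0666 key inside a 0710 root:ssl-cert directory produces. It assumes GNU stat(1) and simulates the account with a uid and gid list, so it runs without root; the "ssl-cert" group is stood in for by the fixture directory's own gid.

```shell
#!/bin/sh
# Added example, not from the thread: can a non-root service account reach
# a TLS key? A readable key below a directory lacking the search (x) bit for
# that account fails exactly like the fopen() "Permission denied" logged
# above. Assumes GNU stat(1); the account is simulated by a uid and gid list.

in_list() { for g in $2; do [ "$g" = "$1" ] && return 0; done; return 1; }

# class_digit PATH UID "GID GID..." -> the owner/group/other permission digit
# that applies to that account on PATH (setuid/setgid/sticky are dropped).
class_digit() {
    out=$(stat -c '%a %u %g' "$1" 2>/dev/null) || return 1
    mode=${out%% *}; rest=${out#* }; owner=${rest%% *}; group=${rest#* }
    perm=$(printf '%s' "$mode" | tail -c 3)
    if   [ "$owner" = "$2" ];   then col=1
    elif in_list "$group" "$3"; then col=2
    else                             col=3
    fi
    printf '%s\n' "$perm" | cut -c"$col"
}

# key_readable_by PATH UID "GIDS": every ancestor directory needs the search
# bit, the file itself the read bit. Prints the first blocking component.
key_readable_by() {
    f=$1; uid=$2; gids=$3; d=$(dirname "$f")
    while :; do
        dig=$(class_digit "$d" "$uid" "$gids") || { echo "cannot stat $d"; return 1; }
        if [ $((dig & 1)) -eq 0 ]; then
            echo "BLOCKED: uid $uid cannot search $d ($(stat -c '%a %U:%G' "$d"))"
            return 1
        fi
        { [ "$d" = / ] || [ "$d" = . ]; } && break
        d=$(dirname "$d")
    done
    dig=$(class_digit "$f" "$uid" "$gids") || { echo "cannot stat $f"; return 1; }
    if [ $((dig & 4)) -eq 0 ]; then
        echo "BLOCKED: uid $uid cannot read $f ($(stat -c '%a %U:%G' "$f"))"; return 1
    fi
    echo "OK: uid $uid can read $f ($(stat -c '%a %U:%G' "$f"))"
}
# Constructed fixture mirroring the post: a 0710 directory (like root:ssl-cert
# /etc/ssl/private) holding a 0666 key; a uid/gid matching nothing plays "other".
demo_root=$(mktemp -d "${TMPDIR:-/tmp}/keycheck.XXXXXX"); chmod 755 "$demo_root"
trap 'rm -rf "$demo_root"' EXIT
mkdir -m 710 "$demo_root/private"
: > "$demo_root/private/server.key"; chmod 666 "$demo_root/private/server.key"
SSLCERT_GID=$(stat -c %g "$demo_root/private")   # stands in for group ssl-cert

key_readable_by "$demo_root/private/server.key" 65534 "65534" || :           # BLOCKED at the directory
key_readable_by "$demo_root/private/server.key" 65534 "65534 $SSLCERT_GID"   # OK once in the key's group
```

Run it against a real path with the service user's uid and `id -G` output to see which of Remi's two options (move the files under /etc/dnsdist, or add the dnsdist user to the directory's group) the current layout needs.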