Bug#1056193: is actually a bug, sorry

[Patrick Matthäi]

tag #1056193 + pending
thanks

Hey,

I will upload the attached patch with my next upload. But this is 
nothing I can fix in stable => since an update will break again now 
working setups using /usr/lib/ssl/..


The best option would be if gluster would make the paths configureable

btw I may also upload 11.x this year to bookworm-backports

Am 03.12.2023 um 01:40 schrieb David Bremner:

That's all very well, but glusterd is not looking in a subdirectory of
/usr/lib/ssl it is looking for /usr/lib/ssl/glusterfs.pem, as pointed
out above.

FYI, upstreams docs [1] show gluster looking in /etc/ssl, not in a
subdirectory.

https://docs.gluster.org/en/latest/Administrator-Guide/SSL/



*# On Debian like systems the output of openssl version -d is /usr/lib/ssl,
# where are symlinks in it to the correct directories in /etc/ssl.
# But glusterfs hardcodes the certificate files to be placed directly in
# /usr/lib/ssl, without the correct subdirectories. So that it is possible
# again to store the certificate data in /etc/ssl/ we hardcode the path now.
# A better solution would be to configure the paths in the volfiles, but 
that

# is not possible, yet.
# Closes: #1056193

diff -Naur glusterfs-11.1.orig/configure glusterfs-11.1/configure
--- glusterfs-11.1.orig/configure   2023-11-06 16:24:29.990040453 +0100
+++ glusterfs-11.1/configure    2023-12-12 11:59:03.930931968 +0100
@@ -14553,7 +14553,7 @@

 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL trusted 
certificates path" >&5

 $as_echo_n "checking for OpenSSL trusted certificates path... " >&6; }
-SSL_CERT_PATH=$(openssl version -d | sed -e 's|OPENSSLDIR: "\(.*\)".*|\1|')
+SSL_CERT_PATH=/etc/ssl
 if test -d "${SSL_CERT_PATH}" 1>/dev/null 2>&1; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SSL_CERT_PATH" >&5
 $as_echo "$SSL_CERT_PATH" >&6; }
diff -Naur glusterfs-11.1.orig/configure.ac glusterfs-11.1/configure.ac
--- glusterfs-11.1.orig/configure.ac    2023-11-06 16:24:25.401026631 +0100
+++ glusterfs-11.1/configure.ac 2023-12-12 11:59:20.278889134 +0100
@@ -803,7 +803,7 @@

 dnl Find out OpenSSL trusted certificates path
 AC_MSG_CHECKING([for OpenSSL trusted certificates path])
-SSL_CERT_PATH=$(openssl version -d | sed -e 's|OPENSSLDIR: "\(.*\)".*|\1|')
+SSL_CERT_PATH=/etc/ssl
 if test -d "${SSL_CERT_PATH}" 1>/dev/null 2>&1; then
    AC_MSG_RESULT([$SSL_CERT_PATH])
    AC_DEFINE_UNQUOTED(SSL_CERT_PATH, ["$SSL_CERT_PATH"], [Path to 
OpenSSL trusted certificates.])

*

Bug#1056193: is actually a bug, sorry

[David Bremner]

Control: reopen -1
"Debian Bug Tracking System"  writes:

> This is an automatic notification regarding your Bug report
> which was filed against the glusterfs-client package:
>
> Am 18.11.2023 um 17:37 schrieb Xan Charbonnet:

>> I recently upgraded the backup machine to bookworm.  Suddenly I was unable to
>> mount the cluster.  The key error in the logs was:
>>
>> E [socket.c:4405:ssl_setup_connection_params] 0-glusterfs: could not load our
>> cert at /usr/lib/ssl/glusterfs.pem
>>
[snip]

>
> But if you look in /usr/lib/ssl =>
>
> $ ls -l /usr/lib/ssl/ insgesamt 4 lrwxrwxrwx 1 root root 34 23. Okt 
> 19:52 cert.pem -> /etc/ssl/certs/ca-certificates.crt lrwxrwxrwx 1 root 
> root 14 13. Mär 2012 certs -> /etc/ssl/certs drwxr-xr-x 2 root root 4096 
> 25. Okt 06:25 misc lrwxrwxrwx 1 root root 20 23. Okt 19:52 openssl.cnf 
> -> /etc/ssl/openssl.cnf lrwxrwxrwx 1 root root 16 13. Mär 2012 private 
> -> /etc/ssl/private
>
> So if you use the subdirectories the paths are correct (in /etc)

That's all very well, but glusterd is not looking in a subdirectory of
/usr/lib/ssl it is looking for /usr/lib/ssl/glusterfs.pem, as pointed
out above.

FYI, upstreams docs [1] show gluster looking in /etc/ssl, not in a
subdirectory.

https://docs.gluster.org/en/latest/Administrator-Guide/SSL/