On Saturday, September 5, 2015 at 11:30:06 PM UTC, Christoph Larsen wrote:
>
> On Friday, September 4, 2015 at 4:50:04 PM UTC, Cédric Krier wrote:
>>
>> On 2015-09-04 08:30, Christoph Larsen wrote:
>> > Dear All,
>> > Does the SAO web client SSL connections to the trytond backend? I had
>> > this working before from both the GTK client AND the SAO webclient before,
>> > but nowadays I get the following error message, as soon as I use the SAO
>> > web client, ONLY (GTK client works well):
>> >
>> > Exception happened during processing of request from ('197.157.233.82',39772)
>> > Traceback (most recent call last):
>> >   File "/usr/local/lib/python2.7/SocketServer.py", line 599, in process_request_thread
>> >     self.finish_request(request, client_address)
>> >   File "/usr/local/lib/python2.7/SocketServer.py", line 334, in finish_request
>> >     self.RequestHandlerClass(request, client_address, self)
>> >   File "/usr/local/lib/python2.7/SocketServer.py", line 653, in __init__
>> >     self.setup()
>> >   File "/usr/local/trytond_erp_synalinq/lib/python2.7/site-packages/trytond/protocols/jsonrpc.py", line 297, in setup
>> >     self.request = SSLSocket(self.request)
>> >   File "/usr/local/trytond_erp_synalinq/lib/python2.7/site-packages/trytond/protocols/sslsocket.py", line 13, in SSLSocket
>> >     ssl_version=ssl.PROTOCOL_SSLv23)
>> >   File "/usr/local/lib/python2.7/ssl.py", line 911, in wrap_socket
>> >     ciphers=ciphers)
>> >   File "/usr/local/lib/python2.7/ssl.py", line 522, in __init__
>> >     self._context.load_cert_chain(certfile, keyfile)
>> > IOError: [Errno 13] Permission denied
>> >
>> > This is a bit confusing, as permissions seem to be fine - the GTK
>> > client continues to work well.
>> > There is, of course, the Nginx as reverse proxy workaround, but it is
>> > still interesting to know.
>>
>> Pretty sure that the user running trytond has no access right to the SSL
>> certificates.
>> Maybe it is your nginx server that runs the trytond code.
>>
> Alas, it is not. Permissions are fine. Strangely enough, this worked prior
> to the last upgrade done three days ago. Admittedly, I have been running an
> old version of SAO for a while.
> The rather cryptic causes of this are why I ask the list.
> Thanks,
> Chris
>
And here is the resolution: Permissions for users and group were indeed
fine. However, daemontools' setuidgid does not do the trick and does not
respect additional group memberships (unlike su), and does, in this case,
not add the required additional group membership, e.g. "ssl-cert", needed
for private key access. su solves this issue.
Thanks!
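
Added example, not part of the original thread and not Tryton or daemontools code: a small diagnostic for the failure described in the resolution above, where the process keeps its uid and primary gid but has lost the supplementary group (such as "ssl-cert") that grants read access to the private key. The uid/gid numbers and file mode are constructed sample values, and POSIX ACLs are ignored.

```python
import os
import pwd
import stat
import sys

def may_read(mode, owner_uid, owner_gid, uid, gid, groups):
    """Unix read check (ACLs ignored): owner class, else group class, else other."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid == gid or owner_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def dropped_groups(expected, actual):
    """Groups the account database grants but the running process lacks."""
    return sorted(set(expected) - set(actual))

# Constructed sample values (assumptions, not taken from the thread):
# key file owned by root:ssl-cert (gid 110), mode 0640; service account 1001:1001.
KEY = dict(mode=0o640, owner_uid=0, owner_gid=110)
SETUIDGID_CREDS = dict(uid=1001, gid=1001, groups=[1001])   # no supplementary groups
SU_CREDS = dict(uid=1001, gid=1001, groups=[1001, 110])     # group list initialised

def diagnose(path):
    """Live check: can this process read `path`, and which groups is it missing?"""
    pw = pwd.getpwuid(os.geteuid())
    expected = os.getgrouplist(pw.pw_name, pw.pw_gid)
    actual = set(os.getgroups()) | {os.getegid()}
    st = os.stat(path)  # raises EACCES if a parent directory is not searchable
    ok = may_read(st.st_mode, st.st_uid, st.st_gid,
                  os.geteuid(), os.getegid(), actual)
    return ok, dropped_groups(expected, actual)

if __name__ == "__main__":
    print("setuidgid-style credentials can read key:", may_read(**KEY, **SETUIDGID_CREDS))
    print("su-style credentials can read key:       ", may_read(**KEY, **SU_CREDS))
    if len(sys.argv) > 1:
        try:
            print("live process (readable, dropped gids):", diagnose(sys.argv[1]))
        except OSError as exc:
            print("stat failed:", exc)
```

To check a real service, start the script through the same supervisor command line as the daemon and pass it the key file path; a non-empty list of dropped gids means the launcher did not initialise the supplementary groups.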