Permission Denied Error: fopen('/usr/lib/ssl/openssl.cnf','rb')


blueHandTalking

Aug 30, 2012, 12:53:16 AM
to Capistrano
I am attempting to configure ssl in Nginx for the first time.

I am getting the following error from

cap deploy

Error:

[err :: 209.166.65.132] 15643:error:0200100D:system library:fopen:Permission denied:bss_file.c:126:fopen('/usr/lib/ssl/openssl.cnf','rb')

I have the following in my deploy.rb:

set :user, "deployer"
set :group, "staff"
set :use_sudo, false



/usr/lib/ssl/openssl.cnf is a symlink to /etc/ssl/openssl.cnf,

group 'staff', which 'deployer' is a member of, has read permission for /etc/ssl/openssl.cnf,
and the symlink is root/root for user and group, with 777 permissions, which is normal.

However, I am unable to do a : less /etc/ssl/openss.cnf

when I am logged in as deployer.

So perhaps I do not have a good grasp of the permission system. I realize that /etc and /etc/ssl are owned by root, but I thought that if staff is the group for /etc/ssl/openssl.cnf, deployer belongs to staff, and the group permission for /etc/ssl/openssl.cnf is read, I should be able to read that file?

Testing path:

sudo openssl verify -CApath /etc/ssl/certs server.pem
Error opening certificate file server.pem

***FAILED***

Testing Connection:

sudo openssl s_client -connect aceleathergoods.net:443 -CApath /etc/ssl/
CONNECTED(00000003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=sup...@cacert.org
verify return:1
depth=0 /CN=aceleathergoods.net
verify return:1
---
Certificate chain
 0 s:/CN=aceleathergoods.net
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=sup...@cacert.org
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=sup...@cacert.org
 2 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=sup...@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=sup...@cacert.org
---
-----(truncated results)

No client certificate CA names sent
---
SSL handshake has read 5755 bytes and written 319 bytes

....(truncated results)

Start Time: 1346278528
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0

End Result: Success connecting (at least rest of report did not seem to indicate any errors).

So if someone could straighten me out on where I am going wrong on
permissions I would really appreciate it.
Permissions are the default on my Debian Squeeze installation.

Thanks!

Jet
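
The question in the post above turns on how Unix mode bits are evaluated along a path: every directory on the way needs search (x) permission for the user, the file itself needs read (r), and only one of the owner/group/other classes is consulted. The following is an added example, not part of the original post, that walks those checks for a given uid and group set; `allowed`, `first_block` and the `base` parameter are names made up here, and ACLs and MAC policy (AppArmor, SELinux) are not considered.

```python
import os

def allowed(st, uid, gids, want):
    """Classic mode-bit check for one inode; want is 'r' or 'x'."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if uid == st.st_uid:
        shift = 6                        # owner class only
    elif st.st_gid in gids:
        shift = 3                        # group class only
    else:
        shift = 0                        # other class
    bit = 4 if want == "r" else 1
    return bool((st.st_mode >> shift) & bit)

def first_block(path, uid, gids, base="/"):
    """Return (component, reason) for the first thing that stops uid/gids
    from reading path, or None. Directories at or above base are skipped.
    gids should be the groups of the running session (id -G), which can
    differ from /etc/group until the user logs in again.
    Run it as a user who can stat every component (for example root)."""
    base = os.path.realpath(base)
    # Directory that holds the (possibly symlinked) name, then its target.
    link_dir = os.path.realpath(os.path.dirname(os.path.abspath(path)))
    real = os.path.realpath(path)
    for directory in (link_dir, os.path.dirname(real)):
        current = base
        for part in os.path.relpath(directory, base).split(os.sep):
            if part == ".":
                continue
            current = os.path.join(current, part)
            if not allowed(os.stat(current), uid, gids, "x"):
                return current, "directory lacks search (x) for this user"
    if not allowed(os.stat(real), uid, gids, "r"):
        return real, "file lacks read (r) for this user"
    return None

if __name__ == "__main__":
    # Path taken from the post; uid and group set are those of the caller.
    target = "/usr/lib/ssl/openssl.cnf"
    if os.path.exists(target):
        print(first_block(target, os.getuid(), set(os.getgroups())))
```

The 777 mode shown on a symlink plays no part in the result; only the directories traversed and the target file are checked.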




Donovan Bray

Aug 30, 2012, 12:26:43 PM
to capis...@googlegroups.com
Maybe gist your deploy.rb. Because I think you're off in the weeds. The stuff you're messing with I've never had to mess with, including compiling nginx from scratch to support ssl.

Maybe check

https://github.com/donnoman/cap-recipes/blob/master/lib/cap_recipes/tasks/nginx/install.rb

To see how I install nginx.

Michael Richardson

Aug 30, 2012, 4:40:05 PM
to capis...@googlegroups.com

I don't think that your cap formula should be screwing with ssl at all.
If you are trying to automate the nginx config, I'd use puppet/chef/etc.

blueHandTalking

Aug 31, 2012, 1:22:09 AM
to Capistrano
Hi Donovan, well definitely out in the weeds!

I did not compile nginx, not sure where you got that from, or I guess you are referring that you never had problems with openssl when you compiled ssl from scratch?

Read thru your cap file. Thank you very much for posting it! That was inspirational on what I could be doing. Will be making significant modifications in future. However, would like to try and get my current one working at this point.

Anyway, my server was running O.K. before I tried to implement ssl.
As I mentioned, my certificate is installed correctly, and readable by
the system.

I am doing something that may be somewhat different: deploying from a
git repository that is on the same remote machine as my web server.
Anyway, if something is a glaring mistake, please point it out to me!

Oh, and my cap file is not doing anything with ssl, Michael. Just reporting errors I was getting.

Here is gist of my deploy.rb:

git://gist.github.com/3548088.git

Here is gist of my nginx server block:

git://gist.github.com/3549195.git


Thanks!

Jet



On Aug 30, 9:26 am, Donovan Bray <donno...@gmail.com> wrote:
> Maybe gist your deploy.rb. Because I think your off in the weeds. The stuff your messing with I've never had to mess with including compiling nginx from scratch to support ssl.
>
> Maybe check
>
> https://github.com/donnoman/cap-recipes/blob/master/lib/cap_recipes/t...
> > Authority/emailAddress=supp...@cacert.org
> > verify return:1
> > depth=0 /CN=aceleathergoods.net
> > verify return:1
> > ---
> > Certificate chain
> > 0 s:/CN=aceleathergoods.net
> >   i:/O=Root CA/OU=http://www.cacert.org/CN=CACert Signing Authority/
> > emailAddress=supp...@cacert.org
> > 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcertClass 3 Root
> >   i:/O=Root CA/OU=http://www.cacert.org/CN=CACert Signing Authority/
> > emailAddress=supp...@cacert.org
> > 2 s:/O=Root CA/OU=http://www.cacert.org/CN=CACert Signing Authority/
> > emailAddress=supp...@cacert.org
> >   i:/O=Root CA/OU=http://www.cacert.org/CN=CACert Signing Authority/
> > emailAddress=supp...@cacert.org