
Bug 123316

Summary: net-nntp/inn ebuild installs invalid SSL certificate
Product: Gentoo Linux
Reporter: Thomas Petersen <mendo>
Component: Current packages
Assignee: Gentoo Net-news project <net-news>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: High
Version: 2005.0
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Thomas Petersen 2006-02-18 13:38:51 UTC
The INN ebuild installs an autogenerated self-signed SSL certificate in /etc/news/cert (4 files). These are symlinked to /usr/lib/news/lib. nnrpd won't accept these symlinks as it thinks the files have wrong ownership and permissions, and secondly the certificate seems to be corrupt in some way.

Steps to reproduce:
1. Start up inn and start nnrpd:
/usr/lib/news/bin/nnrpd -D -S -p 563
2. Connect to the newsserver with an SSL-enabled newsreader. I use Mozilla.
3. Watch /var/log/news/news.err. It says:
Feb 18 18:11:39 localhost nnrpd[5142]: bad ownership or permissions on private key '/usr/lib/news/lib/cert.pem': private key must be mode 600 and owned by news
Feb 18 18:11:39 localhost nnrpd[5142]: error initializing TLS: [CA_file: ] [CA_path: /usr/lib/news/lib] [cert_file: /usr/lib/news/lib/cert.pem] [key_file: /usr/lib/news/lib/cert.pem]
4. Now fix this by copying the 4 files from /etc/news/cert to /usr/lib/news/lib or by hardlinking them instead of symlinks.
5. Connect to the newsserver again. This time nothing is reported to news.err. Instead Mozilla says:
Could not establish an encrypted connection because certificate presented by <server> is invalid or corrupted. Error Code: -8182

If I generate a new certificate by hand it works fine:
openssl req -new -x509 -nodes -days 365 -out cert.crt -keyout cert.key
cat cert.key cert.crt > cert.pem

I'm not sure why the autogenerated certificate won't work as it looks all right when printed out with:
openssl x509 -in cert.pem -text
emerge info:
Portage 2.0.54 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r2, 2.4.25-gentoo-r2 i686)
=================================================================
System uname: 2.4.25-gentoo-r2 i686 Pentium III (Coppermine)
Gentoo Base System version 1.6.14
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.esoft.dk/gentoo ftp://ftp.uninett.no/pub/linux/Gentoo http://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://mirror.switch.ch/mirror/gentoo/"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://mirror.esoft.dk/gentoo-portage"
USE="x86 apache2 apm arts avi berkdb bitmap-fonts bzip2 crypt curl eds emboss encode expat flash foomaticdb fortran gd gdbm gif gpm gstreamer gtk2 icq imagemagick imap imlib innkeywords inntaggedhash ipv6 java jpeg kde lcms ldap libg++ libwww mad mhash mikmod ming motif mp3 mpeg msn mysql ncurses nls ogg oggvorbis oscar oss pam pcre pdflib perl png postgres python quicktime readline samba sasl slang snmp spell ssl tcpd tiff truetype truetype-fonts type1-fonts vorbis webdav wmf xml xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS
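The report shows two separate ways the installed cert.pem can fail before any client gets an encrypted session: nnrpd refusing the key file over ownership/permissions, and the client rejecting the certificate itself. The following is an added example, not code from the bug report, from INN or from the Gentoo ebuild: a POSIX shell pre-flight check that an administrator can run against the combined key+certificate file before starting nnrpd. It assumes an openssl binary and GNU or BSD stat are present, that the file follows the "cat cert.key cert.crt > cert.pem" layout shown above, and that the expected owner ("news" on a real INN host) is passed as an argument; it goes slightly beyond the report by also confirming that the private key actually belongs to the certificate and that the certificate has not expired.

```shell
#!/bin/sh
# Added example (not part of the bug report, INN or the ebuild): pre-flight
# checks for the combined key+certificate file that nnrpd loads.

# check_pem_perms FILE OWNER
# Succeeds only if FILE is a regular file (not a symlink), mode 0600 and
# owned by OWNER, the conditions nnrpd's log message above spells out.
check_pem_perms() {
    f=$1
    owner=$2
    # The symlinked layout is exactly what produced the error in the report,
    # so a symlink is rejected outright rather than followed.
    if [ -L "$f" ]; then
        echo "$f: is a symlink; install a regular file instead" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi
    # GNU stat first, BSD stat as a fallback; output is "<octal mode> <owner>".
    info=$(stat -c '%a %U' "$f" 2>/dev/null || stat -f '%OLp %Su' "$f")
    mode=${info% *}
    user=${info#* }
    if [ "$mode" != "600" ]; then
        echo "$f: mode is $mode, must be 600" >&2
        return 1
    fi
    if [ "$user" != "$owner" ]; then
        echo "$f: owned by $user, must be owned by $owner" >&2
        return 1
    fi
    return 0
}

# check_pem_pair FILE
# Succeeds only if FILE holds a readable private key and a certificate, the
# two carry the same public key (i.e. the concatenation used a matching
# pair), and the certificate has not expired.
check_pem_pair() {
    f=$1
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || {
        echo "$f: no readable private key" >&2
        return 1
    }
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || {
        echo "$f: no readable certificate" >&2
        return 1
    }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "$f: private key does not match the certificate" >&2
        return 1
    fi
    # -checkend 0 fails if the certificate's notAfter is already in the past.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$f: certificate has expired" >&2
        return 1
    fi
    return 0
}

# check_nnrpd_cert FILE OWNER
# Runs both checks in the order the failures appeared in the report:
# ownership/permissions first, then the key/certificate contents.
check_nnrpd_cert() {
    check_pem_perms "$1" "$2" && check_pem_pair "$1"
}
```

On an INN host the call would be `check_nnrpd_cert /usr/lib/news/lib/cert.pem news`; a non-zero exit with a message on stderr points at the same condition nnrpd or the newsreader would otherwise report only after a failed connection attempt.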
Comment 1 Roy Marples (RETIRED) gentoo-dev 2007-04-07 08:26:10 UTC

*** This bug has been marked as a duplicate of bug 164601 ***