Forum OpenACS Q&A: nsssl Permission denied

Posted by Tyge Cawthon on
NaviServer 4.99.17
OS ubuntu0.18.04.1
TCL 8.6.8

Error: /www/oacs-5-9-1/log/error.log
Notice: OpenSSL OpenSSL 1.1.0g 2 Nov 2017 initialized

Error: nsssl: certificate load error from cert /home/letsencrypt/certs/a21.highlandpiping.com/server.pem: error:0200100D:system library:fopen:Permission denied

Error: modload: /usr/local/ns/bin/nsssl.so: Ns_ModuleInit returned: -1
Fatal: modload: failed to load module '/usr/local/ns/bin/nsssl.so'

Background:
Used the information here to install:
https://openacs.org/xowiki/naviserver-openacs

First time, I forgot the build command. Deleted /usr/local/ns and /var/www/oacs-5-9-1

2nd time used the build command. No errors reported.

I do have an OpenACS 5-9 currently running successfully on Ubuntu 16.x with ssl.

I have looked at all the permissions between the two systems and cannot find the problem.

Directories I compared:
/var/www/....
/usr/local/ns.....
/home/letsencrypt/....

Any suggestions where or what to look for would be greatly appreciated.

Posted by Gustaf Neumann on

The error message is from OpenSSL and is a "permission denied".

% openssl errstr 200100D
error:0200100D:system library:fopen:Permission denied

You have in your NaviServer configuration the certificate in a place which is the default of certbot. Since NaviServer is running by default with group nsadmin and user nsadmin, it has no permissions to read the certificate from there. Check the certbot documentation on [1] and search for "permissions". You might wish to provide a deploy-hook script to copy the certificate to a place where NaviServer can read it. The NaviServer plugin [2] places the certificates under "[ns_info home]/modules/nsssl" (openacs.org uses e.g. [3]). Don't forget to update the path specified by certificate in the NaviServer config file.

all the best
-g

[1] https://certbot.eff.org/docs/using.html#certbot-command-line-options
[2] https://bitbucket.org/naviserver/letsencrypt/
[3] /usr/local/ns/modules/nsssl/openacs.org.pem
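
The deploy-hook approach suggested in the reply above, as an added example that is not part of the original post or of the NaviServer letsencrypt module. It assumes certbot's standard lineage layout (fullchain.pem and privkey.pem), a single combined PEM for nsssl, and the hypothetical helper name install_cert; it publishes the renewed certificate under /usr/local/ns/modules/nsssl with owner nsadmin and mode 600:

```shell
#!/bin/sh
# Certbot deploy hook (added example): publish a renewed certificate where
# the unprivileged NaviServer user can read it.
# Assumptions: standard certbot lineage layout (fullchain.pem + privkey.pem),
# nsssl reading one PEM that holds both key and chain, and an existing
# destination directory /usr/local/ns/modules/nsssl.

# install_cert LINEAGE_DIR DEST_DIR OWNER GROUP   (hypothetical helper)
# Writes DEST_DIR/<lineage name>.pem with mode 600 and prints its path.
install_cert() {
    lineage=$1 dest_dir=$2 owner=$3 group=$4
    name=$(basename "$lineage")
    out="$dest_dir/$name.pem"

    # Refuse to publish an incomplete lineage.
    for f in privkey.pem fullchain.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done

    # Build the file privately (mktemp creates it with mode 600), then
    # rename it into place: the server never sees a partial PEM and the
    # private key is never readable by other users, even briefly.
    tmp=$(mktemp "$dest_dir/.$name.XXXXXX") || return 1
    if cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp" &&
       chown "$owner:$group" "$tmp" &&
       chmod 600 "$tmp" &&
       mv -f "$tmp" "$out"
    then
        echo "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>)
# when it runs a deploy hook; outside certbot this script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" /usr/local/ns/modules/nsssl nsadmin nsadmin
fi
```

Register the script with certbot's --deploy-hook option or place it in /etc/letsencrypt/renewal-hooks/deploy/, and point certificate in the NaviServer config file at the resulting .pem file.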

Posted by Tyge Cawthon on
Thank you for the fast reply and I appreciate your help. Still looking into this matter. When I find the root cause, I will be happy to share. Probably a user (me) problem.

Posted by Jim Lynch on
Hi, could you show the config setting in the nsssl setting, for "certificate"?

After I get that, I'll have another command to run. You're running this on linux or other unix-alike?

-Jim

Posted by Tyge Cawthon on
FYI - The error was caused by me not typing the NaviServer start command line properly.

Here is the correct command:
sudo /usr/local/ns/bin/nsd -t /usr/local/ns/config-5-9.tcl -u nsadmin -g nsadmin -b xxx.yyy.a.ccc:80,xxx.yyy.a.ccc:443

Notice no space between the port 80 and the comma.

I had a space between the port and the comma that was causing the problem.

proper: :80,xxx
not proper: :80 ,xxx

Posted by Iuri Sampaio on
Hi Tyge,
You may like to read about systemctl.

Furthermore, there's good information at: http://project-open.com/en/install-debian-stretch

There, you can easily automate NaviServer startup.

Create a new file /lib/systemd/system/oacs.service with the following content:

[Unit]

Description=NaviServer Web Server as user OACS
After=postgresql.service network.target
Wants=postgresql.service

[Service]
Type=forking
PIDFile=/var/www/oacs/log/nsd.pid

# Absolute path to rm: older systemd versions reject a bare command name
ExecStartPre=/bin/rm -f /var/www/oacs/log/nsd.pid
ExecStart=/usr/local/ns/bin/nsd -t /var/www/oacs/etc/config.tcl -u nsadmin -g nsadmin
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s 9 $MAINPID

Restart=always
# Restart=on-abort
# Restart=on-abnormal

KillMode=process

[Install]
WantedBy=multi-user.target

Please execute the following commands in order to activate the configuration:

systemctl daemon-reload
systemctl enable oacs.service
systemctl start oacs.service

You can check that NaviServer is running by monitoring its error file (debugging is switched on by default):
tail -f /var/www/oacs/log/error.log