Forum OpenACS Q&A: nsssl Permission denied

Posted by Tyge Cawthon on 12/17/18 03:19 AM

NaviServer 4.99.17
OS ubuntu0.18.04.1
TCL 8.6.8

Error: /www/oacs-5-9-1/log/error.log
Notice: OpenSSL OpenSSL 1.1.0g 2 Nov 2017 initialized

Error: nsssl: certificate load error from cert /home/letsencrypt/certs/a21.highlandpiping.com/server.pem: error:0200100D:system library:fopen:Permission denied

Error: modload: /usr/local/ns/bin/nsssl.so: Ns_ModuleInit returned: -1
Fatal: modload: failed to load module '/usr/local/ns/bin/nsssl.so'

Background:
used the information here to installed:
https://openacs.org/xowiki/naviserver-openacs

First time, I forgot the build command. Deleted /usr/local/ns and /var/www/oacs-5-9-1

2nd time used the build command. No errors reported.

I do have a OpenACS 5-9 running currently successfully using Ubuntu 16.x with ssl

I have looked at all the permissions between the two systems and cannot find the problem.

Directories I compared:
/var/www/....
/usr/local/ns.....
/home/letsencrypt/....

Any suggestions where or what to look for would be greatly appreciated.

2: Re: nsssl Permission denied (response to 1)

Posted by Gustaf Neumann on 12/17/18 09:12 AM

The error message is from OpenSSL and is a "permission denied".

% openssl errstr 200100D
error:0200100D:system library:fopen:Permission denied

You have in your NaviServer configuration the certificate on a place which is the default of certbot. Since NaviServer is running per default with group nsadmin and user nsadmin it has no permissions to read the certificate from there. Check the certbot documentation on [1] and search for "permissions". You might wish to provide a deploy-hook-script to copy the certificate to a place where NaviServer can read it. The NaviServer plugin [2] places the certificates under "[ns_info home]/modules/nsssl" (openacs.org uses e.g. [3]). Don't forget to update the path specified by certificate in the NaviServer config file.

all the best
-g

[1] https://certbot.eff.org/docs/using.html#certbot-command-line-options
[2] https://bitbucket.org/naviserver/letsencrypt/
[3] /usr/local/ns/modules/nsssl/openacs.org.pem

3: Re: nsssl Permission denied (response to 1)

Posted by Tyge Cawthon on 12/18/18 08:32 PM

Thank you the fast reply and I appreciate your help. Still looking into this matter. When I find the root cause, I will be happy to share. Probably a user (me) problem.

4: Re: nsssl Permission denied (response to 1)

Posted by Jim Lynch on 12/21/18 04:37 PM

Hi, could you show the config setting in the nsssl setting, for "certificate"?

After I get that, I'll have another command to run. You're running this on linux or other unix-alike?

-Jim

5: Re: nsssl Permission denied (response to 1)

Posted by Tyge Cawthon on 01/11/19 10:17 PM

FYI - The error was caused by me not typing the NaviServer start command line properly.

Here is the correct command:
sudo /usr/local/ns/bin/nsd -t /usr/local/ns/config-5-9.tcl -u nsadmin -g nsadmin -b xxx.yyy.a.ccc:80,xxx.yyy.a.ccc:443

Notice no space between the port 80 and the command.

I had a space between the port and the comma that was causing the problem.

proper ;80,xxx
not proper: ;80 ,xxx

6: Re: nsssl Permission denied (response to 1)

Posted by Iuri Sampaio on 01/13/19 02:37 AM

Hi Tyge,
You may like to read about systemctl.

Furthermore, there's good information at: http://project-open.com/en/install-debian-stretch

There, you can easily automate NaviServer startup.

Create a new file /lib/systemd/system/oacs.service with the following content:

[Unit]

Description=NaviServer Web Server as user OACS
After=postgresql.service network.target
Wants=postgresql.service

[Service]
Type=forking
PIDFile=/var/www/oacs/log/nsd.pid

ExecStartPre=rm -f /var/www/oacs/log/nsd.pid
ExecStart=/usr/local/ns/bin/nsd -t /var/www/oacs/etc/config.tcl -u nsadmin -g nsadmin
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s 9 $MAINPID

Restart=always
# Restart=on-abort
# Restart=on-abnormal

KillMode=process

[Install]
WantedBy=multi-user.target

Please execute the following commands in order to activate the configuration:

systemctl daemon-reload
systemctl enable oacs.service
systemctl start oacs.service
You can check that NaviServer is running by monitoring it's error file (debugging is switched on by default):
tail -f /var/www/oacs/log/error.log