Archive for April, 2009

stunnel4

Tuesday, April 7th, 2009

I got some annoying error messages and my newly set up stunnel4 stopped working.
And this was all connected somehow. First I will describe the individual errors and warnings and their solutions.

1) Correct permissions on the certificate file
Part of my config in /etc/stunnel/stunnel.conf:

cert = /etc/stunnel/stunnel.pem
setuid = stunnel4
setgid = stunnel4

With permissions that are too restrictive (file owned by root:root and not readable by others) stunnel could not read the file, because it is running as user stunnel4:

LOG3[…]: Error reading certificate file: /etc/stunnel/stunnel.pem

With permissions that are too loose (644 or more permissive) others could read the secret key:

LOG4[…]: Wrong permissions on /etc/stunnel/stunnel.pem

The permissions that give neither the warning nor the read error are, for me:
-rw------- 1 stunnel4 stunnel4 3458 17. Jan 14:52 /etc/stunnel/stunnel.pem
Set them with:
chown stunnel4:stunnel4 /etc/stunnel/stunnel.pem
chmod 400 /etc/stunnel/stunnel.pem
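The two failure modes above (unreadable for the service user, or readable by group/other) can be checked before restarting the service. The following is an added example, not part of the original post or of stunnel itself; it assumes GNU coreutils stat (Linux) and takes the path and the service user name as arguments:

```shell
# Added example (not from the original post): verify that a stunnel
# cert/key file is readable by the service user and by nobody else.
# Assumes GNU coreutils `stat`. Return codes:
#   0 = fine
#   1 = service user cannot read it   (stunnel: "Error reading certificate file")
#   2 = group or other can access it  (stunnel: "Wrong permissions on ...")
check_cert_perms() {
    file=$1
    svc_user=$2
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")          # octal mode without leading zeros, e.g. 400, 640
    owner_bits=$(( mode / 100 % 10 ))     # the owner digit of the mode
    rest_bits=$(( mode % 100 ))           # the group and other digits
    if [ "$rest_bits" -ne 0 ]; then
        echo "$file: mode $mode lets group/other reach the key; fix: chmod 400 $file"
        return 2
    fi
    # Only the owner may read the file, so the owner must be the service
    # user and the owner read bit (4) must be set.
    if [ "$owner" != "$svc_user" ] || [ $(( owner_bits & 4 )) -eq 0 ]; then
        echo "$file: owner $owner, mode $mode is unreadable for $svc_user; fix: chown $svc_user $file; chmod 400 $file"
        return 1
    fi
    echo "$file: owner $owner, mode $mode is fine for $svc_user"
    return 0
}

# Usage: check_cert_perms /etc/stunnel/stunnel.pem stunnel4
if [ $# -ge 2 ]; then
    check_cert_perms "$1" "$2"
fi
```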

2) logrotate becomes a zombie and ps aux shows:
root 24126 24125 0 06:25 ? 00:00:00 /bin/sh -c test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
root 24129 24126 0 06:25 ? 00:00:00 run-parts --report /etc/cron.daily
root 24169 24129 0 06:28 ? 00:00:00 [logrotate]

The error is somehow connected to logrotate. It seems to hang if there is output on STDERR from a restarted service.
The solution is to add a simple "2>&1" to the postrotate entry of logrotate in
/etc/logrotate.d/stunnel4:

/var/log/stunnel4/*.log {
daily
missingok
rotate 356
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
/etc/init.d/stunnel4 restart > /dev/null 2>&1
endscript
}

Another solution would be to set up stunnel correctly so that it does not print any errors when started with /etc/init.d/stunnel4 start.
After that you have to restart stunnel to get rid of the zombie logrotate process.

3) stunnel did not accept a connection it previously had accepted. The log entry is:
LOG3[…]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

This error was gone when I restarted stunnel to solve error 2. This is all somehow connected:
- The error starts with the permissions on the cert file.
- This leads to output on STDERR when logrotate is started.
- This in turn leads to a logrotate zombie.
- And because logrotate is a zombie, anacron is blocked and no longer working.
- I think the failed SSL acceptance has its source somewhere behind the restart by logrotate or the wrong file permissions, which had their first effect after the restart.