Solved ssl-cert group

Hi FreeBSD masters and daemons. I just installed the mail/cyrus-imapd34 mail server and am going to set it up according to its manual:
If your installation uses system locations for things like SSL certificates (i.e. /etc/ssl/certs /etc/ssl/private), then you should also add the cyrus user to the appropriate group to gain access to the PKI files. On Debian/Ubuntu systems, for example, this group is ssl-cert:
usermod -aG ssl-cert cyrus
I am wondering why there is no such group named ssl-cert nor anything similar in /etc/group, while /usr/local/etc/ssl with cert.pem and /etc/ssl/certs with links to many certs in /usr/share/certs/trusted have existed here since FreeBSD 13.0-RELEASE-p8 installation time.

Should I follow the port's manual and create GID ssl-cert with UID cyrus?
# pw groupadd ssl-cert
# pw groupmod ssl-cert -M cyrus
 
Philip B. D. "Digital" also suggests a group named 'pki' to permit key access:
pw groupmod pki -M cyrus

Don't both 'pki' and 'ssl-cert' serve the same purpose? Are they just arbitrary group names? Neither of them is present in a fresh FreeBSD.
 
Cyrus IMAP works smoothly, together with Cyrus SASL authentication, SSL and STARTTLS encryption, OpenDKIM, OpenSPF and OpenDMARC milters. Encryption of default webserver, MX server, and Webmin are all certified by the same TLS certificate (from ZeroSSL CA).

Let's Encrypt issued another cert for a (still empty) virtual host of the Nextcloud suite. Then I installed Nextcloud v24 (by its web installer). Installation, creation of and connection to the MySQL database were successful, although it ended with a weird error message:

Code:
Something is wrong with your openssl setup: error:0200100D:system library:fopen: Permission denied, …
RuntimeException","Message":"OpenSSL reported a problem","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":91,"function":"newToken", ...

Where is the right place for PKI files? What are their required permissions? Where can I find docs about public key infrastructure: management, default settings, best practices? I have read the “OpenSSL Cookbook”, the FreeBSD Handbook (14. Security: 14.6 OpenSSL), FreeBSD man openssl, etc.
 
Noticed one item in a daily security report:
Checking for packages with mismatched checksums:
ca_root_nss-3.76: missing file /etc/ssl/cert.pem
No such file cert.pem in /etc/ssl directory — who needs it? For what purpose?

ca_root_nss-3.76 apparently means a bundle of public X.509 CA root certificates /usr/local/share/certs/ca-root-nss.crt, which is extracted from nss-3.76

I have also put another bundle of CA root certs to /etc/ssl/ca-bundle.crt with cacert.pem, extracted from Mozilla's nss library.
 
Are they just arbitrary group names?
They are, there's nothing 'special' about these names.

No such file cert.pem in /etc/ssl directory — who needs it? For what purpose?

ca_root_nss-3.76 apparently means a bundle of public X.509 CA root certificates /usr/local/share/certs/ca-root-nss.crt, which is extracted from nss-3.76
Code:
root@molly:~ # ll /etc/ssl/cert.pem
lrwxr-xr-x  1 root  wheel  43 May 30 03:20 /etc/ssl/cert.pem@ -> ../../usr/local/share/certs/ca-root-nss.crt
root@molly:~ # pkg which /etc/ssl/cert.pem
/etc/ssl/cert.pem was installed by package ca_root_nss-3.78
 
Thanks a lot for the hint, dear SirDice! The link really makes sense here. I am going to refresh ca_root_nss package and will try to reinstall Nextcloud then.
 
Unfortunately, the same refusal, with the same words and codes, in two long lines.

nxc-installed.png


nxcloud-2401.png

Code:
{"reqId":"QW5LQZBraxkikLcYosIs","level":3,"time":"2022-06-15T11:00:40+00:00","remoteAddr":"88.223.203.93","user":"pacas","app":"no app in context","method":"POST","url":"/index.php","message":"Something is wrong with your openssl setup: error:0200100D:system library:fopen:Permission denied, error:2006D002:BIO routines:BIO_new_file:system lib, error:0E078002:configuration file routines:def_load:system lib, error:0200100D:system library:fopen:Permission denied, error:2006D002:BIO routines:BIO_new_file:system lib, error:0E078002:configuration file routines:def_load:system lib","userAgent":"Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101 Firefox/91.0","version":"24.0.1.1"}
{"reqId":"QW5LQZBraxkikLcYosIs","level":3,"time":"2022-06-15T11:00:40+00:00","remoteAddr":"88.223.203.93","user":"pacas","app":"index","method":"POST","url":"/index.php","message":"OpenSSL reported a problem","userAgent":"Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101 Firefox/91.0","version":"24.0.1.1","exception":{"Exception":"RuntimeException","Message":"OpenSSL reported a problem","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":91,"function":"newToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->"},{"file":"/usr/local/www/nextcloud/lib/private/User/Session.php","line":678,"function":"generateToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/local/www/nextcloud/lib/private/Setup.php","line":437,"function":"createSessionToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/local/www/nextcloud/core/Controller/SetupController.php","line":74,"function":"install","class":"OC\\Setup","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/local/www/nextcloud/lib/base.php","line":956,"function":"run","class":"OC\\Core\\Controller\\SetupController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/usr/local/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/usr/local/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","Line":356,"CustomMessage":"--"}}
 
Are you using MySQL as database for NextCloud? The second error is about the creation of the token inside the database. I would check the database permissions of the user under which the NextCloud connects to the database.

Example:
NextCloud database = nc
NextCloud dbuser = nextc

mysql
CREATE DATABASE nc;
CREATE USER 'nextc'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON nc.* to 'nextc'@'localhost';
FLUSH PRIVILEGES;
quit


After installing Nextcloud from ports or pkg, change the permissions of config.php and CAN_INSTALL:

chown www:www /usr/local/www/nextcloud/config/config.php
chown www:www /usr/local/www/nextcloud/config/CAN_INSTALL


After finishing the installation via the web, it opens just fine in my test under a VM with php80.
 
Are you using MySQL as database for NextCloud?
Yes.
check the database permissions
All privileges to the database 'cloud' are granted for Nextcloud user 'cloud' (the same name).
chown www:www /usr/local/www/nextcloud/config/config.php
Both config.php and CAN_INSTALL are owned by www:wheel. The latter is readable by all, and config.php by the wheel group only (apparently because it contains a plain password). Both are readable and writable by the www daemon (640 and 644).

I will investigate config.php tuning possibilities tomorrow, thank you very much, dear VladiBG!
 
chown www:www /usr/local/www/nextcloud/config
chmod 755 /usr/local/www/nextcloud/config
chown www:www /usr/local/www/nextcloud/config/config.php
chmod 640 /usr/local/www/nextcloud/config/config.php
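The fopen: Permission denied error in the first post and the chown/chmod commands just above come down to the same question: can the web server daemon traverse every directory on the way to a file (openssl.cnf, cert.pem, config.php) and then read it? The script below is an added diagnostic, not code from the thread, from Nextcloud or from FreeBSD. It assumes the daemon runs as a user that is neither the owner nor a group member of the files (the usual case for www), so it judges the "other" permission bits; the two default paths it checks are assumed examples taken from the discussion.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): walk every directory on the way to
# a file and report whether a process running as an unrelated user (neither
# the owner nor a group member, the usual situation for the www daemon) could
# traverse the directories and read the file. It parses `ls -ld` output, whose
# first, third and fourth fields are the same on FreeBSD and GNU userland.

# perm_field PATH -> prints the 10-character permission string, e.g. drwxr-x---.
# -L follows symlinks such as /etc/ssl/cert.pem so the link target is judged.
perm_field() {
    ls -ldL "$1" | cut -c1-10
}

# owner_group PATH -> prints owner:group of PATH.
owner_group() {
    ls -ldL "$1" | awk '{ print $3 ":" $4 }'
}

# other_can PATH r|x -> succeeds when the "other" class has that permission.
other_can() {
    _m=$(perm_field "$1")
    case "$2" in
        r) [ "$(printf '%s' "$_m" | cut -c8)" = r ] ;;
        x) case "$(printf '%s' "$_m" | cut -c10)" in
               x|t) return 0 ;;
               *)   return 1 ;;
           esac ;;
        *) return 2 ;;
    esac
}

# path_readable_by_other FILE [TOP]
# Walks from FILE's directory upward, stopping before TOP (default: /, so every
# ancestor is checked). Prints the first component that would block an
# unrelated user and fails; succeeds when the file would be readable.
path_readable_by_other() {
    _target=$1
    _top=${2:-/}
    if [ ! -e "$_target" ]; then
        echo "missing: $_target"
        return 1
    fi
    _d=$(dirname "$_target")
    while [ "$_d" != "$_top" ]; do
        if ! other_can "$_d" x; then
            echo "blocked: directory $_d is $(perm_field "$_d") $(owner_group "$_d") (no search permission for others)"
            return 1
        fi
        _parent=$(dirname "$_d")
        [ "$_parent" = "$_d" ] && break   # reached the filesystem root
        _d=$_parent
    done
    if ! other_can "$_target" r; then
        echo "blocked: file $_target is $(perm_field "$_target") $(owner_group "$_target") (no read permission for others)"
        return 1
    fi
    echo "ok: $_target is readable by any local user"
    return 0
}

# Usage as it applies to the thread: the files OpenSSL opens on a default
# FreeBSD install (assumed example paths). `|| :` keeps the script's exit
# status clean when a path is missing or blocked.
for _p in /etc/ssl/openssl.cnf /etc/ssl/cert.pem; do
    path_readable_by_other "$_p" || :
done
```

A "blocked" line names the exact component to fix, which is usually a single directory missing the search bit rather than the whole tree needing to be handed to www; granting only that bit (or adding www to the owning group) is the narrower change.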
 
Neither 'openssl' => ['config' => '/etc/ssl/openssl.cnf'] nor chown www:www (instead of www:wheel) helped. I also tried a number of other config.php options — still without success.

I also read openssl.cnf and its manual — nothing important there, it should work with default settings. But I noticed a weird "No package(s) matching openssl" in answer to pkg info openssl, so I decided to sudo pkg install openssl despite /usr/bin/openssl working flawlessly. /etc/ssl/openssl.cnf was left old after installation, linked from /usr/local/openssl/@openssl.cnf. This update did not satisfy Nextcloud — the same “Something is wrong with your openssl setup…”

Oddities increased today. I tried to leave the data folder inside the Nextcloud root — which is strongly discouraged, although it is the default location. Since installation still failed, I returned the warehouse to the right place outside the Nextcloud root. And the warning about incorrect OpenSSL went away! It was replaced by an even weirder warning — “Could not detect any host in http:///data/htaccesstest.txt”:
Code:
{"reqId":"pbVkiF4Erq1p6dM96ERs","level":2,"time":"2022-06-18T12:45:32+00:00","remoteAddr":"88.223.203.93","user":"--","app":"no app in context","method":"GET","url":"/","message":"Could not detect any host in http:///data/htaccesstest.txt","userAgent":"Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101 Firefox/91.0","version":""}
{"reqId":"1LwQMBGKpEoK9G0i4sCy","level":2,"time":"2022-06-18T12:46:40+00:00","remoteAddr":"88.223.203.93","user":"--","app":"no app in context","method":"POST","url":"/index.php","message":"Could not detect any host in http:///data/htaccesstest.txt","userAgent":"Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101 Firefox/91.0","version":""}

There is no such file htaccesstest.txt, and .htaccess is placed in the data folder by the Nextcloud installer itself. It is unusual here, because HTTP requests are handled by the Hiawatha webserver; I never use Apache.

VladiBG, where else does Nextcloud store settings and private data? I am forced to change my name every time, because of "The username is already being used.", while both the Nextcloud and data directories are always wiped empty before installation. The browser cache and history were cleaned too, with a shutdown.

isbeingused.png

All such messages seem to me like false warnings, so I should rather ask the Nextcloud community for help. The required PHP extensions are installed and loaded; the installer states that it does not lack any dependencies here on FreeBSD:

nxc-depends.png
 
/etc/ssl/ must be owned by the www daemon, with all permissions — a requirement documented nowhere, found through much trial and error. Nextcloud finally works properly, thanks for the help.