Use obhttpd with TLS

[pirmd]

I have www/obhttpd installed and working perfectly with static files.

I now like to add tls support to this working static site but it fails with the following error message:

# obhttpd -d -v
startup
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
logger exiting, pid 7050
lost child: pid 7047 terminated; signaled 11
server exiting, pid 7049
server exiting, pid 7048
parent terminating, pid 7046

I'm runing obhttpd installed from pkg (version obhttpd-6.3.20180803_2) in a jail running 11.2-STABLE.
obhttpd.conf is:

chroot "/mnt/www"

server "default" {
    listen on "*" port 80
    listen on "*" tls port 443
    tls {
        key "/etc/ssl/private/server.key"
        certificate "/etc/ssl/server.cert"
    }
    root "/htdocs/mysite"
}

 

[Martin Paredes]

I may be wrong, but, Did you mount devfs inside chroot?

 

[pirmd]

Thank you Martin for your input. Unfortunatly it doesn't seem to help.

 

[Martin Paredes]

I use obhttpd, but without TLS, review the log file to see if there are more clues (it's inside the chroot, in /mnt/www/logs/error.log).

Is httpd allowed to read TLS files?

# ls -lhart /etc/ssl/server.crt
# ls -lhart /etc/ssl/private/server.key

The obhttp.conf(5) specify that the key file is outside chroot, maybe the certificate file should be inside the chroot ls -lhart /mnt/www/etc/ssl/server.crt

 

[pirmd]

For some reason, /mnt/www/logs/error.log is empty.

I've tried several configurations for permissions of the different TLS files: own by root and world readable, owned by www (which is the obhttpd user) and only readable by it.

Adding server.crt inside the root does not change the behavior nor the error messages.

I've discovered that verbose level for obhttpd can be increase, if it can help, here is what I get at this point of time:

startup
server_tls-load_keypair: using certificate /mnt/www/ssl/server.crt
socket_rlimit: max open files 290043
server_tls_load_keypair: using key /etc/ssl/private/server.key
server_tls-load_keypair: using certificate /mnt/www/ssl/server.crt
server_tls_load_keypair: using key /etc/ssl/private/server.key
server_privinit: adding server default
socket_rlimit: max open files 290043
socket_rlimit: max open files 290043
server_privinit: adding server default
server_privinit: adding server default
config_setserver_tls: configuring tls for default
server_privinit: adding server default
config_setserver_tls: configuring tls for default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_tls_init: setting up tls for default
server_tls_init: failed to initialise tls
server_launch: running server default
server_launch: configuring server default
server_tls_init: setting up tls for default
server_tls_init: failed to initialise tls
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_tls_init: setting up tls for default
server_tls_init: failed to initialise tls
server_launch: running server default
server_launch: configuring server default
server_tls_init: setting up tls for default
server_tls_init: failed to initialise tls
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_tls_init: setting up tls for default
server_tls_init: failed to initialise tls
server_launch: running server default
server_launch: configuring server default
server_tls_init: setting up tls for default
server_tls_init: failed to initialise tls
server_launch: running server default

 

[justinnoor]

I had a similar issue and never figured it out. I suspect it was the usual OpenSSL/LibreSSL dilemma, but I can’t prove it. I built obhttpd from ports with LibreSSL, and it wouldn’t work unless I disabled TLS. I am planning to try it again, but if it doesn’t work I’m switching to Nginx or Lighttpd with OpenSSL. Overall I’ve had better luck avoiding LibreSSL on FreeBSD. Nobody can deny the ugly aspects of OpenSSL, but I do not know anyone who has been a victim of the heart bleed, or experienced any other catastrophes with OpenSSL.

 

[jgod]

Did the latest patch fix it?

 

[SirDice]

but I do not know anyone who has been a victim of the heart bleed, or experienced any other catastrophes with OpenSSL.

As long as you follow some basic rules (disable old SSL versions, tweak some options) then you won't be vulnerable. You can test your SSL here: https://www.ssllabs.com/ssltest/index.html The nice thing about those tests is that they also tell you how to fix things to get an A+ rating.

 

[Dnz]

Did the latest patch fix it?

Started using OpenBSD 6.6.20191023 on FreeBSD 12.1 today and came across the same issue:

server_tls_load_keypair: using certificate /usr/local/etc/letsencrypt/live/www.domain.com/fullchain.pem
server_tls_load_keypair: using private key /usr/local/etc/letsencrypt/live/www.domain.com/privkey.pem
server_privinit: adding server www.domain.com
socket_rlimit: max open files 116739
socket_rlimit: max open files 116739
socket_rlimit: max open files 116739
server_privinit: adding server www.domain.com
config_setserver_tls: configuring tls for www.domain.com
server_launch: configuring server www.domain.com
server_launch: configuring server www.domain.com
server_launch: running server www.domain.com
server_launch: running server www.domain.com
server_launch: configuring server www.domain.com
server_launch: configuring server www.domain.com
server_tls_init: setting up tls for www.domain.com
server_tls_init: setting up tls for www.domain.com
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
server_launch: running server www.domain.com
server_launch: running server www.domain.com
server_launch: configuring server www.domain.com
server_launch: running server www.domain.com
server_launch: configuring server www.domain.com
server_tls_init: setting up tls for www.domain.com
server_tls_init: failed to initialise tls
server_launch: running server www.domain.com
logger exiting, pid 34456
lost child: pid 34453 terminated; signal 11
server exiting, pid 34454
server exiting, pid 34455
parent terminating, pid 34452

So I guess the patch fixed another issue?

 

[Little Joe]

I have also noticed this problem, with the same or nearly similar log output reported above. Forgive me for what is probably not a reply to the actual meat of the original post, but I have worked around this problem by having stunnel listen on port 443 and directing that traffic to localhost:80. I do notice some peculiar behavior with this arrangment, namely URLs ending on a dir but without the trailing "/" eventually time out. I'm assuming this is more related to stunnel than to obhttpd -- anyway, some location matches and accompanying block returns in obhttpd.conf seem to solve that issue. This issue does not appear on this machine on direct to obhttpd unencrypted connections (with our without the matches and returns), and does not happen on my more conventional httpd setup on an OpenBSD box (in which tls works perfectly well in httpd). All that said, I do this in a proof-of-concept/dev/test environment, and would probably not take this arrangement to production.

 

[koue]

The issue is caused by statically linked LibreSSL. I've submitted patch: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249894
As obhttpd port maintainer I'm encouraging you to contact me directly if there are issues. I found this thread by accident.