[dnsdist] Permission denied - SSL certificates

Remi Gacogne remi.gacogne at powerdns.com
Fri May 15 09:10:41 UTC 2020


Hi Mark,

On 5/15/20 11:03 AM, Mark Smith via dnsdist wrote:
> It sounds like a trivial problem, but I just can't get to the bottom of
> it. I am getting errors as shown below when restarting dnsdist after
> upgrading to the latest build (1.5rc2)
> 
> May 15 08:13:40 resolver dnsdist[871574]:
> 140035959995712:error:0200100D:system library:fopen:Permission
> denied:../crypto/bio/bss_file.c:288:fopen('/etc/ssl/pri>
> May 15 08:13:40 resolver dnsdist[871574]:
> 140035959995712:error:20074002:BIO routines:file_ctrl:system
> lib:../crypto/bio/bss_file.c:290:
> May 15 08:13:40 resolver dnsdist[871574]:
> 140035959995712:error:140B0002:SSL
> routines:SSL_CTX_use_PrivateKey_file:system lib:../ssl/ssl_rsa.c:540:
> May 15 08:13:40 resolver dnsdist[871574]: Fatal error: An error
> occurred while trying to load the TLS server private key file:
> /etc/ssl/private/server.key
> May 15 08:13:40 resolver systemd[1]: dnsdist.service: Main process
> exited, code=exited, status=1/FAILURE
> 
> The obvious would be that something is wrong with permissions of those
> files, but I can't see the issue.
> 
> The system runs fine using build 1.4
> All I did was to add the repo to the sources list and do a
> update/upgrade.
> On restart we get the above from journalctl -xe
> 
> extract of config file is
> addTLSLocal("0.0.0.0", "/etc/ssl/certs/server.crt",
> "/etc/ssl/private/server.key")
> addTLSLocal("[::]", "/etc/ssl/certs/server.crt",
> "/etc/ssl/private/server.key")
> 
> Looking at that private key;
> 
>  ls -l /etc/ssl/private/
> 
> -rw-rw-rw- 1 root root 1679 Apr 26 23:35 server.key
> 
> Which looks fine.
> 
> Runs okay using the same config and version 1.4 (running on Ubuntu
> 20.04LTS)
> Anyone have any ideas? Looks like the above errors are coming from the
> code within dnsdist.
> 
> Note: If I uninstall 1.5rc2, and reinstall 1.40 it seems to run fine.

That comes from dnsdist 1.5-rc2 not being started as root anymore, and
therefore likely not being able to enter the /etc/ssl/private directory.
Please read the upgrade guide at [1].

Several options exist there, you could copy the necessary files in
/etc/dnsdist and set the ownership of these files to dnsdist, or perhaps
the dnsdist user could be added to the group owning the /etc/ssl/private
directory (ssl-cert on Debian, if I'm not mistaken), for example.

[1]: https://dnsdist.org/upgrade_guide.html#to-1-5-x

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
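The error in the question is raised on the directory, not on the key: a non-root caller needs search (x) permission on every directory above a file before the file's own mode is ever consulted, and on Debian and Ubuntu /etc/ssl/private defaults to 0710 root:ssl-cert, so 0666 on server.key is irrelevant for the dnsdist user. The script below is an added example, not part of this thread and not dnsdist's own code: it walks a constructed directory tree (modes, owners and groups are made up to mirror the thread, plus a hypothetical /etc/dnsdist copy of the key for Remi's first option) and reproduces the kernel's owner/group/other decision for a given user, so the refused component is reported before the service is restarted. The user name `dnsdist` and the group name `ssl-cert` are assumed from the reply; `probe_path` is only a convenience for running the same walk against a live Linux host with GNU stat. One caveat the listing in the question suggests: a key at 0666 is readable and writable by every local account, which does not matter while the 0710 directory guards it but does the moment it is copied somewhere more open, so the copied-key scenario below assumes 0640 with the service user as group owner.

```shell
#!/bin/sh
# Added example (not from the thread or from dnsdist): reproduce the
# permission walk a non-root dnsdist 1.5 performs to reach its TLS key.

# can_access MODE OWNER GROUP USER GROUPS NEED
# Evaluate one path component for USER (supplementary GROUPS is a
# space-separated list): pick the owner, group or other digit of MODE and
# test the NEED bit (1 = search a directory, 4 = read a file).
can_access() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5 need=$6
    # root bypasses discretionary checks, which is why 1.4 (run as root)
    # never noticed the 0710 directory.
    [ "$user" = root ] && return 0
    perm=${mode#"${mode%???}"}            # last three octal digits
    if [ "$user" = "$owner" ]; then
        digit=${perm%??}                  # owner digit
    else
        case " $groups " in
            *" $group "*) t=${perm#?}; digit=${t%?} ;;   # group digit
            *)            digit=${perm#??} ;;           # other digit
        esac
    fi
    [ $(( digit & need )) -ne 0 ]
}

# Constructed tree (hypothetical values chosen to mirror the thread):
# path mode owner group. /etc/dnsdist/server.key stands for Remi's first
# option, a copy of the key owned by the service user.
fake_tree() {
    cat <<'EOF'
/etc 0755 root root
/etc/ssl 0755 root root
/etc/ssl/private 0710 root ssl-cert
/etc/ssl/private/server.key 0666 root root
/etc/dnsdist 0755 root root
/etc/dnsdist/server.key 0640 dnsdist dnsdist
EOF
}

# check_access USER GROUPS FILE
# Walk every ancestor directory of FILE (needs search) and then FILE itself
# (needs read). On the first refusal print the offending component and
# return 1; return 0 only when the whole chain is permitted.
check_access() {
    user=$1 groups=$2 target=$3
    while read -r p m o g; do
        [ -n "$p" ] || continue
        if [ "$p" = "$target" ]; then
            need=4
        else
            case "$target" in "$p"/*) need=1 ;; *) continue ;; esac
        fi
        if ! can_access "$m" "$o" "$g" "$user" "$groups" "$need"; then
            echo "$user: denied at $p ($m $o:$g)"
            return 1
        fi
        if [ "$p" = "$target" ]; then
            echo "$user: can read $target"
            return 0
        fi
    done <<EOF
$(fake_tree)
EOF
    echo "$user: $target not in tree"
    return 1
}

# probe_path FILE: the same per-component listing on a live host
# (Linux/GNU stat). Compare its output against the constructed tree above.
probe_path() {
    p=$1
    while [ -n "$p" ] && [ "$p" != / ]; do
        stat -c '%a %U %G %n' "$p" 2>/dev/null || echo "? ? ? $p"
        p=${p%/*}
        [ -n "$p" ] || p=/
    done
}

# 1.5 drops root: dnsdist, member of its own group only, is stopped at
# /etc/ssl/private before server.key is opened.
check_access dnsdist "dnsdist" /etc/ssl/private/server.key || true
# Remi's second option, the group route: usermod -a -G ssl-cert dnsdist
check_access dnsdist "dnsdist ssl-cert" /etc/ssl/private/server.key
# Remi's first option: a copy under /etc/dnsdist owned by dnsdist, 0640,
# readable by the service but not by other local accounts.
check_access dnsdist "dnsdist" /etc/dnsdist/server.key
check_access nobody "nogroup" /etc/dnsdist/server.key || true

[ "${1:-}" = --probe ] && probe_path "$2"
```

Run it as `sh check_key_access.sh` for the constructed scenarios, or `sh check_key_access.sh --probe /etc/ssl/private/server.key` on the affected host to print the real mode, owner and group of each component; the first line whose mode denies search to the dnsdist user (directly or through a group) is the one the fopen error is about, and after `usermod -a -G ssl-cert dnsdist` the service must be restarted for the new group to apply.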
