Roger Price
2018-Jul-04 12:40 UTC
[Nut-upsuser] Invalid directive CERTFILE /etc/nut/keys/gold.pem on Debian stretch
I tried adding SSL/TLS support to NUT following the User Manual chapter 9.5 "Configuring SSL". I got as far as generating a self-signed private key and a certificate (public key) in a single file gold.pem which has the form

  -----BEGIN CERTIFICATE-----
  MIID3DCCA...
  -----END CERTIFICATE-----
  -----BEGIN PRIVATE KEY-----
  MIIEvQIBA...
  -----END PRIVATE KEY-----

I updated upsd.conf to

  # upsd.conf
  LISTEN 0.0.0.0 3493
  CERTFILE /etc/nut/keys/gold.pem

but when I restart nut-server.service I get the message

  Jul 04 10:49:05 maria upsd[4744]: upsd.conf: invalid directive CERTFILE /etc/nut/keys/gold.pem
  Jul 04 10:49:05 maria upsd[4744]: listening on 0.0.0.0 port 3493

My first reaction was to check the spelling of CERTFILE, but it looks ok. I then checked that nut 2.7.4 on Debian is compiled with SSL/TLS support

  DEB_CONFIGURE_EXTRA_FLAGS := --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
                               --with-ssl --with-nss \
                               --with-cgi \
                               ...

so now I'm stuck for ideas. Any suggestion would be much appreciated.

Roger
Roger Price
2018-Jul-07 10:47 UTC
[Nut-upsuser] Invalid directive CERTFILE /etc/nut/keys/gold.pem on Debian stretch
On Wed, 4 Jul 2018, Roger Price wrote:

> I tried adding SSL/TLS support to NUT following the User Manual chapter 9.5
> "Configuring SSL".

> Jul 04 10:49:05 maria upsd[4744]: upsd.conf: invalid directive CERTFILE
> /etc/nut/keys/gold.pem

I tried again with openSUSE 42.3 and could not reproduce this error. All went well and I saw the desired SSL/TLS activation:

  ● nut-server.service - Network UPS Tools - power devices information server
  Jul 07 11:01:40 titan upsd[2926]: User upsmaster at 127.0.0.1 logged into UPS [Eaton] (SSL)
  Jul 07 11:01:40 titan upsd[2926]: User upsmaster at 127.0.0.1 logged into UPS [heartbeat] (SSL)

  ● nut-monitor.service - Network UPS Tools - power device monitor and shutdow controller
  Jul 07 11:01:40 titan upsmon[2931]: Connected to localhost in SSL
  Jul 07 11:01:40 titan upsmon[2931]: Connected to localhost in SSL

It looks as if Debian has a theological problem with the OpenSSL license seen as tainting GNU GPL. See

1. Debian bug report 871951 Aug 2017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871951 "nut: Invalid SSL directives", which refers to Ubuntu bug 1014347 June 2012: https://bugs.launchpad.net/ubuntu/+source/nut/+bug/1014347 "NUT License prevents distribution of SSL-enabled builds".

2. Source file debian/nut.README.Debian says:

  SECURITY CONSIDERATIONS
  -----------------------
  ... the TCP communications between ... UNENCRYPTED. ... sniff the username and password. A version that encrypts the connection using SSL should be available someday.

Since it looks as if this will never be fixed on Debian, I suggest

* The User Manual section 9.5 should include a « Not on Debian » warning.
* The "invalid directive CERTFILE" should be changed to something like "CERTFILE, OpenSSL not available".

Roger
Charles Lepple
2018-Jul-07 19:31 UTC
[Nut-upsuser] Invalid directive CERTFILE /etc/nut/keys/gold.pem on Debian stretch
On Jul 7, 2018, at 6:47 AM, Roger Price <roger at rogerprice.org> wrote:

> * The User Manual section 9.5 should include a « Not on Debian » warning.

The section nesting is a bit deep, but further down in Section 9.5 is the following, which should work (at least, NSS appears to be linked in on Debian jessie, and the PDB indicates it is linked on stretch as well):

https://networkupstools.org/docs/user-manual.chunked/ar01s09.html#_nss_backend_usage

> * The "invalid directive CERTFILE" should be changed to something like
> "CERTFILE, OpenSSL not available".

Agreed. https://github.com/networkupstools/nut/issues/570
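A small diagnostic for the situation in this thread, added here as an illustration and not part of NUT or of any message above: it reports which TLS library the installed upsd is linked against (which decides whether CERTFILE is accepted or rejected as an invalid directive) and checks that a CERTFILE carries both PEM blocks and is not world-readable, since it holds the server's private key. The script name, the output strings and the NSS directive names CERTPATH/CERTIDENT (as I recall them from the manual's NSS section) are assumptions.

```shell
#!/bin/sh
# nut-tls-check.sh (hypothetical helper, not part of NUT)
# Usage: sh nut-tls-check.sh /sbin/upsd /etc/nut/keys/gold.pem

# tls_backend BINARY -> prints "openssl", "nss" or "none", based on the
# shared libraries the binary is linked against. A build without libssl
# rejects CERTFILE with "invalid directive", as seen on Debian stretch.
tls_backend() {
    libs=$(ldd "$1" 2>/dev/null) || { echo none; return 0; }
    case "$libs" in
        *libssl.so*)  echo openssl ;;
        *libnss3.so*) echo nss ;;
        *)            echo none ;;
    esac
}

# certfile_status FILE -> "ok", "missing", "no-cert", "no-key" or
# "world-readable". The file carries the private key, so the "other"
# read bit must be clear even when the directive itself is accepted.
certfile_status() {
    f=$1
    [ -r "$f" ] || { echo missing; return 0; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo no-cert; return 0; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || { echo no-key; return 0; }
    # column 8 of "ls -ld" output is the other-read bit
    case "$(ls -ld "$f")" in
        ???????r*) echo world-readable ;;
        *)         echo ok ;;
    esac
}

# diagnose BINARY FILE -> one line saying what upsd will do with CERTFILE
diagnose() {
    backend=$(tls_backend "$1")
    status=$(certfile_status "$2")
    case "$backend" in
        openssl) echo "upsd links OpenSSL: CERTFILE is accepted, certfile is $status" ;;
        nss)     echo "upsd links NSS only: CERTFILE is rejected as invalid; use the NSS directives (CERTPATH, CERTIDENT) instead" ;;
        *)       echo "upsd links no TLS library: SSL directives are rejected" ;;
    esac
}

if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
else
    echo "usage: $0 /path/to/upsd /path/to/certfile.pem" >&2
fi
```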