Nut upsuser - Jun 2018 - upsmon Can not initialize SSL context (letsencrypt) #563

Hello all.


Thx for the log-tip.


It was a access right violation on /etc.../letsencrypt/....cert . The folder was
own by root:root

Had to create a group nutusers including root and my nut users. After that, had
to change the chmod for the folder from 755 to 775


Now, running upsc -l

Init SSL without certificate database
850PRO

Witch is better. But still problématic wuth the init ssl database warning.


________________________________
De : Nut-upsuser <nut-upsuser-bounces+tech=rkn.ovh at
alioth-lists.debian.net> de la part de Roger Price <roger at
rogerprice.org>
Envoyé : lundi 25 juin 2018 16:54
À : nut-upsuser Mailing List
Objet : Re: [Nut-upsuser] upsmon Can not initialize SSL context (letsencrypt)
#563

On Tue, 19 Jun 2018, tech wrote:
> Jun 19 16:34:55 REDACTED upsmon[7389]: Can not initialize SSL context
> I am lost. Comments and Help welcome.
It's only a comment, but, this message comes from NUT program netssl.c

                 status = NSS_NoDB_Init(NULL);
         if (status != SECSuccess) {
                 upslogx(LOG_ERR, "Can not initialize SSL context");
                 nss_error("upscli_init / NSS_[NoDB]_Init");
                 return;
         }

which does not call PR_GetError to retrieve the error code when NSS_NoDB_Init
fails.  To find out more, you could add the PR_GetError call, complete the error
message, recompile, re-install and try again.

Roger

_______________________________________________
Nut-upsuser mailing list
Nut-upsuser at alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/nut-upsuser
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://alioth-lists.debian.net/pipermail/nut-upsuser/attachments/20180627/7ee19f4f/attachment.html>

On Wed, 27 Jun 2018, tech wrote:
> It was a access right violation on /etc.../letsencrypt/....cert . The
folder was own by root:root  
> Had to create a group nutusers including root and my nut users. After that,
had to change the chmod for the folder from 755 to 775
> 
> Now, running upsc -l
> 
> Init SSL without certificate database
> 850PRO
> 
> Witch is better. But still problématic wuth the init ssl database warning.
Without using SSL certificates, command "upsc -l" always gives me the
STDERR
message "Init SSL without certificate database". It means that the
client cannot
find the certificate, and is falling back to plaintext transmission of the 
password.  Perhaps this is not what you need.

Roger

On Jun 28, 2018, at 4:30 AM, Roger Price <roger at rogerprice.org>
wrote:
> 
> On Wed, 27 Jun 2018, tech wrote:
> 
>> It was a access right violation on /etc.../letsencrypt/....cert . The
folder was own by root:root
>> Had to create a group nutusers including root and my nut users. After
that, had to change the chmod for the folder from 755 to 775
>> Now, running upsc -l
>> Init SSL without certificate database
>> 850PRO
>> Witch is better. But still problématic wuth the init ssl database
warning.
> 
> Without using SSL certificates, command "upsc -l" always gives me
the STDERR message "Init SSL without certificate database". It means
that the client cannot find the certificate, and is falling back to plaintext
transmission of the password.  Perhaps this is not what you need.
upsc does not send a password when querying an UPS (or listing them with
"-l"). For upsmon, you can select (via FORCESSL) whether it will fall
back to plaintext if it cannot establish a SSL session.

I would definitely recommend starting with a dummy password, and using tcpdump
or Wireshark to verify that the password is not being sent in the clear.