stunnel problems on Ubuntu 14 and Linux Mint 17 - linux

I installed stunnel4 from the program manager. When I try to run stunnel on either Ubuntu 14 or Linux Mint 17, I get the message below. I have this working on CentOS 6.5 and on Mac OS X Mavericks. Not sure what to try next. Rebuilding OpenSSL is a mess, if that is even the problem.
idf#idf-ZBOX-ID42-BE ~ $ sudo stunnel
Clients allowed=500
stunnel 4.53 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running with OpenSSL 1.0.1f 6 Jan 2014
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from descriptor 3
Compression not enabled
PRNG seeded successfully
Initializing inetd mode configuration
Section stunnel: SSL server needs a certificate
str_stats: 2 block(s), 10 data byte(s), 116 control byte(s)
idf#idf-ZBOX-ID42-BE ~ $
My conf file looks like this:
idf#idf-ZBOX-ID42-BE ~ $ more /etc/stunnel/stunnel.conf
;Example stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
;cert = stunnel.pem
;key = stunnel.pem
cert = /home/idf/Downloads/cert.pem
key = /home/idf/Downloads/key.pem
fips = no
libwrap=no
;
;Protocol version (all, SSLv2, SSLv3, TLSv1)
;sslVersion = all
sslVersion = all
ciphers = ALL
;
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /home/idf/stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = cacerts.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[xxxxxxx-xxx-xxxxx]
client = yes
accept = 127.0.0.1:9099
connect= xx.xx.xx.xx:2506
; vim:ft=dosini
idf#idf-ZBOX-ID42-BE ~ $
If I uninstall the stunnel that is in the repository and replace it with this one:
https://launchpad.net/ubuntu/utopic/amd64/stunnel4/3:5.01-3
I still get the error even if I disable compression. I don't understand why it is telling me "Service [stunnel]: SSL server needs a certificate" since I am trying to use it only in client mode. Also, the other end does not need a certificate.
idf#idf-ZBOX-ID42-BE ~/Downloads $ sudo stunnel
[ ] Clients allowed=500
[.] stunnel 5.01 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
[.] Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from descriptor 3
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing inetd mode configuration
[!] Service [stunnel]: SSL server needs a certificate
idf#idf-ZBOX-ID42-BE ~/Downloads $ ps ax | grep stunnel

I just beat my way through this the other day.
You want stunnel4_5.01-3_amd64.deb; you'll have to download that, as it's not in the repos yet. I believe someone made it work with 4.53, but I didn't manage it.
https://launchpad.net/ubuntu/utopic/amd64/stunnel4/3:5.01-3
openssl 1.0.1f and libssl.1.0.0 and libssl.1.0.0:i386 1.0.1f (they're the current versions) are good. But note this from your start output:
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running with OpenSSL 1.0.1f 6 Jan 2014
I think updating stunnel as described above will sort that for you.
And the other thing you need to do is turn off compression in your stunnel.conf; none of the different types of compression I tried currently work. Hopefully that's temporary.
regards,
hth

(I'm the same guy as the user above, user3694589; I finally bothered to create an account.)
FYI, I just subscribed myself to this related bug and marked it as affecting me on launchpad.net:
https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/1315844
You might want to add yourself as well. Several minutes later, I got this email:
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: stunnel4 (Ubuntu)
Status: New => Confirmed
-- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1315844 Title: won't start with compression on
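Added example, not code from the thread or from the stunnel project: a small shell linter for the settings that matter in this thread. It applies stunnel's section rules (options before the first [section] are defaults for every service; no section at all means inetd mode, which stunnel reports as [stunnel]) and flags a server-mode service without a cert (the error in the question), a client-mode service without verify, sslVersion = all, ciphers = ALL, any compression (the answer's fix, and a CRIME-style risk in any case), and a pid path whose directory would have to exist inside the chroot. Both sample configs are constructed: the first reduces the posted config to its risky lines, the second is a hardened client-mode equivalent; the service name, the CAfile path and the 192.0.2.10 address are placeholders.

```shell
#!/bin/sh
# Added example: lint an stunnel.conf read from stdin (or from files given as args).
stunnel_conf_findings() {
    awk '
    function check_service(name,    ver, ciph) {
        if (s["client"] != "yes" && s["cert"] == "")
            print "[" name "] server mode without cert: \"SSL server needs a certificate\""
        if (s["client"] == "yes" && s["verify"] == "")
            print "[" name "] client mode without verify: the remote certificate is never checked"
        ver = tolower(s["sslversion"])
        if (ver == "all" || ver ~ /sslv[23]/)
            print "[" name "] sslVersion=" s["sslversion"] " permits SSLv2/SSLv3"
        ciph = s["ciphers"]
        if (toupper(ciph) == "ALL" || ciph ~ /NULL|EXPORT|ADH|RC4|DES/)
            print "[" name "] ciphers=" ciph " allows weak suites"
    }
    function start_section(name,    k) {
        split("", s)                    # clear the service table
        for (k in g) s[k] = g[k]        # a service inherits the global defaults
        cur = name
    }
    /^[ \t]*[;#]/ { next }              # comment line
    {
        gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        if ($0 ~ /^\[.*\]$/) {
            if (cur != "") check_service(cur)
            start_section(substr($0, 2, length($0) - 2))
            next
        }
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (cur == "") g[key] = val; else s[key] = val
    }
    END {
        if (cur != "") check_service(cur)
        else { start_section("stunnel"); check_service("stunnel") }   # no [section]: inetd mode
        comp = tolower(g["compression"])
        if (comp != "" && comp != "no")
            print "[global] compression=" g["compression"] ": TLS compression enables CRIME-style attacks (and this build will not start with it)"
        if (g["chroot"] != "" && g["pid"] ~ /^\/.+\//)
            print "[global] pid=" g["pid"] " is opened inside chroot=" g["chroot"] "; that directory must exist under the jail, a bare /stunnel4.pid avoids the problem"
    }' "$@"
}

# Constructed: the posted config reduced to the lines that produce findings.
weak_conf() {
    cat <<'EOF'
chroot = /var/run/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /home/idf/stunnel.pid
sslVersion = all
ciphers = ALL
compression = zlib
client = yes
[remote-service]
accept = 127.0.0.1:9099
connect = 192.0.2.10:2506
EOF
}

# Constructed: a client-mode config that passes every check (placeholders for CA file and peer).
hardened_conf() {
    cat <<'EOF'
chroot = /var/run/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
compression = no
client = yes
sslVersion = TLSv1.2
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
verify = 2
CAfile = /etc/stunnel/remote-ca.pem
[remote-service]
accept = 127.0.0.1:9099
connect = 192.0.2.10:2506
EOF
}

echo "== weak =="; weak_conf | stunnel_conf_findings
echo "== hardened =="; hardened_conf | stunnel_conf_findings
```

On a real host run `stunnel_conf_findings /etc/stunnel/stunnel.conf`. `verify = 2` only checks the chain against CAfile; stunnel 4.53 has no hostname check, so the CA file should contain only the CA that issued the peer's certificate.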


/var/lib/tor cannot be read: Permission denied or Couldn't create private data directory

I use google cloud shell to execute this program
Linux version
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
Tor version 0.3.5.10.
When I tried restarting Tor with "sudo service tor restart" I received an error:
[ ok ] Stopping tor daemon...done (not running - there is no /run/tor/tor.pid).
[....] Starting tor daemon...Jun 27 01:51:04.132 [warn] Directory /var/lib/tor cannot be read: Permission denied
Jun 27 01:51:04.132 [warn] Failed to parse/validate config: Couldn't create private data directory "/var/lib/tor"
Jun 27 01:51:04.132 [err] Reading config failed--see warnings above.
failed.
So I set full permissions for the tor directory:
sudo chmod -R 777 /var/lib/tor
[FAIL] Checking if tor configuration is valid ... failed!
Jun 27 01:53:59.685 [notice] Tor 0.3.5.10 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Jun 27 01:53:59.685 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 27 01:53:59.685 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jun 27 01:53:59.685 [notice] Read configuration file "/etc/tor/torrc".
Jun 27 01:53:59.688 [warn] Error setting groups to gid 114: "Operation not permitted".
Jun 27 01:53:59.688 [warn] If you set the "User" option, you must start Tor as root.
Jun 27 01:53:59.688 [warn] Failed to parse/validate config: Problem with User value. See logs for details.
Jun 27 01:53:59.688 [err] Reading config failed--see warnings above.
I use root privileges:
sudo su
[ ok ] Stopping tor daemon...done (not running - there is no /run/tor/tor.pid).
[....] Starting tor daemon...Jun 27 01:58:58.455 [warn] Directory /var/lib/tor cannot be read: Permission denied
Jun 27 01:58:58.455 [warn] Failed to parse/validate config: Couldn't create private data directory "/var/lib/tor"
Jun 27 01:58:58.455 [err] Reading config failed--see warnings above.
Is there any way that can help me solve my problem, or how can I install tor version 2.9.14?
You might have already solved the problem by now, if not I hope this can help.
Is there any way that can help me solve my problem?
OPTION 1
Let's take a look at these warnings:
[warn] Error setting groups to gid 114: "Operation not permitted".
[warn] If you set the "User" option, you must start Tor as root.
[warn] Failed to parse/validate config: Problem with User value.
To get a list of all users run cat /etc/passwd and you'll see debian-tor listed:
...
debian-tor:x:108:114::/var/lib/tor:/bin/false
...
The folder /var/lib/tor is owned by user debian-tor, so sudo -u debian-tor tor will work.
Alternatively, you can run this for your current user (or chmod 777 for all):
sudo chown -R debian-tor:debian-tor /var/lib/tor
sudo chmod 700 -R /var/lib/tor
sudo service tor restart
You actually should run tor as non-root, else you get this message:
You are running Tor as root. You don't need to, and you probably shouldn't.
OPTION 2
As the warning suggests, to see the logs for details you should check for a message in dmesg and /var/log/syslog. If you find anything, it can be AppArmor or SELinux blocking tor. Both SELinux and AppArmor provide a set of tools to isolate applications from each other to protect the host system from being compromised, so disabling them permanently is not recommended; do it only temporarily for debugging.
According to Debian SELinux support:
The Debian packaged Linux kernels have SELinux support compiled in,
but disabled by default.
Check the SELinux state with getenforce, if the output is Permissive or Disabled then you're set.
Moreover, looking at AppArmor/Progress:
Since Debian 10 (Buster), AppArmor is enabled by default.
To disable AppArmor on your system run: (reference)
sudo mkdir -p /etc/default/grub.d
echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
| sudo tee /etc/default/grub.d/apparmor.cfg
sudo update-grub
sudo reboot
There's a chance that either one is the culprit. Users have reported a similar issue here.
How can i be able to install tor version 2.9.14?
Downgrading the tor package is as simple as this:
sudo apt-get install tor=0.2.9.14
But why would you want do that?
tor v2 will be deprecated soon. You'll see warnings like:
[warn] At least one protocol listed as required in the consensus is
not supported by this version of Tor. You should upgrade. This version
of Tor will not work as a client on the Tor network. The missing
protocols are: DirCache=2 HSDir=2 HSIntro=4 Link=4-5
NB: Post on tor.stackexchange for tor related issues.
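Added example, not code from the thread or from the Tor project: a shell check that reproduces what Tor does at startup before you change any permissions. It reads the User option from torrc, confirms that account exists in the passwd file, and compares the DataDirectory's owner and mode against it, so "cannot be read: Permission denied" (wrong owner), the group/setgid warnings (User set but not started as root) and the chmod 777 detour above each map to one finding. Paths are parameters so the demo can run on constructed files; on a real host pass /var/lib/tor /etc/tor/torrc /etc/passwd.

```shell
#!/bin/sh
# Added example: tor_datadir_check DATADIR TORRC PASSWD_FILE
# Prints one line per problem and returns 1 if any were found.
tor_datadir_check() {
    dir=$1; torrc=$2; passwd=$3; rc=0
    user=$(awk '$1 == "User" { u = $2 } END { print u }' "$torrc")
    if [ -z "$user" ]; then
        echo "torrc sets no User: tor keeps the privileges of whoever starts it (root under the service script)"
        return 1
    fi
    grep -q "^$user:" "$passwd" || { echo "User $user is not in $passwd"; rc=1; }
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist; tor will try to create it as $user"
        return 1
    fi
    set -- $(ls -ld "$dir")          # e.g. drwx------ 2 debian-tor debian-tor ...
    perms=$1; owner=$3
    if [ "$owner" != "$user" ]; then
        echo "$dir is owned by $owner, not $user: expect 'Directory $dir cannot be read: Permission denied'"
        rc=1
    fi
    case "$perms" in
        d???------*) ;;
        *) echo "$dir has mode $perms; tor wants 0700 and rejects group/world access, so chmod 777 makes it worse"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: a torrc naming the current user and a one-line passwd file for it.
demo_tor_check() {
    d=$(mktemp -d); rc_file=$(mktemp); pw=$(mktemp); me=$(id -un)
    printf 'User %s\nDataDirectory %s\n' "$me" "$d" > "$rc_file"
    printf '%s:x:%s:%s::%s:/bin/false\n' "$me" "$(id -u)" "$(id -g)" "$d" > "$pw"
    chmod 777 "$d"; echo "-- after chmod 777:"; tor_datadir_check "$d" "$rc_file" "$pw" || :
    chmod 700 "$d"; echo "-- after chmod 700:"; tor_datadir_check "$d" "$rc_file" "$pw" && echo "ok"
    rm -rf "$d" "$rc_file" "$pw"
}
demo_tor_check
```

The fix that follows from the findings is the one the answer gives: make debian-tor own the directory, keep it 0700, and let the service script (running as root) drop to that user.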

Slurm and Munge "Invalid Credential"

I'm installing slurm for the first time. I've installed the 19.05.1-2 tarball and used the configurator to make a very simple two node cluster. Control node is sdc, compute nodes (running slurmd) are sdc and sdc1. Both rebuilt with Ubuntu 18.04
I can start the controller, and the compute node sdc and also successfully submit jobs with srun. That's great. However, when I start slurmd on the second node, SDC1, I get:
slurmd: error: Unable to register: Zero Bytes were transmitted or received
That quickly led me to my munge configuration. Munge.log on the controller (sdc) shows "Invalid credential" every second. I triple checked that munge.key on both hosts are identical. I verified that ntp is running too.
So by hand I did munge -s foobar | unmunge on SDC1 and of course that worked locally. Then I saved the munged text from SDC1 to a file on SDC and tried unmunge. That did give me the error "Invalid credential" again.
Because of this I uninstalled and reinstalled munge on both systems, distributed the key and repeated that test with the same result.
I guess I'm missing something simple. I don't know what else to do to properly install munge.
It was UID/GID mismatch between nodes. Of course it's mentioned in the installation guide.
Did you remember to restart the munge daemon after copying the munge.key to /etc/munge? I got the same error doing
1: install slurm:
$ apt install -y slurm-client
2: copy slurm.conf
(perhaps create slurm-llnl beforehand):
$ cp slurm.conf /etc/slurm-llnl
3: copy munge key to client
(munge.key copied before from slurm server/slurmctld)
$ cp munge.key /etc/munge
and then I got all the invalid credential errors and problems reported here and in other reports, including the 'Zero Bytes' error on the client side:
[CLIENT]$ sinfo
slurm_load_partitions: Zero Bytes were transmitted or received
with corresponding entries in the Slurm SERVER/slurmctld logs ala
[SERVER]$ tail /var/log/munge/munged.log
2022-12-30 22:57:23 +0100 Notice: Running on ..
2022-12-30 23:01:11 +0100 Info: Invalid credential ...
and
[SERVER]$ tail /var/log/slurm-llnl/slurmctld.log
[2022-12-30T23:01:11.440] error: Munge decode failed: Invalid credential
[2022-12-30T23:01:11.440] ENCODED: Thu Jan 01 01:00:00 1970
[2022-12-30T23:01:11.440] DECODED: Thu Jan 01 01:00:00 1970
[2022-12-30T23:01:11.440] error: slurm_unpack_received_msg: REQUEST_PARTITION_INFO has authentication error: Invalid authentication credential
[2022-12-30T23:01:11.440] error: slurm_unpack_received_msg: Protocol authentication error
All of this is fixed by rebooting the client, as suggested by others here, or, slightly less intrusively, by just restarting the client munge daemon:
(CLIENT)$ sudo systemctl restart munge.service
and then munge on client / unmunge on server works, but it also fixes my main problem of getting client to see the slurm server without the dreaded 'Zero Bytes' error
[CLIENT]$ sinfo
slurm_load_partitions: Zero Bytes were transmitted or received
with server log entries
[SERVER]$ tail /var/log/slurm-llnl/slurmctld.log
...
[2022-12-30T23:17:14.017] error: slurm_unpack_received_msg: Invalid Protocol Version 9472 from uid=-1 at XX.XX.XX.XX:44150
[2022-12-30T23:17:14.017] error: slurm_unpack_received_msg: Incompatible versions of client and server code
[2022-12-30T23:17:14.027] error: slurm_receive_msg [XX.XX.XX.XX:44150]: Unspecified error
And, after the munge restart, voilà:
[CLIENT] $ sinfo
PARTITION AVAIL TIMELIMIT NODES STATE NODELIST
LocalQ* up infinite 1 idle XXX
For the examples: SERVER Ubuntu 20.04, CLIENTS Ubuntu 20.04 (and 22.04, which seems to be incompatible with the SERVER slurm version, says the log).
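Added example, not code from the thread or from the MUNGE or Slurm projects: pre-flight checks for a new node covering the two causes named above, a munge.key that differs between nodes and a UID/GID mismatch for the munge and slurm accounts (munge credentials carry the sender's uid/gid, and Slurm expects the same ids on every node). The first two functions work on files copied from each node (passwd and the key), so they run offline on the constructed demo data; the round-trip function wraps the check the question did by hand and assumes ssh access to the other node.

```shell
#!/bin/sh
# Added example: munge/slurm account and key pre-flight.

# key_digest FILE: SHA-256 of munge.key; compare the value from both nodes.
key_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# compare_user_ids PASSWD_A PASSWD_B USER...: report accounts whose uid:gid differ
# between two nodes or exist on only one. Returns 1 if anything mismatches.
compare_user_ids() {
    a=$1; b=$2; shift 2; rc=0
    for u in "$@"; do
        ida=$(awk -F: -v u="$u" '$1 == u { print $3 ":" $4 }' "$a")
        idb=$(awk -F: -v u="$u" '$1 == u { print $3 ":" $4 }' "$b")
        if [ -z "$ida" ] || [ -z "$idb" ]; then
            echo "$u: present on only one node (a=${ida:-absent} b=${idb:-absent})"; rc=1
        elif [ "$ida" != "$idb" ]; then
            echo "$u: uid:gid differs (a=$ida b=$idb)"; rc=1
        fi
    done
    return $rc
}

# munge_roundtrip HOST: encode here, decode on HOST (needs ssh). Run it after every
# key copy; the remote munged must be restarted first to load the new key.
munge_roundtrip() {
    munge -n | ssh "$1" unmunge >/dev/null && echo "round trip to $1 ok"
}

# Constructed demo data: identical keys, same munge ids, a differing slurm uid on node b.
demo_munge_preflight() {
    pa=$(mktemp); pb=$(mktemp); ka=$(mktemp); kb=$(mktemp)
    printf 'munge:x:998:998::/var/lib/munge:/usr/sbin/nologin\nslurm:x:64030:64030::/var/lib/slurm:/bin/false\n' > "$pa"
    printf 'munge:x:998:998::/var/lib/munge:/usr/sbin/nologin\nslurm:x:1001:1001::/var/lib/slurm:/bin/false\n' > "$pb"
    printf 'constructed-key-bytes' > "$ka"; printf 'constructed-key-bytes' > "$kb"
    [ "$(key_digest "$ka")" = "$(key_digest "$kb")" ] && echo "munge.key identical on both nodes"
    compare_user_ids "$pa" "$pb" munge slurm || echo "fix the ids above, then restart munge and slurmd on that node"
    rm -f "$pa" "$pb" "$ka" "$kb"
}
demo_munge_preflight
```

To use it across real nodes, `scp` each node's /etc/passwd to a scratch directory and run `compare_user_ids passwd.sdc passwd.sdc1 munge slurm`; for the key, compare `key_digest /etc/munge/munge.key` output from both hosts.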

Fedora Configuration to enable TLS 1.2

I want to enable TLS 1.2 on the linux server to access third party ERP system. Please guide me through the steps and commands that I have to follow.
My Apache version: Apache/2.2.9 (Unix)
My OpenSSL version: OpenSSL 0.9.8b 04 May 2006
Thanks in advance.
Unless Fedora provides backports for TLS 1.2, the versions you mention are too old:
OpenSSL: supported since version 1.0.1
Apache httpd: introduced in 2.2.23
Anyway you can check if it actually is supported. Restrict the allowed protocols to TLS 1.2 only and try connecting with a recent browser. Edit your httpd.conf to:
SSLProtocol TLSv1.2
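Added example, not code from the thread: shell helpers that apply the thresholds the answer states (OpenSSL 1.0.1, httpd 2.2.23) to the version banners the question posted, print the httpd directives that restrict a vhost to TLS 1.2, and probe a server with the local OpenSSL the way the answer suggests. The cipher list in the directives is an assumed reasonable default rather than something from the thread, and the probe needs network access.

```shell
#!/bin/sh
# Added example: TLS 1.2 readiness checks from version banners.

numeric_version() {        # "Apache/2.2.9 (Unix)" -> 2.2.9 ; "OpenSSL 1.0.1e 11 Feb 2013" -> 1.0.1
    printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//'
}
version_ge() {             # version_ge 2.2.23 2.2.9 is true; compares up to three numeric components
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) { if (x[i] + 0 > y[i] + 0) exit 0; if (x[i] + 0 < y[i] + 0) exit 1 }
        exit 0 }'
}
openssl_supports_tls12() { version_ge "$(numeric_version "$1")" 1.0.1; }   # arg: output of `openssl version`
httpd_supports_tls12()   { version_ge "$(numeric_version "$1")" 2.2.23; }  # arg: the Apache version banner

# Directives for the SSL vhost: drop every protocol, then allow only TLS 1.2.
httpd_tls12_directives() {
    cat <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
EOF
}

# probe_tls12 HOST PORT: force a TLS 1.2 handshake and confirm the negotiated protocol.
probe_tls12() {
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null | grep -q 'Protocol *: TLSv1.2'
}

for banner in "OpenSSL 0.9.8b 04 May 2006" "OpenSSL 1.0.1e 11 Feb 2013"; do
    if openssl_supports_tls12 "$banner"; then echo "$banner: TLS 1.2 capable"; else echo "$banner: too old"; fi
done
httpd_supports_tls12 "Apache/2.2.9 (Unix)" || echo "Apache/2.2.9: too old, need 2.2.23 or later"
```

After upgrading, `probe_tls12 your.host 443` against the restricted vhost should succeed, and the same call with `-tls1` in place of `-tls1_2` should fail, which confirms the SSLProtocol line took effect.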

Initializing ldap...failed. (28416)

I am trying to configure Zimbra on my Linode (Ubuntu). It's been more than 12 continuous hours but I am unable to get it configured correctly. I have followed too many guides from the internet already. For the last try, I was trying this: Configure Zimbra, and as usual the same error occurred. This is the error:
Installing Proxy SSL certificate...done.
Initializing ldap...failed. (28416)
ERROR
Configuration failed
Please address the error and re-run /opt/zimbra/libexec/zmsetup.pl to
complete the configuration.
Errors have been logged to /tmp/zmsetup05102015-071817.log
And this is the last few lines of log file:
Sun May 10 07:22:20 2015 done.
Sun May 10 07:22:20 2015 Installing LDAP SSL certificate...
Sun May 10 07:22:20 2015 *** Running as root user: /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Sun May 10 07:22:25 2015 done.
Sun May 10 07:22:25 2015 Installing Proxy SSL certificate...
Sun May 10 07:22:25 2015 *** Running as root user: /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Sun May 10 07:22:30 2015 done.
Sun May 10 07:22:30 2015 checking isEnabled zimbra-ldap
Sun May 10 07:22:30 2015 zimbra-ldap is enabled
Sun May 10 07:22:30 2015 Initializing ldap...
Sun May 10 07:22:30 2015 *** Running as zimbra user: /opt/zimbra/libexec/zmldapinit
Connection refused at /opt/zimbra/libexec/zmldapinit line 138.
Sun May 10 07:23:13 2015 failed. (28416)
Sun May 10 07:23:13 2015
ERROR
I am not sure, what can be wrong or how to fix it. If any of you have ever faced such problem and know the solution, please let me know.
Thanks
Begin by checking /tmp/zmsetup05102015-071817.log. Then, do you have any services that could prevent LDAP from starting? Moreover, are any ports already in use that would prevent this?
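Added example, not code from the thread or from Zimbra: "Connection refused" from zmldapinit means nothing answered on the LDAP port, so the two things to check are whether Zimbra's slapd came up at all and whether another listener already owns the port, which is the answer's second question. The function below reads `ss -ltnp` or `netstat -ltnp` output and prints every listener on the given ports; the sample output is constructed and shows a distro-packaged slapd already bound to 389, the classic conflict on a host that had OpenLDAP installed before Zimbra. Ports 389 and 636 are the usual LDAP/LDAPS ports; substitute whatever your install uses.

```shell
#!/bin/sh
# Added example: ldap_listeners PORT... reads listening-socket output on stdin.
ldap_listeners() {
    awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 != "LISTEN" && $1 !~ /^tcp/ { next }      # ss rows start with the state, netstat rows with the proto
    {
        port = $4; sub(/.*:/, "", port)          # local address is column 4 in both tools; port follows the last colon
        if (port in want) print "port " port " is held by: " $0
    }'
}

# Constructed sample of `ss -ltnp` output.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       128     0.0.0.0:389          0.0.0.0:*          users:(("slapd",pid=902,fd=8))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=611,fd=4))
EOF
}

sample_ss | ldap_listeners 389 636
# On the host itself, before re-running zmsetup.pl:
#   ss -ltnp | ldap_listeners 389 636
```

If the line it prints names a slapd that is not /opt/zimbra's (check the pid with `ls -l /proc/PID/exe`), stop and disable that service before re-running the setup; if nothing is printed, the Zimbra slapd is failing to start and the answer's first suggestion, the zmsetup log, is where to look.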

Error configuring Network Audio System [NAS] in RHEL 6 x64

I tried to setup NAS (Network Audio System ) in RHEL 6 by two methods:
First, by RPM install,
[root#localhost ~]# rpm -Uvh nas-1.9.2-1.el6.x86_64.rpm nas-libs-1.9.2-1.el6.x86_64.rpm
it gets installed, but I cannot find the service in /etc/init.d/ directory.
only /etc/nas/nasd.conf file gets created. And if I run the command
[root#localhost ~]# nasd
Network Audio System Release 1.9.2
Network Audio System Release 1.9.2
Init: Output open(/dev/dsp) failed: No such file or directory
Fatal server error:
could not create audio connection block info
Secondly, by Configuring latest tar-ball nas-1.9.3.src.tar.gz provided by NAS site.
but the problem is same.
Please help me to install this properly, as I want to enable audio for Qt-based applications, and Qt uses NAS for its audio functionality.
I tried very hard with NAS but did not succeed in resolving my problem.
Then I used the Phonon library to resolve the sound issue!
Thanks anyway for helping me! :)
Okay. Well, it's been a while but...
You don't have enough permissions to open the underlying socket.
me#dev $ strace -o ./nasd.txt nasd -aa -config ./nasd.conf
Network Audio System Release 1.9.3
Network Audio System Release 1.9.3
Error binding unix socket: /var/run/nasd/audio0
: Address already in use
Fatal server error:
Cannot establish unix listening socket
The appropriate bit from the strace is here:
ioctl(0, SIOCGIFCONF, {96, {{"lo", {AF_INET, inet_addr("127.0.0.1")}}, {"wlan0", {AF_INET, inet_addr("192.168.1.69")}}, {"usb0", {AF_INET, inet_addr("192.168.15.100")}}}}) = 0
umask(0) = 022
mkdir("/var/run/nasd", 0777) = -1 EEXIST (File exists)
unlink("/var/run/nasd/audio0") = -1 EPERM (Operation not permitted)
socket(PF_FILE, SOCK_STREAM, 0) = 1
bind(1, {sa_family=AF_FILE, path="/var/run/nasd/audio0"}, 22) = -1 EADDRINUSE (Address already in use)
The unlink("/var/run/nasd/audio0") = -1 EPERM (Operation not permitted) is the clue.
If we copy the nasd.conf locally, tweak the debug value to 1 and run it as root:
me#dev $ sudo nasd -aa -config ./nasd.conf
config: Maxfrags set to 3
config: Minfrags set to 2
config: Fragsize set to 256
config: Maxfrags set to 3
config: Minfrags set to 2
config: Fragsize set to 256
Network Audio System Release 1.9.3
Network Audio System Release 1.9.3
AuInitPhysicalDevices();
Init: will close device when finished with stream.
Init: will keep mixer device open.
Init: Leaving the mixer device options alone at startup.
Init: openDevice OUT /dev/snd/pcmC1D0p mode 1
Init: openDevice(1) IN /dev/snd/pcmC1D0c mode 0
setupSoundcard(...);
++ Setting up Output device (/dev/snd/pcmC1D0p)
+++ requesting wordsize of 16, got 8
+++ requesting 2 channel(s), got 1 channel(s)
+++ Requesting minimum sample rate of 5000, got 5000
+++ Requesting maximum sample rate of 44100, got 44100
setupSoundcard(...);
++ Setting up Input device (/dev/snd/pcmC1D0c)
+++ requesting wordsize of 8, got 8
+++ requesting 2 channel(s), got 1 channel(s)
+++ Requesting minimum sample rate of 4000, got 4000
+++ Requesting maximum sample rate of 44100, got 44100
initMixer: could not open output mixer device /dev/mixer: No such file or directory
Init: initMixer failed
createServerComponents(...);
closeDevice: out
closeDevice OUT /dev/snd/pcmC1D0p mode 1
closeDevice: in
closeDevice IN /dev/snd/pcmC1D0c mode 0
closeDevice: mixer
closeDevice: leaving mixer device(s) open
In my case it looks like I need to set up the mixer section, but that should nerf your error.
EDIT: initMixer: could not open output mixer device /dev/mixer: No such file or directory
This can be fixed by placing mixer ="" in the nasd.conf (even though the docs state it won't be honoured, it is)
Also: remember to set your AUDIOSERVER env variable
export AUDIOSERVER=tcp/localhost:8000
Is the default but never hurts to be certain...
Final thoughts:
By default many X servers now run with -nolisten tcp, and that could be an issue to consider in the implementation.
nmap is your friend.
And, for the record, I still haven't actually got an end-to-end system working...
Hopefully some other kind soul will jump in and point out anything I have missed.
Hope it helps.
I don't have a RHEL box, but it's probably the same permissions issue.
The docs are "thin" at best.
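Added example, not code from the thread or from the NAS project: a shell filter that turns the failing syscalls in an strace log into the plain-language causes the answer walks through, so the `unlink` EPERM / `bind` EADDRINUSE pair is read as "stale socket left by a nasd started as another user" without staring at the raw trace. The sample input reproduces the failing lines from the answer's strace and adds one assumed `open("/dev/dsp")` failure to match the question's "Output open(/dev/dsp) failed" (on an ALSA system /dev/dsp only exists when the OSS compatibility module snd-pcm-oss is loaded).

```shell
#!/bin/sh
# Added example: strace_failures reads strace output on stdin and explains each failed call.
strace_failures() {
    awk '
    /= -1 E[A-Z]+/ {
        call = $0; sub(/\(.*/, "", call)                         # syscall name
        err = $0; sub(/.*= -1 /, "", err); sub(/ .*/, "", err)  # errno symbol
        path = ""
        if (match($0, /"[^"]*"/)) path = substr($0, RSTART + 1, RLENGTH - 2)
        hint = "see errno(3)"
        if (call == "mkdir" && err == "EEXIST")
            hint = "directory already there, harmless"
        else if (call == "unlink" && err == "EPERM")
            hint = "cannot remove a file owned by another user (root) there; remove it as root or run nasd as its owner"
        else if (call == "bind" && err == "EADDRINUSE" && $0 ~ /AF_(FILE|UNIX)/)
            hint = "stale unix socket left by an earlier nasd; delete it or stop the other instance"
        else if ((call == "open" || call == "openat") && err == "ENOENT" && path ~ /^\/dev\//)
            hint = "device node missing: /dev/dsp needs the OSS module (snd-pcm-oss), or point nasd at /dev/snd/pcm*"
        else if (err == "EACCES")
            hint = "permission denied: check the owner and mode of " path
        print call "(" path ") -> " err ": " hint
    }'
}

# Constructed sample: the failing lines from the answer's trace plus an assumed open() of /dev/dsp.
sample_strace() {
    cat <<'EOF'
mkdir("/var/run/nasd", 0777)            = -1 EEXIST (File exists)
unlink("/var/run/nasd/audio0")          = -1 EPERM (Operation not permitted)
socket(PF_FILE, SOCK_STREAM, 0)         = 1
bind(1, {sa_family=AF_FILE, path="/var/run/nasd/audio0"}, 22) = -1 EADDRINUSE (Address already in use)
open("/dev/dsp", O_WRONLY)              = -1 ENOENT (No such file or directory)
EOF
}

sample_strace | strace_failures
# Real run, as in the answer:  strace -o nasd.txt nasd -aa -config ./nasd.conf; strace_failures < nasd.txt
```

The unlink/bind pair is the permissions story from the answer in two lines: /var/run/nasd/audio0 belongs to whoever ran nasd last (root), the unprivileged nasd cannot remove it, and the bind then collides with the leftover path. Remove the socket as root, or run nasd consistently as one user.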
