[Nut-upsuser] SSL only working in DEBUG mode
Melkor Lord
melkor.lord at gmail.com
Sun Mar 1 18:11:05 UTC 2015
Hi,
I spent quite some time pulling my hair out and trying to figure out why
NUT wasn't working properly with SSL enabled. I tried several approaches
until I found something interesting.
I'm using NUT 2.7.1 in Ubuntu Server 14.04 Trusty Tahr
After properly configuring a self-signed certificate with "certutil" from
libnss3-tools, there was no way to get a proper SSL connection even though
upsd didn't complain in logs.
Shell# upsc TEST
Init SSL without certificate database
Connecting in SSL to 'localhost' (no certificate name specified)
Error while connecting to localhost, disconnect
Error: Unknown error
I then tried, for the sake of understanding, to compile the package in a
test environment with OpenSSL support instead of LibNSS and it worked right
away without trouble, provided I supplied the PEM "crt + key" combo file.
Back to the regular distro packages, I really tried hard to understand what
was wrong until I managed to get it working!
Putting - UPSD_OPTIONS="-D" - in /etc/nut/nut.conf and "service nut-server
restart" (which does not detach from the shell of course) made the whole
system work! "upsmon" was happy as well as "upsc TEST" too!
Shell# upsc TEST
Init SSL without certificate database
Connecting in SSL to 'localhost' (no certificate name specified)
Do not intend to authenticate server localhost
SSL handshake done successfully with server localhost
Connected to localhost in SSL
Certificate verification is disabled
[...]
I first thought this was the fault of "start-stop-daemon", so I tried in
standalone mode.
Shell# /lib/nut/dummy-ups -a TEST
Shell# upsd
Shell# ps axu
[...]
nut 19116 0.0 0.0 37688 772 ? Ss 18:35 0:00 /lib/nut/dummy-ups -a APC
nut 19119 0.0 0.0 77296 6548 ? Ss 18:36 0:00 upsd
Here, trying "upsc TEST" fails again!
So, there's definitely something wrong here when "upsd" detaches itself
from the calling shell which makes SSL choke, at least with LibNSS!
I've browsed the GIT commit history from release 2.7.1 to current state and
I didn't see any commit that would make me think the problem was already
addressed.
Could someone look into it please? :-)
--
Unix _IS_ user friendly, it's just selective about who its friends are.