[Nut-upsuser] Invalid directive CERTFILE /etc/nut/keys/gold.pem on Debian stretch
Roger Price
roger at rogerprice.org
Sat Jul 7 11:47:30 BST 2018
On Wed, 4 Jul 2018, Roger Price wrote:
> I tried adding SSL/TLS support to NUT following the User Manual chapter 9.5
> "Configuring SSL".
> Jul 04 10:49:05 maria upsd[4744]: upsd.conf: invalid directive CERTFILE
> /etc/nut/keys/gold.pem
I tried again with openSUSE 42.3 and could not reproduce this error. All went
well and I saw the desired SSL/TLS activation:
● nut-server.service - Network UPS Tools - power devices information server
Jul 07 11:01:40 titan upsd[2926]: User upsmaster at 127.0.0.1 logged into UPS [Eaton] (SSL)
Jul 07 11:01:40 titan upsd[2926]: User upsmaster at 127.0.0.1 logged into UPS [heartbeat] (SSL)
● nut-monitor.service - Network UPS Tools - power device monitor and shutdow controller
Jul 07 11:01:40 titan upsmon[2931]: Connected to localhost in SSL
Jul 07 11:01:40 titan upsmon[2931]: Connected to localhost in SSL
It looks as if Debian has a theological problem with the OpenSSL license seen as
tainting GNU GPL.
See
1. Debian bug report 871951 Aug 2017:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871951 "nut: Invalid SSL
directives", which refers to Ubuntu bug 1014347 June 2012:
https://bugs.launchpad.net/ubuntu/+source/nut/+bug/1014347 "NUT License prevents
distribution of SSL-enabled builds".
2. Source file debian/nut.README.Debian says:
SECURITY CONSIDERATIONS
-----------------------
... the TCP communications between ... UNENCRYPTED. ... sniff the username and
password. A version that encrypts the connection using SSL should be available
someday.
Since it looks as if this will never be fixed on Debian, I suggest
* The User Manual section 9.5 should include a « Not on Debian » warning.
* The "invalid directive CERTFILE" should be changed to something like
"CERTFILE, OpenSSL not available".
Roger
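
A log check for the two outcomes described in this message, added here as an example; it is not part of the original post or of NUT. The names `audit`, `LOGIN` and `REJECTED` are hypothetical, and the plaintext login line in the sample is constructed on the assumption that upsd logs an unencrypted session without the trailing "(SSL)".

```python
import re

# upsd login record. Accepts "user@host" and the list archive's "user at host".
# Assumption: a session without TLS is logged without the trailing " (SSL)".
LOGIN = re.compile(
    r"upsd\[\d+\]: User (?P<user>\S+?)(?:@| at )(?P<host>\S+) "
    r"logged into UPS \[(?P<ups>[^\]]+)\](?P<ssl> \(SSL\))?\s*$"
)
# upsd rejecting a certificate directive, as in the Debian report above.
REJECTED = re.compile(r"upsd\[\d+\]: upsd\.conf: invalid directive (?P<name>CERT\w*)")


def audit(lines):
    """Return (plaintext_logins, tls_logins, rejected_directives)."""
    plaintext, tls, rejected = [], [], []
    for line in lines:
        m = LOGIN.search(line)
        if m:
            entry = (m["user"], m["host"], m["ups"])
            (tls if m["ssl"] else plaintext).append(entry)
            continue
        m = REJECTED.search(line)
        if m:
            rejected.append(m["name"])
    return plaintext, tls, rejected


# Journal lines quoted in the message, plus one constructed plaintext login.
SAMPLE = [
    "Jul 04 10:49:05 maria upsd[4744]: upsd.conf: invalid directive CERTFILE /etc/nut/keys/gold.pem",
    "Jul 07 11:01:40 titan upsd[2926]: User upsmaster at 127.0.0.1 logged into UPS [Eaton] (SSL)",
    "Jul 07 11:01:40 titan upsd[2926]: User upsmaster at 127.0.0.1 logged into UPS [heartbeat] (SSL)",
    "Jul 04 10:49:07 maria upsd[4744]: User upsmaster@127.0.0.1 logged into UPS [Eaton]",  # constructed
]

if __name__ == "__main__":
    plaintext, tls, rejected = audit(SAMPLE)
    for name in rejected:
        print(f"upsd rejected {name}: TLS is not active on this server")
    for user, host, ups in plaintext:
        print(f"PLAINTEXT login {user}@{host} -> [{ups}]: username and password sent unencrypted")
    print(f"{len(tls)} TLS login(s)")
```

Feeding it the output of `journalctl -u nut-server` gives a quick check that a configured CERTFILE is actually taking effect rather than being silently skipped.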