Bug#913234: shibboleth-sp2-utils: systemd service does not warn if certs not accessible as _shibd (like init.d did)
Andreas.Ley at kit.edu
Thu Nov 8 14:52:43 GMT 2018
* What led up to the situation?
Migrated shibboleth x.509 keys (root owned, mode 400) from a jessie system to stretch.
* What exactly did you do (or not do) that was effective (or
Did not realize there now is a _shibd user that needs to access the keys since on jessie, shibd automatically runs as root in such a situation.
* What was the outcome of this action?
2018-11-08 08:30:59 ERROR OpenSSL : error code: 33558541 in bss_file.c, line 406
2018-11-08 08:30:59 ERROR OpenSSL : error data: fopen('.../conf/ssl/sp.key','r')
2018-11-08 08:30:59 ERROR OpenSSL : error code: 537346050 in bss_file.c, line 408
* What outcome did you expect instead?
Either the same logic as on jessie or a more prominent hint for the admin to adapt to the new situation.
* What caused the problem?
On jessie, there is no explict systemd service file but one is generated from /etc/init.d/shibd as /run/systemd/generator.late/shibd.service
so the whole init.d logic is also available to systemd. This logic has been amended by debian/patches/Improve-shibd-init-script.patch's
prepare_environment() which runs shibd in test mode, looks for the error above and then automatically disables running as $DAEMON_USER
The associated warning is easily overseen as the logs are noisy and everything is fine.
On stretch, there is a /lib/systemd/system/shibd.service which misses both the automatism and the warning.
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages shibboleth-sp2-utils depends on:
ii adduser 3.115
ii init-system-helpers 1.48
ii libc6 2.24-11+deb9u3
ii libfcgi0ldbl 2.4.0-8.4+b1
ii libgcc1 1:6.3.0-18+deb9u1
ii liblog4shib1v5 1.0.9-3
ii libsaml9 2.6.0-4+deb9u1
ii libshibsp-plugins 2.6.0+dfsg1-4+deb9u1
ii libshibsp7 2.6.0+dfsg1-4+deb9u1
ii libstdc++6 6.3.0-18+deb9u1
ii libsystemd0 232-25+deb9u4
ii libxerces-c3.1 3.1.4+debian-2+deb9u1
ii libxmltooling7 1.6.0-4+deb9u1
ii lsb-base 9.20161125
Versions of packages shibboleth-sp2-utils recommends:
ii openssl 1.1.0f-3+deb9u2
shibboleth-sp2-utils suggests no packages.
-- debconf-show failed
More information about the Pkg-shibboleth-devel