[Bug 1017301] [NEW] SSL certificates cause server start failure

TJ 1017301 at bugs.launchpad.net
Mon Jun 25 01:15:20 UTC 2012


Public bug reported:

After installing a server digital certificate from a public certificate
authority (CA) into the preferred server-wide location for such files:

# ls -l /etc/ssl/certs/iam.tj.pem  /etc/ssl/private/iam.tj.key
-r--r--r-- 1 root root 1948 2012-06-25 01:15 /etc/ssl/certs/iam.tj.pem
-rw-r----- 1 root root 1679 2012-06-25 01:10 /etc/ssl/private/iam.tj.key

the mumble-server fails to start, reporting:

# service mumble-server start
<W>2012-06-25 01:51:20.111 Initializing settings from /etc/mumble-server.ini (basepath /etc)
<C>2012-06-25 01:51:20.113 Failed to read /etc/ssl/private/iam.tj.key
<F>2012-06-25 01:51:20.113 No private key found in certificate or key file.

This is caused by the service start-up script '/etc/init.d/mumble-server'
setting the user ID of the daemon process to "mumble-server" rather than
letting it start as "root".

The daemon drops privileges itself to the user ID configured in
'/etc/mumble-server.ini' once it has read the SSL key file and (potentially)
connected to a privileged port number (less than 1024):

uname=mumble-server

The workaround is to add the following to the end of
'/etc/defaults/mumble-server':

# If the server is using SSL certificates installed in a root-only location such as
# /etc/ssl/certs/ and /etc/ssl/private/ then the daemon must start as root in order
# to read these files - especially to read the key.
# the daemon drops privileges itself later based on the /etc/mumble-server.ini "uname" setting
USER=root

** Affects: mumble (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Debian
VoIP Team, which is subscribed to mumble in Ubuntu.
https://bugs.launchpad.net/bugs/1017301

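The permission check behind the "Failed to read" message can be reproduced in shell to confirm which account is able to open the key. This is an added example, not part of the bug report or the mumble packaging; the function names, the uid/gid 120 in the demo and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example: classic Unix mode-bit check; ACLs and capabilities are ignored.

# perm_ok MODE FILE_UID FILE_GID UID "GIDS" WANT   (WANT: 4 = read, 1 = search)
perm_ok() {
    mode=$1; fuid=$2; fgid=$3; uid=$4; gids=$5; want=$6
    if [ "$uid" -eq 0 ]; then return 0; fi      # root bypasses mode bits
    shift_by=0                                  # default: "other" triplet
    if [ "$uid" -eq "$fuid" ]; then
        shift_by=6                              # owner triplet
    else
        for g in $gids; do
            if [ "$g" -eq "$fgid" ]; then shift_by=3; fi   # group triplet
        done
    fi
    [ $(( (0$mode >> $shift_by) & $want )) -ne 0 ]
}

# can_use_key USER KEYFILE -> 0 readable, 1 denied, 2 lookup error
can_use_key() {
    user=$1; path=$2
    uid=$(id -u "$user" 2>/dev/null) || return 2
    gids=$(id -G "$user")
    st=$(stat -c '%a %u %g' "$path" 2>/dev/null) || return 2
    set -- $st
    perm_ok "$1" "$2" "$3" "$uid" "$gids" 4 || return 1
    dir=$(dirname "$path")
    while :; do                                 # every ancestor needs search (x)
        st=$(stat -c '%a %u %g' "$dir" 2>/dev/null) || return 2
        set -- $st
        perm_ok "$1" "$2" "$3" "$uid" "$gids" 1 || return 1
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Constructed demo of the reported case: key is 0640 root:root (uid 0, gid 0);
# the init-script user is given the made-up uid/gid 120.
if perm_ok 640 0 0 120 "120" 4; then
    echo "key readable"
else
    echo "key not readable by the init-script user"
fi
```

On the affected host, run `can_use_key mumble-server /etc/ssl/private/iam.tj.key` as root; it also reports denial when a parent directory lacks search permission for that user.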