Author Topic: Fresh Install - Certificate Problem  (Read 350 times)

Gray

Fresh Install - Certificate Problem
« on: November 25, 2022, 08:59:17 pm »
Hi

O/S: Ubuntu 9.4.0-1ubuntu1~20.04.1
Zentyal: 7.0.5

I've been attempting to install Zentyal to a vanilla Linux instance using the following steps:-

sudo apt-get update
sudo apt dist-upgrade
wget https://zentyal.com/zentyal_installer.sh
sudo chmod u+x zentyal_installer.sh
sudo ./zentyal_installer.sh

Unfortunately I was unable to access the web admin page @ port 8443 so I started to look around.

In /var/log/nginx/error.log I discovered the following:-

Code:
2022/11/25 19:29:41 [emerg] 28204#28204: cannot load certificate "/var/lib/zentyal/conf/ssl/ssl.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/zentyal/conf/ssl/ssl.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2022/11/25 19:29:41 [emerg] 28246#28246: cannot load certificate "/var/lib/zentyal/conf/ssl/ssl.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/zentyal/conf/ssl/ssl.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2022/11/25 19:29:42 [emerg] 28278#28278: cannot load certificate "/var/lib/zentyal/conf/ssl/ssl.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/zentyal/conf/ssl/ssl.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2022/11/25 19:29:42 [emerg] 28312#28312: cannot load certificate "/var/lib/zentyal/conf/ssl/ssl.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/zentyal/conf/ssl/ssl.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2022/11/25 19:29:42 [emerg] 28331#28331: cannot load certificate "/var/lib/zentyal/conf/ssl/ssl.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/zentyal/conf/ssl/ssl.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2022/11/25 19:29:43 [emerg] 28359#28359: cannot load certificate "/var/lib/zentyal/conf/ssl/ssl.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/zentyal/conf/ssl/ssl.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2022/11/25 19:29:43 [emerg] 28360#28360: cannot load certificate "/var/lib/zentyal/conf/ssl/ssl.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/zentyal/conf/ssl/ssl.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2022/11/25 19:29:43 [emerg] 28362#28362: cannot load certificate "/var/lib/zentyal/conf/ssl/ssl.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/zentyal/conf/ssl/ssl.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Looking in the /var/lib/zentyal/conf/ssl/ there are only two files:-

Code:
drwx------ 2 root root 4096 Nov 25 19:29 .
drwxr-xr-x 5 ebox adm  4096 Nov 25 19:29 ..
-rw------- 1 root root    0 Nov 25 19:29 ssl.cert
-r-------- 1 root root 3243 Nov 25 19:29 ssl.key

There is NO .pem file and the .cert file is EMPTY? Consequently, nginx cannot start.

I presume I cannot combine the two into a .pem because the .cert is empty? So, since I am evaluating Zentyal, can I create my own self-signed cert/keys and insert them here? Or is there an easier fix?

Thanks

turalyon

Re: Fresh Install - Certificate Problem
« Reply #1 on: November 28, 2022, 11:01:22 am »
It is strange behavior; the other day I tested the script for an internal test and everything worked correctly. Did you check if you have some broken package or any error in the log file '/var/log/zentyal/zentyal.log'?

As you said, you can create a self-certificate file and set the right permissions so you can use the Zentyal GUI.

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever".

Gray

Re: Fresh Install - Certificate Problem
« Reply #2 on: November 28, 2022, 01:32:53 pm »
Hi

Yes, I've just looked in that file and found the following:-

Code:
2022/11/25 19:29:16 INFO> Base.pm:256 EBox::Module::Base::saveConfig - Saving config for module: sysinfo
2022/11/25 19:29:16 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: sysinfo
2022/11/25 19:29:17 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command set -e
openssl req -new -x509 -batch -subj /CN=hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk.hsm-ad.nnnnnnnnnnnnnnnn.co.uk/  -sha1 -days 3650 -key /var/lib/zentyal/conf/ssl/ssl.key > /var/lib/zentyal/conf/ssl/ssl.cert
chmod 0400 /var/lib/zentyal/conf/ssl/ssl.cert failed.
Error output: problems making Certificate Request
 139645905614144:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:../crypto/asn1/a_mbstr.c:107:maxsize=64

Command output: .
Exit value: 1 at root command set -e
openssl req -new -x509 -batch -subj /CN=hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk.hsm-ad.nnnnnnnnnnnnnnnn.co.uk/  -sha1 -days 3650 -key /var/lib/zentyal/conf/ssl/ssl.key > /var/lib/zentyal/conf/ssl/ssl.cert
chmod 0400 /var/lib/zentyal/conf/ssl/ssl.cert failed.
Error output: problems making Certificate Request
 139645905614144:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:../crypto/asn1/a_mbstr.c:107:maxsize=64

Command output: .
Exit value: 1 at /usr/share/perl5/EBox/Sudo.pm line 240
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/uUJbWvl7TK.cmd 2> /var/lib/zentyal/tmp/stderr', 'set -e^Jopenssl req -new -x509 -batch -subj /CN=hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk.hsm-ad.nnnnnnnnnnnnnnnn.co.uk/  -sha1 -days 3650 -key /var/lib/zentyal/conf/ssl/ssl.key > /var/lib/zentyal/conf/ssl/ssl.cert^Jchmod 0400 /var/lib/zentyal/conf/ssl/ssl.cert', 256, 'ARRAY(0x56410efa6af0)', 'ARRAY(0x56410e9e5508)') called at /usr/share/perl5/EBox/Sudo.pm line 210
EBox::Sudo::_root(1, 'openssl req -new -x509 -batch -subj /CN=hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk.hsm-ad.nnnnnnnnnnnnnnnn.co.uk/  -sha1 -days 3650 -key /var/lib/zentyal/conf/ssl/ssl.key > /var/lib/zentyal/conf/ssl/ssl.cert', 'chmod 0400 /var/lib/zentyal/conf/ssl/ssl.cert') called at /usr/share/perl5/EBox/Sudo.pm line 153
EBox::Sudo::root('openssl req -new -x509 -batch -subj /CN=hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk.hsm-ad.nnnnnnnnnnnnnnnn.co.uk/  -sha1 -days 3650 -key /var/lib/zentyal/conf/ssl/ssl.key > /var/lib/zentyal/conf/ssl/ssl.cert', 'chmod 0400 /var/lib/zentyal/conf/ssl/ssl.cert') called at /usr/share/perl5/EBox/Util/Certificate.pm line 63
EBox::Util::Certificate::generateCert('/var/lib/zentyal/conf/ssl', '/var/lib/zentyal/conf/ssl/ssl.key', 1, 'hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk.hsm-ad.nnnnnnnnnnnnnnnn.co.uk') called at /usr/share/zentyal/create-certificate line 29
2022/11/25 19:29:17 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command /usr/share/zentyal/change-hostname hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk hsm-ad.nnnnnnnnnnnnnnnn.co.uk failed.
Error output: problems making Certificate Request
 139645905614144:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:../crypto/asn1/a_mbstr.c:107:maxsize=64

Command output: .
Exit value: 1 at root command /usr/share/zentyal/change-hostname hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk hsm-ad.nnnnnnnnnnnnnnnn.co.uk failed.
Error output: problems making Certificate Request
 139645905614144:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:../crypto/asn1/a_mbstr.c:107:maxsize=64

Command output: .
Exit value: 1 at /usr/share/perl5/EBox/Sudo.pm line 240
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/AxbV5gJLrX.cmd 2> /var/lib/zentyal/tmp/stderr', '/usr/share/zentyal/change-hostname hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk hsm-ad.nnnnnnnnnnnnnnnn.co.uk', 256, 'ARRAY(0x5647d2c38be0)', 'ARRAY(0x5647d022a258)') called at /usr/share/perl5/EBox/Sudo.pm line 210
EBox::Sudo::_root(1, '/usr/share/zentyal/change-hostname hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk hsm-ad.nnnnnnnnnnnnnnnn.co.uk') called at /usr/share/perl5/EBox/Sudo.pm line 153
EBox::Sudo::root('/usr/share/zentyal/change-hostname hsm-zen.hsm-ad.nnnnnnnnnnnnnnnn.co.uk hsm-ad.nnnnnnnnnnnnnnnn.co.uk') called at /usr/share/perl5/EBox/SysInfo.pm line 170
EBox::SysInfo::_setConf('EBox::SysInfo=HASH(0x5647d23237e0)') called at /usr/share/perl5/EBox/Module/Base.pm line 995
EBox::Module::Base::_regenConfig('EBox::SysInfo=HASH(0x5647d23237e0)') called at /usr/share/perl5/EBox/Module/Base.pm line 234
eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233
EBox::Module::Base::save('EBox::SysInfo=HASH(0x5647d23237e0)') called at /usr/share/zentyal/initial-setup line 56

It looks like a permission error of some kind?

I called the installation script from a user with sudoer rights and I'm pretty sure I used the sudo command.... I am starting to doubt myself now though!

In the meantime I created my own key and certificate, placed them in the /var/lib/zentyal/conf/ssl/ and modified /usr/share/zentyal/stubs/core/nginx.conf.mas around line 115 to look for them (rather than a .pem file)

Thanks
« Last Edit: November 28, 2022, 01:50:58 pm by Gray »

turalyon

Re: Fresh Install - Certificate Problem
« Reply #3 on: November 28, 2022, 03:34:35 pm »
Hi,

It seems that your domain name is too long:

Code:
asn1 encoding routines:ASN1_mbstring_ncopy:string too long

How many characters does it have? Can you give me an example? Apparently, this behavior is not considered by Zentyal.

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever".

Gray

Re: Fresh Install - Certificate Problem
« Reply #4 on: November 28, 2022, 06:30:45 pm »
Hi

Interesting.... ?

My Domain Name will be nnnnnnnnnnnnnnnn.co.uk  - 22 chars inc the dots (periods)
My Active Directory Name will be hsm-ad.nnnnnnnnnnnnnnnn.co.uk - 29 chars inc the dots (periods)
My Zentyal Server Name will be hsm-dc00.hsm-ad.nnnnnnnnnnnnnnnn.co.uk - 38 chars inc the dots (periods)

I am just about to set up the AD in Zentyal. I wonder if the char length will be an issue?

Thanks

Gray

Re: Fresh Install - Certificate Problem
« Reply #5 on: November 28, 2022, 06:54:26 pm »
Hi

Indeed it does seem to be a problem.. I've just restarted the server and checked the zentyal.log log to find:-

Code:
2022/11/28 17:41:03 DEBUG> HostName.pm:167 EBox::SysInfo::Model::HostName::validateTypedRow - Invalid value for Host name: hsm-dc00.hsm-ad.nnnnnnnnnnnnnnnn.co.uk.
2022/11/28 17:41:37 DEBUG> HostName.pm:180 EBox::SysInfo::Model::HostName::validateTypedRow - Invalid value for Host domain: hsm-ad.nnnnnnnnnnnnnnnn.co.uk.hsm-ad.nnnnnnnnnnnnnnnn.co.uk.

My /etc/hostname is as follows:-

Code:
hsm-dc00.hsm-ad.nnnnnnnnnnnnnnnn.co.uk

Maybe in this context it should not be the FQDN but simply hsm-dc00?

Thanks


Gray

Re: Fresh Install - Certificate Problem
« Reply #6 on: November 28, 2022, 07:07:28 pm »
Hi

Ok I've tried with a /etc/hostname of simply hsm-dc00 which has resolved the errors in the zentyal.log but webadmin->general configuration->hostname and domain->   still shows the old entry i.e. the FQDN.

When I try to correct this in webadmin I get the following error:

Code:
Invalid value for Host domain: hsm-ad.nnnnnnnnnnnnnnnn.co.uk.hsm-ad.nnnnnnnnnnnnnnnn.co.uk. The length must be between 2 and 48 characters

My guess is that I should have used just hsm-dc00 as my hostname when first building the server. I have corrected this in webadmin by first changing the domain name to test.local, changing the hostname to him-dc00 and then changing, again, the domain name. Prior to this I changed my /etc/hostname file to him-dc00.

Hopefully all should be ok now...

Thanks
« Last Edit: November 28, 2022, 08:31:46 pm by Gray »

turalyon

Re: Fresh Install - Certificate Problem
« Reply #7 on: November 29, 2022, 11:32:19 am »
It looks like Zentyal interpreted the hostname and domain that your server had incorrectly.

I don't think you will have any more issues with this, on that machine at least.

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever".

Gray

Re: [SOLVED] Fresh Install - Certificate Problem
« Reply #8 on: November 29, 2022, 12:25:16 pm »
Hi Turalyon

Yes, hopefully so!  :)

I've found there to be differing server naming requirements dependent upon the environment they are being built in. For anyone else experiencing this issue with Zentyal, simply just use the server name (NetBIOS name in Windows), e.g. hsm-dc00, as the hostname as opposed to an FQDN. Ensure you update the Linux hostname in /etc/hostname before installing Zentyal.

Thanks
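
The failure in this thread, as an added example that is not part of the original posts or Zentyal's own code: a pre-install check of the hostname/domain pair against the two limits quoted above (OpenSSL's `maxsize=64` for the certificate CN and the webadmin's 2 to 48 characters for the host domain). The function name `check_names` and the sample inputs are assumptions; the CN is built as `hostname.domain`, matching the `-subj` value in the logged `openssl req` command.

```bash
#!/bin/sh
# Added example: check the names handed to the installer before it tries
# to generate the self-signed certificate for the web admin.
# Limits taken from the thread's own error messages.
CN_MAX=64        # "ASN1_mbstring_ncopy:string too long ... maxsize=64"
DOMAIN_MIN=2     # "The length must be between 2 and 48 characters"
DOMAIN_MAX=48

# check_names HOSTNAME DOMAIN
# Prints one finding per line; returns 0 if the pair is usable, 1 otherwise.
check_names() {
    cn_host=$1
    cn_domain=$2
    cn_value="${cn_host}.${cn_domain}"   # same shape as the logged -subj /CN=...
    cn_rc=0

    # Root cause in the thread: /etc/hostname held an FQDN, so the domain
    # was appended a second time.
    case $cn_host in
        *.*) echo "FAIL hostname '$cn_host' is not a short name; use '${cn_host%%.*}'"
             cn_rc=1 ;;
    esac
    if [ "${#cn_domain}" -lt "$DOMAIN_MIN" ] || [ "${#cn_domain}" -gt "$DOMAIN_MAX" ]; then
        echo "FAIL domain is ${#cn_domain} chars, allowed $DOMAIN_MIN-$DOMAIN_MAX"
        cn_rc=1
    fi
    if [ "${#cn_value}" -gt "$CN_MAX" ]; then
        echo "FAIL CN is ${#cn_value} chars, commonName limit is $CN_MAX"
        cn_rc=1
    fi
    if [ "$cn_rc" -eq 0 ]; then
        echo "OK   CN '$cn_value' (${#cn_value} chars)"
    fi
    return "$cn_rc"
}

# Constructed inputs mirroring the thread (domain anonymised as in the posts).
DOMAIN=hsm-ad.nnnnnnnnnnnnnnnn.co.uk
check_names "hsm-zen.$DOMAIN" "$DOMAIN" || echo "-> fix /etc/hostname before installing"
check_names "hsm-dc00" "$DOMAIN"
```

On a real host, pass the contents of /etc/hostname as the first argument and the intended domain as the second.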