server.crt is blank #194

Closed
MMcWrath opened this issue Apr 25, 2023 · 3 comments

@MMcWrath

Greetings, I had this working, and then upon changing my root/admin account name and directory name, I broke Epoptes. I've since corrected my root/admin account, and removed and reinstalled Epoptes while generating new .crt and key files. I'm using Ubuntu 22.04.2 using a chrootless (ltsp-pnp) install.

While I can install Epoptes and Epoptes-client, when I log into a user-level account (I've temporarily elevated them to an administrator to run epoptes-client -c) however, even if I log in as the user-level (non-admin) and su - <adminuser> and then sudo su to get to the administrator account to run epoptes-client -c, or provide temp admin level to the users, epoptes-client -c overwrites my /etc/epoptes/server.crt.

The error that I get when running sudo epoptes-client -c is:

<string of letter and numbers>:error:<string of letters and numbers>:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
epoptes-client ERROR: Failed to fetch certificate from server:789
ls -l /etc/epoptes/
-rw-r--r-- 1 root root    0 Apr 25 10:27 server.crt
-rw-------   root root 3272 Apr 25 10:19 server.key

Besides running chrootless, what am I doing wrong?!

Thank you in advance for your help or hints!

@alkisg
Member

alkisg commented Apr 25, 2023

Hi, the problem is that you should not run epoptes-client -c on the server itself.
This tries to download the certificate from the server to the server, with the result being a zero-sized certificate.
You're supposed to run that command on the clients or in the chroots/template images.
And since you're using chrootless LTSP, you don't need to run that command at all.

To create a new certificate now, run:

rm /etc/epoptes/server.*
dpkg-reconfigure epoptes

And then ltsp initrd and/or ltsp image to make it available for the clients.

Normally I'd say "please open discussions instead of issues when requiring assistance".
But in this case this is a valid bug report, as we can change the epoptes code to download the certificate using a temporary file. This will avoid the zero-ing part, even if it's not the correct usage.
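
The temporary-file approach described in the comment above, as an added shell example that is not part of the thread or of the Epoptes code base: the download goes to a temp file beside the destination and replaces it only if it holds a PEM certificate. `update_cert`, `looks_like_pem` and the `fetch_*` stubs are hypothetical names, and the stub output is constructed.

```shell
#!/bin/sh
# Replace a certificate file only after a complete, plausible download.

# looks_like_pem FILE: true if FILE is non-empty and has both PEM markers.
# A stricter check could also parse it with `openssl x509 -noout -in FILE`.
looks_like_pem() {
    [ -s "$1" ] &&
        grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
        grep -q '^-----END CERTIFICATE-----$' "$1"
}

# update_cert DEST FETCH_CMD...: run FETCH_CMD with stdout sent to a temp
# file, then rename it over DEST. DEST is never truncated on failure.
update_cert() {
    dest=$1
    shift
    # Same directory as DEST, so mv is a rename on one filesystem (atomic).
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # Check the content as well as the exit status: a fetch pipeline can
    # exit 0 while producing no output at all.
    if "$@" > "$tmp" && looks_like_pem "$tmp"; then
        chmod 644 "$tmp"    # mktemp creates 0600; the cert is world-readable
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "update_cert: fetch failed, keeping existing $dest" >&2
        return 1
    fi
}

# Constructed stand-ins for the network fetch (no real certificate data).
fetch_ok() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----'
}
fetch_eof() { return 1; }        # connection dropped, non-zero exit
fetch_empty_ok() { return 0; }   # exit status 0 but nothing was received
```
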

@MMcWrath
Author

Thank you for the feedback alkisg. Indeed, issuing the epoptes-client -c command is what was getting me down. I was escalating user-level permissions on the client to root, which was then rewriting the server.crt file.

Perhaps a note (albeit obvious) that in a chrootless LTSP environment, this command isn't required.

The tailing echo of the epoptes installation is:

A new OpenSSL certificate has been generated for epoptes.
Please ensure that you transfer /etc/epoptes/server.crt
to your clients by issuing 'epoptes-client-c' from your
regular workstations or from your LTSP chroots.

Perhaps adding a clause about not needing to do this step for chrootless installs.
Again, thank you for the input, and thank you for the timely response!

@alkisg alkisg reopened this Apr 25, 2023
eltoukos added a commit to eltoukos/epoptes that referenced this issue Jul 28, 2023
@alkisg
Member

alkisg commented Aug 21, 2023

Closed by GSoC 2023 Epoptes improvements #204.
Please test if the proposed PPA build resolves this issue.
