Enhancement: Strip spaces for SSL variables #1799

Open
matheusfillipe opened this issue Jul 9, 2021 · 2 comments
matheusfillipe commented Jul 9, 2021

OS: Ubuntu 20.04 LTS
ZNC: Tested with 1.8.5 (ubuntu repositories) and build from 2914235

ZNC works fine on the port without SSL, I can use both the webadmin interface and IRC from multiple IRC clients. I am trying to get it working with SSL certificates from Let's Encrypt that I already use on my site. I have the certs in a folder that my user can read (doing the cat command on any of the files works). I have this in my znc config:

anoniplimit = 10
authonlyviamodule = false
configwritedelay = 0
connectdelay = 5
hideversion = false
loadmodule = webadmin
loadmodule = adminlog
maxbuffersize = 500
protectwebsessions = true
sslcertfile = /certs/mattf/fullchain.pem
ssldhparamfile = /certs/mattf/ssl-dhparams.pem
sslkeyfile = /certs/mattf/privkey.pem 
serverthrottle = 30
skin = _default_
statusprefix = *
version = 1.9.x

<Listener listener0>
	AllowIRC = true
	AllowWeb = true
	IPv4 = true
	IPv6 = true
	Port = 6668
	SSL = false
	URIPrefix = /
</Listener>

<Listener listener1>
	AllowIRC = true
	AllowWeb = true
	IPv4 = true
	IPv6 = true
	Port = 6669
	SSL = true
	URIPrefix = /
</Listener>

<Listener listener2>
	AllowIRC = true
	AllowWeb = true
	IPv4 = true
	IPv6 = true
	Port = 6697
	SSL = true
	URIPrefix = /
</Listener>

<Listener listener3>
	AllowIRC = true
	AllowWeb = true
	IPv4 = true
	IPv6 = true
	Port = 6643
	SSL = true
	URIPrefix = /
</Listener>

None of the SSL ports work. If I try from the browser this is what I get: PR_END_OF_FILE_ERROR

Also the IRC clients cannot connect. In both cases this is what gets logged (with irc or webadmin https):

znc -f -D

...

[2021-07-09 20:37:41.840726] _LISTENER == ConnectionFrom(******) [Allowed]
[2021-07-09 20:37:41.840800] There are [0] clients from [******]
[2021-07-09 20:37:41.840956] /home/mattf/znc/src/Csocket.cpp:1851 Bad keyfile ... [/certs/mattf/privkey.pem ]

Still the key seems to be ok:

$ openssl rsa -check -noout -in privkey.pem
RSA key ok

# mattf @ mattf in /certs/mattf [20:42:44] C:130
$ openssl x509 -modulus -noout -in fullchain.pem | openssl md5
(stdin)= f38d5606c23b48a3e962718406c48fe7

# mattf @ mattf in /certs/mattf [20:42:56]
$ openssl rsa -modulus -noout -in privkey.pem | openssl md5
(stdin)= f38d5606c23b48a3e962718406c48fe7

# mattf @ mattf in /certs/mattf [20:45:24]
$ ls -Slah /certs/mattf
total 32K
-rw-r--r-- 1 root root 7.2K Jul  9 21:00 znc.pem
-rw-r--r-- 1 root sudo 5.5K Jul  9 21:00 fullchain.pem
drwxr-xr-x 2 root sudo 4.0K Jul  9 20:28 .
drwxr-xr-x 3 root sudo 4.0K Jul  9 07:10 ..
-rw-r--r-- 1 root sudo 1.7K Jul  9 21:00 privkey.pem
-rw-r--r-- 1 root sudo  424 Jul  9 21:00 ssl-dhparams.pem

$ openssl version
OpenSSL 1.1.1f  31 Mar 2020

And the same key and cert are working on my nginx server.

@matheusfillipe
Author

After removing the extra space after the key file it worked. Would be nice if those variables were stripped!

matheusfillipe changed the title from "SSL: letsencrypt keyfile not working - Csocket.cpp:1851 Bad keyfile" to "Enhancement: Strip spaces for SSL variables" on Jul 9, 2021
@DarthGandalf
Member

I'm not sure about removing spaces. It's possible for a filename to have various characters, including spaces. However, limiting this filename to not have spaces at the end looks like a reasonable limitation.

What should be improved for sure, however, is the error message. "File not found" would be clearer than "Bad file"
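
The two suggestions in this thread (tolerate only trailing whitespace, and report a missing file as such instead of "Bad keyfile"), sketched as an added C++ example. It is not ZNC or Csocket code: `checkConfiguredPath`, `rtrim` and `PathStatus` are hypothetical names, it assumes a POSIX system, and it uses a constructed placeholder file rather than a real key.

```cpp
// Added example (not ZNC/Csocket source); POSIX only, all names are hypothetical.
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <fstream>
#include <iostream>
#include <string>

enum class PathStatus { Ok, TrailingWhitespace, NotFound, NotRegularFile, Unreadable };
struct PathCheck { PathStatus status; std::string message; };

// Remove trailing blanks only: leading and interior spaces are legal in
// filenames, so stripping every space would break valid paths.
std::string rtrim(const std::string& s) {
    const auto end = s.find_last_not_of(" \t\r\n");
    return end == std::string::npos ? "" : s.substr(0, end + 1);
}

// Classify a path taken verbatim from a config value before handing it to the
// TLS library, so a path problem is not reported as a malformed key.
PathCheck checkConfiguredPath(const std::string& raw) {
    struct stat st;
    if (stat(raw.c_str(), &st) != 0) {
        const std::string trimmed = rtrim(raw);
        if (trimmed != raw && stat(trimmed.c_str(), &st) == 0)
            return {PathStatus::TrailingWhitespace,
                    "File not found: [" + raw + "]; the value ends in whitespace, "
                    "did you mean [" + trimmed + "]?"};
        return {PathStatus::NotFound, "File not found: [" + raw + "]"};
    }
    if (!S_ISREG(st.st_mode))
        return {PathStatus::NotRegularFile, "Not a regular file: [" + raw + "]"};
    if (access(raw.c_str(), R_OK) != 0)
        return {PathStatus::Unreadable, "Permission denied: [" + raw + "]"};
    return {PathStatus::Ok, "OK: [" + raw + "]"};
}

int main() {
    // Constructed placeholder file; its interior space must survive the check.
    const std::string key = "/tmp/example privkey.pem";
    { std::ofstream out(key); out << "constructed placeholder, not a real key\n"; }
    for (const std::string& value : {key, key + " ", std::string("/tmp/no-such-key.pem")})
        std::cout << checkConfiguredPath(value).message << "\n";
    std::remove(key.c_str());
    return 0;
}
```

A file whose name really does end in a space is still accepted, because the trimmed form is tried only after the verbatim path fails to resolve.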
