Univention Bugzilla – Bug 52975
failed stunnel4.service
Last modified: 2021-05-25 16:00:27 CEST
After fresh installation of UCS 5.0-0-rc0:

root@dc0:~# journalctl -u stunnel4.service
-- Logs begin at Tue 2021-03-23 11:53:09 CET, end at Tue 2021-03-23 13:47:04 CET. --
Mär 23 11:58:02 unassigned-hostname systemd[1]: Starting LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)...
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: Starting TLS tunnels: /etc/stunnel/univention_saml.conf: [ ] Clients allowed=500
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [.] stunnel 5.50 on x86_64-pc-linux-gnu platform
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [.] Compiled with OpenSSL 1.1.1b 26 Feb 2019
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [.] Running with OpenSSL 1.1.1d 10 Sep 2019
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [ ] errno: (*__errno_location ())
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [.] Reading configuration from file /etc/stunnel/univention_saml.conf
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [.] UTF-8 byte order mark not detected
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [.] FIPS mode disabled
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [ ] Compression disabled
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [ ] No PRNG seeding was required
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [ ] Initializing service [memcached]
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [ ] TLS options: 0x02104004 (+0x02004000, -0x00000000)
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [ ] Loading certificate from file:
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [!] error queue: 140DC002: error:140DC002:SSL routines:use_certificate_chain_file:system lib
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [!] error queue: 20074002: error:20074002:BIO routines:file_ctrl:system lib
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [!] Service [memcached]: Failed to initialize TLS context
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: [ ] Deallocating section defaults
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: failed
Mär 23 11:58:02 unassigned-hostname stunnel4[21087]: You should check that you have specified the pid= in you configuration file
Mär 23 11:58:02 unassigned-hostname systemd[1]: stunnel4.service: Control process exited, code=exited, status=1/FAILURE
Mär 23 11:58:02 unassigned-hostname systemd[1]: stunnel4.service: Failed with result 'exit-code'.
Mär 23 11:58:02 unassigned-hostname systemd[1]: Failed to start LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons).

Restarting fixes it:

root@dc0:~# systemctl restart stunnel4
root@dc0:~# systemctl status stunnel4
● stunnel4.service - LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)
   Loaded: loaded (/etc/init.d/stunnel4; generated)
   Active: active (running) since Tue 2021-03-23 13:50:15 CET; 1s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2984 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=0/SUCCESS)
    Tasks: 2 (limit: 2344)
   Memory: 2.1M
   CGroup: /system.slice/stunnel4.service
           └─2999 /usr/bin/stunnel4 /etc/stunnel/univention_saml.conf

Mär 23 13:50:10 dc0 systemd[1]: Starting LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)...
Mär 23 13:50:15 dc0 stunnel4[2984]: Starting TLS tunnels: /etc/stunnel/univention_saml.conf: started
Mär 23 13:50:15 dc0 systemd[1]: Started LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons).
mhm, this seems to be a release blocker as SimpleSAMLphp won't work properly? I change the Target Milestone to be sure we discuss this.
*** Bug 48225 has been marked as a duplicate of this bug. ***
/etc/init.d/stunnel4 checks for files /etc/stunnel/*.conf, which already contains /etc/stunnel/univention_saml.conf generated by UCR. But it references files /etc/univention/ssl/ucsCA/CAcert.pem and /etc/simplesamlphp/ucs-sso.$FQDN-ldp-certificate.{crt,key}, which only exist after USS has finished. Therefore "stunnel4.service" fails to start for the reboot between D-I and USS. It is not restarted after USS has finished and remains failed.

[5.0-0] f671e26229 fix[saml]: Fix PHP 7.3 dependencies
 saml/univention-saml/debian/control   | 4 ++--
 saml/univention-saml/scripts/php-cgi  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

[5.0-0] 92098e7296 fix[saml]: Restart stunnel4 after join
 saml/univention-saml/91univention-saml.inst | 4 +---
 saml/univention-saml/debian/changelog       | 6 ++++++
 2 files changed, 7 insertions(+), 3 deletions(-)

[5.0-0] d58878f5cf style[saml]: Remove executable permissions
 saml/univention-saml/conffiles/etc/apache2/sites-available/univention-saml.conf    | 0
 saml/univention-saml/conffiles/etc/simplesamlphp/00authsources.php                  | 0
 saml/univention-saml/conffiles/etc/simplesamlphp/config.php                         | 0
 saml/univention-saml/conffiles/etc/simplesamlphp/metadata/00_saml20-idp-hosted.php  | 0
 saml/univention-saml/conffiles/etc/simplesamlphp/metadata/00header.php              | 0
 saml/univention-saml/debian/univention-saml.postinst                                | 0
 saml/univention-saml/debian/univention-saml.preinst                                 | 0
 saml/univention-saml/debian/univention-saml.prerm                                   | 0
 8 files changed, 0 insertions(+), 0 deletions(-)

Package: univention-saml
Version: 7.0.4-5A~5.0.0.202104131303
Branch: ucs_5.0-0
No changelog entry -> part of update to php7.3
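The root cause above is a start-ordering problem: the stunnel config is written before the TLS files it names exist, so the unit fails once and nothing restarts it. The following shell script is an added example (not code from this bug report or from the univention-saml package) of the pre-start check that would have made the failure self-explanatory and the post-join restart safe: it reads every cert=/key=/CAfile= option from a stunnel config, reports the paths that do not exist, and only runs the restart command when all of them are present. The option names are stunnel's own; the sample config, the ucs-sso.example.test hostname, the memcached ports and the temporary directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Univention bug report or the
# univention-saml package. Checks that the TLS files referenced by a stunnel
# config exist before (re)starting stunnel4, so a unit that failed at the
# D-I reboot is restarted once the join has created the files, and not before.
# Option names (cert, key, CAfile) are stunnel's own; all paths below are constructed.

# stunnel_missing_files CONF
# Prints every cert/key/CAfile path in CONF that does not exist.
# Returns 0 when all referenced files exist, 1 otherwise.
stunnel_missing_files() {
    conf="$1"
    missing=$(
        # Drop comments, keep only the value of cert/key/CAfile options,
        # then trim trailing whitespace and test each path.
        sed -E -n 's/[;#].*$//; s/^[[:space:]]*(cert|key|CAfile)[[:space:]]*=[[:space:]]*//p' "$conf" |
            sed -E 's/[[:space:]]+$//' |
            while IFS= read -r path; do
                if [ -n "$path" ] && [ ! -e "$path" ]; then
                    printf '%s\n' "$path"
                fi
            done
    )
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# restart_if_ready CONF [RESTART_CMD...]
# Runs the restart command only when every referenced file exists; otherwise
# reports the missing paths on stderr and returns 1 without touching the unit.
# Defaults to "systemctl restart stunnel4"; the demo passes a harmless command.
restart_if_ready() {
    conf="$1"; shift
    if [ "$#" -eq 0 ]; then
        set -- systemctl restart stunnel4
    fi
    if out=$(stunnel_missing_files "$conf"); then
        "$@"
    else
        echo "not restarting stunnel4, missing TLS files:" >&2
        printf '  %s\n' "$out" >&2
        return 1
    fi
}

# make_demo_config DIR
# Constructed config mirroring the report: the CA file exists right after
# installation, the IdP certificate and key are only created by the join.
# Prints the path of the generated config.
make_demo_config() {
    dir="$1"
    mkdir -p "$dir/ssl" "$dir/simplesamlphp"
    : > "$dir/ssl/CAcert.pem"
    cat > "$dir/univention_saml.conf" <<EOF
; constructed sample, not the UCR-generated file
pid = $dir/stunnel.pid
[memcached]
accept  = 127.0.0.1:11212
connect = 127.0.0.1:11211
CAfile  = $dir/ssl/CAcert.pem
cert    = $dir/simplesamlphp/ucs-sso.example.test-ldp-certificate.crt
key     = $dir/simplesamlphp/ucs-sso.example.test-ldp-certificate.key
EOF
    echo "$dir/univention_saml.conf"
}

# simulate_join DIR: create the files the join script would generate.
simulate_join() {
    : > "$1/simplesamlphp/ucs-sso.example.test-ldp-certificate.crt"
    : > "$1/simplesamlphp/ucs-sso.example.test-ldp-certificate.key"
}

# Walk through the two states from the report when run directly.
demo() {
    tmp=$(mktemp -d)
    conf=$(make_demo_config "$tmp")
    echo "== before join (state at the D-I reboot) =="
    restart_if_ready "$conf" echo "would run: systemctl restart stunnel4" || true
    simulate_join "$tmp"
    echo "== after join =="
    restart_if_ready "$conf" echo "would run: systemctl restart stunnel4"
    rm -rf "$tmp"
}
demo
```

The check deliberately tests only existence, not validity; a present but wrong certificate still shows up as a TLS error in journalctl, which is the right place for it. In a join script the natural use is `restart_if_ready /etc/stunnel/univention_saml.conf` right after the certificate files have been written.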
Changes -> OK
stunnel is running after installation -> OK
jenkins -> OK
UCS 5.0 has been released:
https://docs.software-univention.de/release-notes-5.0-0-en.html
https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".