Closed GoogleCodeExporter closed 9 years ago
I am unable to get this to work in Arch unless I run using '-t
--localhost-only'. The
default settings give me an SSL error, and service unavailable.
Original comment by christer...@gmail.com
on 30 May 2010 at 6:22
If I manually create the certificate.pem it works.
Original comment by christer...@gmail.com
on 30 May 2010 at 7:10
Can you please tell me how did you generate certificate.pem? I generated it as
well
via openssl but it still doesn't work... Thank you
Original comment by michal.b...@gmail.com
on 31 May 2010 at 8:31
i created certificate.pam using
openssl req -new -x509 -keyout certificate.pem -out certificate.pem -days 365
-nodes; chmod 600 certificate.pem
but it does not work. any idea? jose
ps: arch linux here too.
Original comment by jose1...@gmail.com
on 1 Aug 2010 at 2:57
I am unfamiliar with Arch, and this sounds a little bit like a problem that is
specific to the Arch distribution. So, there'll only be very limited help that
I can provide.
Normally, ShellInABox is supposed to automatically generate any missing SSL
certificates. You can run it with the --debug command line option to see a
message when it tries to generate the missing certificate.
For example, if you invoked the daemon as "shellinaboxd --debug", you should
see a message that says
Received SNI callback for virtual host "localhost" from "localhost:4200"
Auto-generating missing certificate "certificate-localhost.pem" for "localhost"
This would happen the first time you connect to the server over SSL.
For the time being, I marked this issue as "WontFix", as it doesn't sound as if
there is anything I can do about it. It appears as if this is a configuration
issue in Arch Linux. But should this turn out to be a problem with ShellInABox
itself, feel free to change the status.
Original comment by zod...@gmail.com
on 1 Aug 2010 at 4:23
thank you for your explaining post. i admit this can be (and probably is)
arch's problem but i've no idea what to do in order to fix this. as you
suggested i tried with --debug flag. this is the output:
[root@darkstar ~]# shellinaboxd --debug
Command line: shellinaboxd --debug
Listening on port 4200
Substituting "nobody's" primary group for "nogroup"
Substituting "nobody's" primary group for "nogroup"
Auto-generating missing certificate "certificate.pem" for "darkstar"
Failed to generate self-signed certificate "certificate.pem"
Cannot read valid certificate from "certificate.pem". Check file permissions
and file format.
this is the respective part from strace:
write(2, "Auto-generating missing certific"..., 68) = 68
write(2, "\n", 1) = 1
rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_IGN, [], 0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_PARENT_SETTID|SIGCHLD,
parent_tidptr=0xbf80a934) = 12745
waitpid(12745, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0) = 12745
rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
write(2, "Failed to generate self-signed c"..., 60) = 60
could you please shed some light on what's going on in the above code? thank
you very much for your time and patience,
joe
Original comment by jose1...@gmail.com
on 1 Aug 2010 at 7:30
The idea of looking at "strace" output is definitely good. But I think, you'll
have to give it the "-f" option, if you want to make any sense of what's going
on. We really care why the child process is failing with an exit status of "1".
Original comment by zod...@gmail.com
on 2 Aug 2010 at 5:31
hopefully this will be helpful: http://archlinux.pastebin.com/k9wUyrpx
Original comment by jose1...@gmail.com
on 2 Aug 2010 at 5:57
It appears that the daemon is run with the current directory pointing to
"/root", but the user and group ids are 99 (no idea what that is on "arch",
maybe nobody or maybe a dedicated user for shellinabox).
This user doesn't have access to the "/root" directory. You can fix that by
either starting shellinaboxd from a different directory, or my creating a
suitable directory for the certificates and providing the "--cert" command line
option. The latter is probably the better approach.
Original comment by zod...@gmail.com
on 2 Aug 2010 at 6:26
oh great, this definitely got us further. i can now see that the certificate is
generated (certificate-localhost.pem). for some reason i get the following
error in the browser: Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH):
Unknown error.
Original comment by jose1...@gmail.com
on 2 Aug 2010 at 7:53
The problem is this certificates generate with SSL 2.0 version even I tried by
enabling this on browser it doesn't work well
Original comment by sjkeer...@gmail.com
on 20 Sep 2010 at 3:13
ShellInABox generates certificates with this command line:
openssl req -x509 -nodes -days 7300 -newkey rsa:1024 -keyout /dev/stdout -out
/dev/stdout -subj "/CN=${DOMAIN}/"
I believe, for a lot of parameters OpenSSL looks into the global "openssl.cnf"
file. Maybe, this file defaults to a different set of parameters than what is
commonly used by other OpenSSL installations?
Original comment by zod...@gmail.com
on 20 Sep 2010 at 4:32
Still no clue for the certification error pasted below.
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
Auto-generating missing certificate "certificate.pem" for "keet"
Accepted connection from localhost:52325
Handling "GET" "/"
Compressed response from 4883 to 2099
localhost - - [21/Sep/2010:18:29:44 +0530] "GET / HTTP/1.1" 200 2192
Accepted connection from localhost:52326
Switching to SSL (replaying 0+99 bytes)
Closing connection to localhost:52326
Accepted connection from localhost:52327
Switching to SSL (replaying 0+99 bytes)
Closing connection to localhost:52327
Original comment by sjkeer...@gmail.com
on 21 Sep 2010 at 1:01
[deleted comment]
Finely after a long research I could able to success with https. Just follow
the below instruction you could up shellinabox with https.
The self sign could help us to solve the issue of
(Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.)
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# cat server.crt server.key > certificate.pem
# shellinabox
Then open the browser https://localhost:4200
Thanks,
Keerthi
Original comment by sjkeer...@gmail.com
on 22 Sep 2010 at 11:23
thank you, it works!
Original comment by jose1...@gmail.com
on 23 Sep 2010 at 10:43
I confirm this now works for secure http
Thanks everyone.
Original comment by nik.tett...@gmail.com
on 28 Oct 2010 at 12:37
Can it be fixed? I got "Segmentation fault" but it works when I generate
certificate.pem as stated above.
Original comment by totaliza...@gmail.com
on 16 Jun 2011 at 6:14
Attached is the arch openssl.cnf. Can you post the default for your
distribution?
When I do an "openssl x509 -text" for the certificate that codeinabox generates
vs the instructions in comment 15, the difference is that the codeinabox cert
says version 3 and the comment15 one says version 1. The version3 cert also has
a block for x509 extensions...
Original comment by m...@0x01b.net
on 20 Jul 2011 at 5:24
Attachments:
This seems to happen on distributions other than Arch too. I'm running Ubuntu
Server 11.10 and I'm facing the exact same problem.
Original comment by tomtasche
on 3 Jan 2012 at 9:00
https://github.com/jayschwa/shellinabox/commit/28ff61e1c6b622c565ff7d1b5fbeba306
e937598
I have made an update that seems to resolve the
ERR_SSL_VERSION_OR_CIPHER_MISMATCH issue for me.
Original comment by Jayschwa
on 2 Feb 2012 at 6:27
It'd be nice if this was fixed. I don't know much about ssl yet in order to
make custom solutions like above.
Original comment by TruSktr
on 16 Sep 2013 at 1:51
cd /tmp, then shellinabox works perfect!
Original comment by TruSktr
on 16 Sep 2013 at 1:55
plus 1 Keerthi's answer
Original comment by andym...@gmail.com
on 5 Jun 2014 at 4:38
Original issue reported on code.google.com by
cptl....@gmail.com
on 12 Mar 2010 at 10:10