df1 / shellinabox

Automatically exported from code.google.com/p/shellinabox

Cannot read valid certificate from "certificate.pem". Check file permissions and file format. #214

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Install shellinabox RPM in Fedora 17
2. Start shellinaboxd in root's home directory or any other protected area
3. It will not start, giving the error in the summary.

What is the expected output?

Nothing - the process should run, quietly, as a service.

What do you see instead?

Cannot read valid certificate from "certificate.pem". Check file permissions 
and file format.  

What version of the product are you using? On what operating system?

Fedora 17.  Version of shellinabox from their "updates" channel - i.e. what a 
typical end-user will get using their "Add/Remove Software" utility.

[pbr@fedora ~]$ rpm -qi shellinabox
Name        : shellinabox
Version     : 2.14
Release     : 17.git88822c1f.fc17
Architecture: x86_64
Install Date: Sat 29 Dec 2012 07:02:50 PM CST
Group       : System Environment/Daemons
Size        : 413914
License     : GPLv2
Signature   : RSA/SHA256, Fri 14 Dec 2012 07:31:18 PM CST, Key ID 50e94c991aca3465
Source RPM  : shellinabox-2.14-17.git88822c1f.fc17.src.rpm
Build Date  : Fri 14 Dec 2012 04:49:48 AM CST
Build Host  : buildvm-28.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/pythonanywhere/shellinabox_fork
Summary     : Web based AJAX terminal emulator
Description :
Shell In A Box implements a web server that can export arbitrary command line
tools to a web based terminal emulator. This emulator is accessible to any
JavaScript and CSS enabled web browser and does not require any additional
browser plugins.

Please provide any additional information below.

->  I believe all that would be needed would be for the service to action a "cd 
/tmp" early on in its initialization, to resolve this.

-> note the "URL" from the rpm info - the guys doing that fork were surprised 
to learn they're the "go-to URL" for the Fedora package.  You might want to 
reach out to Fedora to get that fixed.

Let me know if anything else is required.

Happy to help!
-PBR
http://reiber.org

Original issue reported on code.google.com by reiber on 31 Dec 2012 at 1:42

GoogleCodeExporter commented 9 years ago
Hello, this is a Fedora issue, so the bug should not be opened here but instead 
in bugzilla.

Shellinabox in Fedora runs from systemd:

[root@3zpc0560 ~]# systemctl status shellinaboxd.service
shellinaboxd.service - Shell In A Box daemon
      Loaded: loaded (/usr/lib/systemd/system/shellinaboxd.service; disabled)
      Active: active (running) since Wed, 09 Jan 2013 11:21:36 +0100; 3s ago
        Docs: man:shellinaboxd(1)
    Main PID: 6351 (shellinaboxd)
      CGroup: name=systemd:/system/shellinaboxd.service
          ├ 6351 /usr/sbin/shellinaboxd -u shellinabox -g shellinabox --cert=/var/lib/shellinabox --port=4200 --disable-ssl-menu -s /:LOGIN
          └ 6352 /usr/sbin/shellinaboxd -u shellinabox -g shellinabox --cert=/var/lib/shellinabox --port=4200 --disable-ssl-menu -s /:LOGIN

[root@3zpc0560 ~]# ls -al /var/lib/shellinabox/
total 12
drwxr-x---.  2 shellinabox shellinabox 4096 Jan  9 11:21 .
drwxr-xr-x. 61 root        root        4096 Jan  9 11:21 ..
-rw-------.  1 shellinabox shellinabox 2851 Jan  9 11:21 certificate.pem

If you want to run the daemon from another directory and not through systemd, 
you have to pass the "--cert=" parameter to it to point to the certificate file.

"/sbin/shellinaboxd" is not a script but a binary, so there's no way to put a 
"cd /tmp" anywhere.

Regards,
--Simone

Original comment by negativ...@gmail.com on 9 Jan 2013 at 10:30

GoogleCodeExporter commented 9 years ago
Hi!

This was an end-user issue - I had no idea systemctl knew about shellinaboxd.

Maybe a little documentation on the package would help - possibly as simple as 
adding "This service is managed via systemctl" to the package description.

Thanks for your help - please consider this matter closed.

Original comment by reiber on 9 Jan 2013 at 9:20

GoogleCodeExporter commented 9 years ago
Changing dir to tmp, the shellinabox worked. But is this unsafe if other users 
can peek into /tmp? Maybe shellinabox can create a folder in /tmp, apply secure 
permissions, then create the certificate?

Original comment by TruSktr on 16 Sep 2013 at 1:57
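
The permission layout shown in the `ls -al /var/lib/shellinabox/` listing above, and the private-directory idea raised in this comment, written as a shell check (an added example, not part of the original thread or of shellinabox). The function names `audit_cert_dir` and `make_private_cert_dir` are hypothetical, and `stat -c` assumes GNU coreutils as on Fedora.

```shell
#!/bin/sh
# Added example (not shellinabox code): audit a directory meant for --cert=.
# Target layout comes from the `ls -al /var/lib/shellinabox/` output above:
# directory closed to "other" and not group-writable, certificate.pem 0600.

# audit_cert_dir DIR [OWNER]: print findings; return 0 if clean, 1 if not.
audit_cert_dir() {
    dir=$1
    owner=${2:-}
    pem="$dir/certificate.pem"
    rc=0

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # stat -c is GNU coreutils (Fedora); %a is the octal mode, e.g. 750.
    dmode=$(stat -c '%a' "$dir")
    if [ $(( 0$dmode & 027 )) -ne 0 ]; then
        echo "FAIL: $dir mode $dmode lets group write or others in"
        rc=1
    fi

    if [ -L "$pem" ] || [ ! -f "$pem" ]; then
        # A symlink here could have been planted in a shared directory.
        echo "FAIL: $pem is missing or not a regular file"
        return 1
    fi

    fmode=$(stat -c '%a' "$pem")
    if [ $(( 0$fmode & 077 )) -ne 0 ]; then
        echo "FAIL: $pem mode $fmode is accessible beyond its owner"
        rc=1
    fi

    if [ -n "$owner" ] && [ "$(stat -c '%U' "$pem")" != "$owner" ]; then
        echo "FAIL: $pem is not owned by $owner"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# make_private_cert_dir: create a fresh 0700 directory under $TMPDIR (or /tmp)
# and print its path; mktemp -d picks an unpredictable name atomically.
make_private_cert_dir() {
    mktemp -d "${TMPDIR:-/tmp}/shellinabox.XXXXXX"
}
```

The directory printed by `make_private_cert_dir` can be passed with `--cert=` in the same way as the systemd command line quoted earlier, and `audit_cert_dir` can be run against it once `certificate.pem` exists.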

GoogleCodeExporter commented 9 years ago
Running "systemctl start shellinaboxd.service" runs, but trying to connect to 
it with https results in "(Error code: ssl_error_rx_record_too_long)".

Visiting http://localhost:4200 (no ssl) results in "Session closed.". I can 
press the "Connect" button multiple times until finally it connects. It'll 
refresh the page each time showing the "Session closed." message before finally 
connecting after a random number of clicks on the Connect button.

Original comment by TruSktr on 16 Sep 2013 at 2:05