h2o / h2o

H2O - the optimized HTTP/1, HTTP/2, HTTP/3 server
https://h2o.examp1e.net
MIT License
10.9k stars, 847 forks

OCSP cannot stat initial working directory #282

Closed ghost closed 9 years ago

ghost commented 9 years ago

We build H2O on a source development machine and move the binaries to a production test machine. Since the source build directory is not on the production test boxes the OCSP script prints a "cannot stat initial working directory" error. Using /tmp or /var/tmp as a working directory would alleviate this error.

cat /var/log/h2o_error.log 

Filehandle STDIN reopened as  only for output at /usr/local/share/h2o/start_server line 9.
starting new worker 75045
[INFO] raised RLIMIT_NOFILE to 203904
h2o server (pid:75045) is ready to serve requests
fetch-ocsp-response (using OpenSSL 1.0.1l-freebsd 15 Jan 2015)
sending OCSP request to http://ocsp.comodoca.com
/ssl_keys/example.org_ssl.crt: good
        This Update: Apr 10 08:10:04 2015 GMT
        Next Update: Apr 14 08:10:04 2015 GMT
verifying the response signature
verify OK (used: -VAfile /tmp/NROPyngWfx/issuer.crt)
[OCSP Stapling] successfully updated the response for certificate file:/ssl_keys/example.org_ssl.crt

fetch-ocsp-response (using OpenSSL 1.0.1l-freebsd 15 Jan 2015)
sending OCSP request to http://ocsp.comodoca.com
/ssl_keys/example.org_ssl.crt: good
        This Update: Apr 11 19:06:39 2015 GMT
        Next Update: Apr 15 19:06:39 2015 GMT
verifying the response signature
verify OK (used: -VAfile /tmp/J2meOOcrhT/issuer.crt)
cannot stat initial working directory for /storage/builds/h2o: Permission denied at /usr/local/lib/perl5/5.18/File/Temp.pm line 921.
[OCSP Stapling] successfully updated the response for certificate file:/ssl_keys/example.org_ssl.crt

fetch-ocsp-response (using OpenSSL 1.0.1l-freebsd 15 Jan 2015)
sending OCSP request to http://ocsp.comodoca.com
/ssl_keys/example.org_ssl.crt: good
        This Update: Apr 13 04:10:41 2015 GMT
        Next Update: Apr 17 04:10:41 2015 GMT
verifying the response signature
verify OK (used: -VAfile /tmp/u1_COh_tnA/issuer.crt)
cannot stat initial working directory for /storage/builds/h2o: Permission denied at /usr/local/lib/perl5/5.18/File/Temp.pm line 921.
[OCSP Stapling] successfully updated the response for certificate file:/ssl_keys/example.org_ssl.crt
# version: github pull on Thurs April 13, 2015 @ 0739 GMT
root@NIFON:  /usr/local/bin/h2o -v
h2o version 1.1.2-alpha1

kazuho commented 9 years ago

@Tintinabula Looking at the error message and the source code of File::Path, which is reporting the error, it seems that:

Are these assumptions correct? If that is the case, please either change the current working directory to somewhere else (that is accessible by the running user), or change the permissions of the directory so that it becomes accessible by the running user.

EDIT: The relevant parts of File::Path are File/Path.pm line 218 and line 249. In line 218 the library is calling getcwd, which returns /storage/builds/h2o, and in line 248 it is failing to obtain the information of the directory by lstat.

ghost commented 9 years ago

@kazuho , this ticket can be closed. I understand now.

The assumptions were correct. H2O is built on the development machines and the compiled code is moved to the production machines in /storage/builds/h2o. The /storage/builds/h2o directory is owned by root with 700 permissions. After running "make install", the H2O daemon is started and /storage/builds/h2o is still in the directory tree, but not readable by the H2O daemon user. The root-only permissions caused the "cannot stat initial working directory" error.

The fix in our situation is to install the H2O binary and tools and remove the source build directory, /storage/builds/h2o. H2O starts without issue and the OCSP tool does not report any errors.

starting new worker 86222
[INFO] raised RLIMIT_NOFILE to 203904
h2o server (pid:86222) is ready to serve requests
fetch-ocsp-response (using OpenSSL 1.0.1l-freebsd 15 Jan 2015)
sending OCSP request to http://ocsp.comodoca.com
/ssl_keys/example.org_ssl.crt: good
        This Update: Apr 13 04:10:41 2015 GMT
        Next Update: Apr 17 04:10:41 2015 GMT
verifying the response signature
verify OK (used: -VAfile /tmp/8SKZXrZikR/issuer.crt)
[OCSP Stapling] successfully updated the response for certificate file:/ssl_keys/example.org_ssl.crt

fetch-ocsp-response (using OpenSSL 1.0.1l-freebsd 15 Jan 2015)
sending OCSP request to http://ocsp.comodoca.com
/ssl_keys/example.org_ssl.crt: good
        This Update: Apr 14 14:04:04 2015 GMT
        Next Update: Apr 18 14:04:04 2015 GMT
verifying the response signature
verify OK (used: -VAfile /tmp/qN7EK1lxlO/issuer.crt)
[OCSP Stapling] successfully updated the response for certificate file:/ssl_keys/example.org_ssl.crt

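The thread above pins the error on File::Path's cleanup, which does lstat on the initial working directory from a process that has already dropped to the unprivileged server user, so every component of that directory (itself included) must be searchable by that user. The check below is an added example, not code from h2o or fetch-ocsp-response: it walks the working directory's path components, applies the owner/group/other search-bit rule for a given uid and group set, reports the first component that would fail, and picks a fallback directory (the two remedies kazuho suggested, as a preflight instead of a runtime surprise). The `REPORTED_TREE` table is a constructed model of the reporter's layout (root-owned, mode 0700 build directory), and the uid 1001 server user is hypothetical.

```python
#!/usr/bin/env python3
"""Preflight check for the failure in this issue: File::Temp's cleanup does
lstat('.') from the server's initial working directory, so every component of
that directory (itself included) must be searchable by the user the server
runs as.  Added example, not h2o's or fetch-ocsp-response's own code."""
import os
import stat
from typing import Callable, Iterable, List, NamedTuple, Optional


class DirInfo(NamedTuple):
    mode: int  # permission bits only (stat.S_IMODE)
    uid: int
    gid: int


def ancestors(path: str) -> List[str]:
    """'/storage/builds/h2o' -> ['/', '/storage', '/storage/builds', '/storage/builds/h2o']."""
    path = os.path.normpath(os.path.abspath(path))
    out, cur = ["/"], ""
    for part in [p for p in path.split("/") if p]:
        cur = cur + "/" + part
        out.append(cur)
    return out


def user_can_search(info: DirInfo, uid: int, gids: Iterable[int]) -> bool:
    """Classic owner/group/other rule for the search (x) bit; uid 0 bypasses it."""
    if uid == 0:
        return True
    if info.uid == uid:
        return bool(info.mode & stat.S_IXUSR)
    if info.gid in set(gids):
        return bool(info.mode & stat.S_IXGRP)
    return bool(info.mode & stat.S_IXOTH)


def real_dirinfo(path: str) -> DirInfo:
    """Look a directory up on the live filesystem."""
    st = os.stat(path)
    return DirInfo(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def first_blocking_component(cwd: str, uid: int, gids: Iterable[int],
                             dirinfo: Callable[[str], DirInfo] = real_dirinfo) -> Optional[str]:
    """First path component the user cannot search, or None when lstat('.') would succeed."""
    gids = list(gids)
    for comp in ancestors(cwd):
        if not user_can_search(dirinfo(comp), uid, gids):
            return comp
    return None


def choose_working_dir(cwd: str, uid: int, gids: Iterable[int], fallback: str = "/",
                       dirinfo: Callable[[str], DirInfo] = real_dirinfo) -> str:
    """Keep cwd if the unprivileged user can stat it, otherwise chdir to fallback before starting."""
    return cwd if first_blocking_component(cwd, uid, list(gids), dirinfo) is None else fallback


# Constructed model of the reporter's layout: build directory owned by root, mode 0700.
REPORTED_TREE = {
    "/": DirInfo(0o755, 0, 0),
    "/storage": DirInfo(0o755, 0, 0),
    "/storage/builds": DirInfo(0o755, 0, 0),
    "/storage/builds/h2o": DirInfo(0o700, 0, 0),
}

if __name__ == "__main__":
    daemon_uid, daemon_gids = 1001, [1001]  # hypothetical unprivileged server user
    lookup = REPORTED_TREE.__getitem__
    print("reported layout, blocked at:",
          first_blocking_component("/storage/builds/h2o", daemon_uid, daemon_gids, dirinfo=lookup))
    print("would start in:",
          choose_working_dir("/storage/builds/h2o", daemon_uid, daemon_gids, dirinfo=lookup))
    # Same check against this process's own working directory on the live filesystem.
    print("live cwd", os.getcwd(), "blocked at:",
          first_blocking_component(os.getcwd(), daemon_uid, daemon_gids))
```

Run it from the directory the server will be started in, with the uid and groups of the user it drops to; a non-None result is the component to chmod (or the reason to chdir somewhere like / before starting). Note that the check only models plain mode bits, not ACLs or mount options, so a clean result on an ACL-restricted tree is still worth confirming with a real stat as that user.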
kazuho commented 9 years ago

:+1: