Closed vitoyucepi closed 1 year ago
Thanks for reporting. This is fixed now. The error when the file could not be found was already improved but buried under the other one. I added an error when the file cannot be read and also fixed the subsequent error.
Typically, the error now looks like:
Some exceptions may not be caught.

```
2023/05/15 23:01:16 [clock.main:2] Error when starting input.harbor_0: SSL: Privte key error: error:0908F066:PEM routines:get_header_and_data:bad end line!
2023/05/15 23:01:16 [clock.main:4] Raised by primitive operation at Builtins_ssl.server in file "src/core/builtins/builtins_ssl.ml", line 58, characters 4-57
2023/05/15 23:01:16 [clock.main:4] Called from Harbor.Make.open_port in file "src/core/harbor/harbor.ml", line 1007, characters 17-33
2023/05/15 23:01:16 [clock.main:4] Called from Harbor.Make.get_handler in file "src/core/harbor/harbor.ml", line 1128, characters 17-53
2023/05/15 23:01:16 [clock.main:4] Called from Harbor.Make.add_source in file "src/core/harbor/harbor.ml", line 1141, characters 20-57
2023/05/15 23:01:16 [clock.main:4] Called from Harbor_input.http_input_server#wake_up in file "src/core/sources/harbor_input.ml", line 151, characters 6-94
2023/05/15 23:01:16 [clock.main:4] Called from Source.operator#get_ready in file "src/core/source.ml", line 514, characters 8-31
2023/05/15 23:01:16 [clock.main:4] Called from Clock.MkClock.clock#start_outputs.(fun) in file "src/core/clock.ml", line 370, characters 18-45
2023/05/15 23:01:16 [clock.main:4]
```
> Furthermore, could you explain why two errors are triggered when the harbor is defined and sent to the output instead of just one?
>
> Some exceptions may not be caught.
>
> ```
> 2023/05/15 23:01:16 [clock.main:2] Error when starting input.harbor_0: SSL: Privte key error: error:0908F066:PEM routines:get_header_and_data:bad end line!
> 2023/05/15 23:01:16 [clock.main:4] Raised by primitive operation at Builtins_ssl.server in file "src/core/builtins/builtins_ssl.ml", line 58, characters 4-57
> 2023/05/15 23:01:16 [clock.main:4] Called from Harbor.Make.open_port in file "src/core/harbor/harbor.ml", line 1007, characters 17-33
> 2023/05/15 23:01:16 [clock.main:4] Called from Harbor.Make.get_handler in file "src/core/harbor/harbor.ml", line 1128, characters 17-53
> 2023/05/15 23:01:16 [clock.main:4] Called from Harbor.Make.add_source in file "src/core/harbor/harbor.ml", line 1141, characters 20-57
> 2023/05/15 23:01:16 [clock.main:4] Called from Harbor_input.http_input_server#wake_up in file "src/core/sources/harbor_input.ml", line 151, characters 6-94
> 2023/05/15 23:01:16 [clock.main:4] Called from Source.operator#get_ready in file "src/core/source.ml", line 514, characters 8-31
> 2023/05/15 23:01:16 [clock.main:4] Called from Clock.MkClock.clock#start_outputs.(fun) in file "src/core/clock.ml", line 370, characters 18-45
> 2023/05/15 23:01:16 [clock.main:4]
> ```

This looks fine. This is a legit error with a descriptive explanation. It's happening inside the streaming loop so there isn't really a reason to re-raise it as a runtime error since it cannot be caught and should be treated as a fatal error.
> Furthermore, could you explain why two errors are triggered when the harbor is defined and sent to the output instead of just one?

Do you have context or logs?
Config

```liquidsoap
ssl_transport = http.transport.ssl(
  certificate="cert.pem",
  key="key.pem",
)
live = input.harbor(
  "live",
  transport=ssl_transport,
  port=8005,
  password="test",
)
output.dummy(live, fallible=true)
```

```shell
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365 -subj '/CN=localhost' -nodes
chmod 0000 key.pem
```
`input.harbor` is an active source so it is actively animated by its clock. For all intents and purposes, it acts as an output w.r.t. the clock. The current initialization loop in clocks does try to initialize all "outputs" so `input.harbor` is asked to get ready twice, once on its own and once through the output.

The code for `get_ready` is able to detect if a source is asked multiple times to get ready and only execute once. However, it does not account for a failure to get ready the first time, which explains the double exception here.

This should be changed but this will have to wait for the next major release cycle during which we plan on rewriting the whole streaming API.
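The two-caller behaviour described above, as an added illustration in Python that is not Liquidsoap's code: a `get_ready` guard that marks the source ready only after its wake-up step succeeds lets the second caller re-run a failed initialisation and report the same error a second time, whereas a guard that remembers the failure runs the broken step once and gives the second caller a short error pointing at the first. `NaiveSource`, `FailureAwareSource`, `start_outputs`, `broken_wake_up` and `run` are hypothetical names; the exception raised is a constructed stand-in for the SSL key error in the log.

```python
from typing import Callable, List, Optional, Tuple


class NaiveSource:
    """Marks itself ready only after wake_up succeeds.

    If wake_up raises, nothing is recorded, so the next caller runs the
    same broken wake_up again and the same error is reported twice."""

    def __init__(self, wake_up: Callable[[], None]) -> None:
        self._wake_up = wake_up
        self._ready = False
        self.wake_up_calls = 0

    def get_ready(self) -> None:
        if self._ready:
            return
        self.wake_up_calls += 1
        self._wake_up()            # may raise; _ready stays False on failure
        self._ready = True


class FailureAwareSource:
    """Remembers the first failure instead of retrying it.

    The first caller gets the real error with its full context; later
    callers get a short error that points at the original failure."""

    def __init__(self, wake_up: Callable[[], None]) -> None:
        self._wake_up = wake_up
        self._ready = False
        self._failure: Optional[Exception] = None
        self.wake_up_calls = 0

    def get_ready(self) -> None:
        if self._ready:
            return
        if self._failure is not None:
            raise RuntimeError(
                f"source already failed to get ready: {self._failure}"
            ) from self._failure
        self.wake_up_calls += 1
        try:
            self._wake_up()
        except Exception as exc:   # record it, then let it surface once
            self._failure = exc
            raise
        self._ready = True


def start_outputs(activators: List[Callable[[], None]]) -> List[str]:
    """Stand-in for the clock's start-up loop: every activator is one caller
    of get_ready. Returns the error messages that reached the clock."""
    errors = []
    for activate in activators:
        try:
            activate()
        except Exception as exc:
            errors.append(f"{type(exc).__name__}: {exc}")
    return errors


def broken_wake_up() -> None:
    # Constructed stand-in for the SSL key failure seen in the thread's log.
    raise OSError("Private key error: bad end line (constructed)")


def run(source_cls) -> Tuple[int, List[str]]:
    """Start one source through both of its callers: the clock animating the
    active source itself, and the output that consumes it. Returns the number
    of wake_up runs and the errors the clock collected."""
    src = source_cls(broken_wake_up)
    errors = start_outputs([src.get_ready, src.get_ready])
    return src.wake_up_calls, errors


if __name__ == "__main__":
    for cls in (NaiveSource, FailureAwareSource):
        calls, errs = run(cls)
        print(f"{cls.__name__}: wake_up ran {calls}x, {len(errs)} error(s)")
        for e in errs:
            print("   ", e)
```

With the naive guard the broken wake-up runs twice and the clock logs the identical error twice; with the failure-aware guard it runs once, the full error is logged once, and the second activation is a one-line pointer back to it.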
> This looks fine. This is a legit error with a descriptive explanation. It's happening inside the streaming loop so there isn't really a reason to re-raise it as a runtime error since it cannot be caught and should be treated as a fatal error.
But where does it happen? One of the keys is broken, but which one?
This is caused by removing the last line from the key file. Everything is left the same.
Config

```liquidsoap
ssl_transport = http.transport.ssl(
  certificate="cert.pem",
  key="key.pem",
)
live = input.harbor(
  "live",
  transport=ssl_transport,
  port=8005,
  password="test",
)
output.dummy(live, fallible=true)
```

```shell
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365 -subj '/CN=localhost' -nodes
sed 's/-----END PRIVATE KEY-----//' -i key.pem
sed '5d' -i key.pem
```
Both errors are the same. I believe your key is considered invalid by `libssl`/`openssl` if it is missing the last line.
Also, the error says the private key is invalid:

```
Privte key error: error:0908F066:PEM routines:get_header_and_data:bad end line!
```

That seems pretty clear to me.
```
Privte key error: error:0200100D:system library:fopen:Permission denied!
Privte key error: error:0908F066:PEM routines:get_header_and_data:bad end line!
Privte key error: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long!
```
The first one is caught, while the rest are not.
I'd like to see the position and file path for all of them.
```
Error when starting input.harbor_0: Lang.Runtime_error { kind: "not_found", msg: "Cannot read SSL key file! Given path: key.pem, resolved path: /home/debian/key.pem", pos: [at 1.liq, line 3 char 16 - line 6 char 1] }!
```
Internal exceptions like that are triggered in parts that are not script. There's a function to map them to runtime errors, `Lang.raise_as_runtime`, but it reports the stack traces as ML files. I think that this can be equally confusing to the user, who may or may not know what OCaml is. Besides, it would report the same info that is currently reported in the log and wouldn't be catchable, so I'm not sure exactly what this would add.
Is it possible to show which cert/key caused this error?
```
nginx: [emerg] cannot load certificate key "/etc/nginx/key.pem": PEM_read_bio_PrivateKey() failed (SSL: error:1E08010C:DECODER routines::unsupported:No supported data to decode. Input type: PEM error:0680009B:asn1 encoding routines::too long error:06800066:asn1 encoding routines::bad object header error:0688010A:asn1 encoding routines::nested asn1 error:Type=PKCS8_PRIV_KEY_INFO)
```

```
Traceback (most recent call last):
  File "/tmp/1.py", line 7, in <module>
    httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="./key.pem", certfile="./cert.pem", server_side=True)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1443, in wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3921)
```
Describe the bug
Liquidsoap will terminate with numerous errors if the SSL certificate or key is inaccessible or damaged.
Permission denied 1

```
2023/05/15 21:36:17 [clock.main:2] Error when starting input.harbor_0: SSL: Privte key error: error:0200100D:system library:fopen:Permission denied!
2023/05/15 21:36:17 [clock.main:4] Raised by primitive operation at Builtins_ssl.server in file "src/core/builtins/builtins_ssl.ml", line 58, characters 4-57
2023/05/15 21:36:17 [clock.main:4] Called from Harbor.Make.open_port in file "src/core/harbor/harbor.ml", line 1007, characters 17-33
2023/05/15 21:36:17 [clock.main:4] Called from Harbor.Make.get_handler in file "src/core/harbor/harbor.ml", line 1128, characters 17-53
2023/05/15 21:36:17 [clock.main:4] Called from Harbor.Make.add_source in file "src/core/harbor/harbor.ml", line 1141, characters 20-57
2023/05/15 21:36:17 [clock.main:4] Called from Source.operator#get_ready in file "src/core/source.ml", line 514, characters 8-31
2023/05/15 21:36:17 [clock.main:4] Called from Clock.MkClock.clock#start_outputs.(fun) in file "src/core/clock.ml", line 370, characters 18-45
2023/05/15 21:36:17 [clock.main:4]
```

Not found 1

```
2023/05/15 21:36:17 [clock:2] Error when leaving output input.harbor_0: Not_found!
2023/05/15 21:36:17 [clock:4] Raised at Stdlib__Hashtbl.find in file "hashtbl.ml", line 539, characters 13-28
2023/05/15 21:36:17 [clock:4] Called from Harbor.Make.remove_source in file "src/core/harbor/harbor.ml", line 1152, characters 30-60
2023/05/15 21:36:17 [clock:4] Called from Source.operator#leave in file "src/core/source.ml", line 557, characters 8-18
2023/05/15 21:36:17 [clock:4] Called from Clock.leave in file "src/core/clock.ml", line 104, characters 6-44
2023/05/15 21:36:17 [clock:4]
```

Permission denied 2

```
2023/05/15 21:36:17 [clock.main:2] Error when starting dummy: SSL: Privte key error: error:0200100D:system library:fopen:Permission denied!
2023/05/15 21:36:17 [clock.main:4] Raised by primitive operation at Builtins_ssl.server in file "src/core/builtins/builtins_ssl.ml", line 58, characters 4-57
2023/05/15 21:36:17 [clock.main:4] Called from Harbor.Make.open_port in file "src/core/harbor/harbor.ml", line 1007, characters 17-33
2023/05/15 21:36:17 [clock.main:4] Called from Harbor.Make.get_handler in file "src/core/harbor/harbor.ml", line 1128, characters 17-53
2023/05/15 21:36:17 [clock.main:4] Called from Harbor.Make.add_source in file "src/core/harbor/harbor.ml", line 1141, characters 20-57
2023/05/15 21:36:17 [clock.main:4] Called from Source.operator#get_ready in file "src/core/source.ml", line 514, characters 8-31
2023/05/15 21:36:17 [clock.main:4] Called from Output.output#wake_up in file "src/core/outputs/output.ml", line 122, characters 6-57
2023/05/15 21:36:17 [clock.main:4] Called from Source.operator#get_ready in file "src/core/source.ml", line 514, characters 8-31
2023/05/15 21:36:17 [clock.main:4] Called from Clock.MkClock.clock#start_outputs.(fun) in file "src/core/clock.ml", line 370, characters 18-45
2023/05/15 21:36:17 [clock.main:4]
```

Not found 2

```
2023/05/15 21:36:17 [clock:2] Error when leaving output dummy: Not_found!
2023/05/15 21:36:17 [clock:4] Raised at Stdlib__Hashtbl.find in file "hashtbl.ml", line 539, characters 13-28
2023/05/15 21:36:17 [clock:4] Called from Harbor.Make.remove_source in file "src/core/harbor/harbor.ml", line 1152, characters 30-60
2023/05/15 21:36:17 [clock:4] Called from Source.operator#leave in file "src/core/source.ml", line 557, characters 8-18
2023/05/15 21:36:17 [clock:4] Called from Source.operator#leave in file "src/core/source.ml", line 557, characters 8-18
2023/05/15 21:36:17 [clock:4] Called from Clock.leave in file "src/core/clock.ml", line 104, characters 6-44
2023/05/15 21:36:17 [clock:4]
```

To Reproduce

```shell
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365 -subj '/CN=localhost' -nodes
chmod 0000 key.pem
```
Config
Expected behavior
I think these errors are not very informative. If there is an error regarding file permissions, the exact file location should be shown. The only error message that should appear is the Permission denied-related one.
Version details
Install method
Deb package from liquidsoap releases at github
Common issues
3067
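One way to get the "exact file location" the expected-behavior section asks for, and the per-file position the reporter asks for in the thread, as an added example in Python that is not Liquidsoap's code: a pre-flight check run over the certificate and key paths before the server starts. It reproduces the thread's failure modes on constructed input and reports the resolved path next to the kind of problem: a missing file, a key whose `-----END PRIVATE KEY-----` line was removed (the `sed 's/-----END PRIVATE KEY-----//'` variant), and a key with a line cut out of its body (the `sed '5d'` variant, which surfaces as an ASN.1 length mismatch). `classify_pem`, `check_pem_file`, `make_sample_key`, `demo` and `SAMPLE_DER` are hypothetical names; the structural checks are an approximation of what the PEM parser in libssl rejects, not a reimplementation of it, and the `chmod 0000` case is only routed to a `permission_denied` status rather than demonstrated, because mode bits do not stop a root user from reading the file.

```python
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, Optional

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def _der_length(der: bytes) -> Optional[int]:
    """Total size (header + content) the outer DER object claims, or None."""
    if len(der) < 2:
        return None
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def classify_pem(data: bytes) -> Dict[str, str]:
    """Structural check of one PEM file's bytes (approximation of libssl's checks)."""
    try:
        lines = [ln.strip() for ln in data.decode("ascii").splitlines() if ln.strip()]
    except UnicodeDecodeError:
        return {"status": "not_pem", "detail": "non-ASCII bytes, not a PEM file"}
    if not lines:
        return {"status": "not_pem", "detail": "file is empty"}
    begin = _BEGIN.match(lines[0])
    if not begin:
        return {"status": "bad_begin_line", "detail": f"first line is {lines[0]!r}"}
    label = begin.group(1)
    end = _END.match(lines[-1]) if len(lines) > 1 else None
    if not end or end.group(1) != label:
        # The deleted END line from the thread lands here.
        return {"status": "bad_end_line",
                "detail": f"last line is {lines[-1]!r}, expected '-----END {label}-----'"}
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        return {"status": "bad_base64", "detail": f"body is not valid base64: {exc}"}
    # The body must be one DER SEQUENCE whose declared size matches what was
    # decoded; a deleted body line (the thread's sed '5d') leaves it short.
    declared = _der_length(der)
    if not der or der[0] != 0x30 or declared != len(der):
        return {"status": "bad_asn1",
                "detail": f"DER header declares {declared} bytes, body has {len(der)}"}
    return {"status": "ok", "detail": f"PEM block '{label}', {len(der)} DER bytes"}


def check_pem_file(path: str) -> Dict[str, str]:
    """Read and classify one file, always reporting given and resolved paths."""
    try:
        with open(path, "rb") as fh:
            result = classify_pem(fh.read())
    except FileNotFoundError:
        result = {"status": "not_found", "detail": "no such file"}
    except PermissionError:          # what chmod 0000 produces for a non-root user
        result = {"status": "permission_denied", "detail": "file exists but cannot be read"}
    except OSError as exc:
        result = {"status": "os_error", "detail": str(exc)}
    result["given_path"] = path
    result["resolved_path"] = os.path.abspath(path)
    return result


# Constructed stand-in for a key: a DER SEQUENCE holding 200 zero bytes.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(200)


def make_sample_key(der: bytes, label: str = "PRIVATE KEY") -> str:
    """Wrap DER bytes as PEM text with 64-column base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


def demo() -> Dict[str, Dict[str, str]]:
    """Check the constructed variants in a temp dir; returns name -> result."""
    good = make_sample_key(SAMPLE_DER)
    variants = {
        "good": good,
        # sed 's/-----END PRIVATE KEY-----//' -i key.pem
        "no_end_line": good.replace("-----END PRIVATE KEY-----", ""),
        # sed '5d' -i key.pem  (drops the fourth base64 line)
        "line_5_deleted": "\n".join(ln for i, ln in enumerate(good.splitlines()) if i != 4) + "\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in variants.items():
            path = os.path.join(tmp, f"{name}.pem")
            with open(path, "w") as fh:
                fh.write(text)
            results[name] = check_pem_file(path)
        results["missing"] = check_pem_file(os.path.join(tmp, "does-not-exist.pem"))
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:15} {r['status']:18} {r['resolved_path']}  {r['detail']}")
```

Running `check_pem_file` on both `certificate` and `key` before opening the port gives one line per file with its resolved path and a status, which answers "which one is broken" without relying on the stack trace; a real deployment would still hand the files to the TLS library afterwards, since these checks only cover the PEM envelope and the outer DER length, not the key material itself.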