[stunnel-users] An issue with chroot, mail.pem and OmniOS/illumos (SunOS)
olaf.lists at gmail.com
Sun Oct 13 23:10:26 CEST 2013
I have been trying to set up stunnel to encrypt an SMTP connection.
The config of the encryption should be fine; I already used it on another OS, but I cannot get stunnel to start on my home server, based on OmniOS (kernel illumos), identified as "SunOS".
This is my config:
chroot = /opt/omni/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
;pid = /opt/omni/var/lib/stunnel/stunnel.pid
; Certificate/key is needed in server mode and optional in client mode
cert = /opt/omni/etc/stunnel/mail.pem
;key = /opt/omni/etc/stunnel/mail.pem
accept = localhost:11125
client = yes
connect = ssl0.ovh.net:465
;delay = yes
and the directories mentioned have the following permissions:
OmniOS-Xeon:~ $ ls -al /opt/omni/etc/stunnel/
drwxr-xr-x 2 root bin 5 Sep 24 23:26 .
drwxr-xr-x 5 root bin 6 Sep 23 23:53 ..
-rw------- 1 root bin 3050 Sep 24 23:25 mail.pem
-rw-r--r-- 1 stunnel stunnel 3247 Oct 13 22:56 stunnel.conf
-rw-r--r-- 1 root bin 2997 Sep 23 23:53 stunnel.conf-sample
OmniOS-Xeon:~ $ ls -al /opt/omni/var/lib/
drwxr-xr-x 3 root bin 3 Sep 23 23:53 .
drwxr-xr-x 4 root bin 4 Sep 23 23:53 ..
drwx------ 2 stunnel stunnel 2 Sep 23 23:53 stunnel
The service is started from the SMF facility provided by Solaris/OmniOS/..., which launches the following as root/root:
On execution I get the following error message:
Initializing service section [smtp-tls-wrapper]
Error reading certificate file: /opt/omni/etc/stunnel/mail.pem
error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
SSL_CTX_use_certificate_chain_file: 200100D: error:0200100D:system library:fopen:Permission denied
str_stats: 9 block(s), 1032 data byte(s), 522 control byte(s)
I must be overlooking something but I cannot see my mistake.
Could you please help me?
Thank you very much in advance!
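Added check, not part of the original post or of stunnel itself: it reads the posted global options and the posted `ls -al` lines and reports, for each configured cert/key path, whether root and the configured `setuid`/`setgid` identity can open the file under plain owner/group/other mode bits. Under the posted values, mail.pem (mode 0600, root:bin) is readable by root but not by `nobody`, which is the kind of mismatch a `fopen: Permission denied` on the certificate is worth checking against.

```python
# Constructed from the posted config and `ls -al` output (not the poster's files).
STUNNEL_CONF = """\
chroot = /opt/omni/var/lib/stunnel/
setuid = nobody
setgid = nogroup
cert = /opt/omni/etc/stunnel/mail.pem
;key = /opt/omni/etc/stunnel/mail.pem
client = yes
"""
LS_OUTPUT = """\
-rw------- 1 root bin 3050 Sep 24 23:25 mail.pem
-rw-r--r-- 1 stunnel stunnel 3247 Oct 13 22:56 stunnel.conf
"""

def parse_conf(text):
    """Global options as a dict; ';' starts a comment, as in stunnel.conf."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith((";", "[")):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def parse_ls(text):
    """Map basename -> (mode string, owner, group) from `ls -l` lines."""
    rows = [ln.split() for ln in text.splitlines() if ln.startswith("-")]
    return {f[-1]: (f[0], f[2], f[3]) for f in rows if len(f) >= 9}

def can_read(mode, owner, group, user, user_groups):
    """Classic owner/group/other read check; root bypasses the mode bits."""
    if user == "root":
        return True
    if user == owner:
        return mode[1] == "r"
    if group in user_groups:
        return mode[4] == "r"
    return mode[7] == "r"

def check_cert_access(conf_text, ls_text):
    """For each cert/key path, say whether root and the setuid user can read it."""
    opts, files = parse_conf(conf_text), parse_ls(ls_text)
    user, groups = opts.get("setuid", "root"), {opts.get("setgid", "root")}
    report = {}
    for key in ("cert", "key"):
        if key in opts:
            mode, owner, group = files[opts[key].rsplit("/", 1)[-1]]
            report[key] = {"root": True,
                           user: can_read(mode, owner, group, user, groups)}
    return report
```

The check only models the mode bits; it does not account for ACLs or for the point in stunnel's startup at which the certificate is opened relative to `chroot`/`setuid`, so read its result as a prompt to verify on the host, not as a diagnosis.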