[stunnel-users] An issue with chroot, mail.pem and OmniOS/illumos (SunOS)

Olaf Marzocchi olaf.lists at gmail.com
Sun Oct 13 23:10:26 CEST 2013


Dear all,
I have been trying to set up stunnel to encrypt an SMTP connection.
The encryption config should be fine, since I already used it on another OS, but I cannot get stunnel to start on my home server, which is based on OmniOS (illumos kernel) and identifies itself as "SunOS".

This is my config:
----
chroot = /opt/omni/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup

;pid = /opt/omni/var/lib/stunnel/stunnel.pid

; Certificate/key is needed in server mode and optional in client mode
cert = /opt/omni/etc/stunnel/mail.pem
;key = /opt/omni/etc/stunnel/mail.pem

[smtp-tls-wrapper]
accept = localhost:11125
client = yes
connect = ssl0.ovh.net:465
;delay = yes
----

and the directories mentioned have the following permissions:
----
OmniOS-Xeon:~ $ ls -al /opt/omni/etc/stunnel/
total 28
drwxr-xr-x   2 root     bin            5 Sep 24 23:26 .
drwxr-xr-x   5 root     bin            6 Sep 23 23:53 ..
-rw-------   1 root     bin         3050 Sep 24 23:25 mail.pem
-rw-r--r--   1 stunnel  stunnel     3247 Oct 13 22:56 stunnel.conf
-rw-r--r--   1 root     bin         2997 Sep 23 23:53 stunnel.conf-sample

OmniOS-Xeon:~ $ ls -al /opt/omni/var/lib/
total 9
drwxr-xr-x   3 root     bin            3 Sep 23 23:53 .
drwxr-xr-x   4 root     bin            4 Sep 23 23:53 ..
drwx------   2 stunnel  stunnel        2 Sep 23 23:53 stunnel
----

The service is started from the SMF facility provided by Solaris/OmniOS/..., which launches the following as root/root:
/opt/omni/bin/stunnel /opt/omni/etc/stunnel/stunnel.conf

On execution I get the following error message:
…
Initializing service section [smtp-tls-wrapper]
Certificate: /opt/omni/etc/stunnel/mail.pem
Error reading certificate file: /opt/omni/etc/stunnel/mail.pem
error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
SSL_CTX_use_certificate_chain_file: 200100D: error:0200100D:system library:fopen:Permission denied
str_stats: 9 block(s), 1032 data byte(s), 522 control byte(s)
…

I must be overlooking something but I cannot see my mistake.
Could you please help me?
Thank you very much in advance!

Olaf Marzocchi
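An added check, not from the original post, for the permission question the listing above raises: it walks each component of a path and reports whether a user outside the file's owner and group (as the setuid user nobody is for a root:bin mail.pem) could open it. It assumes stunnel opens the certificate after dropping privileges; if it does not, a 0600 root-owned cert is fine and the cause lies elsewhere. The tree it builds is constructed to mirror the modes in the listing.

```shell
#!/bin/sh
# Added example, not stunnel's own code. For a path such as the cert named
# in stunnel.conf, walk every component and report whether a user who is
# neither owner nor group member could open it: directories need the
# "other" execute bit, the file itself the "other" read bit. Parses ls -ld
# rather than stat so it also works on illumos/SunOS.
# Usage: other_readable PATH [START]; START (default /) is assumed traversable.
other_readable() {
    target=$1
    start=${2:-/}
    cur=${start%/}
    rest=${target#"$start"}
    rest=${rest#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        if [ "$comp" = "$rest" ]; then rest=""; else rest=${rest#*/}; fi
        cur="$cur/$comp"
        mode=$(ls -ld "$cur" 2>/dev/null | cut -c1-10)
        if [ -z "$mode" ]; then
            echo "missing or unreadable: $cur"; return 1
        fi
        if [ -d "$cur" ]; then
            case $mode in
                d????????x | d????????t) ;;
                *) echo "not traversable by others: $cur ($mode)"; return 1 ;;
            esac
        else
            case $mode in
                -??????r??) ;;
                *) echo "not readable by others: $cur ($mode)"; return 1 ;;
            esac
        fi
    done
    echo "readable by others: $target"
}
# Constructed tree mirroring the modes in the listing (owners differ, but
# for a third user only the "other" bits matter).
demo() {
    base=$(mktemp -d) && chmod 755 "$base"
    mkdir -p "$base/etc/stunnel" "$base/var/lib/stunnel"
    chmod 755 "$base/etc" "$base/etc/stunnel" "$base/var" "$base/var/lib"
    chmod 700 "$base/var/lib/stunnel"                  # drwx------ jail dir
    : > "$base/etc/stunnel/mail.pem"; chmod 600 "$base/etc/stunnel/mail.pem"
    : > "$base/etc/stunnel/stunnel.conf"; chmod 644 "$base/etc/stunnel/stunnel.conf"
    for p in etc/stunnel/mail.pem etc/stunnel/stunnel.conf var/lib/stunnel; do
        other_readable "$base/$p" "$base" || :
    done
    rm -rf "$base"
}
demo
```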
