[stunnel-users] Stunnel as windows service doesn't start on restart.

Michal Trojnara Michal.Trojnara at mirt.net
Tue Sep 23 16:05:25 CEST 2014



Hi Guys,

Can anyone reproduce this issue?  Could you attach a debugger and see
why it didn't create the log file?  I'd be glad to at least see the
list of open file handles to get some clues about the state of the
process...  Some Sysinternals tools can get this information, e.g.
Process Explorer.

Mike

John Smith wrote:
> I wish you were right but unfortunately it's running lol
> 
> On 22 September 2014 18:24, Pierre DELAAGE <delaage.pierre at free.fr>
> wrote:
> 
> When you observe that log is empty and that "stunnel shows as
> started", do a CTRL ALT DEL to check if there is any process called
> "stunnel" that is really running...
> 
> I have a doubt that, although scm says stunnel is running, in fact 
> it is not.
> 
> Regards Pierre
> 
> On 22/09/2014 21:43, John Smith wrote:
>> Hi I used administrator account and defaults to install. It is 
>> installed at Program Files (x86)
>> 
>> The service is set to run as local system account and interact 
>> with desktop is checked.
>> 
>> Once the machine is booted... Login open service control panel, 
>> stunnel shows as started. Go look at logs nothing there... In 
>> service control panel hit the restart button. And it comes up 
>> properly.
>> 
>> My config is as follows:
>> 
>> ; Debugging stuff (may useful for troubleshooting)
>> ;debug = 7
>> output = stunnel.log
>> 
>> ; Initialize Microsoft CryptoAPI interface
>> engine = capi
>> ; Also needs "engineID = capi" in each section using the CAPI engine
>> 
>> [es-tcp]
>> accept = ${SERVER_IP}:9300
>> connect = 127.0.0.1:9300
>> cert = ....
>> CAfile = ....
>> verify = 2
>> 
>> [es-http]
>> accept = ${SERVER_IP}:9200
>> connect = 127.0.0.1:9200
>> cert = ....
>> CAfile = ....
>> verify = 2
>> 
>> [es-disc-local]
>> client = yes
>> accept = 127.0.0.1:9700
>> connect = ${SERVER_IP}:9300
>> cert = ....
>> 
>> 
>> On 22 September 2014 14:30, Pierre DELAAGE <delaage.pierre at free.fr>
>> wrote:
>> 
>> Hello, I can tell my patch was addressing read file error on conf
>> file, but, unfortunately, not at all "dependencies of stunnel
>> service at start up", which is likely to be the core problem
>> preventing stunnel from starting correctly at boot time for people on
>> that thread.
>> 
>> Michal added explicit dependencies at startup, that is necessary
>> to solve that bug. I did not check yet its implementation.
>> 
>> But maybe some services, although started, are still "not ready"
>> when stunnel starts, so that this makes stunnel fail.
>> 
>> I suggest that stunnel checks, not only the availability, but
>> also the "efficiency" of the DNS service by trying to resolve a
>> well known server. It should retry for, e.g., 3 seconds, and
>> then stop with some report if failing to resolve the hostname,
>> either by lack of network, or by lack of answer from the name
>> resolver. But... it seems that when having problems at startup, it
>> cannot even log anything... maybe this is due to the identity of
>> "system user" of stunnel at that particular moment: user that may
>> have no right to write on the HD.
>> 
>> People should also check the installation location of stunnel:
>> it is supposed (and has predefined shortcuts for that) to be
>> installed PREFERABLY in "c:\program files\stunnel". I recommend
>> using that location.
>> 
>> They also should try to resolve by hand the hostnames they put in
>> their stunnel conf file, just to be sure.
>> 
>> On some network or machines, maybe there is a problem with the 
>> firewall and SOME services tunneled by stunnel on forbidden
>> ports.
>> 
>> On the other hand, it sounds strange that just restarting stunnel
>> (in user mode or service mode?) is solving the problem: this
>> sounds like unavailability of DNS at startup.
>> 
>> I did not investigate that particular problem, but I will perform
>> some tests soon with the last 504 (or 505).
>> 
>> Yours sincerely Pierre
>> 
>> 
>> 
>> On 22/09/2014 19:20, 541401 at gmail.com wrote:
>>> Using Stunnel on several Windows Server 2008 R2 SP1 machines 
>>> (all such machines are X64 as the OS is only released as X64).
>>> 
>>> During August of 2014 I reported in this forum the current 
>>> version of Stunnel would not function as a service under the 
>>> above OS, even if using a delayed start, it might run but it 
>>> would not work.  I reverted to using version 4.35, which did 
>>> work properly.
>>> 
>>> Pierre Delaage was kind enough to provide me with a copy of his
>>> patched Stunnel 5.02, which I am still using and which is 
>>> working flawlessly on my production servers.  No delayed start
>>> required.
>>> 
>>> I am wondering if Pierre's 5.02 patch has been incorporated 
>>> into the most recently released Stunnel, 5.04?  Has anyone been
>>> successful in getting the most current version to actually work
>>> under the above environment without delaying the start of the
>>> service?
>>> 
>>> Just to add a little color and background to the story, I am 
>>> using the native WS2008R2SP1 SMTP server on each machine, in 
>>> conjunction with Stunnel, so as to forward OS event 
>>> notifications through a gmail account.
>>> 
>>> 
>>> 
>>> On 09.22.2014 06:54, John Smith wrote:
>>>> I tried 5.04 on Windows Server 2008 R2 Enterprise Service
>>>> Pack 1 x64
>>>> 
>>>> 
>>>> Same issue. Service shows as started, but no log. If I go 
>>>> manual restart it works.
>>>> 
>>>> Have to put delayed startup.
>>>> 
>>>> On 18 September 2014 16:15, John Smith <java.dev.mtl at gmail.com>
>>>> wrote:
>>>> 
>>>> For now I'm happy with 5.03 Already in production so I will
>>>> have to wait next time! :)
>>>> 
>>>> On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara at mirt.net>
>>>> wrote:
>>>> 
>>>> Jose Alf. wrote:
>>>>> Regarding stunnel service dependencies, If you read the 5.04 beta
>>>>> announcement, the dependency is created automatically now when you
>>>>> install stunnel as a service. Please give it a try. Looks like it
>>>>> works for me.
>>>>> 
>>>>> Thanks to Mike for implementing that.
>>>> 
>>>> Thank you for testing it.
>>>> 
>>>> Best regards, Mike
>>>> _______________________________________________ stunnel-users
>>>> mailing list stunnel-users at stunnel.org 
>>>> <mailto:stunnel-users at stunnel.org> 
>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

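The startup check suggested in the quoted message from Pierre (retry a lookup of a well-known host for about 3 seconds, then stop and report) could look like the sketch below. It is an added example, not stunnel's code and not part of the thread; it assumes a POSIX build, and the function names and the two constructed fake resolvers are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <stddef.h>
#include <sys/socket.h>
#include <time.h>

typedef int (*resolve_fn)(const char *host);   /* returns 0 when resolved */

/* Real resolver: one getaddrinfo() lookup, result discarded. */
int resolve_once(const char *host) {
    struct addrinfo hints = {0}, *res = NULL;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc == 0)
        freeaddrinfo(res);
    return rc;
}

/* Constructed stand-ins for a name service that is not ready at boot. */
static int failures_left = 2;
int resolver_ready_later(const char *host) {
    (void)host;
    return failures_left-- > 0 ? -1 : 0;
}
int resolver_never_ready(const char *host) { (void)host; return -1; }

static long elapsed_ms(const struct timespec *start) {
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000L +
           (now.tv_nsec - start->tv_nsec) / 1000000L;
}

/* Retry the lookup every interval_ms until it succeeds or timeout_ms has
 * passed. Returns the number of attempts used, or -1 on timeout so the
 * caller can report the failure and stop. */
int wait_for_dns(resolve_fn resolve, const char *host,
                 long timeout_ms, long interval_ms) {
    struct timespec start, pause;
    pause.tv_sec = interval_ms / 1000;
    pause.tv_nsec = (interval_ms % 1000) * 1000000L;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (int attempts = 1; ; attempts++) {
        if (resolve(host) == 0)
            return attempts;
        if (elapsed_ms(&start) + interval_ms > timeout_ms)
            return -1;
        nanosleep(&pause, NULL);
    }
}
```

A service would call `wait_for_dns(resolve_once, host, 3000, 250)` before opening its listeners and write the failure to the event log rather than to a file it may not yet be able to create.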
