STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel
-
Using the STunnel 5.37_1 package in pfSense 2.4.4 I have an issue where STunnel is not separating the: "-----END PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----". I believe this is only happening when I use an imported certificate using: "System --> Cert. Manager --> Certificates --> +Add/Sign --> Method --> Import an existing Certificate". Looking at that certificate's PEM file:
cat /usr/local/etc/stunnel/'mycertfile'.pemI see this:
....Xhnsugqd -----END PRIVATE KEY----------BEGIN CERTIFICATE----- MIIGaTCCB....After I change it to this:
....Xhnsugqd -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIGaTCCB....then STunnel will start. The problem is that after a pfSense reboot or reload the PEM file reverts back. There is also an issue where:
/var/tmp/stunnel/will disappear after a pfSense reboot and then must be re-created before STunnel will start. Other than that, STunnel works great! Does anyone know how to permanently correct these issues?
-
....Xhnsugqd -----END PRIVATE KEY----------BEGIN CERTIFICATE----- MIIGaTCCB....Adding an extra line at the end of: "-----END PRIVATE KEY-----" in the "Private key data" section seems to have fixed this issue and it is properly formatted during a service restart.
But there's still the issue where:
/var/tmp/stunnelis removed during a reboot. Is it acceptable to move this directory inside of:
/usr/local/etc/stunnel -
Stunnel wasn't modifying the pem incorrectly, it just didn't handle a private key that was imported without a trailing newline.
https://redmine.pfsense.org/issues/9118
Fixed in stunnel pkg version 5.47, which should show up for upgrade shortly.
Also, the
/var/tmp/stunnelparts are a chroot and not meant to be altered. They will be regenerated when needed.The config files written by a package (or even the base system) are never meant to be modified by hand and will be overwritten by the package when syncing, at boot, etc.
-
@jimp said in STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel:
Stunnel wasn't modifying the pem incorrectly, it just didn't handle a private key that was imported without a trailing newline.
https://redmine.pfsense.org/issues/9118
Fixed in stunnel pkg version 5.47, which should show up for upgrade shortly.
Also, the
/var/tmp/stunnelparts are a chroot and not meant to be altered. They will be regenerated when needed.The config files written by a package (or even the base system) are never meant to be modified by hand and will be overwritten by the package when syncing, at boot, etc.
I'm not altering the:
/var/tmp/stunnelsomething (I assume pfSense or STunnel) is removing that directory after a reboot. I just rebooted pfSense and that directory is gone preventing STunnel from starting.
This is the error I'm seeing:
[!] chroot: No such file or directory (2)See, there's no "stunnel" directory here:
[2.4.4-RELEASE][admin@pfSense]/root: ls -alh /var/tmp/ total 16 drwxrwxrwt 4 root wheel 512B Nov 14 11:51 . drwxr-xr-x 15 root wheel 512B Nov 14 11:51 .. drwxr-xr-x 7 root wheel 512B Nov 14 11:51 nginx drwxr-xr-x 2 root wheel 512B Nov 14 11:51 vi.recoverCreate the directory:
[2.4.4-RELEASE][admin@pfSense]/root: mkdir /var/tmp/stunnelNow STunnel starts up and everyone is happy! Would you fix this please?
-
It starts up fine after a reboot here. Do you maybe have
/var/and/tmp/in RAM disks? -
That should be fixed now, too, once the new packages are built you'll see another update.
-
@jimp said in STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel:
It starts up fine after a reboot here. Do you maybe have
/var/and/tmp/in RAM disks?Yes, I have this enabled in pfSense:
-
That is what is causing it to be removed every reboot, not the package.
I made the package re-create the dirs on each sync now though so it should be fine.
-
@jimp said in STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel:
That is what is causing it to be removed every reboot, not the package.
I made the package re-create the dirs on each sync now though so it should be fine.
Great! and this is the updated package you are soon going to add to the repo?
-
It should already be up and available for 2.4.4 users. If not, it will be in a few moments.
-
@jimp said in STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel:
It should already be up and available for 2.4.4 users. If not, it will be in a few moments.
Wonderful, thanks for the help!
