STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel

alteredstate · Nov 13, 2018, 6:51 PM

Using the STunnel 5.37_1 package in pfSense 2.4.4 I have an issue where STunnel is not separating the: "-----END PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----". I believe this is only happening when I use an imported certificate using: "System --> Cert. Manager --> Certificates --> +Add/Sign --> Method --> Import an existing Certificate". Looking at that certificate's PEM file:

cat /usr/local/etc/stunnel/'mycertfile'.pem

I see this:

....Xhnsugqd
-----END PRIVATE KEY----------BEGIN CERTIFICATE-----
MIIGaTCCB....

After I change it to this:

....Xhnsugqd
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGaTCCB....

then STunnel will start. The problem is that after a pfSense reboot or reload the PEM file reverts back. There is also an issue where:

/var/tmp/stunnel/

will disappear after a pfSense reboot and then must be re-created before STunnel will start. Other than that, STunnel works great! Does anyone know how to permanently correct these issues?

alteredstate · Nov 14, 2018, 1:27 PM

....Xhnsugqd
-----END PRIVATE KEY----------BEGIN CERTIFICATE-----
MIIGaTCCB....

Adding an extra line at the end of: "-----END PRIVATE KEY-----" in the "Private key data" section seems to have fixed this issue and it is properly formatted during a service restart.

But there's still the issue where:

/var/tmp/stunnel

is removed during a reboot. Is it acceptable to move this directory inside of:

/usr/local/etc/stunnel

jimp · Nov 14, 2018, 2:43 PM

Stunnel wasn't modifying the pem incorrectly, it just didn't handle a private key that was imported without a trailing newline.

https://redmine.pfsense.org/issues/9118

Fixed in stunnel pkg version 5.47, which should show up for upgrade shortly.

Also, the /var/tmp/stunnel parts are a chroot and not meant to be altered. They will be regenerated when needed.

The config files written by a package (or even the base system) are never meant to be modified by hand and will be overwritten by the package when syncing, at boot, etc.

alteredstate · Nov 14, 2018, 5:04 PM

@jimp said in STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel:

Stunnel wasn't modifying the pem incorrectly, it just didn't handle a private key that was imported without a trailing newline.

https://redmine.pfsense.org/issues/9118

Fixed in stunnel pkg version 5.47, which should show up for upgrade shortly.

Also, the /var/tmp/stunnel parts are a chroot and not meant to be altered. They will be regenerated when needed.

The config files written by a package (or even the base system) are never meant to be modified by hand and will be overwritten by the package when syncing, at boot, etc.

I'm not altering the:

/var/tmp/stunnel

something (I assume pfSense or STunnel) is removing that directory after a reboot. I just rebooted pfSense and that directory is gone preventing STunnel from starting.

This is the error I'm seeing:

[!] chroot: No such file or directory (2)

See, there's no "stunnel" directory here:

[2.4.4-RELEASE][admin@pfSense]/root: ls -alh /var/tmp/
total 16
drwxrwxrwt   4 root  wheel   512B Nov 14 11:51 .
drwxr-xr-x  15 root  wheel   512B Nov 14 11:51 ..
drwxr-xr-x   7 root  wheel   512B Nov 14 11:51 nginx
drwxr-xr-x   2 root  wheel   512B Nov 14 11:51 vi.recover

Create the directory:

[2.4.4-RELEASE][admin@pfSense]/root: mkdir /var/tmp/stunnel

Now STunnel starts up and everyone is happy! Would you fix this please?

jimp · Nov 14, 2018, 5:06 PM

It starts up fine after a reboot here. Do you maybe have /var/ and /tmp/ in RAM disks?

jimp · Nov 14, 2018, 5:18 PM

That should be fixed now, too, once the new packages are built you'll see another update.

alteredstate · Nov 14, 2018, 5:21 PM

@jimp said in STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel:

It starts up fine after a reboot here. Do you maybe have /var/ and /tmp/ in RAM disks?

Yes, I have this enabled in pfSense:

jimp · Nov 14, 2018, 5:32 PM

That is what is causing it to be removed every reboot, not the package.

I made the package re-create the dirs on each sync now though so it should be fine.

alteredstate · Nov 14, 2018, 5:35 PM

@jimp said in STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel:

That is what is causing it to be removed every reboot, not the package.

I made the package re-create the dirs on each sync now though so it should be fine.

Great! and this is the updated package you are soon going to add to the repo?

jimp · Nov 14, 2018, 5:36 PM

It should already be up and available for 2.4.4 users. If not, it will be in a few moments.

alteredstate · Nov 14, 2018, 5:39 PM

@jimp said in STunnel Is Modifying PEM File Incorrectly & Not Recreating /var/tmp/stunnel:

It should already be up and available for 2.4.4 users. If not, it will be in a few moments.

Wonderful, thanks for the help!