You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@qpid.apache.org by Andreas Welchlin <an...@comyno.com> on 2014/06/07 22:22:42 UTC
qpid broker ssl plugin - start using systemctl fails
Hi All,
I started the qpidd broker on a fedora 9 using "sytemctl start
qpidd.service". But the initialisation of the SSL plugin failed:
[Security] error Failed to initialise SSL plugin: Failed: NSS error
[-8015] (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
When I start it as root from the commandline with "# /usr/sbin/qpidd
--config /etc/qpid/qpidd.conf", then
it works fine:
[Security] notice Listening for SSL connections on TCP/TCP6 port 5674
I am more a software developer than an administrator and I just can
assume that the environment of the systemd needs to be changed. But I
have no idea how I can fix it.
Does anyone of you have an idea what I should change?
Andreas
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Gordon Sim <gs...@redhat.com>.
On 06/10/2014 01:16 PM, Andreas Welchlin wrote:
> Now it runs with systemctl as user qpidd.
Excellent, thanks for the update!
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Andreas Welchlin <an...@comyno.com>.
Gordon, you are right with your initial assuption: the rights are not
sufficient.
I let qpidd run with strace and it shows that the permissions are not
sufficient when it runs as user qpidd:
stat("/home/noname/tests/x509_test/server_db/secmod.db", 0x7fff38d28e00)
= -1 EACCES (Permission denied)
open("/home/noname/tests/x509_test/server_db/secmod.db", O_RDONLY) = -1
EACCES (Permission denied)
Under root:
stat("/home/noname/tests/x509_test/server_db/secmod.db",
{st_mode=S_IFREG|0644, st_size=16384, ...}) = 0
open("/home/noname/tests/x509_test/server_db/secmod.db", O_RDONLY) = 11
My fault was that the upper directory /home/noname hat no read
permission for "group" and "other".
Now it runs with systemctl as user qpidd.
Thank you very much, Gordon!
Am 10.06.2014 13:38, schrieb Andreas Welchlin:
>
> Am 10.06.2014 11:49, schrieb Gordon Sim:
>> On 06/10/2014 10:38 AM, Andreas Welchlin wrote:
>>>
>>> Am 10.06.2014 11:37, schrieb Gordon Sim:
>>>> On 06/10/2014 10:13 AM, Andreas Welchlin wrote:
>>>>> Am 10.06.2014 10:51, schrieb Gordon Sim:
>>>>>> On 06/10/2014 09:28 AM, Andreas Welchlin wrote:
>>>>>>>
>>>>>>> Am 09.06.2014 10:38, schrieb Gordon Sim:
>>>>>>>> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I started the qpidd broker on a fedora 9 using "sytemctl start
>>>>>>>>> qpidd.service". But the initialisation of the SSL plugin failed:
>>>>>>>>>
>>>>>>>>> [Security] error Failed to initialise SSL plugin: Failed: NSS
>>>>>>>>> error
>>>>>>>>> [-8015]
>>>>>>>>> (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> When I start it as root from the commandline with "#
>>>>>>>>> /usr/sbin/qpidd
>>>>>>>>> --config /etc/qpid/qpidd.conf", then
>>>>>>>>> it works fine:
>>>>>>>>>
>>>>>>>>> [Security] notice Listening for SSL connections on TCP/TCP6 port
>>>>>>>>> 5674
>>>>>>>>>
>>>>
>>>> When you changed the permissions, did you do that recursively? I.e.
>>>> did you change *all* the files within the directory also?
>>>
>>> Yes, I did.
>>
>> Does `sudo -u qpidd /usr/sbin/qpidd --config /etc/qpid/qpidd.conf`
>> work? (The only things I can think of that could be different between
>> the case that works and the case that fails are (a) the user and (b)
>> the actual executable run and libraries loaded).
>>
>
> It raises the same error:
>
> sudo -u qpidd /usr/local/sbin/qpidd --config /etc/qpid/qpidd.conf
> 2014-06-10 13:28:32 [Security] error Failed to initialise SSL plugin:
> Failed: NSS error [-8015]
> (/home/noname/install/qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/util.cpp:100)
>
>
>> What versions of nss-devel and nss-tools do you have? Did you build
>> any other version of NSS?
>
> Apper says that I have nss and nss-devel 3.16.1-1.fc19.
>
> Looking into /usr/lib and /usr/lib64 shows the following:
>
> [root@localhost usr]# ls -ltr lib/*nss*
> -rwxr-xr-x 1 root root 31680 17. Nov 2013 lib/libnss_db-2.17.so
> -rwxr-xr-x 1 root root 40000 17. Nov 2013 lib/libnss_compat-2.17.so
> -rwxr-xr-x 1 root root 22196 17. Nov 2013 lib/libnss_hesiod-2.17.so
> -rwxr-xr-x 1 root root 55080 17. Nov 2013 lib/libnss_files-2.17.so
> -rwxr-xr-x 1 root root 62816 17. Nov 2013 lib/libnss_nisplus-2.17.so
> -rwxr-xr-x 1 root root 49792 17. Nov 2013 lib/libnss_nis-2.17.so
> -rwxr-xr-x 1 root root 25704 17. Nov 2013 lib/libnss_dns-2.17.so
> lrwxrwxrwx 1 root root 21 4. Jun 16:00 lib/libnss_compat.so.2 ->
> libnss_compat-2.17.so
> lrwxrwxrwx 1 root root 17 4. Jun 16:00 lib/libnss_db.so.2 ->
> libnss_db-2.17.so
> lrwxrwxrwx 1 root root 18 4. Jun 16:00 lib/libnss_dns.so.2 ->
> libnss_dns-2.17.so
> lrwxrwxrwx 1 root root 20 4. Jun 16:00 lib/libnss_files.so.2 ->
> libnss_files-2.17.so
> lrwxrwxrwx 1 root root 21 4. Jun 16:00 lib/libnss_hesiod.so.2 ->
> libnss_hesiod-2.17.so
> lrwxrwxrwx 1 root root 18 4. Jun 16:00 lib/libnss_nis.so.2 ->
> libnss_nis-2.17.so
> lrwxrwxrwx 1 root root 22 4. Jun 16:00 lib/libnss_nisplus.so.2 ->
> libnss_nisplus-2.17.so
>
>
> [root@localhost usr]# ls -ltr lib64/*nss*
> -rwxr-xr-x. 1 root root 24480 16. Feb 2013
> lib64/libevent_openssl-2.0.so.5.1.6
> lrwxrwxrwx. 1 root root 29 27. Jun 2013
> lib64/libevent_openssl-2.0.so.5 -> libevent_openssl-2.0.so.5.1.6
> -rwxr-xr-x 1 root root 27512 17. Nov 2013 lib64/libnss_dns-2.17.so
> -rwxr-xr-x 1 root root 65744 17. Nov 2013 lib64/libnss_nisplus-2.17.so
> -rwxr-xr-x 1 root root 56776 17. Nov 2013 lib64/libnss_nis-2.17.so
> -rwxr-xr-x 1 root root 38160 17. Nov 2013 lib64/libnss_db-2.17.so
> -rwxr-xr-x 1 root root 28264 17. Nov 2013 lib64/libnss_hesiod-2.17.so
> -rwxr-xr-x 1 root root 46552 17. Nov 2013 lib64/libnss_compat-2.17.so
> -rwxr-xr-x 1 root root 62368 17. Nov 2013 lib64/libnss_files-2.17.so
> -rwxr-xr-x 1 root root 15096 9. Dez 2013 lib64/libnss_myhostname.so.2
> lrwxrwxrwx 1 root root 21 17. Jan 15:28 lib64/libnss_compat.so.2
> -> libnss_compat-2.17.so
> lrwxrwxrwx 1 root root 17 17. Jan 15:28 lib64/libnss_db.so.2 ->
> libnss_db-2.17.so
> lrwxrwxrwx 1 root root 18 17. Jan 15:28 lib64/libnss_dns.so.2 ->
> libnss_dns-2.17.so
> lrwxrwxrwx 1 root root 20 17. Jan 15:28 lib64/libnss_files.so.2
> -> libnss_files-2.17.so
> lrwxrwxrwx 1 root root 21 17. Jan 15:28 lib64/libnss_hesiod.so.2
> -> libnss_hesiod-2.17.so
> lrwxrwxrwx 1 root root 18 17. Jan 15:28 lib64/libnss_nis.so.2 ->
> libnss_nis-2.17.so
> lrwxrwxrwx 1 root root 22 17. Jan 15:28
> lib64/libnss_nisplus.so.2 -> libnss_nisplus-2.17.so
> lrwxrwxrwx 1 root root 27 17. Jan 15:29 lib64/libnss_nis.so ->
> ../../lib64/libnss_nis.so.2
> lrwxrwxrwx 1 root root 31 17. Jan 15:29 lib64/libnss_nisplus.so
> -> ../../lib64/libnss_nisplus.so.2
> lrwxrwxrwx 1 root root 30 17. Jan 15:29 lib64/libnss_hesiod.so
> -> ../../lib64/libnss_hesiod.so.2
> lrwxrwxrwx 1 root root 29 17. Jan 15:29 lib64/libnss_files.so ->
> ../../lib64/libnss_files.so.2
> lrwxrwxrwx 1 root root 27 17. Jan 15:29 lib64/libnss_dns.so ->
> ../../lib64/libnss_dns.so.2
> lrwxrwxrwx 1 root root 26 17. Jan 15:29 lib64/libnss_db.so ->
> ../../lib64/libnss_db.so.2
> lrwxrwxrwx 1 root root 30 17. Jan 15:29 lib64/libnss_compat.so
> -> ../../lib64/libnss_compat.so.2
> -rwxr-xr-x 1 root root 175752 16. Feb 19:23 lib64/libkdnssd.so.4.11.5
> -rwxr-xr-x 1 root root 10976 12. Mär 11:29 lib64/libnss_wins.so.2
> -rwxr-xr-x 1 root root 19224 12. Mär 11:29 lib64/libnss_winbind.so.2
> lrwxrwxrwx 1 root root 19 24. Mär 09:35 lib64/libkdnssd.so.4 ->
> libkdnssd.so.4.11.5
> -rwxr-xr-x 1 root root 32936 11. Apr 20:06 lib64/libnss_sss.so.2
> lrwxrwxrwx 1 root root 19 14. Apr 09:02 lib64/libnss_winbind.so
> -> libnss_winbind.so.2
> lrwxrwxrwx 1 root root 16 14. Apr 09:02 lib64/libnss_wins.so ->
> libnss_wins.so.2
> -rwxr-xr-x 1 root root 184312 8. Mai 17:44 lib64/libnssutil3.so
> -rwxr-xr-x 1 root root 181328 8. Mai 18:05 lib64/libnssdbm3.so
> -rw-r--r-- 1 root root 899 8. Mai 18:05 lib64/libnssdbm3.chk
> -rwxr-xr-x 1 root root 11256 8. Mai 18:26 lib64/libnsssysinit.so
> -rwxr-xr-x 1 root root 171296 8. Mai 18:26 lib64/libnsspem.so
> -rwxr-xr-x 1 root root 1318904 8. Mai 18:26 lib64/libnss3.so
> lrwxrwxrwx 1 root root 38 26. Mai 16:48 lib64/libnssckbi.so ->
> /etc/alternatives/libnssckbi.so.x86_64
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Andreas Welchlin <an...@comyno.com>.
Am 10.06.2014 11:49, schrieb Gordon Sim:
> On 06/10/2014 10:38 AM, Andreas Welchlin wrote:
>>
>> Am 10.06.2014 11:37, schrieb Gordon Sim:
>>> On 06/10/2014 10:13 AM, Andreas Welchlin wrote:
>>>> Am 10.06.2014 10:51, schrieb Gordon Sim:
>>>>> On 06/10/2014 09:28 AM, Andreas Welchlin wrote:
>>>>>>
>>>>>> Am 09.06.2014 10:38, schrieb Gordon Sim:
>>>>>>> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I started the qpidd broker on a fedora 9 using "sytemctl start
>>>>>>>> qpidd.service". But the initialisation of the SSL plugin failed:
>>>>>>>>
>>>>>>>> [Security] error Failed to initialise SSL plugin: Failed: NSS
>>>>>>>> error
>>>>>>>> [-8015]
>>>>>>>> (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> When I start it as root from the commandline with "#
>>>>>>>> /usr/sbin/qpidd
>>>>>>>> --config /etc/qpid/qpidd.conf", then
>>>>>>>> it works fine:
>>>>>>>>
>>>>>>>> [Security] notice Listening for SSL connections on TCP/TCP6 port
>>>>>>>> 5674
>>>>>>>>
>>>
>>> When you changed the permissions, did you do that recursively? I.e.
>>> did you change *all* the files within the directory also?
>>
>> Yes, I did.
>
> Does `sudo -u qpidd /usr/sbin/qpidd --config /etc/qpid/qpidd.conf`
> work? (The only things I can think of that could be different between
> the case that works and the case that fails are (a) the user and (b)
> the actual executable run and libraries loaded).
>
It raises the same error:
sudo -u qpidd /usr/local/sbin/qpidd --config /etc/qpid/qpidd.conf
2014-06-10 13:28:32 [Security] error Failed to initialise SSL plugin:
Failed: NSS error [-8015]
(/home/noname/install/qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/util.cpp:100)
> What versions of nss-devel and nss-tools do you have? Did you build
> any other version of NSS?
Apper says that I have nss and nss-devel 3.16.1-1.fc19.
Looking into /usr/lib and /usr/lib64 shows the following:
[root@localhost usr]# ls -ltr lib/*nss*
-rwxr-xr-x 1 root root 31680 17. Nov 2013 lib/libnss_db-2.17.so
-rwxr-xr-x 1 root root 40000 17. Nov 2013 lib/libnss_compat-2.17.so
-rwxr-xr-x 1 root root 22196 17. Nov 2013 lib/libnss_hesiod-2.17.so
-rwxr-xr-x 1 root root 55080 17. Nov 2013 lib/libnss_files-2.17.so
-rwxr-xr-x 1 root root 62816 17. Nov 2013 lib/libnss_nisplus-2.17.so
-rwxr-xr-x 1 root root 49792 17. Nov 2013 lib/libnss_nis-2.17.so
-rwxr-xr-x 1 root root 25704 17. Nov 2013 lib/libnss_dns-2.17.so
lrwxrwxrwx 1 root root 21 4. Jun 16:00 lib/libnss_compat.so.2 ->
libnss_compat-2.17.so
lrwxrwxrwx 1 root root 17 4. Jun 16:00 lib/libnss_db.so.2 ->
libnss_db-2.17.so
lrwxrwxrwx 1 root root 18 4. Jun 16:00 lib/libnss_dns.so.2 ->
libnss_dns-2.17.so
lrwxrwxrwx 1 root root 20 4. Jun 16:00 lib/libnss_files.so.2 ->
libnss_files-2.17.so
lrwxrwxrwx 1 root root 21 4. Jun 16:00 lib/libnss_hesiod.so.2 ->
libnss_hesiod-2.17.so
lrwxrwxrwx 1 root root 18 4. Jun 16:00 lib/libnss_nis.so.2 ->
libnss_nis-2.17.so
lrwxrwxrwx 1 root root 22 4. Jun 16:00 lib/libnss_nisplus.so.2 ->
libnss_nisplus-2.17.so
[root@localhost usr]# ls -ltr lib64/*nss*
-rwxr-xr-x. 1 root root 24480 16. Feb 2013
lib64/libevent_openssl-2.0.so.5.1.6
lrwxrwxrwx. 1 root root 29 27. Jun 2013
lib64/libevent_openssl-2.0.so.5 -> libevent_openssl-2.0.so.5.1.6
-rwxr-xr-x 1 root root 27512 17. Nov 2013 lib64/libnss_dns-2.17.so
-rwxr-xr-x 1 root root 65744 17. Nov 2013 lib64/libnss_nisplus-2.17.so
-rwxr-xr-x 1 root root 56776 17. Nov 2013 lib64/libnss_nis-2.17.so
-rwxr-xr-x 1 root root 38160 17. Nov 2013 lib64/libnss_db-2.17.so
-rwxr-xr-x 1 root root 28264 17. Nov 2013 lib64/libnss_hesiod-2.17.so
-rwxr-xr-x 1 root root 46552 17. Nov 2013 lib64/libnss_compat-2.17.so
-rwxr-xr-x 1 root root 62368 17. Nov 2013 lib64/libnss_files-2.17.so
-rwxr-xr-x 1 root root 15096 9. Dez 2013 lib64/libnss_myhostname.so.2
lrwxrwxrwx 1 root root 21 17. Jan 15:28 lib64/libnss_compat.so.2
-> libnss_compat-2.17.so
lrwxrwxrwx 1 root root 17 17. Jan 15:28 lib64/libnss_db.so.2 ->
libnss_db-2.17.so
lrwxrwxrwx 1 root root 18 17. Jan 15:28 lib64/libnss_dns.so.2 ->
libnss_dns-2.17.so
lrwxrwxrwx 1 root root 20 17. Jan 15:28 lib64/libnss_files.so.2 ->
libnss_files-2.17.so
lrwxrwxrwx 1 root root 21 17. Jan 15:28 lib64/libnss_hesiod.so.2
-> libnss_hesiod-2.17.so
lrwxrwxrwx 1 root root 18 17. Jan 15:28 lib64/libnss_nis.so.2 ->
libnss_nis-2.17.so
lrwxrwxrwx 1 root root 22 17. Jan 15:28 lib64/libnss_nisplus.so.2
-> libnss_nisplus-2.17.so
lrwxrwxrwx 1 root root 27 17. Jan 15:29 lib64/libnss_nis.so ->
../../lib64/libnss_nis.so.2
lrwxrwxrwx 1 root root 31 17. Jan 15:29 lib64/libnss_nisplus.so ->
../../lib64/libnss_nisplus.so.2
lrwxrwxrwx 1 root root 30 17. Jan 15:29 lib64/libnss_hesiod.so ->
../../lib64/libnss_hesiod.so.2
lrwxrwxrwx 1 root root 29 17. Jan 15:29 lib64/libnss_files.so ->
../../lib64/libnss_files.so.2
lrwxrwxrwx 1 root root 27 17. Jan 15:29 lib64/libnss_dns.so ->
../../lib64/libnss_dns.so.2
lrwxrwxrwx 1 root root 26 17. Jan 15:29 lib64/libnss_db.so ->
../../lib64/libnss_db.so.2
lrwxrwxrwx 1 root root 30 17. Jan 15:29 lib64/libnss_compat.so ->
../../lib64/libnss_compat.so.2
-rwxr-xr-x 1 root root 175752 16. Feb 19:23 lib64/libkdnssd.so.4.11.5
-rwxr-xr-x 1 root root 10976 12. Mär 11:29 lib64/libnss_wins.so.2
-rwxr-xr-x 1 root root 19224 12. Mär 11:29 lib64/libnss_winbind.so.2
lrwxrwxrwx 1 root root 19 24. Mär 09:35 lib64/libkdnssd.so.4 ->
libkdnssd.so.4.11.5
-rwxr-xr-x 1 root root 32936 11. Apr 20:06 lib64/libnss_sss.so.2
lrwxrwxrwx 1 root root 19 14. Apr 09:02 lib64/libnss_winbind.so ->
libnss_winbind.so.2
lrwxrwxrwx 1 root root 16 14. Apr 09:02 lib64/libnss_wins.so ->
libnss_wins.so.2
-rwxr-xr-x 1 root root 184312 8. Mai 17:44 lib64/libnssutil3.so
-rwxr-xr-x 1 root root 181328 8. Mai 18:05 lib64/libnssdbm3.so
-rw-r--r-- 1 root root 899 8. Mai 18:05 lib64/libnssdbm3.chk
-rwxr-xr-x 1 root root 11256 8. Mai 18:26 lib64/libnsssysinit.so
-rwxr-xr-x 1 root root 171296 8. Mai 18:26 lib64/libnsspem.so
-rwxr-xr-x 1 root root 1318904 8. Mai 18:26 lib64/libnss3.so
lrwxrwxrwx 1 root root 38 26. Mai 16:48 lib64/libnssckbi.so ->
/etc/alternatives/libnssckbi.so.x86_64
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Gordon Sim <gs...@redhat.com>.
On 06/10/2014 10:38 AM, Andreas Welchlin wrote:
>
> Am 10.06.2014 11:37, schrieb Gordon Sim:
>> On 06/10/2014 10:13 AM, Andreas Welchlin wrote:
>>> Am 10.06.2014 10:51, schrieb Gordon Sim:
>>>> On 06/10/2014 09:28 AM, Andreas Welchlin wrote:
>>>>>
>>>>> Am 09.06.2014 10:38, schrieb Gordon Sim:
>>>>>> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I started the qpidd broker on a fedora 9 using "sytemctl start
>>>>>>> qpidd.service". But the initialisation of the SSL plugin failed:
>>>>>>>
>>>>>>> [Security] error Failed to initialise SSL plugin: Failed: NSS error
>>>>>>> [-8015]
>>>>>>> (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>>>>>>
>>>>>>>
>>>>>>> When I start it as root from the commandline with "# /usr/sbin/qpidd
>>>>>>> --config /etc/qpid/qpidd.conf", then
>>>>>>> it works fine:
>>>>>>>
>>>>>>> [Security] notice Listening for SSL connections on TCP/TCP6 port
>>>>>>> 5674
>>>>>>>
>>
>> When you changed the permissions, did you do that recursively? I.e.
>> did you change *all* the files within the directory also?
>
> Yes, I did.
Does `sudo -u qpidd /usr/sbin/qpidd --config /etc/qpid/qpidd.conf` work?
(The only things I can think of that could be different between the case
that works and the case that fails are (a) the user and (b) the actual
executable run and libraries loaded).
What versions of nss-devel and nss-tools do you have? Did you build any
other version of NSS?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Andreas Welchlin <an...@comyno.com>.
Am 10.06.2014 11:37, schrieb Gordon Sim:
> On 06/10/2014 10:13 AM, Andreas Welchlin wrote:
>> Am 10.06.2014 10:51, schrieb Gordon Sim:
>>> On 06/10/2014 09:28 AM, Andreas Welchlin wrote:
>>>>
>>>> Am 09.06.2014 10:38, schrieb Gordon Sim:
>>>>> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> I started the qpidd broker on a fedora 9 using "sytemctl start
>>>>>> qpidd.service". But the initialisation of the SSL plugin failed:
>>>>>>
>>>>>> [Security] error Failed to initialise SSL plugin: Failed: NSS error
>>>>>> [-8015]
>>>>>> (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>>>>>
>>>>>>
>>>>>> When I start it as root from the commandline with "# /usr/sbin/qpidd
>>>>>> --config /etc/qpid/qpidd.conf", then
>>>>>> it works fine:
>>>>>>
>>>>>> [Security] notice Listening for SSL connections on TCP/TCP6 port
>>>>>> 5674
>>>>>>
>
> When you changed the permissions, did you do that recursively? I.e.
> did you change *all* the files within the directory also?
Yes, I did.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Gordon Sim <gs...@redhat.com>.
On 06/10/2014 10:13 AM, Andreas Welchlin wrote:
> Am 10.06.2014 10:51, schrieb Gordon Sim:
>> On 06/10/2014 09:28 AM, Andreas Welchlin wrote:
>>>
>>> Am 09.06.2014 10:38, schrieb Gordon Sim:
>>>> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>>>>> Hi All,
>>>>>
>>>>> I started the qpidd broker on a fedora 9 using "sytemctl start
>>>>> qpidd.service". But the initialisation of the SSL plugin failed:
>>>>>
>>>>> [Security] error Failed to initialise SSL plugin: Failed: NSS error
>>>>> [-8015]
>>>>> (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>>>>
>>>>>
>>>>> When I start it as root from the commandline with "# /usr/sbin/qpidd
>>>>> --config /etc/qpid/qpidd.conf", then
>>>>> it works fine:
>>>>>
>>>>> [Security] notice Listening for SSL connections on TCP/TCP6 port 5674
>>>>>
When you changed the permissions, did you do that recursively? I.e. did
you change *all* the files within the directory also?
> Yes, there was an older qpidd installation but without using ssl.
>
> certutil works on the machine:
> -------------------------------------------------
> certutil -L -d server_db
>
> Certificate Nickname Trust
> Attributes
> SSL,S/MIME,JAR/XPI
>
> MyRootCA CT,,
> localhost.localdomain u,u,u
> --------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Andreas Welchlin <an...@comyno.com>.
Am 10.06.2014 10:51, schrieb Gordon Sim:
> On 06/10/2014 09:28 AM, Andreas Welchlin wrote:
>>
>> Am 09.06.2014 10:38, schrieb Gordon Sim:
>>> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>>>> Hi All,
>>>>
>>>> I started the qpidd broker on a fedora 9 using "sytemctl start
>>>> qpidd.service". But the initialisation of the SSL plugin failed:
>>>>
>>>> [Security] error Failed to initialise SSL plugin: Failed: NSS error
>>>> [-8015]
>>>> (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>>>
>>>>
>>>> When I start it as root from the commandline with "# /usr/sbin/qpidd
>>>> --config /etc/qpid/qpidd.conf", then
>>>> it works fine:
>>>>
>>>> [Security] notice Listening for SSL connections on TCP/TCP6 port 5674
>>>>
>>>>
>>>> I am more a software developer than an administrator and I just can
>>>> assume that the environment of the systemd needs to be changed. But I
>>>> have no idea how I can fix it.
>>>>
>>>> Does anyone of you have an idea what I should change?
>>>
>>> Are the cert db and password file (if used) readable by the qpidd user?
>>>
>>>
>>
>> No, they were not.
>> Now I changed the user of cert db and password file to qpidd.
>>
>> But unfortunately the problem is still there.
>>
>> Any more ideas?
>
> I believe that error code is SEC_ERROR_LEGACY_DATABASE. Has there been
> a previous, older installation of qpidd and/or nss on this box?
>
> Does certutil -L -d <cert_db_path> work?
>
Yes, there was an older qpidd installation but without using ssl.
certutil works on the machine:
-------------------------------------------------
certutil -L -d server_db
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
MyRootCA CT,,
localhost.localdomain u,u,u
--------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Gordon Sim <gs...@redhat.com>.
On 06/10/2014 09:28 AM, Andreas Welchlin wrote:
>
> Am 09.06.2014 10:38, schrieb Gordon Sim:
>> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>>> Hi All,
>>>
>>> I started the qpidd broker on a fedora 9 using "sytemctl start
>>> qpidd.service". But the initialisation of the SSL plugin failed:
>>>
>>> [Security] error Failed to initialise SSL plugin: Failed: NSS error
>>> [-8015]
>>> (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>>
>>>
>>> When I start it as root from the commandline with "# /usr/sbin/qpidd
>>> --config /etc/qpid/qpidd.conf", then
>>> it works fine:
>>>
>>> [Security] notice Listening for SSL connections on TCP/TCP6 port 5674
>>>
>>>
>>> I am more a software developer than an administrator and I just can
>>> assume that the environment of the systemd needs to be changed. But I
>>> have no idea how I can fix it.
>>>
>>> Does anyone of you have an idea what I should change?
>>
>> Are the cert db and password file (if used) readable by the qpidd user?
>>
>>
>
> No, they were not.
> Now I changed the user of cert db and password file to qpidd.
>
> But unfortunately the problem is still there.
>
> Any more ideas?
I believe that error code is SEC_ERROR_LEGACY_DATABASE. Has there been a
previous, older installation of qpidd and/or nss on this box?
Does certutil -L -d <cert_db_path> work?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Andreas Welchlin <an...@comyno.com>.
Am 09.06.2014 10:38, schrieb Gordon Sim:
> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>> Hi All,
>>
>> I started the qpidd broker on a fedora 9 using "sytemctl start
>> qpidd.service". But the initialisation of the SSL plugin failed:
>>
>> [Security] error Failed to initialise SSL plugin: Failed: NSS error
>> [-8015]
>> (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>
>>
>> When I start it as root from the commandline with "# /usr/sbin/qpidd
>> --config /etc/qpid/qpidd.conf", then
>> it works fine:
>>
>> [Security] notice Listening for SSL connections on TCP/TCP6 port 5674
>>
>>
>> I am more a software developer than an administrator and I just can
>> assume that the environment of the systemd needs to be changed. But I
>> have no idea how I can fix it.
>>
>> Does anyone of you have an idea what I should change?
>
> Are the cert db and password file (if used) readable by the qpidd user?
>
>
No, they were not.
Now I changed the user of cert db and password file to qpidd.
But unfortunately the problem is still there.
Any more ideas?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid broker ssl plugin - start using systemctl fails
Posted by Gordon Sim <gs...@redhat.com>.
On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
> Hi All,
>
> I started the qpidd broker on a fedora 9 using "sytemctl start
> qpidd.service". But the initialisation of the SSL plugin failed:
>
> [Security] error Failed to initialise SSL plugin: Failed: NSS error
> [-8015] (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>
>
> When I start it as root from the commandline with "# /usr/sbin/qpidd
> --config /etc/qpid/qpidd.conf", then
> it works fine:
>
> [Security] notice Listening for SSL connections on TCP/TCP6 port 5674
>
>
> I am more a software developer than an administrator and I just can
> assume that the environment of the systemd needs to be changed. But I
> have no idea how I can fix it.
>
> Does anyone of you have an idea what I should change?
Are the cert db and password file (if used) readable by the qpidd user?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org