Categories
Uncategorised

Something I learnt about openssl

I’ve been starting to use vestacp to manage my server. Mostly because it’s open source and simple design. But recently it’s SSL feature just… fail. It reject every certificate I throw at it, either from Let’s Encrypt or self sign. So after many lazy-ish hesitant, I decided to dig in.
Turn out that vesta use openssl extensively to check and verify certificate before enable them. In the file func/domain.sh it has function is_web_cert_valid with this snippet of code:
openssl s_server -quiet -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &
pid=$!
sleep 0.5
disown &> /dev/null
kill $pid &> /dev/null
check_result $? "ssl certificate key pair is not valid" $E_INVALID

 

This start a dry run ssl server using openssl feature. And if this dry run result in any abnormal return code, the certificate got reject. But openssl by defaults start its testing server using port 4433, this is also the default port for ssl torrent use by deluge with libtorrent < 1.1. Since I got deluge autostart, openssl can never got hold of port 4433 and quit. And thus vesta reject all of my generated certificate.

Now I find no way to disable port 4433 in deluge. That feature seem to have been assigned to deluge 1.4 milestone, some said of install libtorrent 1.1 (which turn off ssl torrents by default), but that’s too much of a hassle. Fortunately, openssl can change its port, so I edit line ~340 in file funct/domain.sh and add one argument to the openssl command:-accept 44333

From

openssl s_server -quiet -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &

To:

openssl s_server -quiet -accept 44333 -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &

And that seem to do the trick.

2 replies on “Something I learnt about openssl”

It is relaxing to read your archives recollecting a long story since your first time at UIT. I know this is a personal page where you can share your thoughts and helpful technical write-ups, however, I am still waiting for academic-related posts discussing your fields of interest and your experience on teaching at UIT. That must be very interesting to read about that kind of posts authored by you , consider about it. Pham!
-from a loyal & anonymous reader follower –

It worked! Thank you!

After weeks of on/off searching google and vesta forums I finally found the solution. I too found is_web_cert_valid and tracked it down to func/domain.sh. I had a feeling something was going wrong there after manually verifying crt and key with openssl. I’m also running deluge. Glad you were able to get to the bottom of it. Truly appreciated!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.