Something I learnt about openssl

I’ve been starting to use vestacp to manage my server. Mostly because it’s open source and simple design. But recently it’s SSL feature just… fail. It reject every certificate I throw at it, either from Let’s Encrypt or self sign. So after many lazy-ish hesitant, I decided to dig in.
Turn out that vesta use openssl extensively to check and verify certificate before enable them. In the file func/domain.sh it has function is_web_cert_valid with this snippet of code:
openssl s_server -quiet -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &
pid=$!
sleep 0.5
disown &> /dev/null
kill $pid &> /dev/null
check_result $? "ssl certificate key pair is not valid" $E_INVALID

This start a dry run ssl server using openssl feature. And if this dry run result in any abnormal return code, the certificate got reject. But openssl by defaults start its testing server using port 4433, this is also the default port for ssl torrent use by deluge with libtorrent < 1.1. Since I got deluge autostart, openssl can never got hold of port 4433 and quit. And thus vesta reject all of my generated certificate.

Now I find no way to disable port 4433 in deluge. That feature seem to have been assigned to deluge 1.4 milestone, some said of install libtorrent 1.1 (which turn off ssl torrents by default), but that’s too much of a hassle. Fortunately, openssl can change its port, so I edit line ~340 in file funct/domain.sh and add one argument to the openssl command:-accept 44333

From

openssl s_server -quiet -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &

To:

openssl s_server -quiet -accept 44333 -cert $ssl_dir/$domain.crt \
-key $ssl_dir/$domain.key >> /dev/null 2>&1 &

And that seem to do the trick.