Solved at last! A syntax error in the YAML file. This line:

    Certificates: "/etc/pound/c.pem"

MUST be:

    Certificates:
      - "/etc/pound/c.pem"

Should this be documented?

Kind regards,

Unione della Romagna Faentina
dr. Alessandro Baldoni
Servizio Informatica
Via Severoli 7
48018 Faenza RA
0546 691224
alessandro.bald...@romagnafaentina.it
p...@cert.romagnafaentina.it

________________________________
From: Alessandro Baldoni via pound <pound@apsis.ch>
Sent: Wednesday, October 28, 2020 19:09
To: pound@apsis.ch <pound@apsis.ch>
Cc: Alessandro Baldoni <alessandro.bald...@romagnafaentina.it>; Robert Segall <ro...@apsis.ch>
Subject: Re: [pound] Pound-3.0e: Error when reading PEM file

Hello Robert,

I managed to get rid of the error so I thought it useful to share. I used openssl to read and write back the private key:

    openssl rsa -in private.key -out private_same.key

And it did the magic! I came to this solution by applying a KB article for Citrix NetScaler (that I own), which can be picky about private keys.

Now, however, I get a SIGSEGV:

    ...omissis...
    address 192.168.1.72 /root/Pound-3.0e/src/config.c:509
    port 890 /root/Pound-3.0e/src/config.c:512
    start get_certificates /root/Pound-3.0e/src/config.c:451
    start get_one(/etc/pound/c.pem) /root/Pound-3.0e/src/config.c:377
    start get_services /root/Pound-3.0e/src/config.c:209
    HeadRequire Host: .*xxx.yyy.zzz.* /root/Pound-3.0e/src/config.c:237
    push /root/Pound-3.0e/src/config.c:258
    Segmentation fault (core dumped)

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000409c5e in get_https (root=0x4328e0, root=0x4328e0, document=0x7fffffffcb10) at /root/Pound-3.0e/src/config.c:548
    548         if(res.sni[0]->certificate.next != NULL)

Is there any info I can provide to help debug the problem?

Kind regards,
dr. Alessandro Baldoni

________________________________
From: Robert Segall via pound <pound@apsis.ch>
Sent: Thursday, October 22, 2020 18:16
To: pound@apsis.ch <pound@apsis.ch>
Cc: Robert Segall <ro...@apsis.ch>
Subject: Re: [pound] Pound-3.0e: Error when reading PEM file

Hello Alessandro

I am a bit out of ideas. Perhaps you could try downloading, compiling, and linking to the newest version of mbedtls? The official distribution also contains a bunch of programs (similar to the "openssl" command) which could be helpful in debugging this issue. Worth a try...

Failing that you could perhaps open a bug report on their mailing list.

On Tue, 2020-10-20 at 13:19 +0000, Alessandro Baldoni via pound wrote:
> Hello Robert, I ran the openssl command again with version 1.1.1 and
> now the output is:
>
> Private-Key: (2048 bit, 2 primes)
> modulus:
> publicExponent: 65537 (0x10001)
> privateExponent:
> prime1:
> prime2:
> exponent1:
> exponent2:
> coefficient:
>
> The previous output was with openssl 1.0.2e
>
> Kind regards,
> dr. Alessandro Baldoni
>
> ________________________________
> From: Robert Segall <ro...@apsis.ch>
> Sent: Monday, October 19, 2020 14:48
> To: Alessandro Baldoni <alessandro.bald...@romagnafaentina.it>; pound@apsis.ch <pound@apsis.ch>
> Subject: Re: [pound] Pound-3.0e: Error when reading PEM file
>
> Hello Alessandro
>
> By "wrong values" I meant primes that do not result in the advertised
> number of bits (for example). This is very unlikely, but not outright
> impossible.
>
> What worries me more is that in your printout I see "Private-Key: (2048
> bit)" rather than "RSA Private-Key: (2048 bit, 2 primes)". I believe
> mbedtls (like other TLS1.3 implementations) is rather picky about the
> tags used. Could you possibly check with your certificate provider for
> the reasons? Perhaps they could generate a new certificate with fully
> compliant tags just for testing purposes? Alternately, I know the
> latest versions of openssl generate these tags, so perhaps you could
> create a self-signed certificate just for testing?
>
> BTW: this could also explain the issues people had with Pound 2.8:
> using a newer openssl version may have a similar effect.
>
> On Mon, 2020-10-19 at 10:40 +0000, Alessandro Baldoni wrote:
> > Hello Robert, this is the output of the SSL command (values
> > removed):
> >
> > Private-Key: (2048 bit)
> > modulus:
> > publicExponent: 65537 (0x10001)
> > privateExponent:
> > prime1:
> > prime2:
> > exponent1:
> > exponent2:
> > coefficient:
> >
> > What do you mean with "a problem of wrong values"?
> >
> > Kind regards,
> > dr. Alessandro Baldoni
> >
> > ________________________________
> > From: Robert Segall via pound <pound@apsis.ch>
> > Sent: Monday, October 19, 2020 11:12
> > To: pound@apsis.ch <pound@apsis.ch>
> > Cc: Robert Segall <ro...@apsis.ch>
> > Subject: Re: [pound] Pound-3.0e: Error when reading PEM file
> >
> > Hello Alessandro
> >
> > Please have a look at your private key and check what it contains. To
> > see it use the command "openssl rsa -noout -text -in cert.pem". The
> > expected output:
> >
> > RSA Private-Key: (... bit, 2 primes)
> > modulus:
> > ...
> > publicExponent: ... (...)
> > privateExponent:
> > ...
> > prime1:
> > ...
> > prime2:
> > ...
> > exponent1:
> > ...
> > exponent2:
> > ...
> > coefficient:
> > ...
> >
> > If your key looks different it may cause issues, otherwise it may be
> > a problem of wrong values.
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-32-512 30 19

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19

--
pound mailing list
pound@apsis.ch
https://admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch
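As an added pre-flight check, not code from this thread or from Pound itself: it rejects the scalar `Certificates:` form that the top message found to be the real fault, and reports which private-key encoding each PEM file announces, the point Robert's messages circle around. It assumes the YAML has already been loaded into a dict by a loader such as PyYAML, and the PEM fixtures are constructed; the thread never shows the actual PEM headers, so which encoding the rewritten key had is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed config fragments, shaped as a YAML loader would hand them over
# (the YAML parsing step is left out so this runs on the standard library).
SCALAR_CFG = {"Certificates": "/etc/pound/c.pem"}    # the form that segfaulted
LIST_CFG = {"Certificates": ["/etc/pound/c.pem"]}    # the form that worked

# Constructed PEM fixtures: labels are real, bodies are placeholders, not keys.
PEM_PKCS1 = ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
             "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
PEM_PKCS8 = ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
             "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")
BEGIN_LABEL = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.MULTILINE)


def certificate_paths(cfg: Dict) -> List[str]:
    """Return the Certificates entries, rejecting the scalar form from the thread."""
    value = cfg.get("Certificates")
    if not isinstance(value, list) or not value:
        raise ValueError('Certificates must be a non-empty YAML list, e.g.\n'
                         'Certificates:\n  - "/etc/pound/c.pem"')
    if not all(isinstance(p, str) for p in value):
        raise ValueError("every Certificates entry must be a path string")
    return value


def check_pem(pem_text: str) -> Tuple[bool, str]:
    """Confirm a certificate and a private key block are present and name
    the key encoding announced by the BEGIN label."""
    labels = BEGIN_LABEL.findall(pem_text)
    if "CERTIFICATE" not in labels:
        return False, "missing CERTIFICATE block"
    if "RSA PRIVATE KEY" in labels:   # PKCS#1; what 'openssl rsa ... -out' emits on 1.x
        return True, "PKCS#1 RSA key"
    if "PRIVATE KEY" in labels:       # PKCS#8 wrapper around the same key material
        return True, "PKCS#8 key"
    return False, "missing private key block"


def preflight(cfg: Dict, pem_by_path: Dict[str, str]) -> List[Tuple[str, bool, str]]:
    """Run both checks before starting Pound; pem_by_path stands in for the
    files on disk so the example stays self-contained."""
    report = []
    for path in certificate_paths(cfg):
        if path not in pem_by_path:
            report.append((path, False, "file not found"))
            continue
        ok, note = check_pem(pem_by_path[path])
        report.append((path, ok, note))
    return report
```

Running `preflight(SCALAR_CFG, ...)` raises before Pound ever sees the file, which is the failure the thread only discovered via the SIGSEGV in get_https.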