Re: Thoughts on QUIC/HTTP3
On 7/9/22 18:08, William Lallemand wrote:
> But are there any certificates in the /opt/quictls/ssl/certs/ directory ?

No, it is empty. I didn't think to actually look inside it because it
didn't occur to me that it would be empty.

I just checked an install of stock openssl 3 and it also has no certs.
I see that /usr/lib/ssl/certs is a symlink to /etc/ssl/certs ... so I have
one more build step to put in my script -- make that symlink for quictls.
Once I did that manually, no more warning.

Thanks,
Shawn
Re: Thoughts on QUIC/HTTP3
On Fri, Jul 08, 2022 at 09:11:02AM -0600, Shawn Heisey wrote:
>
> The openssl that haproxy is compiled against is in /opt/quictls/ssl ...
> but there is a distribution-provided openssl package in /usr/lib/ssl as
> well. Both locations contain "certs".
>

But are there any certificates in the /opt/quictls/ssl/certs/ directory ?

> Setting either environment variable that you have mentioned does not
> eliminate the warning.

It should already be set to /opt/quictls/ssl/certs/, if you specified the
openssldir at /opt/quictls/ssl/ during the build of your library.

> root@bilbo:~# SSL_CERT_DIR=/opt/quictls/ssl/certs haproxy -c -f
> /etc/haproxy/haproxy.cfg
> [NOTICE] (2379692) : haproxy version is 2.6.1
> [NOTICE] (2379692) : path to executable is /usr/local/sbin/haproxy
> [WARNING] (2379692) : config : ca-file: 0 CA were loaded from '@system-ca'
> Warnings were found.
> Configuration file is valid
> root@bilbo:~# OPENSSLDIR=/opt/quictls/ssl haproxy -c -f
> /etc/haproxy/haproxy.cfg
> [NOTICE] (2379701) : haproxy version is 2.6.1
> [NOTICE] (2379701) : path to executable is /usr/local/sbin/haproxy
> [WARNING] (2379701) : config : ca-file: 0 CA were loaded from '@system-ca'
> Warnings were found.
> Configuration file is valid
>
> My setup has no need to verify certificates, so the warning doesn't
> actually matter for me. But it could be a problem for someone else.
>

In fact there is a warning because you might want to use the httpclient at
runtime, and the httpclient is using the CAs, so they are loaded at startup.
I suppose you don't have anything in this directory, or it failed to load
for some reason and this could be a bug we need to fix.

The message should have been about the httpclient, I'll look into this to
clarify it.

> I did figure out the correct way to run the "version -d" command you
> mentioned on the quictls install:
>
> elyograg@smeagol:~$ LD_LIBRARY_PATH=/opt/quictls/lib64
> /opt/quictls/bin/openssl version -d
> OPENSSLDIR: "/opt/quictls/ssl"

You had to use LD_LIBRARY_PATH because you didn't use the rpath when
compiling, this is necessary if you don't install the library in /usr/lib/.
You only need to add -Wl,-rpath=/opt/quictls/lib64 to your ./config line.

https://wiki.openssl.org/index.php/Compilation_and_Installation#Using_RPATHs

> My install does quic/http3 correctly, so I know it is finding and using
> quictls.
>

Ok, you can always check with ldd if you have some doubts.

--
William Lallemand
Re: SV: SV: Config will not start on 2.6.1 on Ubuntu 22.04
On Sat, Jul 09, 2022 at 01:46:03PM +0200, Vincent Bernat wrote:
> On 7/9/22 10:55, Willy Tarreau wrote:
> > On Sat, Jul 09, 2022 at 12:03:02AM +0200, Vincent Bernat wrote:
> > > The error when not running as root is expected. However, the fact it does
> > > not work on boot, then works after is odd. Can you share a minimal
> > > configuration file which exhibits this issue?
> >
> > That's very strange, it sounds as if the service was not started as
> > root. Was there any change in ubuntu 22 regarding the definition of
> > what user a service starts under ?
>
> We did some debugging off-list and the IP addresses were handled by
> keepalived and ip_nonlocal_bind sysctl was not enabled.

Ah OK, that indeed totally makes sense in this case. Thanks for the update!

That makes me think that maybe we could provide a diagnostic here. When we
fail to bind to an ip:port, we could retry with ip:0 and see if we face
the same error. If so we could indicate that the IP isn't present, this
would be helpful in such situations.

Willy
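The retry-on-port-0 diagnostic sketched above, written out as an added example (not HAProxy's code): a failed bind(ip, port) is followed by bind(ip, 0), and the pair of errno values is mapped to "address not present" versus "port problem". The constant names, the helper functions and the loopback listener used in demo_port_in_use() are this example's own.

```python
import errno
import socket

OK = "bind succeeded"
NOT_LOCAL = "address not present on this host (check keepalived / ip_nonlocal_bind)"
PORT_IN_USE = "address is local, but the port is already in use"
NO_PERMISSION = "address is local, but this port needs more privileges"


def try_bind(ip, port):
    """Attempt a TCP bind; return 0 on success or the errno on failure."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, port))
        return 0
    except OSError as e:
        return e.errno
    finally:
        s.close()


def classify(first_err, retry_err):
    """Map the outcomes of bind(ip, port) and the bind(ip, 0) retry to a
    diagnosis (retry_err is None when the first bind succeeded). Port 0 lets
    the kernel pick a free port, so the same error again means the address
    is the problem, while success on the retry means the port is."""
    if first_err == 0:
        return OK
    if retry_err == first_err and first_err == errno.EADDRNOTAVAIL:
        return NOT_LOCAL
    if retry_err == 0 and first_err == errno.EADDRINUSE:
        return PORT_IN_USE
    if retry_err == 0 and first_err == errno.EACCES:
        return NO_PERMISSION
    return "bind failed: %s" % errno.errorcode.get(first_err, first_err)


def diagnose_bind(ip, port):
    first = try_bind(ip, port)
    retry = None if first == 0 else try_bind(ip, 0)
    return classify(first, retry)


def demo_port_in_use():
    """Hold a listener on a kernel-chosen loopback port, then diagnose a
    second bind to that same port; the expected result is PORT_IN_USE."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        return diagnose_bind("127.0.0.1", holder.getsockname()[1])
    finally:
        holder.close()
```

To reproduce the keepalived situation from the thread, call diagnose_bind() with an address the host does not own (for instance the TEST-NET-1 address 192.0.2.1) and ip_nonlocal_bind left at 0: both binds fail with EADDRNOTAVAIL and the result is NOT_LOCAL.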
Re: SV: SV: Config will not start on 2.6.1 on Ubuntu 22.04
On 7/9/22 10:55, Willy Tarreau wrote:
> On Sat, Jul 09, 2022 at 12:03:02AM +0200, Vincent Bernat wrote:
> > The error when not running as root is expected. However, the fact it does
> > not work on boot, then works after is odd. Can you share a minimal
> > configuration file which exhibits this issue?
>
> That's very strange, it sounds as if the service was not started as
> root. Was there any change in ubuntu 22 regarding the definition of
> what user a service starts under ?

We did some debugging off-list and the IP addresses were handled by
keepalived and ip_nonlocal_bind sysctl was not enabled.
Re: SV: SV: Config will not start on 2.6.1 on Ubuntu 22.04
On Sat, Jul 09, 2022 at 12:03:02AM +0200, Vincent Bernat wrote:
> The error when not running as root is expected. However, the fact it does
> not work on boot, then works after is odd. Can you share a minimal
> configuration file which exhibits this issue?

That's very strange, it sounds as if the service was not started as
root. Was there any change in ubuntu 22 regarding the definition of
what user a service starts under ?

Willy