我的 cups 无法通过 https:// 建立连接。
→ curl https://possum.int.gg3.net:631/adsf -I
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to possum.int.gg3.net:631
对该进程进行 strace 测试,结果显示无法打开密钥:
[pid 12399] access("/etc/cups/ssl/possum.int.gg3.net.crt", R_OK) = 0
[pid 12399] access("/etc/cups/ssl/possum.int.gg3.net.key", R_OK) = 0
[pid 12399] access("/etc/cups/ssl/possum.int.gg3.net.crt", R_OK) = 0
[pid 12399] access("/etc/cups/ssl/possum.int.gg3.net.key", R_OK) = 0
[pid 12399] openat(AT_FDCWD, "/etc/cups/ssl/possum.int.gg3.net.key", O_RDONLY) = -1 EACCES (Permission denied)
我的/etc/cups/ssl目录如下所示:
root@possum:/etc/cups/ssl# find /possum.int.gg3.net.* ./ -exec ls -dgG {} + ;
drwx------ 1 88 Oct 1 19:52 ./
lrwxrwxrwx 1 23 Oct 1 19:52 ./possum.int.gg3.net.crt -> /possum.int.gg3.net.crt
lrwxrwxrwx 1 23 Oct 1 19:52 ./possum.int.gg3.net.key -> /possum.int.gg3.net.key
-rw------- 1 3810 Oct 1 18:58 /possum.int.gg3.net.crt
-rw------- 1 1708 Oct 1 18:58 /possum.int.gg3.net.key
但是,如果我将文件移动到/tmp或/opt,它就会开始工作。
root@possum:/etc/cups/ssl# mv -vi /possum.int.gg3.net.* /opt/
renamed '/possum.int.gg3.net.crt' -> '/opt/possum.int.gg3.net.crt'
renamed '/possum.int.gg3.net.key' -> '/opt/possum.int.gg3.net.key'
root@possum:/etc/cups/ssl# ln -svf -t . /opt/possum.int.gg3.net.*
'./possum.int.gg3.net.crt' -> '/opt/possum.int.gg3.net.crt'
'./possum.int.gg3.net.key' -> '/opt/possum.int.gg3.net.key'
尝试了其他几个目录,但无法找出规律。例如,如果链接指向/tmp、/opt或,则有效,但如果链接指向、或 ,则./file/无效(最后一个是我真正需要做的)。/usr//etc/letsencrypt/live/possum.int.gg3.net
答案1
事实证明,这是 cups 的 apparmor 配置文件的问题,它不允许该进程读取 /etc/letsencrypt 目录中的文件。
我最近安装了 livepatch,它安装了 snapd,它安装了并启用装甲。
解决方案是在配置文件中允许这些。例如
$ sudo tee -a /etc/apparmor.d/local/usr.sbin.cupsd <<EOF
> /etc/letsencrypt/live/** r,
> /etc/letsencrypt/archive/** r,
> EOF
$ sudo systemctl restart apparmor