Why does cups sometimes fail to read its TLS key and certificate depending on where the symlink points?


My cups cannot accept connections over https://.

→ curl https://possum.int.gg3.net:631/adsf -I
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to possum.int.gg3.net:631 

Running strace on the process shows that it cannot open the key:

[pid 12399] access("/etc/cups/ssl/possum.int.gg3.net.crt", R_OK) = 0
[pid 12399] access("/etc/cups/ssl/possum.int.gg3.net.key", R_OK) = 0
[pid 12399] access("/etc/cups/ssl/possum.int.gg3.net.crt", R_OK) = 0
[pid 12399] access("/etc/cups/ssl/possum.int.gg3.net.key", R_OK) = 0
[pid 12399] openat(AT_FDCWD, "/etc/cups/ssl/possum.int.gg3.net.key", O_RDONLY) = -1 EACCES (Permission denied)

My /etc/cups/ssl directory looks like this:

root@possum:/etc/cups/ssl# find /possum.int.gg3.net.* ./ -exec ls -dgG {} + ; 
drwx------ 1   88 Oct  1 19:52 ./
lrwxrwxrwx 1   23 Oct  1 19:52 ./possum.int.gg3.net.crt -> /possum.int.gg3.net.crt
lrwxrwxrwx 1   23 Oct  1 19:52 ./possum.int.gg3.net.key -> /possum.int.gg3.net.key
-rw------- 1 3810 Oct  1 18:58 /possum.int.gg3.net.crt
-rw------- 1 1708 Oct  1 18:58 /possum.int.gg3.net.key

But if I move the files to /tmp or /opt, it starts working.

root@possum:/etc/cups/ssl# mv -vi /possum.int.gg3.net.* /opt/
renamed '/possum.int.gg3.net.crt' -> '/opt/possum.int.gg3.net.crt'
renamed '/possum.int.gg3.net.key' -> '/opt/possum.int.gg3.net.key'

root@possum:/etc/cups/ssl# ln -svf -t . /opt/possum.int.gg3.net.*
'./possum.int.gg3.net.crt' -> '/opt/possum.int.gg3.net.crt'
'./possum.int.gg3.net.key' -> '/opt/possum.int.gg3.net.key'

I tried several other directories but could not work out the pattern. For example, it works if the link points to /tmp, /opt or ./file, but not if it points to /usr/, / or /etc/letsencrypt/live/possum.int.gg3.net (the last one being what I actually need to do).

Answer 1

It turns out this is a problem with the AppArmor profile for cups, which does not allow the process to read files under the /etc/letsencrypt directory.

I recently installed livepatch, which installed snapd, which installed and enabled AppArmor.

The fix is to allow these in the profile. For example

$ sudo tee -a /etc/apparmor.d/local/usr.sbin.cupsd <<EOF
>   /etc/letsencrypt/live/** r,
>   /etc/letsencrypt/archive/** r,
> EOF
$ sudo systemctl restart apparmor
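A follow-up added here, not part of the original answer: before editing the profile, confirm that AppArmor is really the cause. AppArmor mediates file access on the path after symlink resolution, so a link in /etc/cups/ssl that points into /etc/letsencrypt is checked against the target path, and each refusal is written to the kernel log (or to auditd) as an apparmor="DENIED" record carrying the resolved name. The script below is example code, not from the poster or the CUPS project: it parses such records and turns the paths one profile was denied into file rules for the local override. The log lines are constructed samples with made-up paths and pids, written in the format the kernel uses; the profile name /usr/sbin/cupsd is the one that the answer's file usr.sbin.cupsd corresponds to on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): find what an AppArmor profile
# denied and turn the denied paths into rules for the local override file.

# Constructed sample kernel-log lines in AppArmor's audit format. Paths and
# pids are made up; the archive/ paths are what AppArmor logs when the
# symlinks under live/ are opened, because it mediates the resolved path.
SAMPLE_LOG='audit: type=1400 audit(1601582000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/letsencrypt/archive/possum.int.gg3.net/privkey1.pem" pid=12399 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1601582001.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/letsencrypt/archive/possum.int.gg3.net/privkey1.pem" pid=12399 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1601582002.789:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/letsencrypt/archive/possum.int.gg3.net/fullchain1.pem" pid=12399 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1601582003.012:48): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/root/.ssh/authorized_keys" pid=777 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# denied_paths PROFILE: read log text on stdin and print each distinct path
# the named profile was denied, followed by the refused mask ("path mask").
# Records from other profiles and repeated denials of one path are dropped.
denied_paths() {
    awk -v prof="$1" '
        /apparmor="DENIED"/ {
            p = n = m = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "profile") p = v
                else if (kv[1] == "name") n = v
                else if (kv[1] == "denied_mask") m = v
            }
            if (p == prof && n != "" && !seen[n]++) print n, m
        }'
}

# suggest_rules PROFILE: turn the denied paths into AppArmor file rules,
# one per path, indented and terminated the way the profile files expect.
# Exact paths are emitted rather than globs so the grant stays as narrow
# as the evidence; widen to /etc/letsencrypt/archive/** only if renewals
# must keep working without another profile edit.
suggest_rules() {
    denied_paths "$1" | while read -r path mask; do
        printf '  %s %s,\n' "$path" "$mask"
    done
}

# On a live system (as root), feed the real kernel log instead of the sample:
#   dmesg | suggest_rules /usr/sbin/cupsd | tee -a /etc/apparmor.d/local/usr.sbin.cupsd
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/cupsd
```

Review the suggested lines before appending them, and reload just the one profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd` rather than restarting the whole apparmor service; the replacement applies to the already running cupsd. The exact-path rules are narrower than the answer's `/etc/letsencrypt/live/**` and `/etc/letsencrypt/archive/**`, at the cost of needing another edit when a renewal creates privkey2.pem.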
