[Solved] Permissions problem on OCSP reload

Added by flynn over 2 years ago

I still have problems reloading the external updated OCSP files.

Now I may have found the reason: I see the following messages on stdout:

(fdevent.c.1026) fdevent_load_file() xxxx: Permission denied
(server.c.1282) Initialization of plugins failed. Going down.

But on startup or reloading the configuration it works, no Permission denied messages.

Can it be that on startup the OCSP file is loaded as root user, but on OCSP reload as server.username (e.g. www-data)?

What is the suggested fix:
  • change the permissions on OCSP files
  • fix the code

I think this message should also be present in the error log.


Replies (3)

RE: Permissions problem on OCSP reload - Added by gstrauss over 2 years ago

If you start lighttpd as root, then yes, lighttpd reads the TLS configuration files as root. This is done so that if there are root-restricted files such as TLS certificate private keys which need to be read as root, then those files are read as root before dropping privileges to server.username.

There is no need to restrict reading of OCSP response files to root, so changing the permission on the OCSP response files is probably the best solution to allow both root and non-root (server.username) to read the OCSP response files.

Now I may have found the reason: I see the following messages on stdout: [...]

lighttpd does not print those messages to stdout. They are printed to stderr, but it is possible that stderr might still be connected to the console -- before the error log is opened -- if there is an error parsing the config file.
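
The two-reader situation described in this reply (root reads the TLS files at startup, then server.username re-reads the OCSP response on the periodic reload) can be checked ahead of time. The script below is an added example, not part of the thread and not lighttpd code: it models the kernel's owner/group/other read check for a given account, audits an OCSP response file against that account, and applies the permission fix suggested above (0644 on the OCSP response, which is public CA-signed data) while confirming the private key is not world-readable. It assumes server.username is www-data (override with SERVER_USER); the file paths passed on the command line are placeholders for your own.

```shell
#!/bin/sh
# Added example, not lighttpd's own code. Checks that an OCSP response file
# is readable by the unprivileged server account lighttpd drops to, which is
# the account that re-reads it on the periodic OCSP reload.

SERVER_USER=${SERVER_USER:-www-data}   # assumption: your server.username

# mode_allows_read MODE OWNER GROUP USER GROUPS
# Pure permission-bit check. MODE is the 10-character ls -l mode string
# (e.g. -rw-r-----), GROUPS is USER's space-separated group list.
# Mirrors the DAC rule: owner bits if USER owns the file, otherwise group
# bits if USER is in GROUP, otherwise other bits; root bypasses all three.
mode_allows_read() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    [ "$user" = root ] && return 0
    if [ "$owner" = "$user" ]; then
        case $mode in ?r*) return 0 ;; esac
        return 1
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            case $mode in ????r*) return 0 ;; esac
            return 1
        fi
    done
    case $mode in ???????r*) return 0 ;; esac
    return 1
}

# file_readable_by FILE USER: gather mode/owner/group from ls -ld (same field
# layout on GNU and BSD, unlike stat's format flags) and USER's groups from id.
# An unknown USER gets an empty group list and is judged by the other bits.
file_readable_by() {
    file=$1 user=$2
    out=$(ls -ld "$file") || return 2
    set -- $out
    groups=$(id -Gn "$user" 2>/dev/null) || groups=""
    mode_allows_read "$1" "$3" "$4" "$user" "$groups"
}

# world_readable FILE: true if the other-read bit is set.
world_readable() {
    out=$(ls -ld "$1") || return 2
    case $out in ???????r*) return 0 ;; esac
    return 1
}

# fix_ocsp_perms FILE...: an OCSP response is public data signed by the CA,
# so 0644 lets both root (startup) and SERVER_USER (reload) read it.
fix_ocsp_perms() {
    chmod 0644 "$@"
}

# audit_ocsp OCSP_FILE KEY_FILE: 0 only if the OCSP response is readable by
# SERVER_USER and the private key is not world-readable.
audit_ocsp() {
    ocsp=$1 key=$2 rc=0
    if file_readable_by "$ocsp" "$SERVER_USER"; then
        echo "ok:   $ocsp readable by $SERVER_USER (OCSP reload will work)"
    else
        echo "FAIL: $ocsp not readable by $SERVER_USER; fix: chmod 0644 $ocsp"
        rc=1
    fi
    if world_readable "$key"; then
        echo "FAIL: $key is world-readable; keep private keys root-only (0600)"
        rc=1
    else
        echo "ok:   $key is not world-readable"
    fi
    return $rc
}

# Usage: sh ocsp-perms.sh /path/to/ocsp.der /path/to/server.key  (paths assumed)
if [ $# -ge 2 ]; then
    audit_ocsp "$1" "$2"
fi
```

Run it once after setting up the external OCSP updater and again whenever that updater changes how it writes the file (a tool that recreates the file with a 0600 umask will silently reintroduce the reload failure while startup keeps working as root).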

RE: Permissions problem on OCSP reload - Added by flynn over 2 years ago

I updated the SSL/TLS wiki page.

RE: [Solved] Permissions problem on OCSP reload - Added by gstrauss over 2 years ago

Thanks for the wiki update.
