Delete printer remotely, firefox: cannot communicate securely
Chris Martin
cmartin at spamcop.net
Sat Jul 15 03:03:51 PDT 2006
cups-1.2.1-r2 on Gentoo 2006.0
The server is set up (using local administration) to allow remote administration. On trying to delete a printer from another machine (running the same version of CUPS on Gentoo 2006.0 as well), the messages
"426 Upgrade Required
You must access this page using the URL https://192.168.1.36:631/admin/?op=delete-printer&printer_name=EPL6200."
followed by a popup from Firefox (1.5.0.4)
"Firefox and 192.168.1.36 cannot communicate securely because they
have no common encryption algorithms."
Nothing in either error_log or access_log on the workstation (192.168.1.37). On the server (192.168.1.36), what seem to be the relevant lines of error_log are (loglevel set to debug)
D [15/Jul/2006:10:46:52 +0100] cupsdReadClient: 7 GET /admin/?op=delete-printer&printer_name=EPL6200 HTTP/1.1
D [15/Jul/2006:10:46:52 +0100] cupsdReadClient: 7 Browser asked for language "en-us.utf-8"
...
D [15/Jul/2006:10:46:52 +0100] cupsdAuthorize: No authentication data provided.
D [15/Jul/2006:10:46:52 +0100] cupsdSendError: 7 code=426 (Upgrade Required)
D [15/Jul/2006:10:46:52 +0100] cupsdCloseClient: 7
D [15/Jul/2006:10:46:55 +0100] cupsdAcceptClient: 7 from 192.168.1.37:631 (IPv4)
E [15/Jul/2006:10:46:55 +0100] encrypt_client: Unable to encrypt connection from 192.168.1.37!
E [15/Jul/2006:10:46:55 +0100] encrypt_client: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
access_log just has
192.168.1.37 - - [15/Jul/2006:10:46:52 +0100] "GET /admin/?op=delete-printer&printer_name=EPL6200 HTTP/1.1" 426 0 - -
cupsd.conf for the server (192.168.1.36):
# Show troubleshooting information in error_log.
LogLevel debug
SystemGroup lpadmin
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
DefaultAuthType Basic
<Location />
# Allow remote administration...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin>
Encryption Required
# Allow remote administration...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Authenticate-Job>
</Limit>
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel a job...
<Limit Cancel-Job>
Order deny,allow
Require user @OWNER @SYSTEM
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
Looking for the error on the 'net, it seemed to be connected with missing certificates; here is /etc/cups/certs:
bigfoot ~ # /bin/ls -l /etc/cups/certs
total 4
-r--r----- 1 root lp 32 2006-07-14 11:09 0
On the workstation (192.168.1.37), cupsd.conf is as it was installed except that Gentoo recommends, for remote printing, changing "Listen localhost:631" to "Listen *:631"
#
# "$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $"
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#
# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info
# Administrator user group...
SystemGroup lpadmin
# Only listen for connections from the local machine.
Listen *:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
<Location />
Order allow,deny
Allow localhost
</Location>
# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
</Location>
# Set the default printer/job policies...
<Policy default>
# Job-related operations must be done by the owner or an administrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#
# End of "$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $".
#
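
The pattern in the server's error_log above (a 426 Upgrade Required followed seconds later by an encrypt_client handshake failure) can be picked out of a longer log mechanically. This is an added example, not part of the original post or of CUPS; the function name `find_failed_upgrades` and the 10-second window are assumptions, and the sample lines are the post's own log lines with wrapped lines rejoined.

```python
import re
from datetime import datetime, timedelta

# Log lines from the error_log excerpt in the post, with wrapped lines rejoined.
SAMPLE_LOG = """\
D [15/Jul/2006:10:46:52 +0100] cupsdAuthorize: No authentication data provided.
D [15/Jul/2006:10:46:52 +0100] cupsdSendError: 7 code=426 (Upgrade Required)
D [15/Jul/2006:10:46:52 +0100] cupsdCloseClient: 7
D [15/Jul/2006:10:46:55 +0100] cupsdAcceptClient: 7 from 192.168.1.37:631 (IPv4)
E [15/Jul/2006:10:46:55 +0100] encrypt_client: Unable to encrypt connection from 192.168.1.37!
E [15/Jul/2006:10:46:55 +0100] encrypt_client: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
"""

# "<level> [<timestamp>] <function>: <message>" as seen in the excerpt.
LINE = re.compile(r"^([A-Za-z]) \[([^\]]+)\] (\w+): (.*)$")
UPGRADE = re.compile(r"code=426\b")
TLS_FAIL = re.compile(r"Unable to encrypt connection from ([0-9A-Fa-f.:]+)!")
TLS_REASON = re.compile(r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:(.+)$")

def find_failed_upgrades(log_text, window_seconds=10):
    """Return TLS handshake failures that follow a 426 within window_seconds."""
    findings, last_426 = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip "..." elisions and anything unparseable
        _level, stamp, func, msg = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if func == "cupsdSendError" and UPGRADE.search(msg):
            last_426 = when  # server told the client to switch to https
        elif func == "encrypt_client":
            fail = TLS_FAIL.search(msg)
            reason = TLS_REASON.search(msg)
            if fail and last_426 and when - last_426 <= timedelta(seconds=window_seconds):
                findings.append({"time": when, "client": fail.group(1), "reason": None})
            elif reason and findings and findings[-1]["reason"] is None:
                # The OpenSSL error line follows the failure line; attach its reason text.
                findings[-1]["reason"] = reason.group(1)
    return findings

if __name__ == "__main__":
    for f in find_failed_upgrades(SAMPLE_LOG):
        print(f["time"].isoformat(), f["client"], f["reason"])
```
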