[cups.general] Q. Is https required for remote administration?

wtautz wtautz at cs.uwaterloo.ca
Thu May 18 12:31:24 PDT 2006


Michael Sweet wrote:

> wtautz wrote:
>
>> Michael Sweet wrote:
>>
>>> wtautz wrote:
>>>
>>>> ...
>>>> So it looks like gnutls is being used. I guess to get around the
>>>> licensing issue
>>>> that Debian doesn't like. So encryption is being used.
>>>> ...
>>>> I get the problem if I start with http://servername:443 I can't even
>>>> connect.
>>>> On the server I see a CLOSE_WAIT if I use lsof -i. This may be a local
>>>> issue.
>>>
>>>
>>> First, make sure you have an /etc/cups/ssl directory; the GNU TLS
>>> support includes automatic server certificate generation, so the
>>> first connect will be a little slow.  You can look in the error_log
>>> file for any encryption errors that show up...
>>>
>> Yes, I don't have the openssl package installed which contains /etc/ssl
>> Looks like the Ubuntu package should have openssl as a dependency
>> and they left it out.
>
>
> Look for /etc/cups/ssl, not /etc/ssl.  /etc/cups/ssl should exist
> and may contain a server.crt and server.key file.

Duh. Sorry I misread that.... I gather I should make the directory. It
is missing.
Seems to be the case considering the errors below...

>
>> What should I be looking for in error_log. Doesn't seem to contain
>> anything informative
>> and I have LogLevel at debug2
>
>
> Look for encrypt_client, "server key", and "self-signed certificate".

/var/log/cups/error_log:E [18/May/2006:12:08:53 -0400] encrypt_client: Unable to encrypt connection from 129.97.15.46!
/var/log/cups/error_log:E [18/May/2006:12:08:53 -0400] encrypt_client: Could not negotiate a supported cipher suite.

>
Ok. I made the directory /etc/cups/ssl/ with permission root.lp and
permission 755.
Error log has:
D [18/May/2006:14:06:53 -0400] cupsdAcceptClient: 8 from XX.XX.XX.XX:443 (IPv4)
d [18/May/2006:14:06:53 -0400] cupsdAcceptClient: 8 connected to server on servname:443
d [18/May/2006:14:06:53 -0400] cupsdAcceptClient: Adding fd 8 to InputSet...
d [18/May/2006:14:06:53 -0400] cupsdCheckJobs: 0 active jobs, sleeping=0, reload=0
d [18/May/2006:14:06:53 -0400] stringpool: 317 strings, 7360 allocated, 6424 total bytes
d [18/May/2006:14:06:53 -0400] cupsdAddCert: adding certificate for pid 0
d [18/May/2006:14:06:53 -0400] cupsdAddCert: NumSystemGroups=1
d [18/May/2006:14:06:53 -0400] cupsdReadClient: 8, used=0, file=-1 state=0
d [18/May/2006:14:06:53 -0400] cupsdReadClient: Saw first byte 80, auto-negotiating SSL/TLS session...
I [18/May/2006:14:06:53 -0400] Generating server key...

At least the error message I saw has stopped as a result of putting in a
/etc/cups/ssl
directory.

Doesn't do anything after that, i.e. just sits there spinning trying to
connect
(lsof -i has CLOSE_WAIT) and /etc/cups/ssl/ is empty.

btw  /var/run/cups/certs/
total 4
drwx--x--x 2 cupsys lpadmin  60 2006-05-18 14:06 .
drwxr-xr-x 3 cupsys lp      100 2006-05-18 14:05 ..
--w-r----- 1 cupsys lpadmin  32 2006-05-18 14:06 0

probably unrelated? actually the time stamp suggests this is the file
that was generated.
Yes, I've confirmed it by removing the file and doing a cold start of
cupsd. I.e. the Generating server key
message seems to correspond to the file /var/run/cups/certs/0 being created.
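
The checks discussed in this thread, collected into one shell function as an added example that is not part of the original message or of CUPS: it looks for the ssl directory and its server.crt/server.key, searches error_log for the strings named above, and flags a log whose last line is "Generating server key...". The tag names it prints, the world-readable key check and the sample log (with a documentation IP address) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. The tags printed are this example's
# own labels, not CUPS output.

cups_tls_triage() {   # usage: cups_tls_triage ERROR_LOG SSL_DIR
    log=$1; ssldir=$2; out=""

    # /etc/cups/ssl should exist and may contain server.crt and server.key.
    if [ ! -d "$ssldir" ]; then
        out="$out ssl_dir_missing"
    else
        [ -s "$ssldir/server.crt" ] || out="$out no_server_crt"
        if [ ! -s "$ssldir/server.key" ]; then
            out="$out no_server_key"
        elif [ -n "$(find "$ssldir/server.key" -perm -004)" ]; then
            # Check added by this example: private key readable by everyone.
            out="$out key_world_readable"
        fi
    fi

    # Strings the thread says to look for in error_log.
    if grep -q 'encrypt_client: Could not negotiate a supported cipher suite' "$log"
    then out="$out cipher_negotiation_failed"; fi
    if grep -q 'self-signed certificate' "$log"
    then out="$out self_signed_cert_logged"; fi

    # "Generating server key..." as the final line: nothing was logged after
    # key generation began, which is the hang reported in the thread.
    case $(tail -n 1 "$log") in
        *'Generating server key'*) out="$out keygen_is_last_log_line" ;;
    esac

    out=${out# }
    echo "${out:-ok}"
}

# Constructed sample log, modelled on the lines quoted in the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
E [18/May/2006:12:08:53 -0400] encrypt_client: Unable to encrypt connection from 192.0.2.10!
E [18/May/2006:12:08:53 -0400] encrypt_client: Could not negotiate a supported cipher suite.
d [18/May/2006:14:06:53 -0400] cupsdReadClient: Saw first byte 80, auto-negotiating SSL/TLS session...
I [18/May/2006:14:06:53 -0400] Generating server key...
EOF
}

demo=$(mktemp -d)
write_sample_log "$demo/error_log"
cups_tls_triage "$demo/error_log" "$demo/ssl"   # ssl directory absent here
rm -rf "$demo"
```

On a real host the arguments would be /var/log/cups/error_log and /etc/cups/ssl, the paths used in the thread.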





