SSL_CTX_use_certificate_chain_file() fail: error:02001002:system library:fopen:No such file or directory

by Visvanath Ratnaweera -
Number of replies: 6

Hi Juan Carlos

On a Debian 10 Buster after installing the vpl-jail-server I get this when I start the service (HOST and HOST.FQDN are masking the real names):

# /usr/sbin/vpl/vpl-jail-system start
Starting vpl-jail-system service:

Broadcast message from systemd-journald@HOST (Wed 2021-03-24 19:46:50 CET):

vpl-jail-system[19463]: SSL_CTX_use_certificate_chain_file() fail: \
error:02001002:system library:fopen:No such file or directory

Message from syslogd@HOST at Mar 24 19:46:50 ...
 vpl-jail-system[19463]: SSL_CTX_use_certificate_chain_file() fail: \
error:02001002:system library:fopen:No such file or directory
Daemon not started

Digging in to pem:

/etc/vpl# ls -l
lrwxrwxrwx 1 root root   53 Mar 13 20:51 cert.pem -> /etc/letsencrypt/live/HOST.FQDN/fullchain.pem
lrwxrwxrwx 1 root root   51 Mar 13 20:51 key.pem -> /etc/letsencrypt/live/HOST.FQDN/privkey.pem
-rw------- 1 root root 3824 Mar 24 19:39 vpl-jail-system.conf
-rw------- 1 root root 3824 Mar 24 19:46 vpl-jail-system.conf.LAST

But

# cd /etc/letsencrypt/live/
root@HOST:/etc/letsencrypt/live# ls -l
drwxr-xr-x 2 root root 4096 Mar 13 21:33 HOST.FQDN-0001
...

Looks like letsencrypt is messed up?

In reply to Visvanath Ratnaweera

Re: SSL_CTX_use_certificate_chain_file() fail: error:02001002:system library:fopen:No such file or directory

by Juan Carlos Rodríguez-del-Pino -
Hi Visvanath,
It seems that your Certbot adds a ".001" to the name of the domain leading to an incorrect directory name and incorrect symbolic link. Really I don't know why your Certbot does that but the solution is easy: change the symbolic links to the correct file.
Notice that instead of using symbolic links you also can use the new parameter to indicate to the SSL certificate (fullchain.pem) and SSL key (privkey.pem) files.
See https://vpl.dis.ulpgc.es/documentation/vpl-jail-system-2.7.0/configuration.html#ssl-key-file

Best regards,
Juan Carlos
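
Added example (not part of the thread or of the VPL project): a shell sketch of the check behind this fix, reporting whether the cert.pem and key.pem links resolve and which Certbot live directory, with or without a -NNNN suffix, actually holds the files. The sandbox paths and the name host.example are constructed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: diagnose the dangling cert.pem/key.pem links from this thread.
# All paths and the host name host.example are constructed; /etc is never touched.

# link_status PATH -> ok | dangling | missing
link_status() {
    if [ -e "$1" ]; then
        echo ok                      # link (or file) resolves to something
    elif [ -L "$1" ]; then
        echo dangling                # symlink exists, target does not: fopen fails
    else
        echo missing
    fi
}

# find_lineages LIVE_DIR HOST FILE -> directories named HOST or HOST-NNNN holding FILE
find_lineages() {
    for d in "$1/$2" "$1/$2"-[0-9][0-9][0-9][0-9]; do
        [ -f "$d/$3" ] && echo "$d"
    done
    return 0
}

# repoint LINK TARGET -> replace the symlink, refusing a target that is absent
repoint() {
    [ -f "$2" ] || { echo "refusing: $2 does not exist" >&2; return 1; }
    ln -sfn "$2" "$1"
}

# make_sandbox -> prints the root of a constructed tree shaped like the one in the thread
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/vpl" "$root/etc/letsencrypt/live/host.example-0001"
    : > "$root/etc/letsencrypt/live/host.example-0001/fullchain.pem"   # empty placeholder
    : > "$root/etc/letsencrypt/live/host.example-0001/privkey.pem"     # empty placeholder
    ln -s "$root/etc/letsencrypt/live/host.example/fullchain.pem" "$root/etc/vpl/cert.pem"
    ln -s "$root/etc/letsencrypt/live/host.example/privkey.pem" "$root/etc/vpl/key.pem"
    echo "$root"
}

sb=$(make_sandbox)
echo "cert.pem before: $(link_status "$sb/etc/vpl/cert.pem")"
dir=$(find_lineages "$sb/etc/letsencrypt/live" host.example fullchain.pem | head -n 1)
repoint "$sb/etc/vpl/cert.pem" "$dir/fullchain.pem"
repoint "$sb/etc/vpl/key.pem" "$dir/privkey.pem"
echo "cert.pem after:  $(link_status "$sb/etc/vpl/cert.pem") -> $dir"
rm -rf "$sb"
```
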
In reply to Juan Carlos Rodríguez-del-Pino

Re: SSL_CTX_use_certificate_chain_file() fail: error:02001002:system library:fopen:No such file or directory

by Visvanath Ratnaweera -
Hi Juan Carlos

Indeed, rechaining the symbolic links did the trick. Now they are:
lrwxrwxrwx 1 root root 56 Mar 24 22:08 /etc/vpl/cert.pem -> ../letsencrypt/live/HOSTFQDN-0001/fullchain.pem
lrwxrwxrwx 1 root root 54 Mar 24 22:10 /etc/vpl/key.pem -> ../letsencrypt/live/HOSTFQDN-0001/privkey.pem

I think the problem was that an Apache process was already running at the standard port. It must have confused letsencrypt.

BTW, I am going to move VPL-jail-server to port 8080 and get my Apache back. This is a tiny VPS for practicing VPL. It would be nice if it contains Moodle and VPL. It is "legal", I hope. ;)

From what I see in the configuration, it is as simple as PORT=8080 in the vpl-jail-system.conf, am I right?
In reply to Visvanath Ratnaweera

Re: SSL_CTX_use_certificate_chain_file() fail: error:02001002:system library:fopen:No such file or directory

by Juan Carlos Rodríguez-del-Pino -
Hi Visvanath.
Notice that if you want to use VPL and Apache at the same machine and Apache is using Certbot to get the SSL certificates the correct way to install VPL is to indicate that you already have certificates and using symbolic links or the SSL_CERT_FILE and SSL_KEY_FILE parameters to allow VPL to get access to the certificates got by Apache.
I guess that if you are getting two different certificates for the same HOSTFQDN the Certbot generates two different directories.
If you are using Apache on the default ports HTTP:80/HTTPS:443 you must set VPL on two different ports, e.g. HTTP:8080/HTTPS:8081. You can also remove the HTTP port from VPL.
https://vpl.dis.ulpgc.es/documentation/vpl-jail-system-2.7.0/configuration.html#ssl-cert-file

Best regards,
Juan Carlos.
In reply to Juan Carlos Rodríguez-del-Pino

Re: SSL_CTX_use_certificate_chain_file() fail: error:02001002:system library:fopen:No such file or directory

by Luiz Barboza -

I am having the same problem. However, it did not generate any pem files.

lrwxrwxrwx   1 root root    49 Jun 29 15:43 cert.pem -> /etc/letsencrypt/live/pythonml.site/fullchain.pem
lrwxrwxrwx   1 root root    47 Jun 29 15:43 key.pem -> /etc/letsencrypt/live/pythonml.site/privkey.pem
-rw-------   1 root root  3814 Jun 29 16:33 vpl-jail-system.conf
-rw-------   1 root root  3814 Jun 29 16:33 vpl-jail-system.conf.LAST
root@pythonml:/etc/vpl# cd /etc/letsencrypt/
root@pythonml:/etc/letsencrypt# ls
accounts  cli.ini  csr  keys  renewal  renewal-hooks
root@pythonml:/etc/letsencrypt# ls -la
total 40

In reply to Luiz Barboza

Re: SSL_CTX_use_certificate_chain_file() fail: error:02001002:system library:fopen:No such file or directory

by Juan Carlos Rodríguez-del-Pino -

Dear Luis,
It seems that certbot has failed to install your certificates.
Please, stop VPL jail and retry running certbot.

HNAME=pythonml.site
systemctl stop vpl-jail-system
certbot certonly --standalone --preferred-challenges http -d $HNAME

Notice that HNAME must contain your full internet server name.
Remember to start VPL with

systemctl start vpl-jail-system

Best regards,
Juan Carlos.

In reply to Juan Carlos Rodríguez-del-Pino

Re: SSL_CTX_use_certificate_chain_file() fail: error:02001002:system library:fopen:No such file or directory

by Akram Adem -
I encountered the same issue and it was due to -0001 appended to the FQDN.