Javascript Fs Permission Denied Reading Ssl Cert

Hello World,

We are once again back and set to discuss a really minor issue/annoyance that some people have noticed when performing their remote connection using xRDP software. For some weeks now (see our previous posts), a lot of work has been done to analyse how Ubuntu 19.04 would affect the xRDP installation process, and we have included our findings in the latest version of our scripts. The changes are not major but still needed to be tackled to offer an easy way to perform xRDP installation and provide the best user experience.

If you are interested in our findings, you can have a look at the following posts:

  • xRDP – Manual Installation on Ubuntu 19.04
  • xRDP – Fixing Look n' Feel Settings in Ubuntu 19.04 Remote Session
  • xRDP – New "Authentication Required…" Popup showing up in Ubuntu 19.04
  • xRDP – Missing packages for Audio Redirection in Ubuntu 19.04

Today's post will explain why xRDP logs an SSL error in its log and how this can be solved. Please note that this error does not prevent the connection, and you could just ignore the steps described in this post. However, if you are a picky user and want to get rid of this error message, you can go on…

So, let's go!

Issue Description

As mentioned earlier, if you have used the manual installation approach or one of our scripts (Std installation vs Custom installation), you should be able to perform your remote connection and access your nice Ubuntu Desktop interface. No popups should be displayed and you should be able to start working almost immediately. Nonetheless, some advanced users/sysadmins have noticed that an error is thrown in the /var/log/xrdp.log file. The screenshot below shows the error that will be generated each time a user performs a remote connection (if you have not performed any additional actions).

[Screenshot: Std_install_xRDP_19.04_21]

So, to understand why this error is generated, we need to have a look at the permissions on this specific file. If you open nautilus and browse to the following location

              /etc/xrdp            

You will see that the folder does indeed contain the *.pem files (cert.pem and key.pem).

[Screenshot: xrdp_ssl_err_01]

Looking at the permissions for the file /etc/xrdp/cert.pem, any user has read access to it. This is in line with what /var/log/xrdp.log is telling us: xRDP can read the cert.pem file but gets an access denied on /etc/xrdp/key.pem.

[Screenshot: xrdp_ssl_err_02]

So, looking at the permissions on the file /etc/xrdp/key.pem, we can see that again, in theory, everybody should have read access to it.

[Screenshot: xrdp_ssl_err_03]

If we try to open this file, we get the following error message.

[Screenshot: xrdp_ssl_err_04]

This gives us a clue about the real location of the file. Indeed, checking the properties of the file, its real location is /etc/ssl/private/ssl-cert-snakeoil.key.

[Screenshot: xrdp_ssl_err_05]

Browsing to the location /etc/ssl/, we can see that the red cross (in the screenshot) on the private folder indicates no access for normal users. This can be confirmed by checking the permissions on the folder: indeed, the Others group has access set to None (i.e. Access Denied).

[Screenshot: xrdp_ssl_err_06]

Solution

Since the issue has been identified (i.e. a file permission issue), it's time to come up with a solution to this really minor issue. There are two ways to approach the problem. We can either relax security and grant access to the group Others. The other option would be to add the most appropriate user account into the ssl-cert group. As you can see on the previous screenshot above, this group has some rights and should be able to access the requested file. Let's investigate these options.

Option 1 – Change Permissions (Not the best choice)

I mention this option because I have seen a lot of people using it. This was basically the easiest way to fix their issue at that moment. Based on our analysis, the Others group has no access to the folders and file needed by xRDP. So, changing this and providing read-only access to the resources should fix our issue. Note that this makes the private key readable by every local account, which is why it is not the best choice. As shown in the following two screenshots, from nautilus (started as admin), we have changed the permissions on the folder and file located at /etc/ssl/private.

[Screenshot: xrdp_ssl_err_08]

[Screenshot: xrdp_ssl_err_09]

After that, try your xRDP connection and check the /var/log/xrdp.log file again; you should see that the warning/error is gone.

[Screenshot: xrdp_ssl_err_10]

Option 2 – Add user xrdp into ssl-cert group

This is the recommended approach. Updating the group membership of the ssl-cert group with the appropriate user account should fix the issue. The information is not new, as Martin Thiago (see this post) shared it already. To fix this minor issue without changing file system permissions, you simply need to add the user account called xrdp to the group called ssl-cert. You can achieve this by executing the following command

              sudo adduser xrdp ssl-cert                          

With no further action, if you try to perform an xRDP login again, you will notice that the error is still generated and logged in /var/log/xrdp.log. To ensure that the change fixes the issue, you also need to restart the xrdp services or simply reboot the machine, ensuring that the group membership is updated and the correct information is read by the system.
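The permission walk done above through nautilus can also be scripted. The following is an added example, not part of the original post or of the c-nergy scripts: it resolves the key.pem symlink, walks every path component, and reports the first one the account cannot pass, with and without the extra group. The function names, the account name `xrdp-demo` and the temporary tree are constructed for illustration; the tree's own group stands in for ssl-cert.

```sh
#!/bin/sh
# Added example (not from the original post). Only the classic owner/group/
# other mode bits are evaluated; ACLs and root's bypass are not modelled.

# first_blocked FILE USER "GROUP ..." [START]
# Walks the symlink-resolved path of FILE from START (default /) and prints
# the first component USER cannot traverse (directory) or read (file).
first_blocked() {
    target=$(readlink -f -- "$1") || return 2
    user=$2 groups=" $3 "
    path=$(readlink -f -- "${4:-/}"); path=${path%/}
    rest=${target#"$path"/}
    while :; do
        p=${path:-/}
        mode=$(stat -c %a -- "$p"); m=$((0$mode))    # octal, e.g. 0710
        owner=$(stat -c %U -- "$p"); group=$(stat -c %G -- "$p")
        if [ "$owner" = "$user" ]; then shift_by=6    # owner class
        else
            case $groups in
                *" $group "*) shift_by=3 ;;           # group class
                *)            shift_by=0 ;;           # others class
            esac
        fi
        if [ -d "$p" ]; then need=1; else need=4; fi  # x on dirs, r on file
        [ $(( (m >> shift_by) & need )) -ne 0 ] || { printf '%s\n' "$p"; return 1; }
        [ -n "$rest" ] || return 0
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        path=$path/$comp
    done
}

# Constructed tree mirroring the page: xrdp/key.pem is a symlink into
# private/ (mode 710) where the key is mode 640. Prints the tree's root.
build_sample_tree() {
    d=$(mktemp -d) && chmod 755 "$d"
    mkdir "$d/xrdp" "$d/private"
    : > "$d/private/ssl-cert-snakeoil.key"
    chmod 640 "$d/private/ssl-cert-snakeoil.key"; chmod 710 "$d/private"
    ln -s ../private/ssl-cert-snakeoil.key "$d/xrdp/key.pem"
    printf '%s\n' "$d"
}

tree=$(build_sample_tree)
grp=$(stat -c %G "$tree/private")    # stands in for ssl-cert
echo "no group:   $(first_blocked "$tree/xrdp/key.pem" xrdp-demo "xrdp-demo" "$tree")"
echo "with group: $(first_blocked "$tree/xrdp/key.pem" xrdp-demo "xrdp-demo $grp" "$tree" && echo readable)"
rm -rf "$tree"
```

On a real host, run it as root so every component can be inspected: with the permissions described in this post, `first_blocked /etc/xrdp/key.pem xrdp "$(id -Gn xrdp)"` names the blocking directory before the `adduser` step and prints nothing after it.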

Final Notes

This is it for this post! Once more, the fact that xRDP cannot read some of the certificate files does not seem to break the remote desktop functionality. Users should be able to connect even if the certificate file cannot be read. Because our goal is to provide the best user experience, this minor issue should be fixed and, as you have seen, the fix is really easy to implement. Actually, it's so easy to implement that it will be included in the next version of our famous scripts (Standard and custom installation scripts).

We are almost ready to release these scripts and we are already working on the next version, which might again introduce some really interesting changes.

Till next time

See ya

bernardreptereard1941.blogspot.com

Source: https://c-nergy.be/blog/?p=13708
