Dear all,

I have been trying to set up stunnel to encrypt an SMTP connection. The config of the encryption should be fine, I used it already on another OS, but I cannot get stunnel to start on my home server, based on OmniOS (kernel illumos), identified as "SunOS".
This is my config:
----
chroot = /opt/omni/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup

;pid = /opt/omni/var/lib/stunnel/stunnel.pid

; Certificate/key is needed in server mode and optional in client mode
cert = /opt/omni/etc/stunnel/mail.pem
;key = /opt/omni/etc/stunnel/mail.pem

[smtp-tls-wrapper]
accept = localhost:11125
client = yes
connect = ssl0.ovh.net:465
;delay = yes
----
and the directories mentioned have the following permissions:
----
OmniOS-Xeon:~ $ ls -al /opt/omni/etc/stunnel/
total 28
drwxr-xr-x 2 root bin 5 Sep 24 23:26 .
drwxr-xr-x 5 root bin 6 Sep 23 23:53 ..
-rw------- 1 root bin 3050 Sep 24 23:25 mail.pem
-rw-r--r-- 1 stunnel stunnel 3247 Oct 13 22:56 stunnel.conf
-rw-r--r-- 1 root bin 2997 Sep 23 23:53 stunnel.conf-sample

OmniOS-Xeon:~ $ ls -al /opt/omni/var/lib/
total 9
drwxr-xr-x 3 root bin 3 Sep 23 23:53 .
drwxr-xr-x 4 root bin 4 Sep 23 23:53 ..
drwx------ 2 stunnel stunnel 2 Sep 23 23:53 stunnel
----
The service is started from the SMF facility provided by Solaris/OmniOS/... that launches as root/root the following:
/opt/omni/bin/stunnel /opt/omni/etc/stunnel/stunnel.conf
On execution I get the following error message:
…
Initializing service section [smtp-tls-wrapper]
Certificate: /opt/omni/etc/stunnel/mail.pem
Error reading certificate file: /opt/omni/etc/stunnel/mail.pem
error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
SSL_CTX_use_certificate_chain_file: 200100D: error:0200100D:system library:fopen:Permission denied
str_stats: 9 block(s), 1032 data byte(s), 522 control byte(s)
…
I must be overlooking something but I cannot see my mistake. Could you please help me? Thank you very much in advance!
Olaf Marzocchi