HTTPS gsad unit won't come up

Hi,
After I add the key and certificate to my gsad unit file, it gets stuck in loading mode and aborts.
Has something changed in 21.4 about the SSL configuration?
Here's my unit file:

[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service
[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/run/gvm/gsad.pid
ExecStart=/usr/local/sbin/gsad --listen=<ip> --ssl-private-key=/etc/systemd/certificates/private.pem --ssl-certificate=/etc/systemd/certificates/cert.pem --timeout=600
Restart=always
TimeoutStopSec=10
[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service

Hi,

You should take a look at /var/log/gvm/gsad.log for some more details and paste them here. Additionally, we need some more information about which version you built. From which git tag, git branch, release tar.gz? Code-wise, nothing has changed in the TLS handling for some years now.

1 Like

Hi,
For my setup I used 21.4.3.tar.gz from your GitHub.
Here's the output of my /var/log/gvm/gsad.log:

gsad main:MESSAGE:2021-11-19 11h04.56 utc:67534: Starting GSAD version 21.4.3
gsad main:WARNING:2021-11-19 11h04.56 utc:67537: main: start_http_daemon redirect failed !
gsad main:WARNING:2021-11-19 11h04.56 utc:67536: Binding to port 443 failed, trying default port 9392 next.

The key and certificate match each other; I've got no idea why it can't bind to 443.

Best regards

Hi @alessio

It seems another service has occupied port 443.

Do ss -tunwlp | grep 443 to find which one.

But the best practice is to hide the default port behind Nginx: cover 80 and 443 with the Nginx service, forward traffic through it to the default OpenVAS port, and set the machine firewall for it. Another reason is that it is a better option for managing certificates for secure traffic.

1 Like

I suppose if gsad is started as gvm user it can’t bind to port 443. Ports below 1024 need root permissions.

1 Like

Yes, that is correct.

But you can manage it with the chroot option, and in this case it is better to do an Nginx proxy.

1 Like
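
To tell apart the two explanations offered above for the failed bind (port 443 already occupied versus missing privileges for ports below 1024), this added example, which is not from the thread or from Greenbone, attempts the bind and names the errno the kernel returns. It assumes Linux and is meant to be run as the service account (for example with sudo -u gvm); the function names and the 0.0.0.0 listen address are illustrative.

```python
import errno
import os
import socket

# Linux sysctl: first port an unprivileged process may bind (default 1024).
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"

REASONS = {
    errno.EACCES: "permission",          # privileged port, no root / CAP_NET_BIND_SERVICE
    errno.EADDRINUSE: "in_use",          # another socket already holds address:port
    errno.EADDRNOTAVAIL: "bad_address",  # listen address is not configured on this host
}


def unprivileged_port_start(path=SYSCTL):
    """Return the lowest port bindable without privileges, or 1024 if unknown."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 1024


def classify_bind(host, port):
    """Try to bind a TCP socket and name the reason if the kernel refuses."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            return REASONS.get(exc.errno, "error:" + errno.errorcode.get(exc.errno, "?"))
    return "ok"


def report(host, port):
    """One-line summary for the account the script runs as."""
    needs_priv = port < unprivileged_port_start()
    return "uid=%d %s:%d privileged_port=%s result=%s" % (
        os.getuid(), host, port, needs_priv, classify_bind(host, port))


if __name__ == "__main__":
    # 0.0.0.0 stands in for the <ip> placeholder used in the unit file.
    # 443 and 9392 are the ports named in gsad.log; 80 is the redirect port.
    for p in (443, 80, 9392):
        print(report("0.0.0.0", p))
```

A result of permission points at the unprivileged account, in_use at a competing listener that ss can then identify.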

Hi, thanks for the answers. I simply removed the gvm user in my unit file. Works just fine.

Best regards

Yikes, the server can speak HTTPS, therefore I can't log in anymore. The error message is “…GVM is not responding. This could be due to system maintenance…”
The log file only shows my failed login:

Authentication failure for '<user>' from <ip>. Status was 1.