• Re: Issues with nnrpd and tls

    From Roberto CORRADO@21:1/5 to Gabx on Wed Apr 2 20:14:34 2025
    XPost: news.software.nntp

    "Gabx" wrote:


    ,----[ Quote vshfc5$2dfs$[email protected] ]
    | I removed the nnrpdflags -S option from etc/news/inn.conf but port 119 is still not exactly clear
    `----

    IMHO, it is the correct procedure, but have you restarted the INN2 server?
    After launch, append su news /usr/inn/nnrpd -D -p 563 -S to the startup script.
    Gabx, congratulations on your NNTP server, you have excellent peers!

    --
    Roberto.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adam W.@21:1/5 to Gabx on Thu May 29 12:42:13 2025
    XPost: news.software.nntp

    In news.admin.peering Gabx <[email protected]> wrote:

    Any help appreciated

    I'm late to the party (I've not been active here recently), but if you
    still have the issue, here's my configuration.

    I have inn running normally, on port 119, and it drops non-peers to
    nnrpd, which accepts STARTTLS to switch to TLS.

    I also have the following entry in my inetd.conf:

    nntps stream tcp nowait news /usr/local/news/bin/nnrpd nnrpd -S

    So connections to port nntps (563) are guarded by TLS from the beginning (without STARTTLS).

    I don't know if it's the official way to do it, but it works without any problems.

    BTW, when you post to multiple groups, don't insert spaces after the
    commas. Some software might not like it (tin complains).

  • From Gabx@21:1/5 to Adam W. on Sun Jun 8 22:46:05 2025
    XPost: news.software.nntp

    Adam W. wrote:

    I have inn running normally, on port 119, and it drops non-peers to
    nnrpd, which accepts STARTTLS to switch to TLS.

    I also have the following entry in my inetd.conf:

    nntps stream tcp nowait news /usr/local/news/bin/nnrpd nnrpd -S

    So connections to port nntps (563) are guarded by TLS from the beginning (without STARTTLS).

    Hi!
    I am on Ubuntu-22.04 and my NNTP server is INN2.6.4 installed with apt.
    I have a systemd script:

    [Unit]
    Description=NNRP Daemon (standalone TLS on port 563)
    After=network-online.target
    Wants=network-online.target
    Requires=inn2.service

    [Service]
    Type=simple
    User=news
    Group=news
    ExecStart=/usr/lib/news/bin/nnrpd -p 563 -b 0.0.0.0 -S
    Restart=on-abort
    ConfigurationDirectory=news
    LogsDirectory=news
    LogsDirectoryMode=775
    RuntimeDirectory=news
    StateDirectory=news
    StateDirectoryMode=775
    ReadWritePaths=/var/spool/news/
    ProtectSystem=full
    ProtectControlGroups=yes
    ProtectHome=yes
    LimitNOFILE=infinity

    [Install]
    WantedBy=multi-user.target

    The server is in production, stopping the service would not be nice, you
    will understand me.

    I hope to find a nnrpd ssl configuration that definitely works with my environment.

    Certificates are ready with letsencrypt.
    This is the desired configuration in etc/news/inn.conf:

    #tlscafile: /etc/news/ssl/chain.pem
    #tlscapath: /etc/news/ssl
    #tlscertfile: /etc/news/ssl/cert.pem
    #tlskeyfile: /etc/news/ssl/privkey.pem
    #tlsciphers: "ECDHE+AESGCM"
    #tlsciphers13: "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
    #tlscompression: false
    #tlseccurve: "X25519:P-256:P-384:P-521"
    #tlspreferserverciphers: true
    #tlsprotocols: [ TLSv1.2 TLSv1.3 ]

    These are the errors in the logs for nnrpd launched by systemd:

    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: unable to get certificate from '/etc/news/cert.pem'
    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: error initializing TLS: [CA_file: ] [CA_path: /etc/news] [cert_file: /etc/news/cert.pem] [key_

    Uncommenting the settings in etc/news/inn.conf would probably solve this.
    There is also the *nnrpdflags* parameter, where I wouldn't know whether
    to use -S when it is already used in the systemd script,

    too many doubts.

    Gabx

    --
    0745074DFEAA9CB762E9D89D3E54F490F2CC5A82

  • From Adam W.@21:1/5 to Gabx on Sun Jun 8 23:18:18 2025
    XPost: news.software.nntp

    In news.admin.peering Gabx <[email protected]> wrote:

    The server is in production, stopping the service would not be nice, you
    will understand me.

    I sure do. When I want to do some invasive experiments on my server, I
    just copy the files (minus huge spools) to the VM and do them there. It
    might be a solution.

    These are the errors in the logs for nnrpd launched by systemd:

    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: unable to get certificate from '/etc/news/cert.pem'

    Does this file exist? What are its access rights (and access rights for /etc/news directory itself)? Is it possible that it's a simple file access error? If not, then does the file start with "-----BEGIN CERTIFICATE-----"?

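The questions Adam W. asks about the certificate file, together with the still-commented tls* paths in Gabx's inn.conf earlier in the thread, can be run as a small preflight before (re)starting nnrpd -S. This is an added example, not code from either poster or from INN; it assumes the tls* settings sit on their own lines in "key: value" form as shown above, and the demo uses constructed placeholder PEM files, not real certificates.

```shell
# Preflight for nnrpd -S: find the active tlscafile/tlscertfile/tlskeyfile settings in an
# inn.conf and check each file exists, is readable by the service user and starts with a PEM header.
set -e
# Print "key path" for each uncommented tls* file setting in inn.conf $1 (comments start with #).
tls_file_settings() {
    awk '/^[ \t]*tls(cafile|certfile|keyfile):/ {
            sub(/^[ \t]+/, ""); sub(/:[ \t]*/, " "); gsub(/"/, "")
            print $1, $2 }' "$1"
}
# Check file $2 (named by setting $1) as user $3 (default: news).
# Prints each problem found; returns 0 only when all checks pass.
check_pem_file() {
    key=$1; path=$2; user=${3:-news}; rc=0
    [ -f "$path" ] || { echo "$key: $path does not exist"; return 1; }
    # nnrpd runs as the service user, so test readability as that user when we are root.
    if [ "$(id -u)" -eq 0 ] && [ "$(id -un)" != "$user" ]; then
        su -s /bin/sh "$user" -c "test -r '$path'" || rc=1
    else
        [ -r "$path" ] || rc=1
    fi
    [ $rc -eq 0 ] || echo "$key: $path not readable by $user: $(ls -ld "$path")"
    # The key file must hold a private key; the cert and CA files a certificate.
    case $key in tlskeyfile) want='PRIVATE KEY' ;; *) want='CERTIFICATE' ;; esac
    if ! head -n 1 "$path" 2>/dev/null | grep -q "^-----BEGIN .*$want-----"; then
        echo "$key: $path does not start with a '-----BEGIN ... $want-----' line"; rc=1
    fi
    return $rc
}
# Check every active tls* file in inn.conf $1 as user $2; nonzero if any check fails.
check_inn_tls_files() {
    conf=$1; user=${2:-news}; failed=0
    settings=$(tls_file_settings "$conf")
    [ -n "$settings" ] || { echo "$conf: no active tls* file settings (still commented out?)"; return 1; }
    while read -r key path; do
        check_pem_file "$key" "$path" "$user" || failed=1
    done <<EOF
$settings
EOF
    return $failed
}
# Constructed demo: placeholder PEM files (not real keys) and a minimal inn.conf in a temp dir.
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n' > "$d/cert.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n' > "$d/privkey.pem"
    printf 'tlscertfile: %s\ntlskeyfile: %s\n#tlscafile: %s\n' "$d/cert.pem" "$d/privkey.pem" "$d/chain.pem" > "$d/inn.conf"
    check_inn_tls_files "$d/inn.conf" "$(id -un)" && echo "demo: all TLS files check out"
    rm -rf "$d"
}
demo
```

Against the real server, run it as root with `check_inn_tls_files /etc/news/inn.conf news` so the readability test happens as the news user, which is what nnrpd sees under the systemd unit above.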