After updating crowdsec-openresty-bouncer to version 1.1.3-1.el9, OpenResty fails to start and fails the configuration test. The issue is caused by the `lua_ssl_trusted_certificate` directive in the crowdsec_openresty.conf file, which contains an unresolved environment variable `${SSL_CERTS_PATH}` instead of the actual path to the certificates.
Environment
OS: Oracle Linux 9
OpenResty version: 1.29.2.3
CrowdSec OpenResty Bouncer version: 1.1.3-1.el9
Installation method: RPM package
Running `openresty -t` returns the following error:
```
nginx: [emerg] cannot load certificate "/usr/local/openresty/nginx/conf/${SSL_CERTS_PATH}": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/usr/local/openresty/nginx/conf/${SSL_CERTS_PATH}, r) error:10000080:BIO routines::no such file)
```
In the problematic version (1.1.3), crowdsec_openresty.conf looks like this:
```
lua_package_path '$prefix/../lualib/plugins/crowdsec/?.lua;;';
lua_shared_dict crowdsec_cache 50m;
lua_ssl_trusted_certificate ${SSL_CERTS_PATH}; # <-- Variable is not substituted
init_by_lua_block {
    cs = require "crowdsec"
}
```
For comparison, on another host with an older version (crowdsec-openresty-bouncer 1.1.1-1.el9 and openresty 1.29.2.3), everything works fine. The old config correctly points to the absolute path:
```
lua_package_path '$prefix/../lualib/plugins/crowdsec/?.lua;;';
lua_shared_dict crowdsec_cache 50m;
lua_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt; # <-- Hardcoded path
init_by_lua_block {
    cs = require "crowdsec"
}
```
Manually editing crowdsec_openresty.conf to replace the variable is not a viable long-term solution, as it will cause conflicts during future package updates.
Could you please advise on how to properly resolve this, or fix the packaging script so that it correctly substitutes ${SSL_CERTS_PATH} with the actual OS path during the RPM installation?
The certificate file is already in the system.
```
ll /etc/pki/tls/certs/ca-bundle.crt
lrwxrwxrwx. 1 root root 49 Nov 19 12:40 /etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
```
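A pre-flight check for the failure reported above, as an added example that is not part of the original report or of the CrowdSec packaging: it flags a `lua_ssl_trusted_certificate` value that still holds a raw `${...}` placeholder or points at an unreadable file. The function name, return codes and sample files are constructed for this example; the default prefix is the one shown in the error message.

```shell
#!/bin/sh
# Added example: pre-flight check of lua_ssl_trusted_certificate in an nginx conf.
# Return codes (chosen for this example, not defined by nginx or CrowdSec):
#   0 = path is a readable file        1 = unsubstituted ${...} placeholder
#   2 = file missing or unreadable     3 = directive not present
check_trusted_cert() {
    conf=$1
    # Default conf prefix is the one visible in the error message on this page.
    prefix=${2:-/usr/local/openresty/nginx/conf}
    # First uncommented directive; strip the trailing ';' and any comment.
    value=$(sed -n 's/^[[:space:]]*lua_ssl_trusted_certificate[[:space:]]\{1,\}\([^;[:space:]]\{1,\}\)[[:space:]]*;.*$/\1/p' "$conf" | head -n 1)
    [ -n "$value" ] || return 3
    case $value in
        *'${'*'}'*) return 1 ;;      # template variable was never rendered
    esac
    case $value in
        /*) path=$value ;;
        *)  path=$prefix/$value ;;   # nginx resolves relative paths under its prefix
    esac
    [ -r "$path" ] || return 2
    return 0
}

demo() {
    dir=$(mktemp -d)
    : > "$dir/ca-bundle.crt"         # constructed stand-in for a CA bundle
    # Constructed sample configs mirroring the two variants in the report.
    printf 'lua_shared_dict crowdsec_cache 50m;\nlua_ssl_trusted_certificate ${SSL_CERTS_PATH}; # raw\n' > "$dir/bad.conf"
    printf 'lua_ssl_trusted_certificate %s;\n' "$dir/ca-bundle.crt" > "$dir/good.conf"
    for name in bad good; do
        rc=0
        check_trusted_cert "$dir/$name.conf" || rc=$?
        echo "$name.conf -> $rc"
    done
    rm -rf "$dir"
}
demo
```

Running it against the installed crowdsec_openresty.conf after a package update, before reloading OpenResty, catches the unrendered template without waiting for the service to fail.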