Failed to start stunnel4 on Ubuntu 15.04


Is this 212.43.222.123 really your server's IP address, or are you NAT'd behind something? If you're NAT'd then your accept = needs to point to your LAN IP.

What is the output of ifconfig?

Or I wonder if the /etc/services file is preventing you from binding port 443 to a service other than https; if that's really the IP address, try commenting out the 2 lines referencing 443 in /etc/services, then restart stunnel4 again.

Default /etc/services lines:

    https           443/tcp                         # http protocol over TLS/SSL
    https           443/udp

After change:

    #https           443/tcp                         # http protocol over TLS/SSL
    #https           443/udp
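An added example, not part of the original answer or of stunnel: a check for the NAT case raised above. It reads every accept option from a stunnel configuration and tries to bind TCP port 0 on the same address. Errno 99 (EADDRNOTAVAIL, the error in the question's log) then means the address is not assigned to any local interface, which is a different failure from a busy or privileged port. The names probe_bind, check_conf and SAMPLE_CONF are made up for this example, and only numeric IP addresses are handled.

```python
import errno
import ipaddress
import re
import socket

# Constructed sample: same values as the stunnel.conf posted on this page,
# with the section header on its own line.
SAMPLE_CONF = """\
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
[ssh]
accept = 212.43.222.123:443
connect = 127.0.0.1:22
"""

def probe_bind(host):
    """Bind TCP port 0 on a numeric IP and classify the result by errno.

    Port 0 needs no root and cannot collide with a running listener, so a
    failure here is about the address, not about port 443.
    """
    ip = ipaddress.ip_address(host)
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, 0))
        except OSError as exc:
            if exc.errno == errno.EADDRNOTAVAIL:  # 99 on Linux
                return "not-local"
            return errno.errorcode.get(exc.errno, str(exc.errno))
    return "local"

def check_conf(text):
    """Return (section, accept value, verdict) for every accept option."""
    results, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith((";", "#")):  # comment line
            continue
        header = re.match(r"\[([^\]]+)\]\s*", line)
        if header:  # also tolerates "[ssh] accept = ..." on one line
            section, line = header.group(1), line[header.end():]
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key.lower() == "accept":
            # A bare port means "all local IPv4 addresses".
            host = value.rpartition(":")[0] or "0.0.0.0"
            results.append((section, value, probe_bind(host)))
    return results

if __name__ == "__main__":
    for section, accept, verdict in check_conf(SAMPLE_CONF):
        print(f"[{section}] accept = {accept}: {verdict}")
```

A "not-local" verdict on a cloud or NAT'd host usually means the public address lives on the provider's gateway; binding to the interface's private address, or using a bare port, avoids the error.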


Author: BBJ3

Updated on September 18, 2022

Comments

  • BBJ3
    BBJ3 over 1 year

    I get the following error starting stunnel4 service on Ubuntu 15.04:

    root@scw-d91ec7:~# service stunnel4 start
    Job for stunnel4.service failed. See "systemctl status stunnel4.service" and "journalctl -xe" for details.
    
    root@scw-d91ec7:~# systemctl status stunnel4.service
    ● stunnel4.service - LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons)
       Loaded: loaded (/etc/init.d/stunnel4)
       Active: failed (Result: exit-code) since Mon 2015-08-24 17:03:25 UTC; 11s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 2869 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=1/FAILURE)
    
    Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [!] Error binding service [ssh] to 212.43.222.123:443
    Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [!] bind: Cannot assign requested address (99)
    Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [ ] Closing service [ssh]
    Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [ ] Service [ssh] closed
    Aug 24 17:03:25 scw-d91ec7 systemd[1]: stunnel4.service: control process exited, code=exited status=1
    Aug 24 17:03:25 scw-d91ec7 systemd[1]: Failed to start LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons).
    Aug 24 17:03:25 scw-d91ec7 systemd[1]: Unit stunnel4.service entered failed state.
    Aug 24 17:03:25 scw-d91ec7 systemd[1]: stunnel4.service failed.
    Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [Failed: /etc/stunnel/stunnel.conf]
    Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: You should check that you have specified the pid= in you configuration file
    

    /etc/stunnel/stunnel.conf:

    root@scw-d91ec7:~# cat /etc/stunnel/stunnel.conf
    pid = /var/run/stunnel.pid
    cert = /etc/stunnel/stunnel.pem
    [ssh] accept = 212.43.222.123:443
    connect = 127.0.0.1:22
    

    /etc/default/stunnel4:

    root@scw-d91ec7:~# cat  /etc/default/stunnel4
    # /etc/default/stunnel
    # Julien LEMOINE <[email protected]>
    # September 2003
    
    # Change to one to enable stunnel automatic startup
    ENABLED=1
    FILES="/etc/stunnel/*.conf"
    OPTIONS=""
    
    # Change to one to enable ppp restart scripts
    PPP_RESTART=0
    
    # Change to enable the setting of limits on the stunnel instances
    # For example, to set a large limit on file descriptors (to enable
    # more simultaneous client connections), set RLIMITS="-n 4096"
    # More than one resource limit may be modified at the same time,
    # e.g. RLIMITS="-n 4096 -d unlimited"
    RLIMITS=""
    

    Ubuntu release:

    root@scw-d91ec7:~# lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 15.04
    Release:    15.04
    Codename:   vivid
    

    stunnel version:

    root@scw-d91ec7:~# stunnel -version
    stunnel 5.06 on arm-unknown-linux-gnueabihf platform
    Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
    Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
    
    Global options:
    debug                  = daemon.notice
    pid                    = /var/run/stunnel4.pid
    RNDbytes               = 64
    RNDfile                = /dev/urandom
    RNDoverwrite           = yes
    
    Service-level options:
    ciphers                = FIPS (with "fips = yes")
    ciphers                = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
    curve                  = prime256v1
    sessionCacheSize       = 1000
    sessionCacheTimeout    = 300 seconds
    stack                  = 65536 bytes
    TIMEOUTbusy            = 300 seconds
    TIMEOUTclose           = 60 seconds
    TIMEOUTconnect         = 10 seconds
    TIMEOUTidle            = 43200 seconds
    verify                 = none
    

    ... more details:

    root@scw-d91ec7:~# journalctl -xe
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] errno: (*__errno_location ())
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [.] Reading configuration from file /etc/stunnel/stunnel.conf
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [.] FIPS mode disabled
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Compression disabled
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Snagged 64 random bytes from /dev/urandom
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] PRNG seeded successfully
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Initializing service [ssh]
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Loading cert from file: /etc/stunnel/stunnel.pem
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Loading key from file: /etc/stunnel/stunnel.pem
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [:] Insecure file permissions on /etc/stunnel/stunnel.pem
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Private key check succeeded
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] DH initialization
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Could not load DH parameters from /etc/stunnel/stunnel.pem
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Using hardcoded DH parameters
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] DH initialized with 2048-bit key
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] ECDH initialization
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] ECDH initialized with curve prime256v1
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] SSL options: 0x03000004 (+0x03000000, -0x00000000)
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [.] Configuration successful
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Listening file descriptor created (FD=7)
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [!] Error binding service [ssh] to 212.43.222.123:443
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [!] bind: Cannot assign requested address (99)
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Closing service [ssh]
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Service [ssh] closed
    Aug 24 17:18:12 scw-d91ec7 systemd[1]: stunnel4.service: control process exited, code=exited status=1
    Aug 24 17:18:12 scw-d91ec7 systemd[1]: Failed to start LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons).
    -- Subject: Unit stunnel4.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- 
    -- Unit stunnel4.service has failed.
    -- 
    -- The result is failed.
    Aug 24 17:18:12 scw-d91ec7 systemd[1]: Unit stunnel4.service entered failed state.
    Aug 24 17:18:12 scw-d91ec7 systemd[1]: stunnel4.service failed.
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [Failed: /etc/stunnel/stunnel.conf]
    Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: You should check that you have specified the pid= in you configuration file
    

    Any idea?

    • Hemant Kumar
      Hemant Kumar over 2 years
      Remove [ssh] in front of accept = 212.43.222.123:443
  • BBJ3
    BBJ3 over 8 years
    I am root (see the prompt)
  • Jim G.
    Jim G. over 8 years
    Does it run successfully if you run stunnel from the command line?
  • Jim G.
    Jim G. over 8 years
    Is anything else currently bound to port 443? You can check with 'netstat -a'
  • BBJ3
    BBJ3 over 8 years
    Running from the command line, I get the same.
  • BBJ3
    BBJ3 over 8 years
    'netstat -ntpel' and 'ss -ntpe' actually show that stunnel4 is really listening on port 443 and it's the only one (no port mux in place).