Cups errors on core 191

Add-Ons
1

There are several issues on the latest core release (191) as shown in /var/log/cups/error_log ::

CreateProfile failed: org.freedesktop.DBus.Error.ServiceUnknown:The name org.freedesktop.ColorManager was not provided by any .service files

as well as:

[Client 1] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 2] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 3] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 4] Started “/usr/lib/cups/cgi-bin/printers.cgi” (pid=23184, file=16)
[Client 4] Started “/usr/lib/cups/cgi-bin/admin.cgi” (pid=23189, file=17)
[Client 6] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 4] Started “/usr/lib/cups/cgi-bin/printers.cgi” (pid=23288, file=17)
[Client 8] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 4] Started “/usr/lib/cups/cgi-bin/printers.cgi” (pid=23292, file=17)
[Client 10] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 4] Started “/usr/lib/cups/cgi-bin/admin.cgi” (pid=23296, file=18)
[Client 12] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 14] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 4] Started “/usr/lib/cups/cgi-bin/admin.cgi” (pid=23304, file=17)
[Client 15] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 23] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 24] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 25] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown
[Client 26] Started “/usr/lib/cups/cgi-bin/jobs.cgi” (pid=24017, file=17)
[Client 26] Started “/usr/lib/cups/cgi-bin/printers.cgi” (pid=24022, file=17)
[Client 28] Unable to encrypt connection: error:0A000416:SSL routines::ssl/tls alert certificate unknown

I guess openssl is causing these issues, since downgrading does not help and even rebuilding the add-on did not fix these issues.

When starting cups, the error_log shows a few warnings as well and I replaced the cupsd.conf with the one from the package itself:

I [29/Jan/2025:16:27:53 +0100] Listening to 0.0.0.0:631 (IPv4)
I [29/Jan/2025:16:27:53 +0100] Listening to [v1.::]:631 (IPv6)
I [29/Jan/2025:16:27:53 +0100] Listening to /var/run/cups/cups.sock (Domain)
E [29/Jan/2025:16:27:53 +0100] Unknown directive BrowseOrder on line 7 of /var/ipfire/cups/cupsd.conf.
E [29/Jan/2025:16:27:53 +0100] Unknown directive BrowseAllow on line 8 of /var/ipfire/cups/cupsd.conf.
W [29/Jan/2025:16:27:53 +0100] No limit for Validate-Job defined in policy default and no suitable template found.
W [29/Jan/2025:16:27:53 +0100] No limit for Cancel-Jobs defined in policy default - using Pause-Printer’s policy.
W [29/Jan/2025:16:27:53 +0100] No limit for Cancel-My-Jobs defined in policy default - using Send-Document’s policy.
W [29/Jan/2025:16:27:53 +0100] No limit for Close-Job defined in policy default - using Send-Document’s policy.
W [29/Jan/2025:16:27:53 +0100] No limit for CUPS-Get-Document defined in policy default - using Send-Document’s policy.
W [29/Jan/2025:16:27:53 +0100] No JobPrivateAccess defined in policy default - using defaults.
W [29/Jan/2025:16:27:53 +0100] No JobPrivateValues defined in policy default - using defaults.
W [29/Jan/2025:16:27:53 +0100] No SubscriptionPrivateAccess defined in policy default - using defaults.
W [29/Jan/2025:16:27:53 +0100] No SubscriptionPrivateValues defined in policy default - using defaults.
I [29/Jan/2025:16:27:53 +0100] Remote access is enabled.
I [29/Jan/2025:16:27:53 +0100] Loaded configuration file “/var/ipfire/cups/cupsd.conf”
I [29/Jan/2025:16:27:53 +0100] Using default TempDir of /var/spool/cups/tmp…
I [29/Jan/2025:16:27:53 +0100] Configured for up to 100 clients.
I [29/Jan/2025:16:27:53 +0100] Allowing up to 100 client connections per host.
I [29/Jan/2025:16:27:53 +0100] Using policy “default” as the default.
I [29/Jan/2025:16:27:53 +0100] Full reload is required.
I [29/Jan/2025:16:27:53 +0100] Loaded MIME database from “/usr/share/cups/mime” and “/var/ipfire/cups”: 78 types, 114 filters…
I [29/Jan/2025:16:27:53 +0100] Loading job cache file “/var/cache/cups/job.cache”…
I [29/Jan/2025:16:27:53 +0100] Full reload complete.
I [29/Jan/2025:16:27:53 +0100] Cleaning out old files in “/var/spool/cups/tmp”.
I [29/Jan/2025:16:27:53 +0100] Cleaning out old files in “/var/cache/cups”.

2

cups is working fine on my testbed vm CU191 system.

I can access the web administration system via port 631 as with previous Core Updates. Also can access the administration functions.

This is indicating that the self signed certificates in /etc/cups/ssl/ have some problem.

I don’t know if you missed the deprecation notice in the Core Update 190 release

https://www.ipfire.org/blog/ipfire-2-29-core-update-190-released#add-ons

so cups and the associated packages will be removed in Core Update 192

2 Likes
3

I use cups with IPP only since the printers support this protocol and it’s much easier to deploy printers to Windoze clients this way. Is there any alternative solution for IPFire after cups becomes deprecated?

4

After cups is removed there will not be any alternative within IPFire itself.

If your printers are not network capable with either a physical ethernet plug and/or a wifi connection then your best option would be to set up a cups server on something like a RPi system to provide access to your printers in a similar way as done currently with cups in IPFIre.

When cups-3.x is released then only IPP-Everywhere will be supported. ppd’s will no longer be used or recognised. The use of ppd’s by cups has been deprecated since 2010.

As your printers are capable of using IPP then they should be able to work without using any ppd drivers.

The benefits of the above are that your cups server is then behind the firewall rather than inside it, especially when new CVE’s are announced. They haven’t always been dealt with quickly and at the end of 2024 there was a group of CVE’s that were not responded to well, resulting in their announcement before any fix patches had been prepared. The eventual supply of the patches was also very low key in the end.

The above created a lot of hassle for the IPFire devs as we looked at the potential impacts or not for IPFire.

In the end we decided that we just don’t have the resources and bandwidth to maintain the cups environment in a secure way within IPFire.

As your logs show there are some mismatches in the used syntax for the cups configuration file, where things have changed and new parameters have been declared to need to be moved to different locations. Also cups has been split from one package into 3 or 4 separate packages that each will need to be maintained.

It is not really clear when cups-3.x will be released. Back in 2022 cups-2.5 release was talked about for May 2023 and cups-3.0 having its beta release in Sep 2023 and first release in early 2024.
None of those events occurred and currently the cups web site just says “Coming soon” for cups v3.

My current printer and my previous machine both have had ethernet connections so I was able to access them very easily via IPP using cups installed on the Arch Linux OS on my various systems.

2 Likes