Hi,

This is a good find.

Did you have a connection that had a space in the common name? Potentially it is that.

Changing the code to use the common name should be trivial. Maybe just try printing the path it is trying to delete. Are the files maybe not accessible by “nobody”?

-Michael

> On 11 Apr 2020, at 09:06, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi all,
> this patch does only works if the common name is the same then the
> connection name. Have encountered that the rrd creation for OpenVPN
> uses the common name of the certificate not the connection name -->
> 
> # root @ ipfire-server in /var/log/rrd/collectd/localhost [8:34:50] 
> $ ls
> cpu-0      disk-loop0                 iptables-filter-PSCAN  processes-charon    processes-spamd
> cpu-1      disk-sda                   load                   processes-java      processes-squid
> cpu-2      entropy                    memory                 processes-mpd       processes-squidguard
> cpu-3      interface                  openvpn-rwonecert      processes-nmbd      processes-sshd
> cpufreq    iptables-filter-NEWNOTSYN  openvpn-rwtwocert      processes-openvpn   sensors-coretemp-isa-0000
> disk-dm-0  iptables-filter-POLICYFWD  ping                   processes-qemu      sensors-f71869-isa-0290
> disk-dm-1  iptables-filter-POLICYIN   processes              processes-rtorrent  swap
> disk-dm-2  iptables-filter-POLICYOUT  processes-asterisk     processes-smbd
> 
> $ cat /var/ipfire/ovpn/ovpnconfig 
> 1,on,rwonename,rwonecert,host,cert,,,,,,,,,,,,,,,,,,,,,,,,,,,,dynamic
> 2,on,rwtwoname,rwtwocert,host,cert,,,,,,,,,,,,,,,,,,,,,,,,,,,,dynamic,,,,,,,,,,,
> 
> strangely enough if i set the element index to [2] it doesn´t work. Currently not sure why that´s happen.
> 
> It is better to revert this patch.
> 
> Best,
> 
> Erik
> 
> Am Samstag, den 28.03.2020, 10:45 +0100 schrieb ummeegge:
>> Hi Peter,
>> 
>> Am Samstag, den 28.03.2020, 09:25 +0000 schrieb Peter Müller:
>>> Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> 
>>> In my opinion, this fixes #11713.
>> 
>> Haven´t seen that one, yes i think so.
>> Have found another one in here --> 
>> 
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=html/cgi-bin/ovpnmain.cgi;h=e76a688fe7dcda0b77bf716eb2538342cd775b00;hb=HEAD#l1224
>> which can not be solved in this way. Need to have another look into
>> this.
>> Will send a separate patch then for "delete all RRDs if X509 is
>> deleted".
>> 
>> Need a little more time.
>> 
>> Best,
>> 
>> Erik
>> 
>>> 
>>>> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
>>>> ---
>>>> html/cgi-bin/ovpnmain.cgi | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>> 
>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-
>>>> bin/ovpnmain.cgi
>>>> index ce9524df7..00ecd77a0 100644
>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>> @@ -2513,7 +2513,7 @@ else
>>>> # CCD end
>>>> 		# Update collectd configuration and delete all RRD
>>>> files of the removed connection
>>>> 		&writecollectdconf();
>>>> -		system ("/usr/local/bin/openvpnctrl -drrd
>>>> $confighash{$cgiparams{'KEY'}}[1]");
>>>> +		system ('/usr/local/bin/openvpnctrl', '-drrd',
>>>> $confighash{$cgiparams{'KEY'}}[1]);
>>>> 
>>>> 		delete $confighash{$cgiparams{'KEY'}};
>>>> 		my $temp2 = `/usr/bin/openssl ca -gencrl -out
>>>> ${General::swroot}/ovpn/crls/cacrl.pem -config
>>>> ${General::swroot}/ovpn/openssl/ovpn.cnf`;
>>>> 
>> 
>> 
>