public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
Date: Fri, 07 Jun 2024 10:22:07 +0200	[thread overview]
Message-ID: <2b73ec17-94ab-4c2d-8aa3-b11d218f2457@ipfire.org> (raw)
In-Reply-To: <b8749e1d-0eb2-40f3-88b1-f3b4caf63e0a@ipfire.org>


Hi Michael,

Any comments on my feedback? Did I make some errors, or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186, which would mean giving it some good testing, which I am willing and available to do.

Regards,

Adolf.

On 05/06/2024 13:52, Adolf Belka wrote:
> I re-did the vm build and first did a restore of my system so I could access the logs via ssh.
>
> Then I cleared the x509 system and cleared the error_log and then ran the x509 create and the following is the output in the error_log file
>
>
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server
>
> So you can see explicitly what it came back with.
>
> Regards,
>
> Adolf
>
>
> On 05/06/2024 13:33, Adolf Belka wrote:
>> Hi All,
>>
>> I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch.
>>
>> I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message.
>>
>> In the httpd/error_log file it had the following message
>>
>> Email Address []:Error checking request extension section server
>>
>> Regards,
>>
>> Adolf.
>>
>> On 05/06/2024 13:26, Adolf Belka wrote:
>>> Hi Michael,
>>>
>>> Here is my feedback on these three patches and the issues I found when I tried to use them.
>>>
>>> I had to manually apply them so there is also the possibility that I made a typo somewhere.
>>>
>>> On 18/04/2024 23:36, Michael Tremer wrote:
>>>> We should not have any configuration files that we share in this place,
>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>> should be able to update it without any issues.
>>>>
>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>> ---
>>>>   config/rootfiles/common/openvpn | 2 +-
>>>>   html/cgi-bin/ovpnmain.cgi       | 2 +-
>>>>   lfs/openvpn                     | 6 ++++++
>>>>   3 files changed, 8 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>>> index d9848a579..c0d49bfad 100644
>>>> --- a/config/rootfiles/common/openvpn
>>>> +++ b/config/rootfiles/common/openvpn
>>> These changes were no problem.
>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>>   #usr/share/doc/openvpn/openvpn.8.html
>>>>   #usr/share/man/man5/openvpn-examples.5
>>>>   #usr/share/man/man8/openvpn.8
>>>> +usr/share/openvpn/openssl.cnf
>>>>   var/ipfire/ovpn/ca
>>>>   var/ipfire/ovpn/caconfig
>>>>   var/ipfire/ovpn/ccd
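Review bot: the packaged name `usr/share/openvpn/openssl.cnf` added here does not match what the lfs hunk in this same patch produces, where `mv -v /var/ipfire/ovpn/openssl/ovpn.cnf /usr/share/openvpn/` keeps the old file name `ovpn.cnf`; either the mv target should be `/usr/share/openvpn/openssl.cnf` or this entry should list `ovpn.cnf`, otherwise the rootfile references a file that the build never creates.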
>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>>   var/ipfire/ovpn/crls
>>>>   var/ipfire/ovpn/n2nconf
>>>>   #var/ipfire/ovpn/openssl
>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>>   var/ipfire/ovpn/openvpn-authenticator
>>>>   var/ipfire/ovpn/ovpn-leases.db
>>>>   var/ipfire/ovpn/ovpnconfig
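Review bot: the commented directory entry `#var/ipfire/ovpn/openssl` just above the removed `ovpn.cnf` line is left in place; once the lfs step removes that (now empty) source directory instead of `/usr/share/openvpn`, this entry can go as well so the rootfile does not keep listing a path that no longer exists on the built system.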
>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>> index 9b8ff5aa5..ed80fef7d 100755
>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>> Also this change no problem.
>>>> @@ -54,7 +54,7 @@ my %mainsettings = ();
>>>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
>>>>     # Use a custom OpenSSL configuration file for all operations
>>>> -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem";
>>>> +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf";
>>>>     ###
>>>>   ### Initialize variables
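Review bot: both the removed and the added line write `$ENV["OPENSSL_CONF"]` with square brackets; in Perl that indexes an array `@ENV`, not the `%ENV` hash, so the environment variable is never exported to the `openssl` child processes and they fall back to the default configuration, which would equally explain the `Error checking request extension section server` output reported further down in this thread. The line should read `$ENV{"OPENSSL_CONF"} = "/usr/share/openvpn/openssl.cnf";`. The old value pointed at `cacert.pem`, a certificate rather than a configuration file, which only went unnoticed because the assignment never took effect.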
>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>> index b71b4ccc9..0704aa438 100644
>>>> --- a/lfs/openvpn
>>>> +++ b/lfs/openvpn
>>> This change refused to build as it said the directory removal was for a non-empty directory. When I looked at it I believe that it needed to be different.
>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>       chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>>       chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>>   +    # Move the OpenSSL configuration file out of /var/ipfire
>>>> +    mkdir -pv /usr/share/openvpn
>>>> +    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>> +        /usr/share/openvpn/
>>>> +    rmdir -v /usr/share/openvpn
>>>> +
>>>
>>> The above lines I changed to
>>>
>>> +    # Move the OpenSSL configuration file out of /var/ipfire
>>> +    mkdir -pv /usr/share/openvpn
>>> +    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>> +        /usr/share/openvpn/openssl.cnf
>>> +    rmdir -v /var/ipfire/ovpn/openssl/
>>> +
>>> with my changes in the last two lines.
>>> When I changed just the last line to start with, the openvpn lfs built, but later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one-before-last line.
>>>
>>> Regards,
>>> Adolf.
>>>
>>>>       # Install authenticator
>>>>       install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>>           /usr/sbin/openvpn-authenticator
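Review bot: `rmdir -v /usr/share/openvpn` removes the directory that `mkdir -pv` just created and that the `mv` just populated, so it fails on a non-empty directory (as reported above) and, had it succeeded, would have thrown the moved file away again; the directory to remove is the now-empty source `/var/ipfire/ovpn/openssl/`. The `mv` target `/usr/share/openvpn/` also keeps the name `ovpn.cnf`, while the rootfile and `ovpnmain.cgi` in this same patch expect `openssl.cnf`; the target should be `/usr/share/openvpn/openssl.cnf`, which is exactly the two-line correction Adolf posted.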
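As an added diagnostic (not code from the patch or from anyone in this thread), a small POSIX shell check for the two failure modes reported above: the configured OpenSSL file not existing at the path the CGI sets, and the file lacking the extension section named in the `Error checking request extension section server` message. The section name `server`, the function name and the sample config are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not part of the IPFire patch: catch the two failure modes
# seen in the thread before openssl is ever invoked.
#   1. OPENSSL_CONF points at a path that does not exist (the file was moved
#      but kept its old name ovpn.cnf), or
#   2. the file exists but has no "[ server ]" section, so
#      "openssl req ... -extensions server" reports
#      "Error checking request extension section server".
# Usage: check_openssl_conf /usr/share/openvpn/openssl.cnf server
# Returns 0 when usable, 1 when the file is missing, 2 when the section is.

check_openssl_conf() {
    conf="$1"
    section="${2:-server}"
    if [ ! -r "$conf" ]; then
        echo "missing: $conf (check OPENSSL_CONF and the mv target name)" >&2
        return 1
    fi
    # Match a "[ server ]" header, tolerating any whitespace inside the brackets.
    if ! grep -Eq "^[[:space:]]*\[[[:space:]]*${section}[[:space:]]*\]" "$conf"; then
        echo "no [ $section ] section in $conf" >&2
        return 2
    fi
    return 0
}

# Constructed sample config (not the IPFire file) to exercise both outcomes.
TMP_OK="$(mktemp)"
cat > "$TMP_OK" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)

[ server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

# Same file with the "[ server ]" section cut off: the second failure mode.
TMP_NOSEC="$(mktemp)"
sed '/^\[ server \]/,$d' "$TMP_OK" > "$TMP_NOSEC"
```

Run it against the path `ovpnmain.cgi` exports before generating a host certificate; a non-zero return tells you which of the two problems to fix.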
