From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
Date: Fri, 07 Jun 2024 10:22:07 +0200
Message-ID: <2b73ec17-94ab-4c2d-8aa3-b11d218f2457@ipfire.org>

Hi Michael,

Any comments on my feedback? Did I make some errors, or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186, which would mean giving it some good testing, which I am willing and available to do.

Regards,
Adolf.

On 05/06/2024 13:52, Adolf Belka wrote:
> I re-did the vm build and first did a restore of my system so I could access the logs via ssh.
>
> Then I cleared the x509 system and cleared the error_log and then ran the x509 create and the following is the output in the error_log file
>
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server
>
> So you can see explicitly what it came back with.
>
> Regards,
>
> Adolf
>
>
> On 05/06/2024 13:33, Adolf Belka wrote:
>> Hi All,
>>
>> I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch.
>>
>> I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message.
>>
>> In the httpd/error_log file it had the following message
>>
>> Email Address []:Error checking request extension section server
>>
>> Regards,
>>
>> Adolf.
>>
>> On 05/06/2024 13:26, Adolf Belka wrote:
>>> Hi Michael,
>>>
>>> Here is my feedback on these three patches and the issues I found when I tried to use them.
>>>
>>> I had to manually apply them so there is also the possibility that I made a typo somewhere.
>>>
>>> On 18/04/2024 23:36, Michael Tremer wrote:
>>>> We should not have any configuration files that we share in this place,
>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>> should be able to update it without any issues.
>>>> >>>> Signed-off-by: Michael Tremer >>>> --- >>>> =C2=A0 config/rootfiles/common/openvpn | 2 +- >>>> =C2=A0 html/cgi-bin/ovpnmain.cgi=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | 2= +- >>>> =C2=A0 lfs/openvpn=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | 6 ++++++ >>>> =C2=A0 3 files changed, 8 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/o= penvpn >>>> index d9848a579..c0d49bfad 100644 >>>> --- a/config/rootfiles/common/openvpn >>>> +++ b/config/rootfiles/common/openvpn >>> These changes were no problem. >>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>> =C2=A0 #usr/share/doc/openvpn/openvpn.8.html >>>> =C2=A0 #usr/share/man/man5/openvpn-examples.5 >>>> =C2=A0 #usr/share/man/man8/openvpn.8 >>>> +usr/share/openvpn/openssl.cnf >>>> =C2=A0 var/ipfire/ovpn/ca >>>> =C2=A0 var/ipfire/ovpn/caconfig >>>> =C2=A0 var/ipfire/ovpn/ccd >>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>> =C2=A0 var/ipfire/ovpn/crls >>>> =C2=A0 var/ipfire/ovpn/n2nconf >>>> =C2=A0 #var/ipfire/ovpn/openssl >>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>> =C2=A0 var/ipfire/ovpn/openvpn-authenticator >>>> =C2=A0 var/ipfire/ovpn/ovpn-leases.db >>>> =C2=A0 var/ipfire/ovpn/ovpnconfig >>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>> index 9b8ff5aa5..ed80fef7d 100755 >>>> --- a/html/cgi-bin/ovpnmain.cgi >>>> +++ b/html/cgi-bin/ovpnmain.cgi >>> Also this change no problem. >>>> @@ -54,7 +54,7 @@ my %mainsettings =3D (); >>>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.tx= t", \%color); >>>> =C2=A0 =C2=A0 # Use a custom OpenSSL configuration file for all operatio= ns >>>> -$ENV["OPENSSL_CONF"] =3D "${General::swroot}/ovpn/ca/cacert.pem"; >>>> +$ENV["OPENSSL_CONF"] =3D "/usr/share/openvpn/openssl.cnf"; >>>> =C2=A0 =C2=A0 ### >>>> =C2=A0 ### Initialize variables 
>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>> index b71b4ccc9..0704aa438 100644 >>>> --- a/lfs/openvpn >>>> +++ b/lfs/openvpn >>> This change refused to build as it said the directory removal was for a n= on empty directory. When I looked at it I believe that it needed to be differ= ent. >>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 chown root:root /etc/fcron.daily/openvpn-= crl-updater >>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 chmod 750 /etc/fcron.daily/openvpn-crl-up= dater >>>> =C2=A0 +=C2=A0=C2=A0=C2=A0 # Move the OpenSSL configuration file out of = /var/ipfire >>>> +=C2=A0=C2=A0=C2=A0 mkdir -pv /usr/share/openvpn >>>> +=C2=A0=C2=A0=C2=A0 mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 /usr/share/openvpn/ >>>> +=C2=A0=C2=A0=C2=A0 rmdir -v /usr/share/openvpn >>>> + >>> >>> The above lines I changed to >>> >>> +=C2=A0=C2=A0=C2=A0 # Move the OpenSSL configuration file out of /var/ipf= ire >>> +=C2=A0=C2=A0=C2=A0 mkdir -pv /usr/share/openvpn >>> +=C2=A0=C2=A0=C2=A0 mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 /usr/share/openvpn/openssl.cnf >>> +=C2=A0=C2=A0=C2=A0 rmdir -v /var/ipfire/ovpn/openssl/ >>> + >>> with my changes in the last two lines. >>> When I changed just the last line to start with then the openvpn lfs buil= t but then later on in the cdrom stage it complained about openssl.cnf not be= ing found, hence I also then added the change to the one before last line. >>> >>> Regards, >>> Adolf. >>> >>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # Install authenticator >>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 install -v -m 755 $(DIR_SRC)/config/ovpn/= openvpn-authenticator \ >>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 /usr/sbin/openvpn= -authenticator --===============1178092024006732298==--
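Review bot: in the second rootfiles hunk (@@ -35,7 +36,6 @@) the entry `var/ipfire/ovpn/openssl/ovpn.cnf` is removed but the directory entry `#var/ipfire/ovpn/openssl` is kept; once the build step removes that directory (the reply's corrected lines run `rmdir -v /var/ipfire/ovpn/openssl/`), the entry describes a path that no longer exists and should be dropped in the same hunk so the rootfile matches the tree that is actually built.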
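Review bot: both the removed and the added line of the ovpnmain.cgi hunk assign to `$ENV["OPENSSL_CONF"]`, which in Perl is element 0 of an array `@ENV`, not the process environment; the environment is the hash `%ENV`, so the line has to read `$ENV{"OPENSSL_CONF"} = "/usr/share/openvpn/openssl.cnf";`. As written, the openssl child processes never see the custom file and fall back to the system default configuration, which has no `[server]` extension section; that is consistent with the `Error checking request extension section server` failure reported earlier in the thread, where the root certificate is created but the host certificate request is not. The removed line also pointed OPENSSL_CONF at `ovpn/ca/cacert.pem`, a certificate rather than a configuration file, so fixing the hash syntax is what actually makes the new path take effect.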
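Review bot: the lfs/openvpn hunk ends with `rmdir -v /usr/share/openvpn`, which removes the directory it has just populated and fails with "not empty", as the reply reports, and `mv -v /var/ipfire/ovpn/openssl/ovpn.cnf /usr/share/openvpn/` keeps the basename `ovpn.cnf` while the rootfile hunk and the cgi hunk both expect `usr/share/openvpn/openssl.cnf`. The reply's corrected lines (`mv` to `/usr/share/openvpn/openssl.cnf` and `rmdir -v /var/ipfire/ovpn/openssl/`) address both; `install -v -m 644` would additionally fix the mode of the new file instead of inheriting whatever the source had. Since the build step only covers a fresh build, please also confirm that the core update shipping this change (the thread mentions CU186) performs the same move on installed systems.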
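The failure Adolf reports, "Error checking request extension section server", is what `openssl req` produces when the section named by `-reqexts` is absent from the configuration file in use. The script below is an added example, not code from the IPFire patch or from the thread: it builds a constructed configuration with and without a `[server]` section and runs the request step with OPENSSL_CONF pointing at each, the same mechanism ovpnmain.cgi relies on; the extension values, the curve and the subject are assumptions.

```shell
#!/bin/sh
# Added example, not code from the IPFire patch. It reproduces the failure
# seen in the thread: "openssl req ... -reqexts server" needs a [server]
# section in the configuration file OPENSSL_CONF points at. The stock
# openssl.cnf has none, so if the custom file is not picked up the request
# step fails with "Error checking request extension section server".

# Write a constructed config to $1; $2 is "with" or "without" [server].
# The extension values are assumptions, not IPFire's actual ovpn.cnf.
write_cfg() {
    printf '[req]\ndistinguished_name = req_dn\n[req_dn]\ncommonName = CN\n' > "$1"
    if [ "$2" = "with" ]; then
        printf '[server]\nbasicConstraints = CA:FALSE\n' >> "$1"
        printf 'extendedKeyUsage = serverAuth\n' >> "$1"
    fi
}

# Check for a deployed file: does it define the section ($2) that the
# x509 step asks for?  Usage: has_section /usr/share/openvpn/openssl.cnf server
has_section() {
    grep -q "^[[:space:]]*\[[[:space:]]*$2[[:space:]]*]" "$1"
}

# Generate a request with OPENSSL_CONF pointing at $1, the same mechanism
# ovpnmain.cgi relies on. Returns openssl's exit status; stderr goes to $2.
req_with_conf() {
    rc=0
    tmp=$(mktemp -d)
    OPENSSL_CONF="$1" openssl req -new -batch -subj "/CN=host.example" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$tmp/key.pem" -out "$tmp/req.pem" -reqexts server \
        2> "$2" || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Demo run: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for variant in with without; do
        cfg=$(mktemp); err=$(mktemp)
        write_cfg "$cfg" "$variant"
        if req_with_conf "$cfg" "$err"; then
            echo "$variant [server]: request created"
        else
            echo "$variant [server]: failed: $(head -n 1 "$err")"
        fi
        rm -f "$cfg" "$err"
    done
fi
```

Running `has_section` against the file OPENSSL_CONF names on an installed system is the quick check that the custom configuration is really the one the CGI hands to openssl.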