From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
Date: Sat, 08 Jun 2024 13:16:12 +0200
Message-ID: <7bd9e80c-a0b2-4283-8d15-c39f9444c45a@ipfire.org>
In-Reply-To: <866c130a-15e7-440d-912e-3508e4fdb065@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4893432813488426008=="
List-Id: <development.lists.ipfire.org>

--===============4893432813488426008==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Re-sending with minor change as I think I left some bits in that made the mai=
l server miss a section out.

Hi Michael,

With the small changes I made it now successfully built and also after instal=
ling in a vm it has built the x509 certificate set.

I suspect successfully as I didn't change any of the changes you made to the =
ovpnmain.cgi or the openvpn-crl-updater.

The minor changes I made, compared to the existing openvpn lfs and rootfile a=
re the following



 =C2=A0config/rootfiles/common/openvpn | 2 +-
 =C2=A0lfs/openvpn=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | 6 ++++++
 =C2=A02 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..8a36d4bb4 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
 =C2=A0#usr/share/doc/openvpn/openvpn.8.html
 =C2=A0#usr/share/man/man5/openvpn-examples.5
 =C2=A0#usr/share/man/man8/openvpn.8
+usr/share/openvpn/ovpn.cnf
 =C2=A0var/ipfire/ovpn/ca
 =C2=A0var/ipfire/ovpn/caconfig
 =C2=A0var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
 =C2=A0var/ipfire/ovpn/crls
 =C2=A0var/ipfire/ovpn/n2nconf
 =C2=A0#var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
 =C2=A0var/ipfire/ovpn/openvpn-authenticator
 =C2=A0var/ipfire/ovpn/ovpn-leases.db
 =C2=A0var/ipfire/ovpn/ovpnconfig
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..b686cc930 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 =C2=A0=C2=A0=C2=A0=C2=A0 chown root:root /etc/fcron.daily/openvpn-crl-updater
 =C2=A0=C2=A0=C2=A0=C2=A0 chmod 750 /etc/fcron.daily/openvpn-crl-updater

+=C2=A0=C2=A0=C2=A0 # Move the OpenSSL configuration file out of /var/ipfire
+=C2=A0=C2=A0=C2=A0 mkdir -pv /usr/share/openvpn
+=C2=A0=C2=A0=C2=A0 mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 /usr/share/openvpn/
+=C2=A0=C2=A0=C2=A0 rmdir -v /var/ipfire/ovpn/openssl
+
 =C2=A0=C2=A0=C2=A0=C2=A0 # Install authenticator
 =C2=A0=C2=A0=C2=A0=C2=A0 install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-au=
thenticator \
 =C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 /usr/sbin/openvpn-authenticator


So I think we are close to having it working.

I will create an OpenVPN Roadwarrior connection with the x509 certificate set=
 that has been created to confirm that it is all working properly now.

I can in fact confirm that a successful road warrior connection was able to b=
e made with the x509 cert set that was created with the modified patch.


Regards,

Adolf.


On 08/06/2024 12:43, Adolf Belka wrote:
> Hi Michael,
>
> I have made a change to the rootfile and the lfs file only and that has now=
 successfully built. That will only have ovpn.cnf in the new location.
>
> =C2=A0am now doing a build on my vm and will see if that then creates the c=
ertificates or not.
>
> Regards,
> Adolf.
>
> On 08/06/2024 12:14, Michael Tremer wrote:
>> Hello,
>>
>> Thanks for testing this.
>>
>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>
>>> Hi Michael,
>>>
>>> On 07/06/2024 18:01, Michael Tremer wrote:
>>>> We should not have any configuration files that we share in this place,
>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>> should be able to update it without any issues.
>>>>
>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>> ---
>>>> =C2=A0 config/ovpn/openvpn-crl-updater |=C2=A0 3 +--
>>>> =C2=A0 config/rootfiles/common/openvpn |=C2=A0 2 +-
>>>> =C2=A0 html/cgi-bin/ovpnmain.cgi=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | 2=
0 ++++++++++----------
>>>> =C2=A0 lfs/openvpn=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 6 =
++++++
>>>> =C2=A0 4 files changed, 18 insertions(+), 13 deletions(-)
>>>>
>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-u=
pdater
>>>> index 5fbe21080..5008d6725 100644
>>>> --- a/config/ovpn/openvpn-crl-updater
>>>> +++ b/config/ovpn/openvpn-crl-updater
>>>> @@ -43,7 +43,6 @@ OVPN=3D"/var/ipfire/ovpn"
>>>> =C2=A0 CRL=3D"${OVPN}/crls/cacrl.pem"
>>>> =C2=A0 CAKEY=3D"${OVPN}/ca/cakey.pem"
>>>> =C2=A0 CACERT=3D"${OVPN}/ca/cacert.pem"
>>>> -OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf"
>>>> =C2=A0=C2=A0=C2=A0 # Check if CRL is presant or if OpenVPN is active
>>>> =C2=A0 if [ ! -e "${CAKEY}" ]; then
>>>> @@ -76,7 +75,7 @@ UPDATE=3D"14"
>>>> =C2=A0 ## Mainpart
>>>> =C2=A0 # Check if OpenVPNs CRL needs to be renewed
>>>> =C2=A0 if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>>>> -=C2=A0=C2=A0=C2=A0 if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${C=
ACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>>>> +=C2=A0=C2=A0=C2=A0 if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${C=
ACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>>> =C2=A0=C2=A0 logger -t openvpn "CRL has been updated"
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 else
>>>> =C2=A0=C2=A0 logger -t openvpn "error: Could not update CRL"
>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/o=
penvpn
>>>> index d9848a579..c0d49bfad 100644
>>>> --- a/config/rootfiles/common/openvpn
>>>> +++ b/config/rootfiles/common/openvpn
>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>> =C2=A0 #usr/share/doc/openvpn/openvpn.8.html
>>>> =C2=A0 #usr/share/man/man5/openvpn-examples.5
>>>> =C2=A0 #usr/share/man/man8/openvpn.8
>>>> +usr/share/openvpn/openssl.cnf
>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/ope=
nssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the c=
ode continues to use ovpn.cnf
>>
>> Oh.
>>
>>>> =C2=A0 var/ipfire/ovpn/ca
>>>> =C2=A0 var/ipfire/ovpn/caconfig
>>>> =C2=A0 var/ipfire/ovpn/ccd
>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>> =C2=A0 var/ipfire/ovpn/crls
>>>> =C2=A0 var/ipfire/ovpn/n2nconf
>>>> =C2=A0 #var/ipfire/ovpn/openssl
>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>> =C2=A0 var/ipfire/ovpn/openvpn-authenticator
>>>> =C2=A0 var/ipfire/ovpn/ovpn-leases.db
>>>> =C2=A0 var/ipfire/ovpn/ovpnconfig
>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>> index c92d0237d..f0172978f 100755
>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>> @@ -1836,7 +1836,7 @@ END
>>>> =C2=A0=C2=A0 '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>>> =C2=A0=C2=A0 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>> =C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'cant start openssl'}: $!";
>>>> =C2=A0=C2=A0 goto ROOTCERT_ERROR;
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }
>>>> @@ -1868,7 +1868,7 @@ END
>>>> =C2=A0=C2=A0 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>>> =C2=A0=C2=A0 '-extensions', 'server',
>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>>> =C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'cant start openssl'}: $!";
>>>> =C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>> =C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>>>> @@ -1885,7 +1885,7 @@ END
>>>> =C2=A0=C2=A0 '-in',=C2=A0 "${General::swroot}/ovpn/certs/serverreq.pem",
>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>>> =C2=A0=C2=A0 '-extensions', 'server',
>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>> =C2=A0=C2=A0 if ($?) {
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'opens=
sl produced an error'}: $?";
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/ca=
/cakey.pem");
>>>> @@ -1904,7 +1904,7 @@ END
>>>> =C2=A0=C2=A0 # System call is safe, because all arguments are passed as =
array.
>>>> =C2=A0=C2=A0 system('/usr/bin/openssl', 'ca', '-gencrl',
>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>>> =C2=A0=C2=A0 if ($?) {
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'opens=
sl produced an error'}: $?";
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/ce=
rts/serverkey.pem");
>>>> @@ -2426,8 +2426,8 @@ else
>>>> =C2=A0=C2=A0=C2=A0=C2=A0 if ($confighash{$cgiparams{'KEY'}}) {
>>>> =C2=A0=C2=A0 # Revoke certificate if certificate was deleted and rewrite=
 the CRL
>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swro=
ot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${Gene=
ral::swroot}/ovpn/openssl/ovpn.cnf");
>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gener=
al::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl=
/ovpn.cnf");
>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swro=
ot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/s=
hare/openvpn/ovpn.cnf");
>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gener=
al::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>> =C2=A0=C2=A0=C2=A0 ###
>>>> =C2=A0 # m.a.d net2net
>>>> @@ -2480,7 +2480,7 @@ else
>>>> =C2=A0=C2=A0 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$c=
onfighash{$cgiparams{'KEY'}}[1]");
>>>> =C2=A0=C2=A0=C2=A0=C2=A0 delete $confighash{$cgiparams{'KEY'}};
>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gener=
al::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl=
/ovpn.cnf");
>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gener=
al::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%configh=
ash);
>>>> =C2=A0=C2=A0=C2=A0=C2=A0 } else {
>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>> =C2=A0=C2=A0 '-batch', '-notext',
>>>> =C2=A0=C2=A0 '-in', $filename,
>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}ce=
rt.pem",
>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if ($?) {
>>>> =C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'openssl produced an error'}: =
$?";
>>>> =C2=A0=C2=A0 unlink ($filename);
>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>> =C2=A0=C2=A0 '-newkey', 'rsa:4096',
>>>> =C2=A0=C2=A0 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'=
}key.pem",
>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}re=
q.pem",
>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'cant =
start openssl'}: $!";
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/ce=
rts/$cgiparams{'NAME'}key.pem");
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/ce=
rts/$cgiparams{'NAME'}req.pem");
>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>> =C2=A0=C2=A0 '-batch', '-notext',
>>>> =C2=A0=C2=A0 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req=
.pem",
>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}ce=
rt.pem",
>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if ($?) {
>>>> =C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'openssl produced an error'}: =
$?";
>>>> =C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}ke=
y.pem");
>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>> index b71b4ccc9..0704aa438 100644
>>>> --- a/lfs/openvpn
>>>> +++ b/lfs/openvpn
>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>> =C2=A0=C2=A0 chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>> =C2=A0=C2=A0 chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>> =C2=A0 + # Move the OpenSSL configuration file out of /var/ipfire
>>>> + mkdir -pv /usr/share/openvpn
>>> This creates the new directory.
>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>> + /usr/share/openvpn/
>>> This then moves the ovpn.cnf file from the old location to the new one bu=
t keeps the name the same. This will then mismatch with the rootfile change.
>>>> + rmdir -v /usr/share/openvpn
>>> This then seems to me to be trying to delete the newly created directory =
which seems incorrect to me unless I have misunderstood what is trying to be =
done with this overall patch, which could also be the case.
>>
>> Yes, I have no idea what I did when I developed this the first time. Nothi=
ng good obviously.
>>
>> I will send patches.
>>
>> -Michael
>>
>>> Regards,
>>> Adolf.
>>>> +
>>>> =C2=A0=C2=A0 # Install authenticator
>>>> =C2=A0=C2=A0 install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authentica=
tor \
>>>> =C2=A0=C2=A0 /usr/sbin/openvpn-authenticator
>>>
>>> --=20
>>> Sent from my laptop
>>
>>

--===============4893432813488426008==--