public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
Date: Sun, 09 Jun 2024 09:58:42 +0200
Message-ID: <81aab8c7-03f0-4cd8-aff0-ba496aff8795@ipfire.org>
In-Reply-To: <7bd9e80c-a0b2-4283-8d15-c39f9444c45a@ipfire.org>


Hi Michael,

I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run.

As soon as I see that the nightly for the master x86_64 has also been run then I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created.

Regards,

Adolf.


On 08/06/2024 13:16, Adolf Belka wrote:
> Re-sending with minor change as I think I left some bits in that made the mail server miss a section out.
>
> Hi Michael,
>
> With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set.
>
> I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater.
>
> The minor changes I made, compared to the existing openvpn lfs and rootfile are the following
>
>
>
>  config/rootfiles/common/openvpn | 2 +-
>  lfs/openvpn                     | 6 ++++++
>  2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index d9848a579..8a36d4bb4 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>  #usr/share/doc/openvpn/openvpn.8.html
>  #usr/share/man/man5/openvpn-examples.5
>  #usr/share/man/man8/openvpn.8
> +usr/share/openvpn/ovpn.cnf
>  var/ipfire/ovpn/ca
>  var/ipfire/ovpn/caconfig
>  var/ipfire/ovpn/ccd
> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>  var/ipfire/ovpn/crls
>  var/ipfire/ovpn/n2nconf
>  #var/ipfire/ovpn/openssl
> -var/ipfire/ovpn/openssl/ovpn.cnf
>  var/ipfire/ovpn/openvpn-authenticator
>  var/ipfire/ovpn/ovpn-leases.db
>  var/ipfire/ovpn/ovpnconfig
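Review bot: the commented `#var/ipfire/ovpn/openssl` entry is kept in this hunk although the lfs hunk below now removes that directory with `rmdir -v /var/ipfire/ovpn/openssl`; dropping the line as well keeps the rootfile in step with what the build actually leaves on disk.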
> diff --git a/lfs/openvpn b/lfs/openvpn
> index b71b4ccc9..b686cc930 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>      chown root:root /etc/fcron.daily/openvpn-crl-updater
>      chmod 750 /etc/fcron.daily/openvpn-crl-updater
>
> +    # Move the OpenSSL configuration file out of /var/ipfire
> +    mkdir -pv /usr/share/openvpn
> +    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
> +        /usr/share/openvpn/
> +    rmdir -v /var/ipfire/ovpn/openssl
> +
>      # Install authenticator
>      install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>          /usr/sbin/openvpn-authenticator
>
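Review bot: this hunk only relocates the file in a fresh build; an installation updated from 185 still carries /var/ipfire/ovpn/openssl/ovpn.cnf and nothing here removes it, so it is worth confirming that the update handles the stale copy (or that leaving it behind is intended). The `rmdir -v /var/ipfire/ovpn/openssl` is the right target; the earlier revision quoted further down removed /usr/share/openvpn instead, the directory it had just created.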
>
> So I think we are close to having it working.
>
> I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now.
>
> I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch.
>
>
> Regards,
>
> Adolf.
>
>
> On 08/06/2024 12:43, Adolf Belka wrote:
>> Hi Michael,
>>
>> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location.
>>
>> I am now doing a build on my vm and will see if that then creates the certificates or not.
>>
>> Regards,
>> Adolf.
>>
>> On 08/06/2024 12:14, Michael Tremer wrote:
>>> Hello,
>>>
>>> Thanks for testing this.
>>>
>>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>>
>>>> Hi Michael,
>>>>
>>>> On 07/06/2024 18:01, Michael Tremer wrote:
>>>>> We should not have any configuration files that we share in this place,
>>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>>> should be able to update it without any issues.
>>>>>
>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>> ---
>>>>>   config/ovpn/openvpn-crl-updater |  3 +--
>>>>>   config/rootfiles/common/openvpn |  2 +-
>>>>>   html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>>>>>   lfs/openvpn                     |  6 ++++++
>>>>>   4 files changed, 18 insertions(+), 13 deletions(-)
>>>>>
>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
>>>>> index 5fbe21080..5008d6725 100644
>>>>> --- a/config/ovpn/openvpn-crl-updater
>>>>> +++ b/config/ovpn/openvpn-crl-updater
>>>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
>>>>>   CRL="${OVPN}/crls/cacrl.pem"
>>>>>   CAKEY="${OVPN}/ca/cakey.pem"
>>>>>   CACERT="${OVPN}/ca/cacert.pem"
>>>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
>>>>>     # Check if CRL is presant or if OpenVPN is active
>>>>>   if [ ! -e "${CAKEY}" ]; then
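Review bot: removing `OPENSSLCONF` leaves CRL, CAKEY and CACERT as variables while the config path becomes a string literal inside the `openssl ca` call in the next hunk; keeping `OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"` here and leaving the call untouched is the smaller and more consistent change, and gives one place to edit the next time the file moves.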
>>>>> @@ -76,7 +75,7 @@ UPDATE="14"
>>>>>   ## Mainpart
>>>>>   # Check if OpenVPNs CRL needs to be renewed
>>>>>   if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>>>>> -    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>>>>> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>>>>    logger -t openvpn "CRL has been updated"
>>>>>       else
>>>>>    logger -t openvpn "error: Could not update CRL"
>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>>>> index d9848a579..c0d49bfad 100644
>>>>> --- a/config/rootfiles/common/openvpn
>>>>> +++ b/config/rootfiles/common/openvpn
>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>>>   #usr/share/doc/openvpn/openvpn.8.html
>>>>>   #usr/share/man/man5/openvpn-examples.5
>>>>>   #usr/share/man/man8/openvpn.8
>>>>> +usr/share/openvpn/openssl.cnf
>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf
>>>
>>> Oh.
>>>
>>>>>   var/ipfire/ovpn/ca
>>>>>   var/ipfire/ovpn/caconfig
>>>>>   var/ipfire/ovpn/ccd
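Review bot: `usr/share/openvpn/openssl.cnf` does not match the `ovpn.cnf` name used by the lfs `mv` and by every `-config` argument in this patch; as Adolf notes, the file the code looks for is then never shipped in the package, so each openssl call that passes `-config` fails on a missing configuration file. The entry should read `usr/share/openvpn/ovpn.cnf`.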
>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>>>   var/ipfire/ovpn/crls
>>>>>   var/ipfire/ovpn/n2nconf
>>>>>   #var/ipfire/ovpn/openssl
>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>>>   var/ipfire/ovpn/openvpn-authenticator
>>>>>   var/ipfire/ovpn/ovpn-leases.db
>>>>>   var/ipfire/ovpn/ovpnconfig
>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>>> index c92d0237d..f0172978f 100755
>>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>>> @@ -1836,7 +1836,7 @@ END
>>>>>    '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>>>>    '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>>>>    '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>    goto ROOTCERT_ERROR;
>>>>>        }
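Review bot: the literal `/usr/share/openvpn/ovpn.cnf` is now repeated in each of the ten `-config` arguments changed in this file; defining it once near the top (e.g. `my $ovpnconfig = "/usr/share/openvpn/ovpn.cnf";`) and passing that variable would make any future relocation a one-line change and removes the chance of one call site being missed.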
>>>>> @@ -1868,7 +1868,7 @@ END
>>>>>    '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>>>>    '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>>    '-extensions', 'server',
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>>    unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>>>>> @@ -1885,7 +1885,7 @@ END
>>>>>    '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>>    '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>>>>    '-extensions', 'server',
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>    if ($?) {
>>>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>        unlink ("${General::swroot}/ovpn/ca/cakey.pem");
>>>>> @@ -1904,7 +1904,7 @@ END
>>>>>    # System call is safe, because all arguments are passed as array.
>>>>>    system('/usr/bin/openssl', 'ca', '-gencrl',
>>>>>    '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>>>>    if ($?) {
>>>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>        unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>> @@ -2426,8 +2426,8 @@ else
>>>>>      if ($confighash{$cgiparams{'KEY'}}) {
>>>>>    # Revoke certificate if certificate was deleted and rewrite the CRL
>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>>     ###
>>>>>   # m.a.d net2net
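Review bot: while these two lines are being touched, the result of the `-revoke` call is not checked before `-gencrl` regenerates the CRL, so a failed revocation still yields a fresh CRL that does not list the certificate; checking the outcome of the revoke (as the other hunks do with `$?` after `system`) before regenerating, and reporting an error otherwise, would close that gap.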
>>>>> @@ -2480,7 +2480,7 @@ else
>>>>>    &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
>>>>>      delete $confighash{$cgiparams{'KEY'}};
>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
>>>>>      } else {
>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>    '-batch', '-notext',
>>>>>    '-in', $filename,
>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>        if ($?) {
>>>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>    unlink ($filename);
>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>    '-newkey', 'rsa:4096',
>>>>>    '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>>        $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>    '-batch', '-notext',
>>>>>    '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>        if ($?) {
>>>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>>> index b71b4ccc9..0704aa438 100644
>>>>> --- a/lfs/openvpn
>>>>> +++ b/lfs/openvpn
>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>>    chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>>>    chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>>>   + # Move the OpenSSL configuration file out of /var/ipfire
>>>>> + mkdir -pv /usr/share/openvpn
>>>> This creates the new directory.
>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>>> + /usr/share/openvpn/
>>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
>>>>> + rmdir -v /usr/share/openvpn
>>>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case.
>>>
>>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.
>>>
>>> I will send patches.
>>>
>>> -Michael
>>>
>>>> Regards,
>>>> Adolf.
>>>>> +
>>>>>    # Install authenticator
>>>>>    install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>>>    /usr/sbin/openvpn-authenticator
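Review bot: `rmdir -v /usr/share/openvpn` targets the directory that the `mkdir -pv` two lines earlier created and the `mv` just populated; since rmdir refuses to remove a non-empty directory the build would stop here, and if it did succeed the relocated file would be gone. The intended target is the now-empty old directory: `rmdir -v /var/ipfire/ovpn/openssl`.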
>>>>
>>>> -- 
>>>> Sent from my laptop
>>>
>>>
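As an added example (not code from the thread or from the IPFire tree), the kind of check that would have caught the openssl.cnf/ovpn.cnf mismatch discussed above: a shell script that collects every /usr/share/openvpn path referenced by the scripts and verifies that the rootfile ships it. The fixture files it builds are constructed stand-ins for the real rootfile, openvpn-crl-updater and ovpnmain.cgi.

```shell
#!/bin/sh
# Added example, not part of the IPFire tree: cross-check that every path
# under /usr/share/openvpn referenced by the scripts is shipped by the
# package rootfile. Rootfile entries carry no leading slash, and a leading
# "#" marks an entry that is excluded from the package.

# check_rootfile_refs ROOTFILE SOURCE...
# Prints each referenced path missing from ROOTFILE; returns 1 if any, else 0.
check_rootfile_refs() {
    rootfile="$1"; shift
    missing=0
    for path in $(grep -oh '/usr/share/openvpn/[A-Za-z0-9._-]*' "$@" | sort -u); do
        # Exact, fixed-string line match; a "#"-prefixed line does not match.
        if ! grep -qxF -- "${path#/}" "$rootfile"; then
            echo "not shipped: $path"
            missing=1
        fi
    done
    return $missing
}

# make_fixture DIR CNF_NAME: constructed rootfile and scripts mirroring the
# thread. The scripts always reference ovpn.cnf; CNF_NAME is what the
# rootfile lists (openssl.cnf reproduces the first revision's mismatch).
make_fixture() {
    mkdir -p "$1"
    printf '%s\n' "usr/sbin/openvpn-authenticator" \
        "usr/share/openvpn/$2" "#var/ipfire/ovpn/openssl" > "$1/rootfile"
    printf '%s\n' 'if openssl ca -gencrl -config "/usr/share/openvpn/ovpn.cnf"; then' \
        > "$1/openvpn-crl-updater"
    printf '%s\n' "'-config', \"/usr/share/openvpn/ovpn.cnf\")) {" \
        > "$1/ovpnmain.cgi"
}

# run_case CNF_NAME: build a fixture and return the checker's exit status.
run_case() {
    dir=$(mktemp -d)
    make_fixture "$dir" "$1"
    check_rootfile_refs "$dir/rootfile" "$dir/openvpn-crl-updater" "$dir/ovpnmain.cgi"
    status=$?
    rm -rf "$dir"
    return $status
}

# First revision: rootfile lists openssl.cnf while the code uses ovpn.cnf.
if run_case openssl.cnf; then echo "unexpected: mismatch not detected"; fi
# Corrected revision: both sides agree on ovpn.cnf.
if ! run_case ovpn.cnf; then echo "unexpected: consistent fixture flagged"; fi
```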
