From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
Date: Sun, 09 Jun 2024 09:58:42 +0200
Message-ID: <81aab8c7-03f0-4cd8-aff0-ba496aff8795@ipfire.org>
In-Reply-To: <7bd9e80c-a0b2-4283-8d15-c39f9444c45a@ipfire.org>
List-Id: <development.lists.ipfire.org>


Hi Michael,

I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run.

As soon as I see that the nightly for the master x86_64 has also been run, I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created.

Regards,

Adolf.


On 08/06/2024 13:16, Adolf Belka wrote:
> Re-sending with a minor change, as I think I left some bits in that made the mail server miss a section out.
>
> Hi Michael,
>
> With the small changes I made it now successfully built, and also after installing in a vm it has built the x509 certificate set.
>
> I suspect successfully, as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater.
>
> The minor changes I made, compared to the existing openvpn lfs and rootfile, are the following:
>
>  config/rootfiles/common/openvpn | 2 +-
>  lfs/openvpn                     | 6 ++++++
>  2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/open=
vpn
> index d9848a579..8a36d4bb4 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
> =C2=A0#usr/share/doc/openvpn/openvpn.8.html
> =C2=A0#usr/share/man/man5/openvpn-examples.5
> =C2=A0#usr/share/man/man8/openvpn.8
> +usr/share/openvpn/ovpn.cnf
> =C2=A0var/ipfire/ovpn/ca
> =C2=A0var/ipfire/ovpn/caconfig
> =C2=A0var/ipfire/ovpn/ccd
> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
> =C2=A0var/ipfire/ovpn/crls
> =C2=A0var/ipfire/ovpn/n2nconf
> =C2=A0#var/ipfire/ovpn/openssl
> -var/ipfire/ovpn/openssl/ovpn.cnf
> =C2=A0var/ipfire/ovpn/openvpn-authenticator
> =C2=A0var/ipfire/ovpn/ovpn-leases.db
> =C2=A0var/ipfire/ovpn/ovpnconfig
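Review bot: The commented `#var/ipfire/ovpn/openssl` entry directly above the removed `var/ipfire/ovpn/openssl/ovpn.cnf` is left in place, although the lfs/openvpn hunk below removes that directory with `rmdir -v /var/ipfire/ovpn/openssl`. Dropping the directory entry as well keeps the rootfile in step with what the build actually produces.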
> diff --git a/lfs/openvpn b/lfs/openvpn
> index b71b4ccc9..b686cc930 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> =C2=A0=C2=A0=C2=A0=C2=A0 chown root:root /etc/fcron.daily/openvpn-crl-updat=
er
> =C2=A0=C2=A0=C2=A0=C2=A0 chmod 750 /etc/fcron.daily/openvpn-crl-updater
>
> +=C2=A0=C2=A0=C2=A0 # Move the OpenSSL configuration file out of /var/ipfire
> +=C2=A0=C2=A0=C2=A0 mkdir -pv /usr/share/openvpn
> +=C2=A0=C2=A0=C2=A0 mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
> +=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 /usr/share/openvpn/
> +=C2=A0=C2=A0=C2=A0 rmdir -v /var/ipfire/ovpn/openssl
> +
> =C2=A0=C2=A0=C2=A0=C2=A0 # Install authenticator
> =C2=A0=C2=A0=C2=A0=C2=A0 install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-a=
uthenticator \
> =C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 /usr/sbin/openvpn-authenticator
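Review bot: The `mv -v /var/ipfire/ovpn/openssl/ovpn.cnf` and `rmdir -v /var/ipfire/ovpn/openssl` steps relocate the file inside the build root only. An installation updating from Core Update 185 (the test described at the top of this thread) still carries the old `/var/ipfire/ovpn/openssl/ovpn.cnf`, which none of the relocated callers in ovpnmain.cgi or openvpn-crl-updater read any more; the update should remove that stale file and directory too, otherwise an unmaintained copy of the CA configuration lingers under /var/ipfire. The `mkdir -pv /usr/share/openvpn` before the `mv` is correct and makes the step safe on a clean build root.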
>
>
> So I think we are close to having it working.
>
> I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now.
>
> I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch.
>
>
> Regards,
>
> Adolf.
>
>
> On 08/06/2024 12:43, Adolf Belka wrote:
>> Hi Michael,
>>
>> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location.
>>
>> I am now doing a build on my vm and will see if that then creates the certificates or not.
>>
>> Regards,
>> Adolf.
>>
>> On 08/06/2024 12:14, Michael Tremer wrote:
>>> Hello,
>>>
>>> Thanks for testing this.
>>>
>>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>>
>>>> Hi Michael,
>>>>
>>>> On 07/06/2024 18:01, Michael Tremer wrote:
>>>>> We should not have any configuration files that we share in this place,
>>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>>> should be able to update it without any issues.
>>>>>
>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>> ---
>>>>>  config/ovpn/openvpn-crl-updater |  3 +--
>>>>>  config/rootfiles/common/openvpn |  2 +-
>>>>>  html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>>>>>  lfs/openvpn                     |  6 ++++++
>>>>>  4 files changed, 18 insertions(+), 13 deletions(-)
>>>>>
>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-=
updater
>>>>> index 5fbe21080..5008d6725 100644
>>>>> --- a/config/ovpn/openvpn-crl-updater
>>>>> +++ b/config/ovpn/openvpn-crl-updater
>>>>> @@ -43,7 +43,6 @@ OVPN=3D"/var/ipfire/ovpn"
>>>>> =C2=A0 CRL=3D"${OVPN}/crls/cacrl.pem"
>>>>> =C2=A0 CAKEY=3D"${OVPN}/ca/cakey.pem"
>>>>> =C2=A0 CACERT=3D"${OVPN}/ca/cacert.pem"
>>>>> -OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf"
>>>>> =C2=A0=C2=A0=C2=A0 # Check if CRL is presant or if OpenVPN is active
>>>>> =C2=A0 if [ ! -e "${CAKEY}" ]; then
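Review bot: Removing `OPENSSLCONF` here and hard-coding `/usr/share/openvpn/ovpn.cnf` in the `openssl ca -gencrl` call of the next hunk spreads the path out, whereas the sibling `CRL`, `CAKEY` and `CACERT` definitions show the established pattern of one variable per path. Suggest keeping the variable and pointing it at the new location, `OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"`, so the `-config "${OPENSSLCONF}"` line below can stay unchanged and a future relocation is a one-line edit.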
>>>>> @@ -76,7 +75,7 @@ UPDATE=3D"14"
>>>>> =C2=A0 ## Mainpart
>>>>> =C2=A0 # Check if OpenVPNs CRL needs to be renewed
>>>>> =C2=A0 if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>>>>> -=C2=A0=C2=A0=C2=A0 if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${=
CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>>>>> +=C2=A0=C2=A0=C2=A0 if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${=
CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>>>> =C2=A0=C2=A0 logger -t openvpn "CRL has been updated"
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 else
>>>>> =C2=A0=C2=A0 logger -t openvpn "error: Could not update CRL"
>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/=
openvpn
>>>>> index d9848a579..c0d49bfad 100644
>>>>> --- a/config/rootfiles/common/openvpn
>>>>> +++ b/config/rootfiles/common/openvpn
>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>>> =C2=A0 #usr/share/doc/openvpn/openvpn.8.html
>>>>> =C2=A0 #usr/share/man/man5/openvpn-examples.5
>>>>> =C2=A0 #usr/share/man/man8/openvpn.8
>>>>> +usr/share/openvpn/openssl.cnf
>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf, but all the rest of the code continues to use ovpn.cnf.
>>>
>>> Oh.
>>>
>>>>> =C2=A0 var/ipfire/ovpn/ca
>>>>> =C2=A0 var/ipfire/ovpn/caconfig
>>>>> =C2=A0 var/ipfire/ovpn/ccd
>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>>> =C2=A0 var/ipfire/ovpn/crls
>>>>> =C2=A0 var/ipfire/ovpn/n2nconf
>>>>> =C2=A0 #var/ipfire/ovpn/openssl
>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>>> =C2=A0 var/ipfire/ovpn/openvpn-authenticator
>>>>> =C2=A0 var/ipfire/ovpn/ovpn-leases.db
>>>>> =C2=A0 var/ipfire/ovpn/ovpnconfig
>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>>> index c92d0237d..f0172978f 100755
>>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>>> @@ -1836,7 +1836,7 @@ END
>>>>> =C2=A0=C2=A0 '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>>>> =C2=A0=C2=A0 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>> =C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'cant start openssl'}: $!";
>>>>> =C2=A0=C2=A0 goto ROOTCERT_ERROR;
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }
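Review bot: The literal `/usr/share/openvpn/ovpn.cnf` introduced on the `'-config'` line here is repeated in every following ovpnmain.cgi hunk (the `openssl req`, `openssl ca`, `-revoke` and `-gencrl` calls). A single constant near the top of the script, e.g. `my $ovpnconf = "/usr/share/openvpn/ovpn.cnf";` (name is only a suggestion), used in each call would make the next relocation a one-line change and rules out the kind of file-name mismatch seen between the rootfile (`openssl.cnf`) and the lfs (`ovpn.cnf`) in this series.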
>>>>> @@ -1868,7 +1868,7 @@ END
>>>>> =C2=A0=C2=A0 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>> =C2=A0=C2=A0 '-extensions', 'server',
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>>>> =C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'cant start openssl'}: $!";
>>>>> =C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>> =C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>>>>> @@ -1885,7 +1885,7 @@ END
>>>>> =C2=A0=C2=A0 '-in',=C2=A0 "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>>>> =C2=A0=C2=A0 '-extensions', 'server',
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>> =C2=A0=C2=A0 if ($?) {
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'open=
ssl produced an error'}: $?";
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/c=
a/cakey.pem");
>>>>> @@ -1904,7 +1904,7 @@ END
>>>>> =C2=A0=C2=A0 # System call is safe, because all arguments are passed as=
 array.
>>>>> =C2=A0=C2=A0 system('/usr/bin/openssl', 'ca', '-gencrl',
>>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>>>> =C2=A0=C2=A0 if ($?) {
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'open=
ssl produced an error'}: $?";
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/c=
erts/serverkey.pem");
>>>>> @@ -2426,8 +2426,8 @@ else
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0 if ($confighash{$cgiparams{'KEY'}}) {
>>>>> =C2=A0=C2=A0 # Revoke certificate if certificate was deleted and rewrit=
e the CRL
>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swr=
oot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${Gen=
eral::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gene=
ral::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openss=
l/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swr=
oot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/=
share/openvpn/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gene=
ral::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>> =C2=A0=C2=A0=C2=A0 ###
>>>>> =C2=A0 # m.a.d net2net
>>>>> @@ -2480,7 +2480,7 @@ else
>>>>> =C2=A0=C2=A0 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$=
confighash{$cgiparams{'KEY'}}[1]");
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0 delete $confighash{$cgiparams{'KEY'}};
>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gene=
ral::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openss=
l/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gene=
ral::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%config=
hash);
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0 } else {
>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>> =C2=A0=C2=A0 '-batch', '-notext',
>>>>> =C2=A0=C2=A0 '-in', $filename,
>>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}c=
ert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if ($?) {
>>>>> =C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'openssl produced an error'}:=
 $?";
>>>>> =C2=A0=C2=A0 unlink ($filename);
>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>> =C2=A0=C2=A0 '-newkey', 'rsa:4096',
>>>>> =C2=A0=C2=A0 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME=
'}key.pem",
>>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}r=
eq.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'cant=
 start openssl'}: $!";
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/c=
erts/$cgiparams{'NAME'}key.pem");
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/c=
erts/$cgiparams{'NAME'}req.pem");
>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>> =C2=A0=C2=A0 '-batch', '-notext',
>>>>> =C2=A0=C2=A0 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}re=
q.pem",
>>>>> =C2=A0=C2=A0 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}c=
ert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if ($?) {
>>>>> =C2=A0=C2=A0 $errormessage =3D "$Lang::tr{'openssl produced an error'}:=
 $?";
>>>>> =C2=A0=C2=A0 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}k=
ey.pem");
>>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>>> index b71b4ccc9..0704aa438 100644
>>>>> --- a/lfs/openvpn
>>>>> +++ b/lfs/openvpn
>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>> =C2=A0=C2=A0 chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>>> =C2=A0=C2=A0 chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>>> =C2=A0 + # Move the OpenSSL configuration file out of /var/ipfire
>>>>> + mkdir -pv /usr/share/openvpn
>>>> This creates the new directory.
>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>>> + /usr/share/openvpn/
>>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
>>>>> + rmdir -v /usr/share/openvpn
>>>> This then seems to me to be trying to delete the newly created directory, which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case.
>>>
>>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.
>>>
>>> I will send patches.
>>>
>>> -Michael
>>>
>>>> Regards,
>>>> Adolf.
>>>>> +
>>>>> =C2=A0=C2=A0 # Install authenticator
>>>>> =C2=A0=C2=A0 install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authentic=
ator \
>>>>> =C2=A0=C2=A0 /usr/sbin/openvpn-authenticator
>>>>
>>>> -- 
>>>> Sent from my laptop
>>>
>>>
