From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire Date: Sat, 08 Jun 2024 12:43:26 +0200 Message-ID: <866c130a-15e7-440d-912e-3508e4fdb065@ipfire.org> In-Reply-To: <6BC29D7D-B469-49A2-B16E-6198A683AE26@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3784025217846842832==" List-Id: --===============3784025217846842832== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Michael, I have made a change to the rootfile and the lfs file only and that has now s= uccessfully built. That will only have ovpn.cnf in the new location. am now doing a build on my vm and will see if that then creates the certifi= cates or not. Regards, Adolf. On 08/06/2024 12:14, Michael Tremer wrote: > Hello, >=20 > Thanks for testing this. >=20 >> On 8 Jun 2024, at 09:40, Adolf Belka wrote: >> >> Hi Michael, >> >> On 07/06/2024 18:01, Michael Tremer wrote: >>> We should not have any configuration files that we share in this place, >>> therefore this patch is moving it into /usr/share/openvpn where we >>> should be able to update it without any issues. >>> >>> Signed-off-by: Michael Tremer >>> --- >>> config/ovpn/openvpn-crl-updater | 3 +-- >>> config/rootfiles/common/openvpn | 2 +- >>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>> lfs/openvpn | 6 ++++++ >>> 4 files changed, 18 insertions(+), 13 deletions(-) >>> >>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-up= dater >>> index 5fbe21080..5008d6725 100644 >>> --- a/config/ovpn/openvpn-crl-updater >>> +++ b/config/ovpn/openvpn-crl-updater >>> @@ -43,7 +43,6 @@ OVPN=3D"/var/ipfire/ovpn" >>> CRL=3D"${OVPN}/crls/cacrl.pem" >>> CAKEY=3D"${OVPN}/ca/cakey.pem" >>> CACERT=3D"${OVPN}/ca/cacert.pem" >>> -OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf" >>> # Check if CRL is presant or if OpenVPN is active >>> if [ ! -e "${CAKEY}" ]; then >>> @@ -76,7 +75,7 @@ UPDATE=3D"14" >>> ## Mainpart >>> # Check if OpenVPNs CRL needs to be renewed >>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${= CRL}" -config "${OPENSSLCONF}"; then >>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${= CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>> logger -t openvpn "CRL has been updated" >>> else >>> logger -t openvpn "error: Could not update CRL" >>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/op= envpn >>> index d9848a579..c0d49bfad 100644 >>> --- a/config/rootfiles/common/openvpn >>> +++ b/config/rootfiles/common/openvpn >>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>> #usr/share/doc/openvpn/openvpn.8.html >>> #usr/share/man/man5/openvpn-examples.5 >>> #usr/share/man/man8/openvpn.8 >>> +usr/share/openvpn/openssl.cnf >> In the rootfile the file name is not only moved from /var/ipfire/ovpn/open= ssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the co= de continues to use ovpn.cnf >=20 > Oh. >=20 >>> var/ipfire/ovpn/ca >>> var/ipfire/ovpn/caconfig >>> var/ipfire/ovpn/ccd >>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>> var/ipfire/ovpn/crls >>> var/ipfire/ovpn/n2nconf >>> #var/ipfire/ovpn/openssl >>> -var/ipfire/ovpn/openssl/ovpn.cnf >>> var/ipfire/ovpn/openvpn-authenticator >>> var/ipfire/ovpn/ovpn-leases.db >>> var/ipfire/ovpn/ovpnconfig >>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>> index c92d0237d..f0172978f 100755 >>> --- a/html/cgi-bin/ovpnmain.cgi >>> +++ b/html/cgi-bin/ovpnmain.cgi >>> @@ -1836,7 +1836,7 @@ END >>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>> goto ROOTCERT_ERROR; >>> } >>> @@ -1868,7 +1868,7 @@ END >>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>> '-extensions', 'server', >>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>> @@ -1885,7 +1885,7 @@ END >>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>> '-extensions', 'server', >>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>> if ($?) { >>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>> @@ -1904,7 +1904,7 @@ END >>> # System call is safe, because all arguments are passed as array. >>> system('/usr/bin/openssl', 'ca', '-gencrl', >>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>> if ($?) { >>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>> @@ -2426,8 +2426,8 @@ else >>> if ($confighash{$cgiparams{'KEY'}}) { >>> # Revoke certificate if certificate was deleted and rewrite the CRL >>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroo= t}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${Gener= al::swroot}/ovpn/openssl/ovpn.cnf"); >>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Genera= l::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/= ovpn.cnf"); >>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroo= t}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/sh= are/openvpn/ovpn.cnf"); >>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Genera= l::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>> ### >>> # m.a.d net2net >>> @@ -2480,7 +2480,7 @@ else >>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$= cgiparams{'KEY'}}[1]"); >>> delete $confighash{$cgiparams{'KEY'}}; >>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Genera= l::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/= ovpn.cnf"); >>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Genera= l::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confi= ghash); >>> } else { >>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>> '-batch', '-notext', >>> '-in', $filename, >>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>> if ($?) { >>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>> unlink ($filename); >>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>> '-newkey', 'rsa:4096', >>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", >>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); >>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>> '-batch', '-notext', >>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>> if ($?) { >>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>> diff --git a/lfs/openvpn b/lfs/openvpn >>> index b71b4ccc9..0704aa438 100644 >>> --- a/lfs/openvpn >>> +++ b/lfs/openvpn >>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>> + # Move the OpenSSL configuration file out of /var/ipfire >>> + mkdir -pv /usr/share/openvpn >> This creates the new directory. >>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>> + /usr/share/openvpn/ >> This then moves the ovpn.cnf file from the old location to the new one but= keeps the name the same. This will then mismatch with the rootfile change. >>> + rmdir -v /usr/share/openvpn >> This then seems to me to be trying to delete the newly created directory w= hich seems incorrect to me unless I have misunderstood what is trying to be d= one with this overall patch, which could also be the case. >=20 > Yes, I have no idea what I did when I developed this the first time. Nothin= g good obviously. >=20 > I will send patches. >=20 > -Michael >=20 >> Regards, >> Adolf. >>> + >>> # Install authenticator >>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>> /usr/sbin/openvpn-authenticator >> >> --=20 >> Sent from my laptop >=20 >=20 --===============3784025217846842832==--