From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire Date: Mon, 10 Jun 2024 17:02:57 +0100 Message-ID: <8B792CC2-4940-45F8-B7DB-61FAA9275308@ipfire.org> In-Reply-To: <81aab8c7-03f0-4cd8-aff0-ba496aff8795@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6596230969316254706==" List-Id: --===============6596230969316254706== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, > On 9 Jun 2024, at 08:58, Adolf Belka wrote: >=20 > Hi Michael, >=20 > I saw that updated patches for the path changes had been merged into Core U= pdate 186 and the nightly run. I didn=E2=80=99t merge the patches into master right away, and so the latest = testing update doesn=E2=80=99t have the fixes. However, the latest patches fixed the problem, but ovpnmain.cgi is not part o= f the updater. So I have to do the final build again. After updating that file, the certificates can be generated properly. This is so messy :( > As soon as I see that the nightly for the master x86_64 has also been run t= hen I will test out the latest Core Update 186 Testing with those changes on = an update from 185 to 186 and confirm that afterwards the x509 certificate se= t can be successfully created. Thank you for confirming. -Michael > Regards, >=20 > Adolf. >=20 >=20 > On 08/06/2024 13:16, Adolf Belka wrote: >> Re-sending with minor change as I think I left some bits in that made the = mail server miss a section out. >>=20 >> Hi Michael, >>=20 >> With the small changes I made it now successfully built and also after ins= talling in a vm it has built the x509 certificate set. >>=20 >> I suspect successfully as I didn't change any of the changes you made to t= he ovpnmain.cgi or the openvpn-crl-updater. >>=20 >> The minor changes I made, compared to the existing openvpn lfs and rootfil= e are the following >>=20 >>=20 >>=20 >> config/rootfiles/common/openvpn | 2 +- >> lfs/openvpn | 6 ++++++ >> 2 files changed, 7 insertions(+), 1 deletion(-) >>=20 >> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/ope= nvpn >> index d9848a579..8a36d4bb4 100644 >> --- a/config/rootfiles/common/openvpn >> +++ b/config/rootfiles/common/openvpn >> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >> #usr/share/doc/openvpn/openvpn.8.html >> #usr/share/man/man5/openvpn-examples.5 >> #usr/share/man/man8/openvpn.8 >> +usr/share/openvpn/ovpn.cnf >> var/ipfire/ovpn/ca >> var/ipfire/ovpn/caconfig >> var/ipfire/ovpn/ccd >> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >> var/ipfire/ovpn/crls >> var/ipfire/ovpn/n2nconf >> #var/ipfire/ovpn/openssl >> -var/ipfire/ovpn/openssl/ovpn.cnf >> var/ipfire/ovpn/openvpn-authenticator >> var/ipfire/ovpn/ovpn-leases.db >> var/ipfire/ovpn/ovpnconfig >> diff --git a/lfs/openvpn b/lfs/openvpn >> index b71b4ccc9..b686cc930 100644 >> --- a/lfs/openvpn >> +++ b/lfs/openvpn >> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> chown root:root /etc/fcron.daily/openvpn-crl-updater >> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>=20 >> + # Move the OpenSSL configuration file out of /var/ipfire >> + mkdir -pv /usr/share/openvpn >> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >> + /usr/share/openvpn/ >> + rmdir -v /var/ipfire/ovpn/openssl >> + >> # Install authenticator >> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >> /usr/sbin/openvpn-authenticator >>=20 >>=20 >> So I think we are close to having it working. >>=20 >> I will create an OpenVPN Roadwarrior connection with the x509 certificate = set that has been created to confirm that it is all working properly now. >>=20 >> I can in fact confirm that a successful road warrior connection was able t= o be made with the x509 cert set that was created with the modified patch. >>=20 >>=20 >> Regards, >>=20 >> Adolf. >>=20 >>=20 >> On 08/06/2024 12:43, Adolf Belka wrote: >>> Hi Michael, >>>=20 >>> I have made a change to the rootfile and the lfs file only and that has n= ow successfully built. That will only have ovpn.cnf in the new location. >>>=20 >>> am now doing a build on my vm and will see if that then creates the cert= ificates or not. >>>=20 >>> Regards, >>> Adolf. >>>=20 >>> On 08/06/2024 12:14, Michael Tremer wrote: >>>> Hello, >>>>=20 >>>> Thanks for testing this. >>>>=20 >>>>> On 8 Jun 2024, at 09:40, Adolf Belka wrote: >>>>>=20 >>>>> Hi Michael, >>>>>=20 >>>>> On 07/06/2024 18:01, Michael Tremer wrote: >>>>>> We should not have any configuration files that we share in this place, >>>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>>> should be able to update it without any issues. >>>>>>=20 >>>>>> Signed-off-by: Michael Tremer >>>>>> --- >>>>>> config/ovpn/openvpn-crl-updater | 3 +-- >>>>>> config/rootfiles/common/openvpn | 2 +- >>>>>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>>>>> lfs/openvpn | 6 ++++++ >>>>>> 4 files changed, 18 insertions(+), 13 deletions(-) >>>>>>=20 >>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl= -updater >>>>>> index 5fbe21080..5008d6725 100644 >>>>>> --- a/config/ovpn/openvpn-crl-updater >>>>>> +++ b/config/ovpn/openvpn-crl-updater >>>>>> @@ -43,7 +43,6 @@ OVPN=3D"/var/ipfire/ovpn" >>>>>> CRL=3D"${OVPN}/crls/cacrl.pem" >>>>>> CAKEY=3D"${OVPN}/ca/cakey.pem" >>>>>> CACERT=3D"${OVPN}/ca/cacert.pem" >>>>>> -OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf" >>>>>> # Check if CRL is presant or if OpenVPN is active >>>>>> if [ ! -e "${CAKEY}" ]; then >>>>>> @@ -76,7 +75,7 @@ UPDATE=3D"14" >>>>>> ## Mainpart >>>>>> # Check if OpenVPNs CRL needs to be renewed >>>>>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>>>>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out = "${CRL}" -config "${OPENSSLCONF}"; then >>>>>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out = "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>>>>> logger -t openvpn "CRL has been updated" >>>>>> else >>>>>> logger -t openvpn "error: Could not update CRL" >>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common= /openvpn >>>>>> index d9848a579..c0d49bfad 100644 >>>>>> --- a/config/rootfiles/common/openvpn >>>>>> +++ b/config/rootfiles/common/openvpn >>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>>> #usr/share/man/man5/openvpn-examples.5 >>>>>> #usr/share/man/man8/openvpn.8 >>>>>> +usr/share/openvpn/openssl.cnf >>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/o= penssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the= code continues to use ovpn.cnf >>>>=20 >>>> Oh. >>>>=20 >>>>>> var/ipfire/ovpn/ca >>>>>> var/ipfire/ovpn/caconfig >>>>>> var/ipfire/ovpn/ccd >>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>>> var/ipfire/ovpn/crls >>>>>> var/ipfire/ovpn/n2nconf >>>>>> #var/ipfire/ovpn/openssl >>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>>> var/ipfire/ovpn/openvpn-authenticator >>>>>> var/ipfire/ovpn/ovpn-leases.db >>>>>> var/ipfire/ovpn/ovpnconfig >>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>>> index c92d0237d..f0172978f 100755 >>>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>>>> @@ -1836,7 +1836,7 @@ END >>>>>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>>>>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>>>>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>>>>> goto ROOTCERT_ERROR; >>>>>> } >>>>>> @@ -1868,7 +1868,7 @@ END >>>>>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>>>>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>>> '-extensions', 'server', >>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>>>>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>>>>> @@ -1885,7 +1885,7 @@ END >>>>>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>>>>> '-extensions', 'server', >>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>> if ($?) { >>>>>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>>>>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>>>>> @@ -1904,7 +1904,7 @@ END >>>>>> # System call is safe, because all arguments are passed as array. >>>>>> system('/usr/bin/openssl', 'ca', '-gencrl', >>>>>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>>>>> if ($?) { >>>>>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>>> @@ -2426,8 +2426,8 @@ else >>>>>> if ($confighash{$cgiparams{'KEY'}}) { >>>>>> # Revoke certificate if certificate was deleted and rewrite the CRL >>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::sw= root}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${Ge= neral::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gen= eral::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/opens= sl/ovpn.cnf"); >>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::sw= root}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr= /share/openvpn/ovpn.cnf"); >>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gen= eral::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>>> ### >>>>>> # m.a.d net2net >>>>>> @@ -2480,7 +2480,7 @@ else >>>>>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighas= h{$cgiparams{'KEY'}}[1]"); >>>>>> delete $confighash{$cgiparams{'KEY'}}; >>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gen= eral::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/opens= sl/ovpn.cnf"); >>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Gen= eral::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); >>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confi= ghash); >>>>>> } else { >>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>> '-batch', '-notext', >>>>>> '-in', $filename, >>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>> if ($?) { >>>>>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>>>>> unlink ($filename); >>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>> '-newkey', 'rsa:4096', >>>>>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem= ", >>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pe= m"); >>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pe= m"); >>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>> '-batch', '-notext', >>>>>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", >>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>> if ($?) { >>>>>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); >>>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>>> index b71b4ccc9..0704aa438 100644 >>>>>> --- a/lfs/openvpn >>>>>> +++ b/lfs/openvpn >>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>>> + mkdir -pv /usr/share/openvpn >>>>> This creates the new directory. >>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>>> + /usr/share/openvpn/ >>>>> This then moves the ovpn.cnf file from the old location to the new one = but keeps the name the same. This will then mismatch with the rootfile change. >>>>>> + rmdir -v /usr/share/openvpn >>>>> This then seems to me to be trying to delete the newly created director= y which seems incorrect to me unless I have misunderstood what is trying to b= e done with this overall patch, which could also be the case. >>>>=20 >>>> Yes, I have no idea what I did when I developed this the first time. Not= hing good obviously. >>>>=20 >>>> I will send patches. >>>>=20 >>>> -Michael >>>>=20 >>>>> Regards, >>>>> Adolf. >>>>>> + >>>>>> # Install authenticator >>>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>>> /usr/sbin/openvpn-authenticator >>>>>=20 >>>>> --=20 >>>>> Sent from my laptop >>>>=20 >>>>=20 --===============6596230969316254706==--