From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire Date: Tue, 11 Jun 2024 11:09:55 +0200 Message-ID: <9309caad-5aea-48ec-8e65-9491ba1b40fd@ipfire.org> In-Reply-To: <8B792CC2-4940-45F8-B7DB-61FAA9275308@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5746859944617562367==" List-Id: --===============5746859944617562367== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Michael, On 10/06/2024 18:02, Michael Tremer wrote: > Hello, >=20 >> On 9 Jun 2024, at 08:58, Adolf Belka wrote: >> >> Hi Michael, >> >> I saw that updated patches for the path changes had been merged into Core = Update 186 and the nightly run. >=20 > I didn=E2=80=99t merge the patches into master right away, and so the lates= t testing update doesn=E2=80=99t have the fixes. >=20 > However, the latest patches fixed the problem, but ovpnmain.cgi is not part= of the updater. So I have to do the final build again. >=20 > After updating that file, the certificates can be generated properly. >=20 > This is so messy :( >=20 >> As soon as I see that the nightly for the master x86_64 has also been run = then I will test out the latest Core Update 186 Testing with those changes on= an update from 185 to 186 and confirm that afterwards the x509 certificate s= et can be successfully created. >=20 > Thank you for confirming. The master nightly was updated last night so I have tested today. Testing the x509 creation on the CU185 vm failed, as would be expected. I then ran the update to CU186 Testing. Checked the /usr/share/openvpn/ direc= tory. It was present and contained ovpn.cnf. I then rebooted and then ran the x509 creation. It was successful in that it created the root and host certificates. I then created an openvpn client connection from it to my laptop. I was able = to successfully create an OpenVPN Road Warrior connection. So it looks (fingers crossed) that it is now working correctly in that the op= enssl config file for openvpn is getting updated with the Core Update. Regards, Adolf. >=20 > -Michael >=20 >> Regards, >> >> Adolf. >> >> >> On 08/06/2024 13:16, Adolf Belka wrote: >>> Re-sending with minor change as I think I left some bits in that made the= mail server miss a section out. >>> >>> Hi Michael, >>> >>> With the small changes I made it now successfully built and also after in= stalling in a vm it has built the x509 certificate set. >>> >>> I suspect successfully as I didn't change any of the changes you made to = the ovpnmain.cgi or the openvpn-crl-updater. >>> >>> The minor changes I made, compared to the existing openvpn lfs and rootfi= le are the following >>> >>> >>> >>> config/rootfiles/common/openvpn | 2 +- >>> lfs/openvpn | 6 ++++++ >>> 2 files changed, 7 insertions(+), 1 deletion(-) >>> >>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/op= envpn >>> index d9848a579..8a36d4bb4 100644 >>> --- a/config/rootfiles/common/openvpn >>> +++ b/config/rootfiles/common/openvpn >>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>> #usr/share/doc/openvpn/openvpn.8.html >>> #usr/share/man/man5/openvpn-examples.5 >>> #usr/share/man/man8/openvpn.8 >>> +usr/share/openvpn/ovpn.cnf >>> var/ipfire/ovpn/ca >>> var/ipfire/ovpn/caconfig >>> var/ipfire/ovpn/ccd >>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>> var/ipfire/ovpn/crls >>> var/ipfire/ovpn/n2nconf >>> #var/ipfire/ovpn/openssl >>> -var/ipfire/ovpn/openssl/ovpn.cnf >>> var/ipfire/ovpn/openvpn-authenticator >>> var/ipfire/ovpn/ovpn-leases.db >>> var/ipfire/ovpn/ovpnconfig >>> diff --git a/lfs/openvpn b/lfs/openvpn >>> index b71b4ccc9..b686cc930 100644 >>> --- a/lfs/openvpn >>> +++ b/lfs/openvpn >>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>> >>> + # Move the OpenSSL configuration file out of /var/ipfire >>> + mkdir -pv /usr/share/openvpn >>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>> + /usr/share/openvpn/ >>> + rmdir -v /var/ipfire/ovpn/openssl >>> + >>> # Install authenticator >>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>> /usr/sbin/openvpn-authenticator >>> >>> >>> So I think we are close to having it working. >>> >>> I will create an OpenVPN Roadwarrior connection with the x509 certificate= set that has been created to confirm that it is all working properly now. >>> >>> I can in fact confirm that a successful road warrior connection was able = to be made with the x509 cert set that was created with the modified patch. >>> >>> >>> Regards, >>> >>> Adolf. >>> >>> >>> On 08/06/2024 12:43, Adolf Belka wrote: >>>> Hi Michael, >>>> >>>> I have made a change to the rootfile and the lfs file only and that has = now successfully built. That will only have ovpn.cnf in the new location. >>>> >>>> am now doing a build on my vm and will see if that then creates the ce= rtificates or not. >>>> >>>> Regards, >>>> Adolf. >>>> >>>> On 08/06/2024 12:14, Michael Tremer wrote: >>>>> Hello, >>>>> >>>>> Thanks for testing this. >>>>> >>>>>> On 8 Jun 2024, at 09:40, Adolf Belka wrote: >>>>>> >>>>>> Hi Michael, >>>>>> >>>>>> On 07/06/2024 18:01, Michael Tremer wrote: >>>>>>> We should not have any configuration files that we share in this plac= e, >>>>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>>>> should be able to update it without any issues. >>>>>>> >>>>>>> Signed-off-by: Michael Tremer >>>>>>> --- >>>>>>> config/ovpn/openvpn-crl-updater | 3 +-- >>>>>>> config/rootfiles/common/openvpn | 2 +- >>>>>>> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- >>>>>>> lfs/openvpn | 6 ++++++ >>>>>>> 4 files changed, 18 insertions(+), 13 deletions(-) >>>>>>> >>>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-cr= l-updater >>>>>>> index 5fbe21080..5008d6725 100644 >>>>>>> --- a/config/ovpn/openvpn-crl-updater >>>>>>> +++ b/config/ovpn/openvpn-crl-updater >>>>>>> @@ -43,7 +43,6 @@ OVPN=3D"/var/ipfire/ovpn" >>>>>>> CRL=3D"${OVPN}/crls/cacrl.pem" >>>>>>> CAKEY=3D"${OVPN}/ca/cakey.pem" >>>>>>> CACERT=3D"${OVPN}/ca/cacert.pem" >>>>>>> -OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf" >>>>>>> # Check if CRL is presant or if OpenVPN is active >>>>>>> if [ ! -e "${CAKEY}" ]; then >>>>>>> @@ -76,7 +75,7 @@ UPDATE=3D"14" >>>>>>> ## Mainpart >>>>>>> # Check if OpenVPNs CRL needs to be renewed >>>>>>> if [ ${NEXTUPDATE} -le ${UPDATE} ]; then >>>>>>> - if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out= "${CRL}" -config "${OPENSSLCONF}"; then >>>>>>> + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out= "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then >>>>>>> logger -t openvpn "CRL has been updated" >>>>>>> else >>>>>>> logger -t openvpn "error: Could not update CRL" >>>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/commo= n/openvpn >>>>>>> index d9848a579..c0d49bfad 100644 >>>>>>> --- a/config/rootfiles/common/openvpn >>>>>>> +++ b/config/rootfiles/common/openvpn >>>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>>>> #usr/share/man/man5/openvpn-examples.5 >>>>>>> #usr/share/man/man8/openvpn.8 >>>>>>> +usr/share/openvpn/openssl.cnf >>>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/= openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of th= e code continues to use ovpn.cnf >>>>> >>>>> Oh. >>>>> >>>>>>> var/ipfire/ovpn/ca >>>>>>> var/ipfire/ovpn/caconfig >>>>>>> var/ipfire/ovpn/ccd >>>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>>>> var/ipfire/ovpn/crls >>>>>>> var/ipfire/ovpn/n2nconf >>>>>>> #var/ipfire/ovpn/openssl >>>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>>>> var/ipfire/ovpn/openvpn-authenticator >>>>>>> var/ipfire/ovpn/ovpn-leases.db >>>>>>> var/ipfire/ovpn/ovpnconfig >>>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>>>> index c92d0237d..f0172978f 100755 >>>>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>>>>> @@ -1836,7 +1836,7 @@ END >>>>>>> '-days', '999999', '-newkey', 'rsa:4096', '-sha512', >>>>>>> '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", >>>>>>> '-out', "${General::swroot}/ovpn/ca/cacert.pem", >>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>>>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>>>>>> goto ROOTCERT_ERROR; >>>>>>> } >>>>>>> @@ -1868,7 +1868,7 @@ END >>>>>>> '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", >>>>>>> '-out', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>>>> '-extensions', 'server', >>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) { >>>>>>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>>>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>>>> unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); >>>>>>> @@ -1885,7 +1885,7 @@ END >>>>>>> '-in', "${General::swroot}/ovpn/certs/serverreq.pem", >>>>>>> '-out', "${General::swroot}/ovpn/certs/servercert.pem", >>>>>>> '-extensions', 'server', >>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>>> if ($?) { >>>>>>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?= "; >>>>>>> unlink ("${General::swroot}/ovpn/ca/cakey.pem"); >>>>>>> @@ -1904,7 +1904,7 @@ END >>>>>>> # System call is safe, because all arguments are passed as array. >>>>>>> system('/usr/bin/openssl', 'ca', '-gencrl', >>>>>>> '-out', "${General::swroot}/ovpn/crls/cacrl.pem", >>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" ); >>>>>>> if ($?) { >>>>>>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?= "; >>>>>>> unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); >>>>>>> @@ -2426,8 +2426,8 @@ else >>>>>>> if ($confighash{$cgiparams{'KEY'}}) { >>>>>>> # Revoke certificate if certificate was deleted and rewrite the C= RL >>>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::s= wroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${G= eneral::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Ge= neral::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/open= ssl/ovpn.cnf"); >>>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::s= wroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/us= r/share/openvpn/ovpn.cnf"); >>>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Ge= neral::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"= ); >>>>>>> ### >>>>>>> # m.a.d net2net >>>>>>> @@ -2480,7 +2480,7 @@ else >>>>>>> &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$configh= ash{$cgiparams{'KEY'}}[1]"); >>>>>>> delete $confighash{$cgiparams{'KEY'}}; >>>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Ge= neral::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/open= ssl/ovpn.cnf"); >>>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${Ge= neral::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"= ); >>>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%conf= ighash); >>>>>>> } else { >>>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>>> '-batch', '-notext', >>>>>>> '-in', $filename, >>>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem= ", >>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>>> if ($?) { >>>>>>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>>>>>> unlink ($filename); >>>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>>> '-newkey', 'rsa:4096', >>>>>>> '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.p= em", >>>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) { >>>>>>> $errormessage =3D "$Lang::tr{'cant start openssl'}: $!"; >>>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.= pem"); >>>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.= pem"); >>>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >>>>>>> '-batch', '-notext', >>>>>>> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", >>>>>>> '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem= ", >>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); >>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf"); >>>>>>> if ($?) { >>>>>>> $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; >>>>>>> unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"= ); >>>>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>>>> index b71b4ccc9..0704aa438 100644 >>>>>>> --- a/lfs/openvpn >>>>>>> +++ b/lfs/openvpn >>>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>>>> + mkdir -pv /usr/share/openvpn >>>>>> This creates the new directory. >>>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>>>> + /usr/share/openvpn/ >>>>>> This then moves the ovpn.cnf file from the old location to the new one= but keeps the name the same. This will then mismatch with the rootfile chang= e. >>>>>>> + rmdir -v /usr/share/openvpn >>>>>> This then seems to me to be trying to delete the newly created directo= ry which seems incorrect to me unless I have misunderstood what is trying to = be done with this overall patch, which could also be the case. >>>>> >>>>> Yes, I have no idea what I did when I developed this the first time. No= thing good obviously. >>>>> >>>>> I will send patches. >>>>> >>>>> -Michael >>>>> >>>>>> Regards, >>>>>> Adolf. >>>>>>> + >>>>>>> # Install authenticator >>>>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>>>> /usr/sbin/openvpn-authenticator >>>>>> >>>>>> --=20 >>>>>> Sent from my laptop >>>>> >>>>> >=20 --===============5746859944617562367==--