From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
Date: Fri, 07 Jun 2024 17:03:25 +0100
In-Reply-To: <2b73ec17-94ab-4c2d-8aa3-b11d218f2457@ipfire.org>

Hello,

No, you are right. This does not work.

I submitted a new patch that solves this in a more boring, but functioning way.

https://patchwork.ipfire.org/project/ipfire/patch/20240607160107.3478827-1-michael.tremer(a)ipfire.org/

I tried to send this patch as a reply to this thread, but weirdly this doesn’t seem to work for me.

Best,
-Michael

> On 7 Jun 2024, at 09:22, Adolf Belka wrote:
> 
> Hi Michael,
> 
> Any comments on my feedback, did I make some errors or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186 which would mean giving it some good testing, which I am willing and available to do.
> 
> Regards,
> 
> Adolf.
> 
> On 05/06/2024 13:52, Adolf Belka wrote:
>> I re-did the vm build and first did a restore of my system so I could access the logs via ssh.
>> 
>> Then I cleared the x509 system and cleared the error_log and then ran the x509 create and the following is the output in the error_log file
>> 
>> ...+.......+..+....+..+.......+..+.+...+.........+..................+........+.......+...+.....+.+.....+.........+....+..+...+..........+..+.........+.........+............+....+..+.......+......+..+++++++++++++++++++++++++++++++++++++++++++++*.+.........+...+...............+........+....+++++++++++++++++++++++++++++++++++++++++++++*...+...............+...+....+..............+.+......+.....+....+........+...+.........................+....................+....+......+........+.........+......+......+...+..........+..+.+..+......+....+......+.........+...+.........+.....+..........+...+........+............+............+......+...+.......+............+..+.........+...........................+............+...............+.+............+.....+...+......+.+........+......+...............+.+..............+................+..+.+...........+.+..+......+++++
>> ..+.+........+..........+..+.+........+.+.....+.+.....+....+...+...+..............+.........+.......+..+...+.........+....+......+........+.+..+...+....+..+...............+...+...+...+......+.+++++++++++++++++++++++++++++++++++++++++++++*..+..+...+.+.........+........+..........+..+.+..+....+...+..+.+..+.......+.....+......+...+.+..............+.......+...+.....+............+............+.+......+...+.....+.+..+...+....+..+.........+...............+.+...+..+...+++++++++++++++++++++++++++++++++++++++++++++*.......+....................+....+..............+.+.....+.+...+..+...+......+.+.........+.........+......+..............+...............+.........+.............+..+.......+.........+..............+.+..+.........+...+.+.....+..........+..+...+......+....+............+........+.+.................................+......+......+........+...............+......+.........+.............+..+.+.........+..+..........+...........+...+......+...+.........................+.....+...............+.+............+...+..+.......+.....+......+......+...............+...................+......+......+..+...+.........+.........................+...+..+......+...+...............+.......+...+......+...+..+.........+....+.....+..........+...+..+...............+......+......+...+..................+.......+...............+......+..+............+...+...+....+...+.........+.....+..........+...+..+.........+.......+............+.....+..........+..+......+....+........................+.....+......+...+..........+...+.....+....+......+........+.......+..+...+............+......+....+...+............+..+....+...........+...+......+.+.....+..........+..........................+............+.+..+...+.........+.................................+....+..............+....+...+..............+......+.......+..+................+...+.....+.+........+............+.............+...............+......+..+.......+...+.....+.......+++++
>> -----
>> You are about to be asked to enter information that will be incorporated
>> into your certificate request.
>> What you are about to enter is what is called a Distinguished Name or a DN.
>> There are quite a few fields but you can leave some blank
>> For some fields there will be a default value,
>> If you enter '.', the field will be left blank.
>> -----
>> Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server
>> 
>> So you can see explicitly what it came back with.
>>=20 >> Regards, >>=20 >> Adolf >>=20 >>=20 >> On 05/06/2024 13:33, Adolf Belka wrote: >>> Hi All, >>>=20 >>> I should have also added to the end of this message that patches 1 and 3 = were applied, as far as I could tell as per the patch. >>>=20 >>> I then installed the built iso into a vm machine and ran the x509 install= and got the root certificate and no host certificate with the standard opens= sl error message. >>>=20 >>> In the httpd/error_log file it had the following message >>>=20 >>> Email Address []:Error checking request extension section server >>>=20 >>> Regards, >>>=20 >>> Adolf. >>>=20 >>> On 05/06/2024 13:26, Adolf Belka wrote: >>>> Hi Michael, >>>>=20 >>>> Here is my feedback on these three patches and the issues I found when I= tried to use them. >>>>=20 >>>> I had to manually apply them so there is also the possibility that I mad= e a typo somewhere. >>>>=20 >>>> On 18/04/2024 23:36, Michael Tremer wrote: >>>>> We should not have any configuration files that we share in this place, >>>>> therefore this patch is moving it into /usr/share/openvpn where we >>>>> should be able to update it without any issues. >>>>>=20 >>>>> Signed-off-by: Michael Tremer >>>>> --- >>>>> config/rootfiles/common/openvpn | 2 +- >>>>> html/cgi-bin/ovpnmain.cgi | 2 +- >>>>> lfs/openvpn | 6 ++++++ >>>>> 3 files changed, 8 insertions(+), 2 deletions(-) >>>>>=20 >>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/= openvpn >>>>> index d9848a579..c0d49bfad 100644 >>>>> --- a/config/rootfiles/common/openvpn >>>>> +++ b/config/rootfiles/common/openvpn >>>> These changes were no problem. >>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator >>>>> #usr/share/doc/openvpn/openvpn.8.html >>>>> #usr/share/man/man5/openvpn-examples.5 >>>>> #usr/share/man/man8/openvpn.8 >>>>> +usr/share/openvpn/openssl.cnf >>>>> var/ipfire/ovpn/ca >>>>> var/ipfire/ovpn/caconfig >>>>> var/ipfire/ovpn/ccd 
>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial >>>>> var/ipfire/ovpn/crls >>>>> var/ipfire/ovpn/n2nconf >>>>> #var/ipfire/ovpn/openssl >>>>> -var/ipfire/ovpn/openssl/ovpn.cnf >>>>> var/ipfire/ovpn/openvpn-authenticator >>>>> var/ipfire/ovpn/ovpn-leases.db >>>>> var/ipfire/ovpn/ovpnconfig >>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>>>> index 9b8ff5aa5..ed80fef7d 100755 >>>>> --- a/html/cgi-bin/ovpnmain.cgi >>>>> +++ b/html/cgi-bin/ovpnmain.cgi >>>> Also this change no problem. >>>>> @@ -54,7 +54,7 @@ my %mainsettings =3D (); >>>>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.t= xt", \%color); >>>>> # Use a custom OpenSSL configuration file for all operations >>>>> -$ENV["OPENSSL_CONF"] =3D "${General::swroot}/ovpn/ca/cacert.pem"; >>>>> +$ENV["OPENSSL_CONF"] =3D "/usr/share/openvpn/openssl.cnf"; >>>>> ### >>>>> ### Initialize variables >>>>> diff --git a/lfs/openvpn b/lfs/openvpn >>>>> index b71b4ccc9..0704aa438 100644 >>>>> --- a/lfs/openvpn >>>>> +++ b/lfs/openvpn >>>> This change refused to build as it said the directory removal was for a = non empty directory. When I looked at it I believe that it needed to be diffe= rent. 
>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater >>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater >>>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>>> + mkdir -pv /usr/share/openvpn >>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>>> + /usr/share/openvpn/ >>>>> + rmdir -v /usr/share/openvpn >>>>> + >>>>=20 >>>> The above lines I changed to >>>>=20 >>>> + # Move the OpenSSL configuration file out of /var/ipfire >>>> + mkdir -pv /usr/share/openvpn >>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ >>>> + /usr/share/openvpn/openssl.cnf >>>> + rmdir -v /var/ipfire/ovpn/openssl/ >>>> + >>>> with my changes in the last two lines. >>>> When I changed just the last line to start with then the openvpn lfs bui= lt but then later on in the cdrom stage it complained about openssl.cnf not b= eing found, hence I also then added the change to the one before last line. >>>>=20 >>>> Regards, >>>> Adolf. >>>>=20 >>>>> # Install authenticator >>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ >>>>> /usr/sbin/openvpn-authenticator --===============6680947126989510309==--
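Review bot: in the config/rootfiles/common/openvpn hunk the directory entry `#var/ipfire/ovpn/openssl` is kept after its only file, `var/ipfire/ovpn/openssl/ovpn.cnf`, is dropped; if the build step ends up removing that now-empty directory, drop this entry as well so the rootfile matches what is actually on disk. The new entry `usr/share/openvpn/openssl.cnf` also pins the target file name, so the move in lfs/openvpn has to produce exactly that name or the cdrom stage will report the file as missing, which is what the test build ran into.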
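Review bot: in the html/cgi-bin/ovpnmain.cgi hunk both the removed and the added line write to `$ENV["OPENSSL_CONF"]` with square brackets, which in Perl is element 0 of an array `@ENV`, not the `%ENV` hash that is passed to child processes; unless the brackets are a paste artefact, `openssl` never sees the variable, falls back to its default configuration file, and the lookup of the `server` request-extension section fails with exactly the "Error checking request extension section server" reported from the test build. It should read `$ENV{"OPENSSL_CONF"} = "/usr/share/openvpn/openssl.cnf";`. The removed line also pointed OPENSSL_CONF at `ovpn/ca/cacert.pem`, a certificate rather than a configuration file, so the state before this patch is not a working baseline to compare against either.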
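Review bot: in the lfs/openvpn hunk the last added line, `rmdir -v /usr/share/openvpn`, removes the directory the two lines before it just created and populated (it will fail on a non-empty directory, as the test build showed), and because `mv` is given a directory as its target the file keeps the name `ovpn.cnf` while the rootfile and ovpnmain.cgi expect `openssl.cnf`. Name the destination file explicitly and remove the emptied source directory instead:
    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf /usr/share/openvpn/openssl.cnf
    rmdir -v /var/ipfire/ovpn/openssl
which matches the correction Adolf applied to get the build through.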
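To make the failure in the quoted error_log reproducible outside IPFire, here is an added shell example; it is not code from the thread or from IPFire. It writes two throw-away OpenSSL configuration files, one with and one without a `[server]` extension section, selects each one only through the OPENSSL_CONF environment variable (the mechanism ovpnmain.cgi relies on), and asks `openssl req` for the `server` request extensions. The file names, the section contents and the `ovpn-test` common name are assumptions made up for the example; the two configurations are constructed stand-ins for ovpn.cnf and for a stock openssl.cnf, not copies of them.

```shell
#!/bin/sh
# Added example, not IPFire code. "openssl req -reqexts server" looks the
# section up in the configuration file named by OPENSSL_CONF (or -config).
# A file without that section reproduces the thread's
# "Error checking request extension section server"; a file with it yields
# a CSR carrying the extensions. Both configs below are constructed stand-ins.

# Configuration WITH a [server] section, the shape ovpnmain.cgi expects to find.
write_cnf_with_server() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = ovpn-test

[ server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Configuration WITHOUT a [server] section: the DN part still works, which is
# why the quoted log shows every DN prompt before the error appears.
write_cnf_without_server() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = ovpn-test
EOF
}

# make_server_req CONF_FILE
# Generates a throw-away EC key and a CSR with the "server" request extensions,
# choosing the configuration only via OPENSSL_CONF, as the CGI does.
# Prints "ok" if the CSR carries serverAuth, else "error: <openssl message>".
make_server_req() {
    conf=$1
    work=$(mktemp -d) || return 1
    err=$(OPENSSL_CONF="$conf" openssl req -new -reqexts server \
            -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout "$work/key.pem" -out "$work/req.pem" 2>&1 >/dev/null)
    rc=$?
    if [ "$rc" -eq 0 ] && openssl req -in "$work/req.pem" -noout -text 2>/dev/null \
            | grep -q 'TLS Web Server Authentication'; then
        result=ok
    else
        # Keep the line naming the missing section, drop key-generation noise.
        msg=$(printf '%s\n' "$err" | grep -i 'section' | head -n 1)
        result="error: ${msg:-exit status $rc}"
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Walk both cases so the difference is visible side by side.
demo() {
    d=$(mktemp -d) || return 1
    write_cnf_with_server "$d/with-server.cnf"
    write_cnf_without_server "$d/without-server.cnf"
    echo "with [server]:    $(make_server_req "$d/with-server.cnf")"
    echo "without [server]: $(make_server_req "$d/without-server.cnf")"
    rm -rf "$d"
}

demo
```

Run it with `sh openssl-conf-demo.sh` on any host with the openssl binary. The second line of output is the thread's failure mode: OpenSSL reads the distinguished-name sections it finds, then aborts at the extension lookup because the file it was pointed at has no `[server]` section. The same thing happens when OPENSSL_CONF is not exported at all and openssl silently falls back to the system default openssl.cnf, which is why a CGI that only appears to set the variable produces this error while the config file itself is fine.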