Hello,
On 9 Jun 2024, at 08:58, Adolf Belka adolf.belka@ipfire.org wrote:
Hi Michael,
I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run.
I didn’t merge the patches into master right away, and so the latest testing update doesn’t have the fixes.
However, the latest patches fixed the problem, but ovpnmain.cgi is not part of the updater. So I have to do the final build again.
After updating that file, the certificates can be generated properly.
This is so messy :(
As soon as I see that the nightly for the master x86_64 has also been run then I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created.
Thank you for confirming.
-Michael
Regards,
Adolf.
On 08/06/2024 13:16, Adolf Belka wrote:
Re-sending with minor change as I think I left some bits in that made the mail server miss a section out.
Hi Michael,
With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set.
I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater.
The minor changes I made, compared to the existing openvpn lfs and rootfile are the following
config/rootfiles/common/openvpn | 2 +- lfs/openvpn | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..8a36d4bb4 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/openvpn.8.html #usr/share/man/man5/openvpn-examples.5 #usr/share/man/man8/openvpn.8 +usr/share/openvpn/ovpn.cnf var/ipfire/ovpn/ca var/ipfire/ovpn/caconfig var/ipfire/ovpn/ccd @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial var/ipfire/ovpn/crls var/ipfire/ovpn/n2nconf #var/ipfire/ovpn/openssl -var/ipfire/ovpn/openssl/ovpn.cnf var/ipfire/ovpn/openvpn-authenticator var/ipfire/ovpn/ovpn-leases.db var/ipfire/ovpn/ovpnconfig diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..b686cc930 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown root:root /etc/fcron.daily/openvpn-crl-updater chmod 750 /etc/fcron.daily/openvpn-crl-updater
- # Move the OpenSSL configuration file out of /var/ipfire
- mkdir -pv /usr/share/openvpn
- mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
/usr/share/openvpn/- rmdir -v /var/ipfire/ovpn/openssl
- # Install authenticator install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ /usr/sbin/openvpn-authenticator
So I think we are close to having it working.
I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now.
I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch.
Regards,
Adolf.
On 08/06/2024 12:43, Adolf Belka wrote:
Hi Michael,
I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location.
am now doing a build on my vm and will see if that then creates the certificates or not.
Regards, Adolf.
On 08/06/2024 12:14, Michael Tremer wrote:
Hello,
Thanks for testing this.
On 8 Jun 2024, at 09:40, Adolf Belka adolf.belka@ipfire.org wrote:
Hi Michael,
On 07/06/2024 18:01, Michael Tremer wrote:
We should not have any configuration files that we share in this place, therefore this patch is moving it into /usr/share/openvpn where we should be able to update it without any issues.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/ovpn/openvpn-crl-updater | 3 +-- config/rootfiles/common/openvpn | 2 +- html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- lfs/openvpn | 6 ++++++ 4 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater index 5fbe21080..5008d6725 100644 --- a/config/ovpn/openvpn-crl-updater +++ b/config/ovpn/openvpn-crl-updater @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn" CRL="${OVPN}/crls/cacrl.pem" CAKEY="${OVPN}/ca/cakey.pem" CACERT="${OVPN}/ca/cacert.pem" -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" # Check if CRL is presant or if OpenVPN is active if [ ! -e "${CAKEY}" ]; then @@ -76,7 +75,7 @@ UPDATE="14" ## Mainpart # Check if OpenVPNs CRL needs to be renewed if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
- if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
- if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then logger -t openvpn "CRL has been updated" else logger -t openvpn "error: Could not update CRL"
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..c0d49bfad 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/openvpn.8.html #usr/share/man/man5/openvpn-examples.5 #usr/share/man/man8/openvpn.8 +usr/share/openvpn/openssl.cnf
In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf
Oh.
var/ipfire/ovpn/ca var/ipfire/ovpn/caconfig var/ipfire/ovpn/ccd @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial var/ipfire/ovpn/crls var/ipfire/ovpn/n2nconf #var/ipfire/ovpn/openssl -var/ipfire/ovpn/openssl/ovpn.cnf var/ipfire/ovpn/openvpn-authenticator var/ipfire/ovpn/ovpn-leases.db var/ipfire/ovpn/ovpnconfig diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..f0172978f 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1836,7 +1836,7 @@ END '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
- '-config', "/usr/share/openvpn/ovpn.cnf")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; goto ROOTCERT_ERROR; }
@@ -1868,7 +1868,7 @@ END '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server',
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
- '-config', "/usr/share/openvpn/ovpn.cnf" )) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
@@ -1885,7 +1885,7 @@ END '-in', "${General::swroot}/ovpn/certs/serverreq.pem", '-out', "${General::swroot}/ovpn/certs/servercert.pem", '-extensions', 'server',
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
- '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/cakey.pem");
@@ -1904,7 +1904,7 @@ END # System call is safe, because all arguments are passed as array. system('/usr/bin/openssl', 'ca', '-gencrl', '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
- '-config', "/usr/share/openvpn/ovpn.cnf" ); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
@@ -2426,8 +2426,8 @@ else if ($confighash{$cgiparams{'KEY'}}) { # Revoke certificate if certificate was deleted and rewrite the CRL
- &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
- &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
- &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
- &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); ### # m.a.d net2net
@@ -2480,7 +2480,7 @@ else &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); delete $confighash{$cgiparams{'KEY'}};
- &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
- &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash); } else { @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-batch', '-notext', '-in', $filename, '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
- '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ($filename);
@@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
- '-config', "/usr/share/openvpn/ovpn.cnf")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
@@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
- '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..0704aa438 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown root:root /etc/fcron.daily/openvpn-crl-updater chmod 750 /etc/fcron.daily/openvpn-crl-updater
- # Move the OpenSSL configuration file out of /var/ipfire
- mkdir -pv /usr/share/openvpn
This creates the new directory.
- mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
- /usr/share/openvpn/
This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
- rmdir -v /usr/share/openvpn
This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case.
Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.
I will send patches.
-Michael
Regards, Adolf.
- # Install authenticator install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ /usr/sbin/openvpn-authenticator
-- Sent from my laptop