Hi Michael,
Any comments on my feedback? Did I make some errors, or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186, which would mean giving it some good testing, which I am willing and available to do.
Regards,
Adolf.
On 05/06/2024 13:52, Adolf Belka wrote:
I re-did the vm build and first did a restore of my system so I could access the logs via ssh.
Then I cleared the x509 system and cleared the error_log, then ran the x509 create; the following is the output in the error_log file:
...+.......+..+....+..+.......+..+.+...+.........+..................+........+.......+...+.....+.+.....+.........+....+..+...+..........+..+.........+.........+............+....+..+.......+......+..+++++++++++++++++++++++++++++++++++++++++++++*.+.........+...+...............+........+....+++++++++++++++++++++++++++++++++++++++++++++*...+...............+...+....+..............+.+......+.....+....+........+...+.........................+....................+....+......+........+.........+......+......+...+..........+..+.+..+......+....+......+.........+...+.........+.....+..........+...+........+............+............+......+...+.......+............+..+.........+...........................+............+...............+.+............+.....+...+......+.+........+......+...............+.+..............+................+..+.+...........+.+..+......+++++ ..+.+........+..........+..+.+........+.+.....+.+.....+....+...+...+..............+.........+.......+..+...+.........+....+......+........+.+..+...+....+..+...............+...+...+...+......+.+++++++++++++++++++++++++++++++++++++++++++++*..+..+...+.+.........+........+..........+..+.+..+....+...+..+.+..+.......+.....+......+...+.+..............+.......+...+.....+............+............+.+......+...+.....+.+..+...+....+..+.........+...............+.+...+..+...+++++++++++++++++++++++++++++++++++++++++++++*.......+....................+....+..............+.+.....+.+...+..+...+......+.+.........+.........+......+..............+...............+.........+.............+..+.......+.........+..............+.+..+.........+...+.+.....+..........+..+...+......+....+............+........+.+.................................+......+......+........+...............+......+.........+.............+..+.+.........+..+..........+...........+...+......+...+.........................+.....+...............+.+............+...+..+.......+.....+......+......+...............+...................+......+......+..+...+.........+........................
.+...+..+......+...+...............+.......+...+......+...+..+.........+....+.....+..........+...+..+...............+......+......+...+..................+.......+...............+......+..+............+...+...+....+...+.........+.....+..........+...+..+.........+.......+............+.....+..........+..+......+....+........................+.....+......+...+..........+...+.....+....+......+........+.......+..+...+............+......+....+...+............+..+....+...........+...+......+.+.....+..........+..........................+............+.+..+...+.........+.................................+....+..............+....+...+..............+......+.......+..+................+...+.....+.+........+............+.............+...............+......+..+.......+...+.....+.......+++++
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server
So you can see explicitly what it came back with.
Regards,
Adolf
On 05/06/2024 13:33, Adolf Belka wrote:
Hi All,
I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell as per the patch.
I then installed the built iso into a vm machine and ran the x509 install and got the root certificate and no host certificate with the standard openssl error message.
In the httpd/error_log file it had the following message:
Email Address []:Error checking request extension section server
Regards,
Adolf.
On 05/06/2024 13:26, Adolf Belka wrote:
Hi Michael,
Here is my feedback on these three patches and the issues I found when I tried to use them.
I had to manually apply them so there is also the possibility that I made a typo somewhere.
On 18/04/2024 23:36, Michael Tremer wrote:
We should not have any configuration files that we share in this place, therefore this patch is moving it into /usr/share/openvpn where we should be able to update it without any issues.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/common/openvpn | 2 +- html/cgi-bin/ovpnmain.cgi | 2 +- lfs/openvpn | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..c0d49bfad 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn
These changes were no problem.
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/openvpn.8.html #usr/share/man/man5/openvpn-examples.5 #usr/share/man/man8/openvpn.8 +usr/share/openvpn/openssl.cnf var/ipfire/ovpn/ca var/ipfire/ovpn/caconfig var/ipfire/ovpn/ccd @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial var/ipfire/ovpn/crls var/ipfire/ovpn/n2nconf #var/ipfire/ovpn/openssl -var/ipfire/ovpn/openssl/ovpn.cnf var/ipfire/ovpn/openvpn-authenticator var/ipfire/ovpn/ovpn-leases.db var/ipfire/ovpn/ovpnconfig diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9b8ff5aa5..ed80fef7d 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi
Also this change no problem.
@@ -54,7 +54,7 @@ my %mainsettings = (); &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", %color); # Use a custom OpenSSL configuration file for all operations -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf"; ### ### Initialize variables diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..0704aa438 100644 --- a/lfs/openvpn +++ b/lfs/openvpn
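Review bot: in the ovpnmain.cgi hunk, `$ENV["OPENSSL_CONF"] = ...` (on both the removed and the added line) uses square brackets, which in Perl subscripts an ordinary array `@ENV` rather than the `%ENV` hash that is passed on to child processes, so OPENSSL_CONF is never actually set and `openssl` keeps reading its default configuration. It should read `$ENV{"OPENSSL_CONF"} = "/usr/share/openvpn/openssl.cnf";`. That would also be consistent with the `Error checking request extension section server` message reported earlier in the thread, since a stock openssl.cnf has no `server` section.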
This change refused to build, as it said the directory removal was for a non-empty directory. When I looked at it I believe that it needed to be different.
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown root:root /etc/fcron.daily/openvpn-crl-updater chmod 750 /etc/fcron.daily/openvpn-crl-updater + # Move the OpenSSL configuration file out of /var/ipfire + mkdir -pv /usr/share/openvpn + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ + /usr/share/openvpn/ + rmdir -v /usr/share/openvpn
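Review bot: in the lfs/openvpn hunk, `rmdir -v /usr/share/openvpn` removes the directory that the two preceding lines have just created and populated, so rmdir fails on a non-empty directory and the build stops; the directory to remove is the emptied source, `/var/ipfire/ovpn/openssl`. In the same hunk, `mv -v /var/ipfire/ovpn/openssl/ovpn.cnf /usr/share/openvpn/` keeps the file name `ovpn.cnf`, while the rootfile and ovpnmain.cgi hunks expect `/usr/share/openvpn/openssl.cnf`, so later stages will not find the file. Suggested replacement for the last two lines: `mv -v /var/ipfire/ovpn/openssl/ovpn.cnf /usr/share/openvpn/openssl.cnf` followed by `rmdir -v /var/ipfire/ovpn/openssl`.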
The above lines I changed to
+ # Move the OpenSSL configuration file out of /var/ipfire + mkdir -pv /usr/share/openvpn + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \ + /usr/share/openvpn/openssl.cnf + rmdir -v /var/ipfire/ovpn/openssl/
with my changes in the last two lines. When I changed just the last line to start with, the openvpn lfs built, but later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the line before last.
Regards,
Adolf.
# Install authenticator install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \ /usr/sbin/openvpn-authenticator
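As an added example (not code from the thread, nor from the IPFire tree), this is the pre-flight check I would run before the x509 step: it verifies that the file the web UI is meant to export as OPENSSL_CONF is readable and actually carries a non-empty section of the requested name, because `openssl req` reports `Error checking request extension section server` when the configuration it loaded has no section `server` to take request extensions from. The path `/usr/share/openvpn/openssl.cnf` comes from the patch and the section name from the error; the function names `check_openssl_cnf` and `make_fixtures`, the status codes and the three fixture configs are my own constructions.

```shell
#!/bin/sh
# Added pre-flight check (not part of the thread or of IPFire): verify that the
# OpenSSL configuration exported via OPENSSL_CONF is readable and holds a
# non-empty extension section before any key or CSR step is run.
# /usr/share/openvpn/openssl.cnf is the path from the patch; "server" is the
# section named in the error; fixture files below are constructed.

# check_openssl_cnf FILE SECTION
#   0  FILE is readable and holds a [ SECTION ] block with at least one setting
#   1  FILE is missing or unreadable
#   2  no [ SECTION ] header exists in FILE
#   3  header present but no "key = value" lines in it (stricter than openssl,
#      which accepts an empty section; it is almost always a mistake here)
check_openssl_cnf() {
    cnf=$1
    section=$2
    [ -r "$cnf" ] || return 1
    found=0
    inside=0
    keys=0
    # read with the default IFS strips leading/trailing whitespace on each line
    while read -r line || [ -n "$line" ]; do
        case $line in
            ""|"#"*)
                continue ;;
            "["*)
                # Section header: turn "[ server ]" or "[server]" into "server"
                name=${line#\[}
                name=${name%%\]*}
                name=$(printf '%s' "$name" | tr -d ' \t')
                if [ "$name" = "$section" ]; then
                    found=1
                    inside=1
                else
                    inside=0
                fi ;;
            *=*)
                if [ "$inside" -eq 1 ]; then
                    keys=$((keys + 1))
                fi ;;
        esac
    done < "$cnf"
    [ "$found" -eq 1 ] || return 2
    [ "$keys" -gt 0 ] || return 3
    return 0
}

# make_fixtures DIR: constructed configs standing in for the real file.
make_fixtures() {
    dir=$1
    # good.cnf: what the relocated config must provide for the x509 step
    cat > "$dir/good.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

# Request extension section the host certificate step asks for
[ server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # bad.cnf: a stock-style config with CA sections but no [ server ] section,
    # i.e. what openssl ends up reading when OPENSSL_CONF was never exported
    cat > "$dir/bad.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # nokeys.cnf: header present, section left empty
    cat > "$dir/nokeys.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ server ]
# TODO
EOF
}

# Stand-alone demonstration on the constructed fixtures
workdir=$(mktemp -d)
make_fixtures "$workdir"
for name in good bad nokeys missing; do
    rc=0
    check_openssl_cnf "$workdir/$name.cnf" server || rc=$?
    echo "$name.cnf -> status $rc"
done
rm -rf "$workdir"
```

On a real system the call would be `check_openssl_cnf /usr/share/openvpn/openssl.cnf server` run from the same environment as the CGI, which also confirms that the path the Perl code exports is the one openssl will see.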