Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: joost on May 26, 2016, 03:57:05 PM
-
Hi, I'm new at this forum, not new to SME 9.1:
I've got a problem after installing OpenVPN bridge contribs in combination with PHPki. The output of
tailf /var/log/openvpn-bridge/current
Output:
@400000005746fb0b0b6f73bc OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 4 2016
@400000005746fb0b0b6f7b8c library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005746fb0b0b741354 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005746fb0b0b74a3dc NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005746fb0b0b7d7994 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005746fb0b0ba05b44 Diffie-Hellman initialized with 1024 bit key
@400000005746fb0b0ba5c214 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
@400000005746fb0b0ba5cdcc Exiting due to fatal error
Could anyone please help me? I don't know where to start.
-
The private key associated with the server certificate is password protected. It must not be password protected for the daemon to start. You should create a new cert and be sure not to password protect its key (or play with openssl to remove the password protection on the existing key, but it's a bit harder)
-
Thanks. That worked!
-
Hi, I'm new at this forum, not new to SME 9.1:
Welcome Joost!
-
Hi,
I have the same problem on SME 9.2
tailf /var/log/openvpn-bridge/current
@400000005e70ab3c0a8b5d1c WARNING: file 'priv/key.pem' is group or others accessible
@400000005e70ab3c0a8b6104 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
@400000005e70ab3c0a8b93cc library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005e70ab3c0a8ec434 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005e70ab3c0a8fc9ec NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005e70ab3c0a951d34 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005e70ab3c0a9822a4 OpenSSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
@400000005e70ab3c0a98362c Cannot load DH parameters from pub/dh.pem
@400000005e70ab3c0a9841e4 Exiting due to fatal error
Can you explain how to create a new cert and be sure not to password protect its key?
I have never set a password except for https://wiki.contribs.org/PHPki#Configure_your_new_PKI (can't do without)
-
Sorry, I missed this -> https://forums.contribs.org/index.php/topic,54169.0.html
and this -> https://bugs.contribs.org/show_bug.cgi?id=6741
Any solution?
-
Hi,
I have the same problem on SME 9.2
No you don't.
You are jumping to too many conclusions and not reading your logs.
tailf /var/log/openvpn-bridge/current
@400000005e70ab3c0a8b5d1c WARNING: file 'priv/key.pem' is group or others accessible
That's your first issue. I'd try fixing that.
It should look like this - 0600 root:root
-rw------- 1 root root 1679 Sep 30 2019 key.pem
You then might want to look at this
Cannot load DH parameters from pub/dh.pem
It should look like this - 0600 root:root
-rw------- 1 root root 245 Sep 30 2019 dh.pem
Can you explain how to create a new cert and be sure not to password protect its key?
I have never set a password except for https://wiki.contribs.org/PHPki#Configure_your_new_PKI (can't do without)
That ONLY applies to the ROOT CA when you create it. You ALWAYS set a password on that.
When you create the client/server certificates you can create them without passwords, but that currently is NOT your issue.
Fix the bits above first.
[Edited wrong permissions]
-
Hi,
Thanks for your explanations.
It's OK for priv/key.pem but not for pub/dh.pem
[root@sme pub]# ll /etc/openvpn/bridge/pub/dh.pem
-rw------- 1 root root 219 17 mars 10:57 /etc/openvpn/bridge/pub/dh.pem
[root@sme pub]# ll /etc/openvpn/bridge/priv/key.pem
-rw------- 1 root root 1860 17 mars 10:57 /etc/openvpn/bridge/priv/key.pem
[root@sme pub]# tailf /var/log/openvpn-bridge/current
@400000005e7140ea1dfc5a7c Cannot load DH parameters from pub/dh.pem
@400000005e7140ea1dfc5e64 Exiting due to fatal error
@400000005e7140eb249b50a4 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
@400000005e7140eb249b548c library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005e7140eb249dae1c MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005e7140eb249e522c NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005e7140eb24a2da54 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005e7140eb24a602ec OpenSSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
@400000005e7140eb24a602ec Cannot load DH parameters from pub/dh.pem
@400000005e7140eb24a602ec Exiting due to fatal error
pub/dh.pem must be 600 or 644 root:root?
-
Sorry.
Both should be 0600 root:root
-
OK, I set 600 root:root but I still get "Cannot load DH parameters from pub/dh.pem"
-
I can only think you either haven't generated the certificates correctly or not copied them across correctly.
If you are creating a new install I'd suggest you try the updated version we are testing which is more secure.
It will also not be possible to migrate from 0.82 to 0.83 due to increased encryption levels.
I'll post some info tomorrow.
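An added pre-flight check covering the three failure modes this thread walks through (a passphrase-protected priv/key.pem, files that are not 0600 root:root, and a pub/dh.pem whose PEM body no longer decodes). It is example code written for this thread, not part of the openvpn-bridge or phpki contribs, and assumes the /etc/openvpn/bridge layout shown in the posts above.

```shell
#!/bin/sh
# Example written for this thread, not contrib code: pre-flight checks for the
# files openvpn-bridge loads. Assumed layout (from the thread): $dir/priv/key.pem
# and $dir/pub/dh.pem, default dir /etc/openvpn/bridge.
# 10-character permission string, e.g. -rw------- (SELinux '.' / ACL '+' dropped).
file_mode() { ls -ld "$1" | awk '{ print substr($1, 1, 10) }'; }
# owner:group as ls reports it.
file_owner() { ls -ld "$1" | awk '{ print $3 ":" $4 }'; }
# Succeeds only for mode 0600, which the thread says both files must have.
mode_is_0600() { [ "$(file_mode "$1")" = "-rw-------" ]; }

# Succeeds if the key is passphrase protected: the daemon then dies with
# "can't ask for 'Enter Private Key Password:'" because nobody can type it in.
pem_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Succeeds if the base64 between BEGIN/END decodes; a truncated or mangled copy
# is what gives "PEM_read_bio:bad base64 decode" / "Cannot load DH parameters".
pem_body_decodes() {
    sed -n '/^-----BEGIN/,/^-----END/{/^-----/d;/^[A-Za-z-]*:/d;/^$/d;p;}' "$1" \
        | base64 -d >/dev/null 2>&1
}

# Runs all checks on a bridge directory, prints one line per finding and returns
# the number of problems (0 means it is safe to restart openvpn-bridge).
check_openvpn_bridge_files() {
    dir="${1:-/etc/openvpn/bridge}" problems=0
    key="$dir/priv/key.pem" dh="$dir/pub/dh.pem"
    for f in "$key" "$dh"; do
        if [ ! -f "$f" ]; then echo "MISSING  $f"; problems=$((problems + 1)); continue; fi
        mode_is_0600 "$f" || { echo "PERMS    $f is $(file_mode "$f"), want -rw------- (0600)"; problems=$((problems + 1)); }
        [ "$(file_owner "$f")" = "root:root" ] || { echo "OWNER    $f is $(file_owner "$f"), want root:root"; problems=$((problems + 1)); }
        pem_body_decodes "$f" || { echo "CORRUPT  $f: PEM body is not valid base64"; problems=$((problems + 1)); }
    done
    if [ -f "$key" ] && pem_is_encrypted "$key"; then
        echo "PASSWORD $key has a passphrase; issue the server cert with an unprotected key"; problems=$((problems + 1))
    fi
    # Deeper check when openssl is installed: do the DH parameters actually parse?
    if [ -f "$dh" ] && command -v openssl >/dev/null 2>&1; then
        openssl dhparam -in "$dh" -check -noout >/dev/null 2>&1 \
            || { echo "DHPARAM  $dh does not parse as DH parameters"; problems=$((problems + 1)); }
    fi
    return "$problems"
}
# Stand-alone use: sh check-bridge-files.sh [dir]; skipped when no dir is given and the default is absent.
if [ $# -gt 0 ] || [ -d /etc/openvpn/bridge ]; then
    check_openvpn_bridge_files "${1:-/etc/openvpn/bridge}" || exit $?
fi
```

Run it as root before `sv u /service/openvpn-bridge`; a non-zero exit means one of the findings above still needs fixing.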
-
Yes, it's a new openvpn install (covid-19... work at home ....)
I'll wait for news
thanks.
-
Cool. It needs some testing!!
-
contribs vpn is new but SME9 is "old" and in production...
-
contribs vpn is new but SME9 is "old" and in production...
We've already tested it.
The reason we haven't released it yet is because we aren't sure what to do about in place upgrades.
Seems to work ok (it can't actually break much anyway)
If you had a Rocket account you could have helped test....
-
OK, if you want to then try this.
Note. To upgrade the encryption strength you have to create a new CA, and then all new certificates. There is no easy way to convert existing certificates.
So be prepared before you embark on this.
First, uninstall old version. This new version will try and backup your certificates if they exist.
If you want to keep them then you can also do this manually first:
cp -r /opt/phpki/phpki-store /opt/phpki/phpki-store.backup
Now:
yum remove phpki
You may need a reboot to clear up.
Add my testing repo.
BEWARE. Do NOT try and do a general 'upgrade' from this repo. It may break your machine!!!!
Just install as we instruct. If this tests OK it will go into smecontribs fairly soon.
You can manually grab a copy for a local install if you want:
https://www.reetspetit.com/smetest/6/repoview/phpki.html
Then something like this:
yum --enablerepo=epel,smecontribs localinstall phpki-0.83-9.el6.sme.noarch.rpm
Otherwise use my test repo:
db yum_repositories set reetpTest repository \
BaseURL https://www.reetspetit.com/smetest/\$releasever \
EnableGroups no \
GPGCheck no \
Name "ReetP Repo" \
GPGKey https://www.reetspetit.com/RPM-GPG-KEY \
Visible yes \
status disabled
signal-event yum-modify
config set UnsavedChanges no
Now install:
yum --enablerepo=reetpTest,smecontribs,epel install phpki
You may see a warning about unable to write 'random state' but you can ignore it.
signal-event post-upgrade; signal-event reboot
Go to Server-manager
Create your CA certificate with a password.
Get your DH key, and generate your certificates.
The DH key will now be 2048 bits.
Really we should set everything to default to 4096 - at least make the CA and certs 4096
Let us know how you get along.
-
Hi,
mmm...
Here are my commands:
yum --enablerepo=smecontribs install smeserver-bridge-interface
yum --enablerepo=smecontribs install smeserver-phpki
expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/pki-conf/httpd.conf
sv t /service/httpd-e-smith
sv u /service/httpd-pki
yum --enablerepo=smecontribs install smeserver-openvpn-bridge
signal-event post-upgrade; signal-event reboot
cp -r /opt/phpki/phpki-store /opt/phpki/phpki-store.backup
yum remove phpki
wget https://www.reetspetit.com/smetest/6/noarch/phpki-0.83-9.el6.sme.noarch.rpm
yum --enablerepo=epel,smecontribs localinstall phpki-0.83-9.el6.sme.noarch.rpm
signal-event post-upgrade; signal-event reboot
After that, I create the root certificate (with password).
Then I want the server certificate. A password is asked. If I try to create it with or without a password, I get an error:
Signing vpn_server certificate request.
Using configuration from /tmp/cnf-7QjxPJ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'PACA'
localityName :PRINTABLE:'MYTOWN'
organizationName :PRINTABLE:'MYCOMPANY'
organizationName :PRINTABLE:'xxxxxxxxxx111111222222333333333'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'openvpn-bridge'
emailAddress :IA5STRING:'contact@mycompany.fr'
Certificate is to be certified until Mar 26 16:15:14 2025 GMT (1826 days)
failed to update database
TXT_DB error number 2
Click on the "Help" link above for information on how to report this problem.
Can you help me?
bg
-
Can you help me?
Only if you follow what we said... :-)
If you are intending to run openvpn-bridge I would
Install smeserver-phpki + phpki
If you are going to use my test version it is better not to install the original 0.82 version. My version *should* move the original certificate directory out of the way.
Note - we are probably going to rename this to phpki-ng shortly because we want to avoid breaking older installs.
Note - we have tested successful openvpn-routed connections with the new version so we know it works.
We have not tested bridge or 2to2 yet - they should work but need testing.
Reboot
Create your CA and server/client certificates to complete the install
Now install the smeserver-bridge-interface and smeserver-openvpn-bridge rpms.
Reboot and finish your bridge setup
failed to update database
TXT_DB error number 2
Terry noticed it once when creating a couple of certs - I haven't had a chance to look at it as I have been too busy shutting down our company. I don't think it was serious. Phpki stores a counter in a text file so it can number the certificates and I think it may be this.
Check the certificates in the /opt/phpki-store