Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Config error on Ubuntu 14.04 #64

Merged
merged 1 commit into from
May 17, 2014
Merged

Config error on Ubuntu 14.04 #64

merged 1 commit into from
May 17, 2014

Conversation

luxflux
Copy link
Contributor

@luxflux luxflux commented May 17, 2014

Hey, thanks for the prompt resolution on the previous bug, I was about to have a look at it myself but you beat me to it.

I've come across another issue (note - replaced my domain name):

Notice: /Stage[main]/Main/Node[vpn.blah.net]/Openvpn::Server[vpn.blah.net]/Exec[create crl.pem on vpn.blah.net]/returns: Using configuration from /etc/openvpn/vpn.blah.net/easy-rsa/openssl.cnf
Notice: /Stage[main]/Main/Node[vpn.blah.net]/Openvpn::Server[vpn.blah.net]/Exec[create crl.pem on vpn.blah.net]/returns: error on line 198 of config file '/etc/openvpn/vpn.blah.net/easy-rsa/openssl.cnf'
Notice: /Stage[main]/Main/Node[vpn.blah.net]/Openvpn::Server[vpn.blah.net]/Exec[create crl.pem on vpn.blah.net]/returns: 140001620666016:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198
Error: . ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' openssl ca -gencrl -out /etc/openvpn/vpn.blah.net/crl.pem -config /etc/openvpn/vpn.blah.net/easy-rsa/openssl.cnf returned 1 instead of one of [0]
Error: /Stage[main]/Main/Node[vpn.blah.net]/Openvpn::Server[vpn.blah.net]/Exec[create crl.pem on vpn.blah.net]/returns: change from notrun to 0 failed: . ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' openssl ca -gencrl -out /etc/openvpn/vpn.blah.net/crl.pem -config /etc/openvpn/vpn.blah.net/easy-rsa/openssl.cnf returned 1 instead of one of [0]

Line 198 was this:

subjectAltName=$ENV::KEY_ALTNAMES

I commented it out and got another one:

Notice: /Stage[main]/Main/Node[vpn.blah.net]/Openvpn::Server[vpn.blah.net]/Exec[create crl.pem on vpn.blah.net]/returns: error on line 220 of config file '/etc/openvpn/vpn.blah.net/easy-rsa/openssl.cnf'

Line 220 is the same:

subjectAltName=$ENV::KEY_ALTNAMES

Commented out again and worked. Let me know if I can provide anything else to assist.

@Philio
Copy link
Contributor Author

Philio commented May 2, 2014

Did a little more digging, looks like it's a change in the easy-rsa package.

This is from Ubuntu 12.04:

# cat /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl-1.0.0.cnf | grep subjectAltName
# This stuff is for subjectAltName and issuerAltname.
# subjectAltName=email:copy
# subjectAltName=email:copy

The subjectAltName lines are all commented by default.

This is from 14.04:

# cat /usr/share/easy-rsa/openssl-1.0.0.cnf | grep subjectAltName
# This stuff is for subjectAltName and issuerAltname.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
subjectAltName=$ENV::KEY_ALTNAMES
# subjectAltName=email:copy

@luxflux
Copy link
Contributor

luxflux commented May 3, 2014

Thanks for reporting!

Could you check whether the format of the vars file has changed as well?

@Philio
Copy link
Contributor Author

Philio commented May 3, 2014

Here's the full file:

# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*

# This definition stops the following lines choking if HOME isn't
# defined.
HOME      = .
RANDFILE    = $ENV::HOME/.rnd
openssl_conf    = openssl_init

[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file   = $ENV::HOME/.oid
oid_section   = new_oids
engines     = engine_section

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca  = CA_default    # The default ca section

####################################################################
[ CA_default ]

dir   = $ENV::KEY_DIR   # Where everything is kept
certs   = $dir      # Where the issued certs are kept
crl_dir   = $dir      # Where the issued crl are kept
database  = $dir/index.txt  # database index file.
new_certs_dir = $dir      # default place for new certs.

certificate = $dir/ca.crt   # The CA certificate
serial    = $dir/serial     # The current serial number
crl   = $dir/crl.pem    # The current CRL
private_key = $dir/ca.key   # The private key
RANDFILE  = $dir/.rand    # private random number file

x509_extensions = usr_cert    # The extentions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions  = crl_ext

default_days  = 3650      # how long to certify for
default_crl_days= 30      # how long before next CRL
default_md  = sha256    # use public key default MD
preserve  = no      # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy    = policy_anything

# For the CA policy
[ policy_match ]
countryName   = match
stateOrProvinceName = match
organizationName  = match
organizationalUnitName  = optional
commonName    = supplied
name      = optional
emailAddress    = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName   = optional
stateOrProvinceName = optional
localityName    = optional
organizationName  = optional
organizationalUnitName  = optional
commonName    = supplied
name      = optional
emailAddress    = optional

####################################################################
[ req ]
default_bits    = $ENV::KEY_SIZE
default_keyfile   = privkey.pem
default_md    = sha256
distinguished_name  = req_distinguished_name
attributes    = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName     = Country Name (2 letter code)
countryName_default   = $ENV::KEY_COUNTRY
countryName_min     = 2
countryName_max     = 2

stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE

localityName      = Locality Name (eg, city)
localityName_default    = $ENV::KEY_CITY

0.organizationName    = Organization Name (eg, company)
0.organizationName_default  = $ENV::KEY_ORG

# we can do this but it is not needed normally :-)
#1.organizationName   = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName    = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName      = Common Name (eg, your name or your server\'s hostname)
commonName_max      = 64

name        = Name
name_max      = 64

emailAddress      = Email Address
emailAddress_default    = $ENV::KEY_EMAIL
emailAddress_max    = 40

# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME


# SET-ex3     = SET extension number 3

[ req_attributes ]
challengePassword   = A challenge password
challengePassword_min   = 4
challengePassword_max   = 20

unstructuredName    = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType      = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment     = "Easy-RSA Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature


# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl    = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ server ]

# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType                     = server
nsComment                      = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0

@luxflux
Copy link
Contributor

luxflux commented May 3, 2014

This looks like the openssl-1.0.0.cnf file. There should be a file called vars. You can find it at /usr/share/easy-rsa/2.0/vars or so.

@Philio
Copy link
Contributor Author

Philio commented May 3, 2014

Sorry wrong file, here's the default vars:

# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field
export KEY_NAME="EasyRSA"

# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"

@Philio
Copy link
Contributor Author

Philio commented May 3, 2014

I forked and added a simple fix which works for me:

https://github.com/Philio/puppet-openvpn/blob/master/manifests/server.pp#L345-L354

Note: updated link, first attempt was a little buggy!

@luxflux
Copy link
Contributor

luxflux commented May 10, 2014

As the failing command is something which has not been provided by easy-rsa its maybe saver to set the variable for this one call. So your workaround would not be needed.

When I add KEY_ALTNAMES='' to the command on the line https://github.com/luxflux/puppet-openvpn/blob/master/manifests/server.pp#L383, it works out for me.

Does this work out for you too?

@Philio
Copy link
Contributor Author

Philio commented May 16, 2014

Just tried this out myself and can confirm you fix worked perfectly on Ubuntu 14.04.

Thanks for your help!

Completes support for Ubuntu Trusty, fixes #64
luxflux added a commit that referenced this pull request May 17, 2014
@luxflux luxflux merged commit c94d335 into master May 17, 2014
@luxflux luxflux deleted the 64-fix-trusty-support branch May 17, 2014 10:39
luxflux added a commit that referenced this pull request May 17, 2014
@luxflux
Copy link
Contributor

luxflux commented May 17, 2014

Thanks for reporting back! It's now fixed and will be released with Version 2.4.0.

@luxflux luxflux restored the 64-fix-trusty-support branch May 17, 2014 10:49
@luxflux luxflux deleted the 64-fix-trusty-support branch May 17, 2014 10:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants