OpenVPN: Move the OpenSSL configuration file out of /var/ipfire

Message ID 20240607160107.3478827-1-michael.tremer@ipfire.org
State Accepted
Commit 4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5
Series OpenVPN: Move the OpenSSL configuration file out of /var/ipfire |

Commit Message

Michael Tremer June 7, 2024, 4:01 p.m. UTC
  We should not have any configuration files that we share in this place,
therefore this patch is moving it into /usr/share/openvpn where we
should be able to update it without any issues.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/ovpn/openvpn-crl-updater |  3 +--
 config/rootfiles/common/openvpn |  2 +-
 html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
 lfs/openvpn                     |  6 ++++++
 4 files changed, 18 insertions(+), 13 deletions(-)
  

Comments

Adolf Belka June 8, 2024, 8:40 a.m. UTC | #1
Hi Michael,

On 07/06/2024 18:01, Michael Tremer wrote:
> We should not have any configuration files that we share in this place,
> therefore this patch is moving it into /usr/share/openvpn where we
> should be able to update it without any issues.
>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>   config/ovpn/openvpn-crl-updater |  3 +--
>   config/rootfiles/common/openvpn |  2 +-
>   html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>   lfs/openvpn                     |  6 ++++++
>   4 files changed, 18 insertions(+), 13 deletions(-)
>
> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
> index 5fbe21080..5008d6725 100644
> --- a/config/ovpn/openvpn-crl-updater
> +++ b/config/ovpn/openvpn-crl-updater
> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
>   CRL="${OVPN}/crls/cacrl.pem"
>   CAKEY="${OVPN}/ca/cakey.pem"
>   CACERT="${OVPN}/ca/cacert.pem"
> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
>   
>   # Check if CRL is presant or if OpenVPN is active
>   if [ ! -e "${CAKEY}" ]; then
> @@ -76,7 +75,7 @@ UPDATE="14"
>   ## Mainpart
>   # Check if OpenVPNs CRL needs to be renewed
>   if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
> -    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>   		logger -t openvpn "CRL has been updated"
>       else
>   		logger -t openvpn "error: Could not update CRL"
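Review bot: The second hunk inlines the new path as a string literal while the first hunk deletes the OPENSSLCONF variable, so the config file is now the only one of the four OpenSSL inputs that is not declared next to CRL, CAKEY and CACERT at the top of the script. Keeping the variable and changing only its value, `OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"`, and leaving `-config "${OPENSSLCONF}"` untouched makes the relocation a one-line change and keeps all paths in one place. The if-block around the `openssl ca -gencrl` call continues outside the hunk.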
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index d9848a579..c0d49bfad 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>   #usr/share/doc/openvpn/openvpn.8.html
>   #usr/share/man/man5/openvpn-examples.5
>   #usr/share/man/man8/openvpn.8
> +usr/share/openvpn/openssl.cnf
In the rootfile the file name is not only moved from 
/var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf 
but all the rest of the code continues to use ovpn.cnf
>   var/ipfire/ovpn/ca
>   var/ipfire/ovpn/caconfig
>   var/ipfire/ovpn/ccd
> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>   var/ipfire/ovpn/crls
>   var/ipfire/ovpn/n2nconf
>   #var/ipfire/ovpn/openssl
> -var/ipfire/ovpn/openssl/ovpn.cnf
>   var/ipfire/ovpn/openvpn-authenticator
>   var/ipfire/ovpn/ovpn-leases.db
>   var/ipfire/ovpn/ovpnconfig
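Review bot: The added entry `usr/share/openvpn/openssl.cnf` has no accompanying entry for its parent directory, whereas the package-owned directories under var/ipfire/ovpn (`var/ipfire/ovpn/ca`, `var/ipfire/ovpn/crls`) are listed in this file. If the convention here is that directories created by the package are listed, `usr/share/openvpn` needs a line of its own; if directories under /usr/share are deliberately left out, a commented `#usr/share/openvpn` line would at least document that. Which convention applies cannot be told from this hunk alone.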
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index c92d0237d..f0172978f 100755
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -1836,7 +1836,7 @@ END
>   			'-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>   			'-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>   			'-out', "${General::swroot}/ovpn/ca/cacert.pem",
> -			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
> +			'-config', "/usr/share/openvpn/ovpn.cnf")) {
>   		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
>   		goto ROOTCERT_ERROR;
>   	    }
> @@ -1868,7 +1868,7 @@ END
>   			'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>   			'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>   			'-extensions', 'server',
> -			'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
> +			'-config', "/usr/share/openvpn/ovpn.cnf" )) {
>   		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
>   		unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>   		unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
> @@ -1885,7 +1885,7 @@ END
>   		'-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
>   		'-out', "${General::swroot}/ovpn/certs/servercert.pem",
>   		'-extensions', 'server',
> -		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
> +		'-config', "/usr/share/openvpn/ovpn.cnf");
>   	if ($?) {
>   	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>   	    unlink ("${General::swroot}/ovpn/ca/cakey.pem");
> @@ -1904,7 +1904,7 @@ END
>   	# System call is safe, because all arguments are passed as array.
>   	system('/usr/bin/openssl', 'ca', '-gencrl',
>   		'-out', "${General::swroot}/ovpn/crls/cacrl.pem",
> -		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
> +		'-config', "/usr/share/openvpn/ovpn.cnf" );
>   	if ($?) {
>   	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>   	    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
> @@ -2426,8 +2426,8 @@ else
>   
>   	if ($confighash{$cgiparams{'KEY'}}) {
>   		# Revoke certificate if certificate was deleted and rewrite the CRL
> -		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
> -		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
> +		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
> +		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>   
>   ###
>   # m.a.d net2net
> @@ -2480,7 +2480,7 @@ else
>   		&General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
>   
>   		delete $confighash{$cgiparams{'KEY'}};
> -		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
> +		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>   		&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
>   
>   	} else {
> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>   		'-batch', '-notext',
>   		'-in', $filename,
>   		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
> -		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
> +		'-config', "/usr/share/openvpn/ovpn.cnf");
>   	    if ($?) {
>   		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>   		unlink ($filename);
> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>   			'-newkey', 'rsa:4096',
>   			'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>   			'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
> -			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
> +			'-config', "/usr/share/openvpn/ovpn.cnf")) {
>   		    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>   		    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>   		    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>   		'-batch', '-notext',
>   		'-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>   		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
> -		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
> +		'-config', "/usr/share/openvpn/ovpn.cnf");
>   	    if ($?) {
>   		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>   		unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
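Review bot: The literal "/usr/share/openvpn/ovpn.cnf" is now spelled out ten times across the nine hunks of this file, replacing the previous `${General::swroot}`-relative spelling, so the next relocation will again have to touch every call site. Declaring it once near the file's other path settings, `my $opensslconf = "/usr/share/openvpn/ovpn.cnf";`, and passing `'-config', $opensslconf` in each openssl invocation keeps the path in one place and makes the diff for a future move a single line. Each of the enclosing subroutines and branches starts and ends outside its hunk, so where the declaration is placed has to be checked against the file's scoping.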
> diff --git a/lfs/openvpn b/lfs/openvpn
> index b71b4ccc9..0704aa438 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>   	chown root:root /etc/fcron.daily/openvpn-crl-updater
>   	chmod 750 /etc/fcron.daily/openvpn-crl-updater
>   
> +	# Move the OpenSSL configuration file out of /var/ipfire
> +	mkdir -pv /usr/share/openvpn
This creates the new directory.
> +	mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
> +		/usr/share/openvpn/
This then moves the ovpn.cnf file from the old location to the new one 
but keeps the name the same. This will then mismatch with the rootfile 
change.
> +	rmdir -v /usr/share/openvpn
This then seems to me to be trying to delete the newly created directory 
which seems incorrect to me unless I have misunderstood what is trying 
to be done with this overall patch, which could also be the case.

Regards,
Adolf.
> +
>   	# Install authenticator
>   	install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>   		/usr/sbin/openvpn-authenticator
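Review bot: The new recipe lines copy-then-move: `mv -v /var/ipfire/ovpn/openssl/ovpn.cnf` depends on an earlier step of this $(TARGET) recipe, outside the hunk, having placed the file under /var/ipfire first, and `mv` carries over whatever mode that step gave it. Installing straight from the source tree, `install -v -m 644 $(DIR_SRC)/<source path of ovpn.cnf> /usr/share/openvpn/ovpn.cnf`, would make the destination and its permissions explicit and match the `install -v -m 755` used for the authenticator just below — assuming the file is available in the source tree at build time, which this hunk does not show. The $(TARGET) recipe continues outside the hunk on both sides.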
  
Michael Tremer June 8, 2024, 10:14 a.m. UTC | #2
Hello,

Thanks for testing this.

> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 07/06/2024 18:01, Michael Tremer wrote:
>> We should not have any configuration files that we share in this place,
>> therefore this patch is moving it into /usr/share/openvpn where we
>> should be able to update it without any issues.
>> 
>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>> ---
>>  config/ovpn/openvpn-crl-updater |  3 +--
>>  config/rootfiles/common/openvpn |  2 +-
>>  html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>>  lfs/openvpn                     |  6 ++++++
>>  4 files changed, 18 insertions(+), 13 deletions(-)
>> 
>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
>> index 5fbe21080..5008d6725 100644
>> --- a/config/ovpn/openvpn-crl-updater
>> +++ b/config/ovpn/openvpn-crl-updater
>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
>>  CRL="${OVPN}/crls/cacrl.pem"
>>  CAKEY="${OVPN}/ca/cakey.pem"
>>  CACERT="${OVPN}/ca/cacert.pem"
>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
>>    # Check if CRL is presant or if OpenVPN is active
>>  if [ ! -e "${CAKEY}" ]; then
>> @@ -76,7 +75,7 @@ UPDATE="14"
>>  ## Mainpart
>>  # Check if OpenVPNs CRL needs to be renewed
>>  if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>> -    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>   logger -t openvpn "CRL has been updated"
>>      else
>>   logger -t openvpn "error: Could not update CRL"
>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>> index d9848a579..c0d49bfad 100644
>> --- a/config/rootfiles/common/openvpn
>> +++ b/config/rootfiles/common/openvpn
>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>  #usr/share/doc/openvpn/openvpn.8.html
>>  #usr/share/man/man5/openvpn-examples.5
>>  #usr/share/man/man8/openvpn.8
>> +usr/share/openvpn/openssl.cnf
> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf

Oh.

>>  var/ipfire/ovpn/ca
>>  var/ipfire/ovpn/caconfig
>>  var/ipfire/ovpn/ccd
>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>  var/ipfire/ovpn/crls
>>  var/ipfire/ovpn/n2nconf
>>  #var/ipfire/ovpn/openssl
>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>  var/ipfire/ovpn/openvpn-authenticator
>>  var/ipfire/ovpn/ovpn-leases.db
>>  var/ipfire/ovpn/ovpnconfig
>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>> index c92d0237d..f0172978f 100755
>> --- a/html/cgi-bin/ovpnmain.cgi
>> +++ b/html/cgi-bin/ovpnmain.cgi
>> @@ -1836,7 +1836,7 @@ END
>>   '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>   '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>   '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>   $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>   goto ROOTCERT_ERROR;
>>       }
>> @@ -1868,7 +1868,7 @@ END
>>   '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>   '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>   '-extensions', 'server',
>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>   $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>   unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>   unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>> @@ -1885,7 +1885,7 @@ END
>>   '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
>>   '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>   '-extensions', 'server',
>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>   if ($?) {
>>       $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>       unlink ("${General::swroot}/ovpn/ca/cakey.pem");
>> @@ -1904,7 +1904,7 @@ END
>>   # System call is safe, because all arguments are passed as array.
>>   system('/usr/bin/openssl', 'ca', '-gencrl',
>>   '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>   if ($?) {
>>       $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>       unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>> @@ -2426,8 +2426,8 @@ else
>>     if ($confighash{$cgiparams{'KEY'}}) {
>>   # Revoke certificate if certificate was deleted and rewrite the CRL
>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>    ###
>>  # m.a.d net2net
>> @@ -2480,7 +2480,7 @@ else
>>   &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
>>     delete $confighash{$cgiparams{'KEY'}};
>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>   &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
>>     } else {
>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>   '-batch', '-notext',
>>   '-in', $filename,
>>   '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>       if ($?) {
>>   $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>   unlink ($filename);
>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>   '-newkey', 'rsa:4096',
>>   '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>>   '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>       $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>       unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>       unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>   '-batch', '-notext',
>>   '-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>   '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>       if ($?) {
>>   $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>   unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>> diff --git a/lfs/openvpn b/lfs/openvpn
>> index b71b4ccc9..0704aa438 100644
>> --- a/lfs/openvpn
>> +++ b/lfs/openvpn
>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>   chown root:root /etc/fcron.daily/openvpn-crl-updater
>>   chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>  + # Move the OpenSSL configuration file out of /var/ipfire
>> + mkdir -pv /usr/share/openvpn
> This creates the new directory.
>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>> + /usr/share/openvpn/
> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
>> + rmdir -v /usr/share/openvpn
> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case.

Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.

I will send patches.

-Michael

> Regards,
> Adolf.
>> +
>>   # Install authenticator
>>   install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>   /usr/sbin/openvpn-authenticator
> 
> -- 
> Sent from my laptop
  
Adolf Belka June 8, 2024, 10:43 a.m. UTC | #3
Hi Michael,

I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location.

I am now doing a build on my vm and will see if that then creates the certificates or not.

Regards,
Adolf.

On 08/06/2024 12:14, Michael Tremer wrote:
> Hello,
> 
> Thanks for testing this.
> 
>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi Michael,
>>
>> On 07/06/2024 18:01, Michael Tremer wrote:
>>> We should not have any configuration files that we share in this place,
>>> therefore this patch is moving it into /usr/share/openvpn where we
>>> should be able to update it without any issues.
>>>
>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>> ---
>>>   config/ovpn/openvpn-crl-updater |  3 +--
>>>   config/rootfiles/common/openvpn |  2 +-
>>>   html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>>>   lfs/openvpn                     |  6 ++++++
>>>   4 files changed, 18 insertions(+), 13 deletions(-)
>>>
>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
>>> index 5fbe21080..5008d6725 100644
>>> --- a/config/ovpn/openvpn-crl-updater
>>> +++ b/config/ovpn/openvpn-crl-updater
>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
>>>   CRL="${OVPN}/crls/cacrl.pem"
>>>   CAKEY="${OVPN}/ca/cakey.pem"
>>>   CACERT="${OVPN}/ca/cacert.pem"
>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
>>>     # Check if CRL is presant or if OpenVPN is active
>>>   if [ ! -e "${CAKEY}" ]; then
>>> @@ -76,7 +75,7 @@ UPDATE="14"
>>>   ## Mainpart
>>>   # Check if OpenVPNs CRL needs to be renewed
>>>   if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>>> -    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>>> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>>    logger -t openvpn "CRL has been updated"
>>>       else
>>>    logger -t openvpn "error: Could not update CRL"
>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>> index d9848a579..c0d49bfad 100644
>>> --- a/config/rootfiles/common/openvpn
>>> +++ b/config/rootfiles/common/openvpn
>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>   #usr/share/doc/openvpn/openvpn.8.html
>>>   #usr/share/man/man5/openvpn-examples.5
>>>   #usr/share/man/man8/openvpn.8
>>> +usr/share/openvpn/openssl.cnf
>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf
> 
> Oh.
> 
>>>   var/ipfire/ovpn/ca
>>>   var/ipfire/ovpn/caconfig
>>>   var/ipfire/ovpn/ccd
>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>   var/ipfire/ovpn/crls
>>>   var/ipfire/ovpn/n2nconf
>>>   #var/ipfire/ovpn/openssl
>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>   var/ipfire/ovpn/openvpn-authenticator
>>>   var/ipfire/ovpn/ovpn-leases.db
>>>   var/ipfire/ovpn/ovpnconfig
>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>> index c92d0237d..f0172978f 100755
>>> --- a/html/cgi-bin/ovpnmain.cgi
>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>> @@ -1836,7 +1836,7 @@ END
>>>    '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>>    '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>>    '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>    goto ROOTCERT_ERROR;
>>>        }
>>> @@ -1868,7 +1868,7 @@ END
>>>    '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>>    '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>>    '-extensions', 'server',
>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>    unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>>> @@ -1885,7 +1885,7 @@ END
>>>    '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
>>>    '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>>    '-extensions', 'server',
>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>    if ($?) {
>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>        unlink ("${General::swroot}/ovpn/ca/cakey.pem");
>>> @@ -1904,7 +1904,7 @@ END
>>>    # System call is safe, because all arguments are passed as array.
>>>    system('/usr/bin/openssl', 'ca', '-gencrl',
>>>    '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>>    if ($?) {
>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>        unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>> @@ -2426,8 +2426,8 @@ else
>>>      if ($confighash{$cgiparams{'KEY'}}) {
>>>    # Revoke certificate if certificate was deleted and rewrite the CRL
>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>     ###
>>>   # m.a.d net2net
>>> @@ -2480,7 +2480,7 @@ else
>>>    &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
>>>      delete $confighash{$cgiparams{'KEY'}};
>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>    &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
>>>      } else {
>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>    '-batch', '-notext',
>>>    '-in', $filename,
>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>        if ($?) {
>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>    unlink ($filename);
>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>    '-newkey', 'rsa:4096',
>>>    '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>        $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>    '-batch', '-notext',
>>>    '-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>        if ($?) {
>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>> index b71b4ccc9..0704aa438 100644
>>> --- a/lfs/openvpn
>>> +++ b/lfs/openvpn
>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>    chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>    chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>   + # Move the OpenSSL configuration file out of /var/ipfire
>>> + mkdir -pv /usr/share/openvpn
>> This creates the new directory.
>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>> + /usr/share/openvpn/
>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
>>> + rmdir -v /usr/share/openvpn
>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case.
> 
> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.
> 
> I will send patches.
> 
> -Michael
> 
>> Regards,
>> Adolf.
>>> +
>>>    # Install authenticator
>>>    install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>    /usr/sbin/openvpn-authenticator
>>
>> -- 
>> Sent from my laptop
> 
>
  
Adolf Belka June 8, 2024, 11 a.m. UTC | #4
Hi Michael,

With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set.

I expect it to be successful, as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater.

The minor changes I made, compared to the existing openvpn lfs and rootfile are the following


---
  config/rootfiles/common/openvpn | 2 +-
  lfs/openvpn                     | 6 ++++++
  2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..8a36d4bb4 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
  #usr/share/doc/openvpn/openvpn.8.html
  #usr/share/man/man5/openvpn-examples.5
  #usr/share/man/man8/openvpn.8
+usr/share/openvpn/ovpn.cnf
  var/ipfire/ovpn/ca
  var/ipfire/ovpn/caconfig
  var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
  var/ipfire/ovpn/crls
  var/ipfire/ovpn/n2nconf
  #var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
  var/ipfire/ovpn/openvpn-authenticator
  var/ipfire/ovpn/ovpn-leases.db
  var/ipfire/ovpn/ovpnconfig
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..b686cc930 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
      chown root:root /etc/fcron.daily/openvpn-crl-updater
      chmod 750 /etc/fcron.daily/openvpn-crl-updater

+    # Move the OpenSSL configuration file out of /var/ipfire
+    mkdir -pv /usr/share/openvpn
+    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+        /usr/share/openvpn/
+    rmdir -v /var/ipfire/ovpn/openssl
+
      # Install authenticator
      install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
          /usr/sbin/openvpn-authenticator
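Review bot: The revised recipe removes /var/ipfire/ovpn/openssl with `rmdir -v`, but the rootfile hunk above still carries the `#var/ipfire/ovpn/openssl` line, so the rootfile now names a directory the build deletes. Dropping that line keeps the two in step, unless something else is expected to live under that directory, which these hunks do not show. The $(TARGET) recipe continues outside the hunk.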
  
Adolf Belka June 8, 2024, 11:16 a.m. UTC | #5
Re-sending with minor change as I think I left some bits in that made the mail server miss a section out.

Hi Michael,

With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set.

I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater.

The minor changes I made, compared to the existing openvpn lfs and rootfile are the following



  config/rootfiles/common/openvpn | 2 +-
  lfs/openvpn                     | 6 ++++++
  2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..8a36d4bb4 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
  #usr/share/doc/openvpn/openvpn.8.html
  #usr/share/man/man5/openvpn-examples.5
  #usr/share/man/man8/openvpn.8
+usr/share/openvpn/ovpn.cnf
  var/ipfire/ovpn/ca
  var/ipfire/ovpn/caconfig
  var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
  var/ipfire/ovpn/crls
  var/ipfire/ovpn/n2nconf
  #var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
  var/ipfire/ovpn/openvpn-authenticator
  var/ipfire/ovpn/ovpn-leases.db
  var/ipfire/ovpn/ovpnconfig
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..b686cc930 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
      chown root:root /etc/fcron.daily/openvpn-crl-updater
      chmod 750 /etc/fcron.daily/openvpn-crl-updater

+    # Move the OpenSSL configuration file out of /var/ipfire
+    mkdir -pv /usr/share/openvpn
+    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+        /usr/share/openvpn/
+    rmdir -v /var/ipfire/ovpn/openssl
+
      # Install authenticator
      install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
          /usr/sbin/openvpn-authenticator


So I think we are close to having it working.

I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now.

I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch.


Regards,

Adolf.


On 08/06/2024 12:43, Adolf Belka wrote:
> Hi Michael,
>
> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location.
>
>  am now doing a build on my vm and will see if that then creates the certificates or not.
>
> Regards,
> Adolf.
>
> On 08/06/2024 12:14, Michael Tremer wrote:
>> Hello,
>>
>> Thanks for testing this.
>>
>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>
>>> Hi Michael,
>>>
>>> On 07/06/2024 18:01, Michael Tremer wrote:
>>>> We should not have any configuration files that we share in this place,
>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>> should be able to update it without any issues.
>>>>
>>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>>> ---
>>>>   config/ovpn/openvpn-crl-updater |  3 +--
>>>>   config/rootfiles/common/openvpn |  2 +-
>>>>   html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>>>>   lfs/openvpn                     |  6 ++++++
>>>>   4 files changed, 18 insertions(+), 13 deletions(-)
>>>>
>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
>>>> index 5fbe21080..5008d6725 100644
>>>> --- a/config/ovpn/openvpn-crl-updater
>>>> +++ b/config/ovpn/openvpn-crl-updater
>>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
>>>>   CRL="${OVPN}/crls/cacrl.pem"
>>>>   CAKEY="${OVPN}/ca/cakey.pem"
>>>>   CACERT="${OVPN}/ca/cacert.pem"
>>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
>>>>     # Check if CRL is presant or if OpenVPN is active
>>>>   if [ ! -e "${CAKEY}" ]; then
>>>> @@ -76,7 +75,7 @@ UPDATE="14"
>>>>   ## Mainpart
>>>>   # Check if OpenVPNs CRL needs to be renewed
>>>>   if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>>>> -    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>>>> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>>>    logger -t openvpn "CRL has been updated"
>>>>       else
>>>>    logger -t openvpn "error: Could not update CRL"
>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>>> index d9848a579..c0d49bfad 100644
>>>> --- a/config/rootfiles/common/openvpn
>>>> +++ b/config/rootfiles/common/openvpn
>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>>   #usr/share/doc/openvpn/openvpn.8.html
>>>>   #usr/share/man/man5/openvpn-examples.5
>>>>   #usr/share/man/man8/openvpn.8
>>>> +usr/share/openvpn/openssl.cnf
>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf
>>
>> Oh.
>>
>>>>   var/ipfire/ovpn/ca
>>>>   var/ipfire/ovpn/caconfig
>>>>   var/ipfire/ovpn/ccd
>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>>   var/ipfire/ovpn/crls
>>>>   var/ipfire/ovpn/n2nconf
>>>>   #var/ipfire/ovpn/openssl
>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>>   var/ipfire/ovpn/openvpn-authenticator
>>>>   var/ipfire/ovpn/ovpn-leases.db
>>>>   var/ipfire/ovpn/ovpnconfig
>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>> index c92d0237d..f0172978f 100755
>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>> @@ -1836,7 +1836,7 @@ END
>>>>    '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>>>    '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>>>    '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>    goto ROOTCERT_ERROR;
>>>>        }
>>>> @@ -1868,7 +1868,7 @@ END
>>>>    '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>>>    '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>    '-extensions', 'server',
>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>    unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>>>> @@ -1885,7 +1885,7 @@ END
>>>>    '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>    '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>>>    '-extensions', 'server',
>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>    if ($?) {
>>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>        unlink ("${General::swroot}/ovpn/ca/cakey.pem");
>>>> @@ -1904,7 +1904,7 @@ END
>>>>    # System call is safe, because all arguments are passed as array.
>>>>    system('/usr/bin/openssl', 'ca', '-gencrl',
>>>>    '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>>>    if ($?) {
>>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>        unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>> @@ -2426,8 +2426,8 @@ else
>>>>      if ($confighash{$cgiparams{'KEY'}}) {
>>>>    # Revoke certificate if certificate was deleted and rewrite the CRL
>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>     ###
>>>>   # m.a.d net2net
>>>> @@ -2480,7 +2480,7 @@ else
>>>>    &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
>>>>      delete $confighash{$cgiparams{'KEY'}};
>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
>>>>      } else {
>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>    '-batch', '-notext',
>>>>    '-in', $filename,
>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>        if ($?) {
>>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>    unlink ($filename);
>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>    '-newkey', 'rsa:4096',
>>>>    '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>        $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>    '-batch', '-notext',
>>>>    '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>        if ($?) {
>>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>> index b71b4ccc9..0704aa438 100644
>>>> --- a/lfs/openvpn
>>>> +++ b/lfs/openvpn
>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>    chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>>    chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>>   + # Move the OpenSSL configuration file out of /var/ipfire
>>>> + mkdir -pv /usr/share/openvpn
>>> This creates the new directory.
>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>> + /usr/share/openvpn/
>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
>>>> + rmdir -v /usr/share/openvpn
>>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case.
>>
>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.
>>
>> I will send patches.
>>
>> -Michael
>>
>>> Regards,
>>> Adolf.
>>>> +
>>>>    # Install authenticator
>>>>    install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>>    /usr/sbin/openvpn-authenticator
>>>
>>> -- 
>>> Sent from my laptop
>>
>>
  
Adolf Belka June 9, 2024, 7:58 a.m. UTC | #6
Hi Michael,

I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run.

As soon as I see that the nightly for the master x86_64 has also been run then I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created.

Regards,

Adolf.


On 08/06/2024 13:16, Adolf Belka wrote:
> Re-sending with minor change as I think I left some bits in that made the mail server miss a section out.
>
> Hi Michael,
>
> With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set.
>
> I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater.
>
> The minor changes I made, compared to the existing openvpn lfs and rootfile are the following
>
>
>
>  config/rootfiles/common/openvpn | 2 +-
>  lfs/openvpn                     | 6 ++++++
>  2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index d9848a579..8a36d4bb4 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>  #usr/share/doc/openvpn/openvpn.8.html
>  #usr/share/man/man5/openvpn-examples.5
>  #usr/share/man/man8/openvpn.8
> +usr/share/openvpn/ovpn.cnf
>  var/ipfire/ovpn/ca
>  var/ipfire/ovpn/caconfig
>  var/ipfire/ovpn/ccd
> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>  var/ipfire/ovpn/crls
>  var/ipfire/ovpn/n2nconf
>  #var/ipfire/ovpn/openssl
> -var/ipfire/ovpn/openssl/ovpn.cnf
>  var/ipfire/ovpn/openvpn-authenticator
>  var/ipfire/ovpn/ovpn-leases.db
>  var/ipfire/ovpn/ovpnconfig
> diff --git a/lfs/openvpn b/lfs/openvpn
> index b71b4ccc9..b686cc930 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>      chown root:root /etc/fcron.daily/openvpn-crl-updater
>      chmod 750 /etc/fcron.daily/openvpn-crl-updater
>
> +    # Move the OpenSSL configuration file out of /var/ipfire
> +    mkdir -pv /usr/share/openvpn
> +    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
> +        /usr/share/openvpn/
> +    rmdir -v /var/ipfire/ovpn/openssl
> +
>      # Install authenticator
>      install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>          /usr/sbin/openvpn-authenticator
>
>
> So I think we are close to having it working.
>
> I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now.
>
> I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch.
>
>
> Regards,
>
> Adolf.
>
>
> On 08/06/2024 12:43, Adolf Belka wrote:
>> Hi Michael,
>>
>> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location.
>>
>>  am now doing a build on my vm and will see if that then creates the certificates or not.
>>
>> Regards,
>> Adolf.
>>
>> On 08/06/2024 12:14, Michael Tremer wrote:
>>> Hello,
>>>
>>> Thanks for testing this.
>>>
>>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>
>>>> Hi Michael,
>>>>
>>>> On 07/06/2024 18:01, Michael Tremer wrote:
>>>>> We should not have any configuration files that we share in this place,
>>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>>> should be able to update it without any issues.
>>>>>
>>>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>>>> ---
>>>>>   config/ovpn/openvpn-crl-updater |  3 +--
>>>>>   config/rootfiles/common/openvpn |  2 +-
>>>>>   html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>>>>>   lfs/openvpn                     |  6 ++++++
>>>>>   4 files changed, 18 insertions(+), 13 deletions(-)
>>>>>
>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
>>>>> index 5fbe21080..5008d6725 100644
>>>>> --- a/config/ovpn/openvpn-crl-updater
>>>>> +++ b/config/ovpn/openvpn-crl-updater
>>>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
>>>>>   CRL="${OVPN}/crls/cacrl.pem"
>>>>>   CAKEY="${OVPN}/ca/cakey.pem"
>>>>>   CACERT="${OVPN}/ca/cacert.pem"
>>>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
>>>>>     # Check if CRL is presant or if OpenVPN is active
>>>>>   if [ ! -e "${CAKEY}" ]; then
>>>>> @@ -76,7 +75,7 @@ UPDATE="14"
>>>>>   ## Mainpart
>>>>>   # Check if OpenVPNs CRL needs to be renewed
>>>>>   if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>>>>> -    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>>>>> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>>>>    logger -t openvpn "CRL has been updated"
>>>>>       else
>>>>>    logger -t openvpn "error: Could not update CRL"
>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>>>> index d9848a579..c0d49bfad 100644
>>>>> --- a/config/rootfiles/common/openvpn
>>>>> +++ b/config/rootfiles/common/openvpn
>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>>>   #usr/share/doc/openvpn/openvpn.8.html
>>>>>   #usr/share/man/man5/openvpn-examples.5
>>>>>   #usr/share/man/man8/openvpn.8
>>>>> +usr/share/openvpn/openssl.cnf
>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf
>>>
>>> Oh.
>>>
>>>>>   var/ipfire/ovpn/ca
>>>>>   var/ipfire/ovpn/caconfig
>>>>>   var/ipfire/ovpn/ccd
>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>>>   var/ipfire/ovpn/crls
>>>>>   var/ipfire/ovpn/n2nconf
>>>>>   #var/ipfire/ovpn/openssl
>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>>>   var/ipfire/ovpn/openvpn-authenticator
>>>>>   var/ipfire/ovpn/ovpn-leases.db
>>>>>   var/ipfire/ovpn/ovpnconfig
>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>>> index c92d0237d..f0172978f 100755
>>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>>> @@ -1836,7 +1836,7 @@ END
>>>>>    '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>>>>    '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>>>>    '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>    goto ROOTCERT_ERROR;
>>>>>        }
>>>>> @@ -1868,7 +1868,7 @@ END
>>>>>    '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>>>>    '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>>    '-extensions', 'server',
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>>    unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>>>>> @@ -1885,7 +1885,7 @@ END
>>>>>    '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>>    '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>>>>    '-extensions', 'server',
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>    if ($?) {
>>>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>        unlink ("${General::swroot}/ovpn/ca/cakey.pem");
>>>>> @@ -1904,7 +1904,7 @@ END
>>>>>    # System call is safe, because all arguments are passed as array.
>>>>>    system('/usr/bin/openssl', 'ca', '-gencrl',
>>>>>    '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>>>>    if ($?) {
>>>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>        unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>> @@ -2426,8 +2426,8 @@ else
>>>>>      if ($confighash{$cgiparams{'KEY'}}) {
>>>>>    # Revoke certificate if certificate was deleted and rewrite the CRL
>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>>     ###
>>>>>   # m.a.d net2net
>>>>> @@ -2480,7 +2480,7 @@ else
>>>>>    &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
>>>>>      delete $confighash{$cgiparams{'KEY'}};
>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
>>>>>      } else {
>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>    '-batch', '-notext',
>>>>>    '-in', $filename,
>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>        if ($?) {
>>>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>    unlink ($filename);
>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>    '-newkey', 'rsa:4096',
>>>>>    '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>>        $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>    '-batch', '-notext',
>>>>>    '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>        if ($?) {
>>>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>>> index b71b4ccc9..0704aa438 100644
>>>>> --- a/lfs/openvpn
>>>>> +++ b/lfs/openvpn
>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>>    chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>>>    chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>>>   + # Move the OpenSSL configuration file out of /var/ipfire
>>>>> + mkdir -pv /usr/share/openvpn
>>>> This creates the new directory.
>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>>> + /usr/share/openvpn/
>>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
>>>>> + rmdir -v /usr/share/openvpn
>>>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case.
>>>
>>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.
>>>
>>> I will send patches.
>>>
>>> -Michael
>>>
>>>> Regards,
>>>> Adolf.
>>>>> +
>>>>>    # Install authenticator
>>>>>    install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>>>    /usr/sbin/openvpn-authenticator
>>>>
>>>> -- 
>>>> Sent from my laptop
>>>
>>>
  
Michael Tremer June 10, 2024, 4:02 p.m. UTC | #7
Hello,

> On 9 Jun 2024, at 08:58, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run.

I didn’t merge the patches into master right away, and so the latest testing update doesn’t have the fixes.

The latest patches did fix the problem, but ovpnmain.cgi is not part of the updater. So I have to do the final build again.

After updating that file, the certificates can be generated properly.

This is so messy :(

> As soon as I see that the nightly for the master x86_64 has also been run then I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created.

Thank you for confirming.

-Michael

> Regards,
> 
> Adolf.
> 
> 
> On 08/06/2024 13:16, Adolf Belka wrote:
>> Re-sending with minor change as I think I left some bits in that made the mail server miss a section out.
>> 
>> Hi Michael,
>> 
>> With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set.
>> 
>> I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater.
>> 
>> The minor changes I made, compared to the existing openvpn lfs and rootfile are the following
>> 
>> 
>> 
>>  config/rootfiles/common/openvpn | 2 +-
>>  lfs/openvpn                     | 6 ++++++
>>  2 files changed, 7 insertions(+), 1 deletion(-)
>> 
>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>> index d9848a579..8a36d4bb4 100644
>> --- a/config/rootfiles/common/openvpn
>> +++ b/config/rootfiles/common/openvpn
>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>  #usr/share/doc/openvpn/openvpn.8.html
>>  #usr/share/man/man5/openvpn-examples.5
>>  #usr/share/man/man8/openvpn.8
>> +usr/share/openvpn/ovpn.cnf
>>  var/ipfire/ovpn/ca
>>  var/ipfire/ovpn/caconfig
>>  var/ipfire/ovpn/ccd
>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>  var/ipfire/ovpn/crls
>>  var/ipfire/ovpn/n2nconf
>>  #var/ipfire/ovpn/openssl
>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>  var/ipfire/ovpn/openvpn-authenticator
>>  var/ipfire/ovpn/ovpn-leases.db
>>  var/ipfire/ovpn/ovpnconfig
>> diff --git a/lfs/openvpn b/lfs/openvpn
>> index b71b4ccc9..b686cc930 100644
>> --- a/lfs/openvpn
>> +++ b/lfs/openvpn
>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>      chown root:root /etc/fcron.daily/openvpn-crl-updater
>>      chmod 750 /etc/fcron.daily/openvpn-crl-updater
>> 
>> +    # Move the OpenSSL configuration file out of /var/ipfire
>> +    mkdir -pv /usr/share/openvpn
>> +    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>> +        /usr/share/openvpn/
>> +    rmdir -v /var/ipfire/ovpn/openssl
>> +
>>      # Install authenticator
>>      install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>          /usr/sbin/openvpn-authenticator
>> 
>> 
>> So I think we are close to having it working.
>> 
>> I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now.
>> 
>> I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch.
>> 
>> 
>> Regards,
>> 
>> Adolf.
>> 
>> 
>> On 08/06/2024 12:43, Adolf Belka wrote:
>>> Hi Michael,
>>> 
>>> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location.
>>> 
>>>  am now doing a build on my vm and will see if that then creates the certificates or not.
>>> 
>>> Regards,
>>> Adolf.
>>> 
>>> On 08/06/2024 12:14, Michael Tremer wrote:
>>>> Hello,
>>>> 
>>>> Thanks for testing this.
>>>> 
>>>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>> 
>>>>> Hi Michael,
>>>>> 
>>>>> On 07/06/2024 18:01, Michael Tremer wrote:
>>>>>> We should not have any configuration files that we share in this place,
>>>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>>>> should be able to update it without any issues.
>>>>>> 
>>>>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>>>>> ---
>>>>>>   config/ovpn/openvpn-crl-updater |  3 +--
>>>>>>   config/rootfiles/common/openvpn |  2 +-
>>>>>>   html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>>>>>>   lfs/openvpn                     |  6 ++++++
>>>>>>   4 files changed, 18 insertions(+), 13 deletions(-)
>>>>>> 
>>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
>>>>>> index 5fbe21080..5008d6725 100644
>>>>>> --- a/config/ovpn/openvpn-crl-updater
>>>>>> +++ b/config/ovpn/openvpn-crl-updater
>>>>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
>>>>>>   CRL="${OVPN}/crls/cacrl.pem"
>>>>>>   CAKEY="${OVPN}/ca/cakey.pem"
>>>>>>   CACERT="${OVPN}/ca/cacert.pem"
>>>>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
>>>>>>     # Check if CRL is presant or if OpenVPN is active
>>>>>>   if [ ! -e "${CAKEY}" ]; then
>>>>>> @@ -76,7 +75,7 @@ UPDATE="14"
>>>>>>   ## Mainpart
>>>>>>   # Check if OpenVPNs CRL needs to be renewed
>>>>>>   if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>>>>>> -    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>>>>>> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>>>>>    logger -t openvpn "CRL has been updated"
>>>>>>       else
>>>>>>    logger -t openvpn "error: Could not update CRL"
>>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>>>>> index d9848a579..c0d49bfad 100644
>>>>>> --- a/config/rootfiles/common/openvpn
>>>>>> +++ b/config/rootfiles/common/openvpn
>>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>>>>   #usr/share/doc/openvpn/openvpn.8.html
>>>>>>   #usr/share/man/man5/openvpn-examples.5
>>>>>>   #usr/share/man/man8/openvpn.8
>>>>>> +usr/share/openvpn/openssl.cnf
>>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf
>>>> 
>>>> Oh.
>>>> 
>>>>>>   var/ipfire/ovpn/ca
>>>>>>   var/ipfire/ovpn/caconfig
>>>>>>   var/ipfire/ovpn/ccd
>>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>>>>   var/ipfire/ovpn/crls
>>>>>>   var/ipfire/ovpn/n2nconf
>>>>>>   #var/ipfire/ovpn/openssl
>>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>>>>   var/ipfire/ovpn/openvpn-authenticator
>>>>>>   var/ipfire/ovpn/ovpn-leases.db
>>>>>>   var/ipfire/ovpn/ovpnconfig
>>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>>>> index c92d0237d..f0172978f 100755
>>>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>>>> @@ -1836,7 +1836,7 @@ END
>>>>>>    '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>>>>>    '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>>>>>    '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>>    goto ROOTCERT_ERROR;
>>>>>>        }
>>>>>> @@ -1868,7 +1868,7 @@ END
>>>>>>    '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>>>>>    '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>>>    '-extensions', 'server',
>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>>>>>    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>>    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>>>    unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>>>>>> @@ -1885,7 +1885,7 @@ END
>>>>>>    '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>>>    '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>>>>>    '-extensions', 'server',
>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>>    if ($?) {
>>>>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>>        unlink ("${General::swroot}/ovpn/ca/cakey.pem");
>>>>>> @@ -1904,7 +1904,7 @@ END
>>>>>>    # System call is safe, because all arguments are passed as array.
>>>>>>    system('/usr/bin/openssl', 'ca', '-gencrl',
>>>>>>    '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>>>>>    if ($?) {
>>>>>>        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>>        unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>>> @@ -2426,8 +2426,8 @@ else
>>>>>>      if ($confighash{$cgiparams{'KEY'}}) {
>>>>>>    # Revoke certificate if certificate was deleted and rewrite the CRL
>>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>>>     ###
>>>>>>   # m.a.d net2net
>>>>>> @@ -2480,7 +2480,7 @@ else
>>>>>>    &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
>>>>>>      delete $confighash{$cgiparams{'KEY'}};
>>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
>>>>>>      } else {
>>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>>    '-batch', '-notext',
>>>>>>    '-in', $filename,
>>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>>        if ($?) {
>>>>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>>    unlink ($filename);
>>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>>    '-newkey', 'rsa:4096',
>>>>>>    '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>>>        $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>>>        unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
>>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>>    '-batch', '-notext',
>>>>>>    '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>>>    '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>>        if ($?) {
>>>>>>    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>>    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>>>> index b71b4ccc9..0704aa438 100644
>>>>>> --- a/lfs/openvpn
>>>>>> +++ b/lfs/openvpn
>>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>>>    chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>>>>    chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>>>>   + # Move the OpenSSL configuration file out of /var/ipfire
>>>>>> + mkdir -pv /usr/share/openvpn
>>>>> This creates the new directory.
>>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>>>> + /usr/share/openvpn/
>>>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
>>>>>> + rmdir -v /usr/share/openvpn
>>>>> This then seems to be trying to delete the directory that was just created, which looks incorrect to me — unless I have misunderstood what this patch is trying to do overall, which could also be the case.
>>>> 
>>>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.
>>>> 
>>>> I will send patches.
>>>> 
>>>> -Michael
>>>> 
>>>>> Regards,
>>>>> Adolf.
>>>>>> +
>>>>>>    # Install authenticator
>>>>>>    install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>>>>    /usr/sbin/openvpn-authenticator
>>>>> 
>>>>> -- 
>>>>> Sent from my laptop
>>>> 
>>>>
  
Adolf Belka June 11, 2024, 9:09 a.m. UTC | #8
Hi Michael,

On 10/06/2024 18:02, Michael Tremer wrote:
> Hello,
> 
>> On 9 Jun 2024, at 08:58, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi Michael,
>>
>> I saw that updated patches for the path changes had been merged into Core Update 186 and the nightly run.
> 
> I didn’t merge the patches into master right away, and so the latest testing update doesn’t have the fixes.
> 
> However, the latest patches fixed the problem, but ovpnmain.cgi is not part of the updater. So I have to do the final build again.
> 
> After updating that file, the certificates can be generated properly.
> 
> This is so messy :(
> 
>> As soon as I see that the nightly for the master x86_64 has also been run then I will test out the latest Core Update 186 Testing with those changes on an update from 185 to 186 and confirm that afterwards the x509 certificate set can be successfully created.
> 
> Thank you for confirming.
The master nightly was updated last night so I have tested today.

Testing the x509 creation on the CU185 vm failed, as would be expected.

I then ran the update to CU186 Testing. Checked the /usr/share/openvpn/ directory. It was present and contained ovpn.cnf.

I then rebooted and then ran the x509 creation.

It was successful in that it created the root and host certificates.

I then created an openvpn client connection from it to my laptop. I was able to successfully create an OpenVPN Road Warrior connection.

So it looks (fingers crossed) as if it is now working correctly, in that the OpenSSL config file for OpenVPN is updated by the Core Update.

Regards,
Adolf.

> 
> -Michael
> 
>> Regards,
>>
>> Adolf.
>>
>>
>> On 08/06/2024 13:16, Adolf Belka wrote:
>>> Re-sending with minor change as I think I left some bits in that made the mail server miss a section out.
>>>
>>> Hi Michael,
>>>
>>> With the small changes I made it now successfully built and also after installing in a vm it has built the x509 certificate set.
>>>
>>> I suspect successfully as I didn't change any of the changes you made to the ovpnmain.cgi or the openvpn-crl-updater.
>>>
>>> The minor changes I made, compared to the existing openvpn lfs and rootfile are the following
>>>
>>>
>>>
>>>   config/rootfiles/common/openvpn | 2 +-
>>>   lfs/openvpn                     | 6 ++++++
>>>   2 files changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>> index d9848a579..8a36d4bb4 100644
>>> --- a/config/rootfiles/common/openvpn
>>> +++ b/config/rootfiles/common/openvpn
>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>   #usr/share/doc/openvpn/openvpn.8.html
>>>   #usr/share/man/man5/openvpn-examples.5
>>>   #usr/share/man/man8/openvpn.8
>>> +usr/share/openvpn/ovpn.cnf
>>>   var/ipfire/ovpn/ca
>>>   var/ipfire/ovpn/caconfig
>>>   var/ipfire/ovpn/ccd
>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>   var/ipfire/ovpn/crls
>>>   var/ipfire/ovpn/n2nconf
>>>   #var/ipfire/ovpn/openssl
>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>   var/ipfire/ovpn/openvpn-authenticator
>>>   var/ipfire/ovpn/ovpn-leases.db
>>>   var/ipfire/ovpn/ovpnconfig
>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>> index b71b4ccc9..b686cc930 100644
>>> --- a/lfs/openvpn
>>> +++ b/lfs/openvpn
>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>       chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>       chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>
>>> +    # Move the OpenSSL configuration file out of /var/ipfire
>>> +    mkdir -pv /usr/share/openvpn
>>> +    mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>> +        /usr/share/openvpn/
>>> +    rmdir -v /var/ipfire/ovpn/openssl
>>> +
>>>       # Install authenticator
>>>       install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>           /usr/sbin/openvpn-authenticator
>>>
>>>
>>> So I think we are close to having it working.
>>>
>>> I will create an OpenVPN Roadwarrior connection with the x509 certificate set that has been created to confirm that it is all working properly now.
>>>
>>> I can in fact confirm that a successful road warrior connection was able to be made with the x509 cert set that was created with the modified patch.
>>>
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>>
>>> On 08/06/2024 12:43, Adolf Belka wrote:
>>>> Hi Michael,
>>>>
>>>> I have made a change to the rootfile and the lfs file only and that has now successfully built. That will only have ovpn.cnf in the new location.
>>>>
>>>>   am now doing a build on my vm and will see if that then creates the certificates or not.
>>>>
>>>> Regards,
>>>> Adolf.
>>>>
>>>> On 08/06/2024 12:14, Michael Tremer wrote:
>>>>> Hello,
>>>>>
>>>>> Thanks for testing this.
>>>>>
>>>>>> On 8 Jun 2024, at 09:40, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>>>
>>>>>> Hi Michael,
>>>>>>
>>>>>> On 07/06/2024 18:01, Michael Tremer wrote:
>>>>>>> We should not have any configuration files that we share in this place,
>>>>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>>>>> should be able to update it without any issues.
>>>>>>>
>>>>>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>>>>>> ---
>>>>>>>    config/ovpn/openvpn-crl-updater |  3 +--
>>>>>>>    config/rootfiles/common/openvpn |  2 +-
>>>>>>>    html/cgi-bin/ovpnmain.cgi       | 20 ++++++++++----------
>>>>>>>    lfs/openvpn                     |  6 ++++++
>>>>>>>    4 files changed, 18 insertions(+), 13 deletions(-)
>>>>>>>
>>>>>>> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
>>>>>>> index 5fbe21080..5008d6725 100644
>>>>>>> --- a/config/ovpn/openvpn-crl-updater
>>>>>>> +++ b/config/ovpn/openvpn-crl-updater
>>>>>>> @@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
>>>>>>>    CRL="${OVPN}/crls/cacrl.pem"
>>>>>>>    CAKEY="${OVPN}/ca/cakey.pem"
>>>>>>>    CACERT="${OVPN}/ca/cacert.pem"
>>>>>>> -OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
>>>>>>>      # Check if CRL is presant or if OpenVPN is active
>>>>>>>    if [ ! -e "${CAKEY}" ]; then
>>>>>>> @@ -76,7 +75,7 @@ UPDATE="14"
>>>>>>>    ## Mainpart
>>>>>>>    # Check if OpenVPNs CRL needs to be renewed
>>>>>>>    if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
>>>>>>> -    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
>>>>>>> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
>>>>>>>     logger -t openvpn "CRL has been updated"
>>>>>>>        else
>>>>>>>     logger -t openvpn "error: Could not update CRL"
>>>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>>>>>> index d9848a579..c0d49bfad 100644
>>>>>>> --- a/config/rootfiles/common/openvpn
>>>>>>> +++ b/config/rootfiles/common/openvpn
>>>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>>>>>    #usr/share/doc/openvpn/openvpn.8.html
>>>>>>>    #usr/share/man/man5/openvpn-examples.5
>>>>>>>    #usr/share/man/man8/openvpn.8
>>>>>>> +usr/share/openvpn/openssl.cnf
>>>>>> In the rootfile the file name is not only moved from /var/ipfire/ovpn/openssl/ but also renamed from ovpn.cnf to openssl.cnf but all the rest of the code continues to use ovpn.cnf
>>>>>
>>>>> Oh.
>>>>>
>>>>>>>    var/ipfire/ovpn/ca
>>>>>>>    var/ipfire/ovpn/caconfig
>>>>>>>    var/ipfire/ovpn/ccd
>>>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>>>>>    var/ipfire/ovpn/crls
>>>>>>>    var/ipfire/ovpn/n2nconf
>>>>>>>    #var/ipfire/ovpn/openssl
>>>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>>>>>    var/ipfire/ovpn/openvpn-authenticator
>>>>>>>    var/ipfire/ovpn/ovpn-leases.db
>>>>>>>    var/ipfire/ovpn/ovpnconfig
>>>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>>>>> index c92d0237d..f0172978f 100755
>>>>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>>>>> @@ -1836,7 +1836,7 @@ END
>>>>>>>     '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
>>>>>>>     '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
>>>>>>>     '-out', "${General::swroot}/ovpn/ca/cacert.pem",
>>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>>>>     $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>>>     goto ROOTCERT_ERROR;
>>>>>>>         }
>>>>>>> @@ -1868,7 +1868,7 @@ END
>>>>>>>     '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
>>>>>>>     '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>>>>     '-extensions', 'server',
>>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
>>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" )) {
>>>>>>>     $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>>>     unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>>>>     unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
>>>>>>> @@ -1885,7 +1885,7 @@ END
>>>>>>>     '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
>>>>>>>     '-out', "${General::swroot}/ovpn/certs/servercert.pem",
>>>>>>>     '-extensions', 'server',
>>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>>>     if ($?) {
>>>>>>>         $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>>>         unlink ("${General::swroot}/ovpn/ca/cakey.pem");
>>>>>>> @@ -1904,7 +1904,7 @@ END
>>>>>>>     # System call is safe, because all arguments are passed as array.
>>>>>>>     system('/usr/bin/openssl', 'ca', '-gencrl',
>>>>>>>     '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
>>>>>>> - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
>>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf" );
>>>>>>>     if ($?) {
>>>>>>>         $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>>>         unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
>>>>>>> @@ -2426,8 +2426,8 @@ else
>>>>>>>       if ($confighash{$cgiparams{'KEY'}}) {
>>>>>>>     # Revoke certificate if certificate was deleted and rewrite the CRL
>>>>>>> - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>>> + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>>>>      ###
>>>>>>>    # m.a.d net2net
>>>>>>> @@ -2480,7 +2480,7 @@ else
>>>>>>>     &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
>>>>>>>       delete $confighash{$cgiparams{'KEY'}};
>>>>>>> - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>>> + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
>>>>>>> &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
>>>>>>>       } else {
>>>>>>> @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>>>     '-batch', '-notext',
>>>>>>>     '-in', $filename,
>>>>>>>     '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>>>         if ($?) {
>>>>>>>     $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>>>     unlink ($filename);
>>>>>>> @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>>>     '-newkey', 'rsa:4096',
>>>>>>>     '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
>>>>>>>     '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
>>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf")) {
>>>>>>>         $errormessage = "$Lang::tr{'cant start openssl'}: $!";
>>>>>>>         unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>>>>         unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
>>>>>>> @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>>>>>>     '-batch', '-notext',
>>>>>>>     '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
>>>>>>>     '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
>>>>>>> - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
>>>>>>> + '-config', "/usr/share/openvpn/ovpn.cnf");
>>>>>>>         if ($?) {
>>>>>>>     $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>>>>>>>     unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
>>>>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>>>>> index b71b4ccc9..0704aa438 100644
>>>>>>> --- a/lfs/openvpn
>>>>>>> +++ b/lfs/openvpn
>>>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>>>>     chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>>>>>     chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>>>>>    + # Move the OpenSSL configuration file out of /var/ipfire
>>>>>>> + mkdir -pv /usr/share/openvpn
>>>>>> This creates the new directory.
>>>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>>>>> + /usr/share/openvpn/
>>>>>> This then moves the ovpn.cnf file from the old location to the new one but keeps the name the same. This will then mismatch with the rootfile change.
>>>>>>> + rmdir -v /usr/share/openvpn
>>>>>> This then seems to me to be trying to delete the newly created directory which seems incorrect to me unless I have misunderstood what is trying to be done with this overall patch, which could also be the case.
>>>>>
>>>>> Yes, I have no idea what I did when I developed this the first time. Nothing good obviously.
>>>>>
>>>>> I will send patches.
>>>>>
>>>>> -Michael
>>>>>
>>>>>> Regards,
>>>>>> Adolf.
>>>>>>> +
>>>>>>>     # Install authenticator
>>>>>>>     install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>>>>>     /usr/sbin/openvpn-authenticator
>>>>>>
>>>>>> -- 
>>>>>> Sent from my laptop
>>>>>
>>>>>
>
  

Patch

diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
index 5fbe21080..5008d6725 100644
--- a/config/ovpn/openvpn-crl-updater
+++ b/config/ovpn/openvpn-crl-updater
@@ -43,7 +43,6 @@  OVPN="/var/ipfire/ovpn"
 CRL="${OVPN}/crls/cacrl.pem"
 CAKEY="${OVPN}/ca/cakey.pem"
 CACERT="${OVPN}/ca/cacert.pem"
-OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
 
 # Check if CRL is presant or if OpenVPN is active
 if [ ! -e "${CAKEY}" ]; then
@@ -76,7 +75,7 @@  UPDATE="14"
 ## Mainpart
 # Check if OpenVPNs CRL needs to be renewed
 if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
-    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
 		logger -t openvpn "CRL has been updated"
     else
 		logger -t openvpn "error: Could not update CRL"
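Review bot: The new `-config` argument inlines the absolute path where the removed `OPENSSLCONF` variable (hunk at line 43) used to hold it, so this script now carries a bare literal next to the `OVPN`/`CRL`/`CAKEY`/`CACERT` definitions that keep the variable style. Keeping the variable and only changing its value, `OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"`, leaves the `openssl ca` line untouched and keeps the path in one place for the next relocation. A guard next to the existing `CAKEY` check, `[ -r "${OPENSSLCONF}" ] || { logger -t openvpn "error: ${OPENSSLCONF} is missing"; exit 1; }`, would also make a missing config file distinguishable from a signing failure in the log, which matters because a stale CRL keeps revoked clients connectable. The enclosing `if` block ends outside the hunk.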
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..c0d49bfad 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@  usr/sbin/openvpn-authenticator
 #usr/share/doc/openvpn/openvpn.8.html
 #usr/share/man/man5/openvpn-examples.5
 #usr/share/man/man8/openvpn.8
+usr/share/openvpn/openssl.cnf
 var/ipfire/ovpn/ca
 var/ipfire/ovpn/caconfig
 var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@  var/ipfire/ovpn/certs/serial
 var/ipfire/ovpn/crls
 var/ipfire/ovpn/n2nconf
 #var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
 var/ipfire/ovpn/openvpn-authenticator
 var/ipfire/ovpn/ovpn-leases.db
 var/ipfire/ovpn/ovpnconfig
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d..f0172978f 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1836,7 +1836,7 @@  END
 			'-days', '999999', '-newkey', 'rsa:4096', '-sha512',
 			'-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
 			'-out', "${General::swroot}/ovpn/ca/cacert.pem",
-			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+			'-config', "/usr/share/openvpn/ovpn.cnf")) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		goto ROOTCERT_ERROR;
 	    }
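Review bot: The same absolute path `/usr/share/openvpn/ovpn.cnf` is now pasted as a string literal into nine `openssl` invocations (this hunk and the hunks at lines 1868, 1885, 1904, 2426, 2480, 4053, 4266 and 4280), where the old form at least derived it from `${General::swroot}`. Defining it once at file scope, `my $opensslconf = "/usr/share/openvpn/ovpn.cnf";`, and passing `'-config', $opensslconf` in each call keeps the CA configuration location in a single place, which is precisely what this patch needed. A short comment there, `# CA config lives under /usr/share so core updates can replace it; CA state stays under ${General::swroot}/ovpn`, would record why the path no longer follows swroot, if that is indeed the reason. Every enclosing block of these hunks starts and ends outside the hunk.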
@@ -1868,7 +1868,7 @@  END
 			'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
 			'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
 			'-extensions', 'server',
-			'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
+			'-config', "/usr/share/openvpn/ovpn.cnf" )) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
 		unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
@@ -1885,7 +1885,7 @@  END
 		'-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
 		'-out', "${General::swroot}/ovpn/certs/servercert.pem",
 		'-extensions', 'server',
-		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
 	if ($?) {
 	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 	    unlink ("${General::swroot}/ovpn/ca/cakey.pem");
@@ -1904,7 +1904,7 @@  END
 	# System call is safe, because all arguments are passed as array.
 	system('/usr/bin/openssl', 'ca', '-gencrl',
 		'-out', "${General::swroot}/ovpn/crls/cacrl.pem",
-		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
+		'-config', "/usr/share/openvpn/ovpn.cnf" );
 	if ($?) {
 	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 	    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
@@ -2426,8 +2426,8 @@  else
 
 	if ($confighash{$cgiparams{'KEY'}}) {
 		# Revoke certificate if certificate was deleted and rewrite the CRL
-		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
-		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
 
 ###
 # m.a.d net2net
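Review bot: The rewritten `-revoke` and `-gencrl` calls on the new side still discard their result, whereas the equivalent `-gencrl` in the hunk at line 1904 checks `$?` and sets `$errormessage`. If revocation fails here the client's certificate stays unrevoked and the CRL stale, and nothing tells the administrator, while the rest of the block (outside the hunk) presumably goes on to drop the entry from the configuration. If `&General::system` returns the exit status (its definition is not visible here), capture it for both calls and set `$errormessage = "$Lang::tr{'openssl produced an error'}: $?";` before continuing, or at least log the failure. The enclosing `if` starts in the hunk but ends outside it.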
@@ -2480,7 +2480,7 @@  else
 		&General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
 
 		delete $confighash{$cgiparams{'KEY'}};
-		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
 		&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 
 	} else {
@@ -4053,7 +4053,7 @@  if ($cgiparams{'TYPE'} eq 'net') {
 		'-batch', '-notext',
 		'-in', $filename,
 		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
 	    if ($?) {
 		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 		unlink ($filename);
@@ -4266,7 +4266,7 @@  if ($cgiparams{'TYPE'} eq 'net') {
 			'-newkey', 'rsa:4096',
 			'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
 			'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
-			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+			'-config', "/usr/share/openvpn/ovpn.cnf")) {
 		    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
 		    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
@@ -4280,7 +4280,7 @@  if ($cgiparams{'TYPE'} eq 'net') {
 		'-batch', '-notext',
 		'-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
 		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
 	    if ($?) {
 		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 		unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..0704aa438 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	chown root:root /etc/fcron.daily/openvpn-crl-updater
 	chmod 750 /etc/fcron.daily/openvpn-crl-updater
 
+	# Move the OpenSSL configuration file out of /var/ipfire
+	mkdir -pv /usr/share/openvpn
+	mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+		/usr/share/openvpn/
+	rmdir -v /usr/share/openvpn
+
 	# Install authenticator
 	install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
 		/usr/sbin/openvpn-authenticator
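Review bot: The `mv -v` in this hunk installs the config file with whatever mode and owner it already has under `/var/ipfire/ovpn` (how it got there is earlier in the `$(TARGET)` recipe, outside the hunk), and it fails outright if the step is re-run after the file has already moved. `install -v -m 644 /var/ipfire/ovpn/openssl/ovpn.cnf /usr/share/openvpn/ovpn.cnf` gives a known mode and is repeatable, matching the `install -v -m 755` pattern used for the authenticator two lines below; if the file is copied from `$(DIR_SRC)/config/ovpn` earlier in the recipe, installing it from there directly would be cleaner still. With that, the `mkdir -pv` line becomes `install -v -d -m 755 /usr/share/openvpn` for the same reason.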