Koozali.org: home of the SME Server

Problem OpenVPN Bridge Contrib (Exiting due to fatal error)

Offline joost

  • 19
  • +0/-0
Hi, I'm new at this forum, not new to SME 9.1:

I've got a problem after installing the OpenVPN bridge contrib in combination with PHPki. The output of
Code:
tailf /var/log/openvpn-bridge/current
Output:

Code:
@400000005746fb0b0b6f73bc OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan  4 2016
@400000005746fb0b0b6f7b8c library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005746fb0b0b741354 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005746fb0b0b74a3dc NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005746fb0b0b7d7994 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005746fb0b0ba05b44 Diffie-Hellman initialized with 1024 bit key
@400000005746fb0b0ba5c214 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
@400000005746fb0b0ba5cdcc Exiting due to fatal error

Could anyone please help me. I don't know where to start.

Offline Daniel B.

  • *
  • 1,699
  • +0/-0
    • Firewall Services, network security
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #1 on: May 26, 2016, 04:29:40 PM »
The private key associated with the server certificate is password protected. It must not be password protected for the daemon to start. You should create a new cert and be sure not to password protect its key (or play with openssl to remove the password protection on the existing key, but it's a bit harder)
It's the end of the world!!! :lol:

Offline joost

  • 19
  • +0/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #2 on: May 26, 2016, 04:39:02 PM »
Thanks. That worked!

guest22

Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #3 on: May 26, 2016, 10:57:28 PM »
Quote
Hi, I'm new at this forum, not new to SME 9.1:

Welcome Joost!

Offline globalsi

  • ****
  • 167
  • +0/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #4 on: March 17, 2020, 11:54:47 AM »
Hi,
I have the same problem on SME 9.2

Code:
tailf /var/log/openvpn-bridge/current
Code:
@400000005e70ab3c0a8b5d1c WARNING: file 'priv/key.pem' is group or others accessible
@400000005e70ab3c0a8b6104 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
@400000005e70ab3c0a8b93cc library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005e70ab3c0a8ec434 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005e70ab3c0a8fc9ec NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005e70ab3c0a951d34 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005e70ab3c0a9822a4 OpenSSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
@400000005e70ab3c0a98362c Cannot load DH parameters from pub/dh.pem
@400000005e70ab3c0a9841e4 Exiting due to fatal error

Can you explain how to create a new cert and be sure not to password protect its key?
I have never set a password except for https://wiki.contribs.org/PHPki#Configure_your_new_PKI (can't do without)

Offline ReetP

  • *
  • 3,731
  • +5/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #6 on: March 17, 2020, 01:10:22 PM »
Quote
Hi,
I have the same problem on SME 9.2

No you don't.

You are jumping to too many conclusions and not reading your logs.

Quote
Code:
tailf /var/log/openvpn-bridge/current
Code:
@400000005e70ab3c0a8b5d1c WARNING: file 'priv/key.pem' is group or others accessible

That's your first issue. I'd try fixing that.

It should look like this - 0600 root:root

-rw------- 1 root root 1679 Sep 30  2019 key.pem

You then might want to look at this

Quote
Code:
Cannot load DH parameters from pub/dh.pem

It should look like this - 0600 root:root

-rw------- 1 root root  245 Sep 30  2019 dh.pem


Quote
Can you explain how create a new cert and be sure not to password protect its key ?
I have never set password except for https://wiki.contribs.org/PHPki#Configure_your_new_PKI (can't do without)

That ONLY applies to the ROOT CA when you create it. You ALWAYS set a password on that.

When you create the client/server certificates you can create them without passwords, but that currently is NOT your issue.

Fix the bits above first.

[Edited wrong permissions]
« Last Edit: March 17, 2020, 10:37:38 PM by ReetP »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
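
A pre-flight check for the three conditions the logs in this thread complain about: Daniel B.'s reply #1 (a passphrase-protected key that a daemon without a tty cannot unlock) and ReetP's reply #6 (key.pem and dh.pem must be 0600 root:root, and dh.pem must be a PEM body OpenSSL can decode, otherwise "bad base64 decode"). This is example code written for this page, not part of the openvpn-bridge contrib or of PHPki; the /etc/openvpn/bridge paths are assumptions copied from the log excerpts, and the sample PEM files it builds are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Example pre-flight check written for this thread (not part of the openvpn-bridge
# contrib or PHPki). The two paths are assumptions copied from the log excerpts.
KEY=/etc/openvpn/bridge/priv/key.pem
DH=/etc/openvpn/bridge/pub/dh.pem

# 1) Reply #1: a passphrase-protected key is fatal because the daemonised process
#    has no tty on which to answer "Enter Private Key Password:".
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# 2) Reply #6: mode must be 0600. Columns 5-10 of `ls -ld` are the group and
#    others triplets; "------" means the "group or others accessible" warning
#    cannot fire.
mode_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

owner_of() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# 3) Reply #6: the PEM body must be well-formed base64, otherwise OpenSSL reports
#    "PEM_read_bio:bad base64 decode" and the DH parameters never load.
pem_body_decodes() {
    body=$(grep -v -e '^-----' -e ':' -e '^$' "$1")   # drop armour and header lines
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | base64 -d >/dev/null 2>&1
}

# Runs every check on a key and a dh.pem, prints one line per finding and returns
# the number of problems (0 means the daemon should get past these errors).
check_openvpn_files() {
    key=$1; dh=$2; expected_owner=${3:-root:root}
    problems=0
    if key_is_encrypted "$key"; then
        echo "FAIL $key: passphrase-protected key; the daemon cannot prompt for it"
        problems=$((problems + 1))
    fi
    for f in "$key" "$dh"; do
        if ! mode_is_private "$f"; then
            echo "FAIL $f: group/others can read it, expected 0600"
            problems=$((problems + 1))
        fi
        if [ "$(owner_of "$f")" != "$expected_owner" ]; then
            echo "FAIL $f: owned by $(owner_of "$f"), expected $expected_owner"
            problems=$((problems + 1))
        fi
        if ! pem_body_decodes "$f"; then
            echo "FAIL $f: PEM body is not valid base64 (truncated or corrupted copy?)"
            problems=$((problems + 1))
        fi
    done
    # Deeper check when openssl is installed: informational only.
    if command -v openssl >/dev/null 2>&1; then
        openssl dhparam -check -noout -in "$dh" 2>&1 | sed "s|^|openssl $dh: |"
    fi
    return "$problems"
}

# --- Constructed sample files (placeholder bodies, not real key material) ---
write_pem() {   # write_pem FILE LABEL LINE... (each extra argument is one body line)
    file=$1; label=$2; shift 2
    { printf '%s\n' "-----BEGIN $label-----"; printf '%s\n' "$@"; printf '%s\n' "-----END $label-----"; } > "$file"
}
TMP=$(mktemp -d)
b64=$(printf 'constructed placeholder, not a real key' | base64)
write_pem "$TMP/key-ok.pem" 'PRIVATE KEY' "$b64"
write_pem "$TMP/key-encrypted.pem" 'RSA PRIVATE KEY' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' "$b64"
write_pem "$TMP/dh-ok.pem" 'DH PARAMETERS' "$b64"
write_pem "$TMP/dh-bad.pem" 'DH PARAMETERS' "${b64}*!"   # stray characters from a bad paste/transfer
chmod 600 "$TMP"/*.pem
chmod 644 "$TMP/dh-bad.pem"   # also trips the "group or others accessible" warning

# Demo on the constructed files, which belong to whoever runs the script; on the
# server run "check_openvpn_files $KEY $DH" as root so the root:root default applies.
me=$(owner_of "$TMP/key-ok.pem")
check_openvpn_files "$TMP/key-ok.pem" "$TMP/dh-ok.pem" "$me" && echo "clean: nothing found"
check_openvpn_files "$TMP/key-encrypted.pem" "$TMP/dh-bad.pem" "$me" || echo "problems found: $?"
```

Run it as root on the server before restarting the daemon; each FAIL line maps to one of the log messages above. If the key turns out to be encrypted, the openssl route Daniel B. mentions is `openssl rsa -in priv/key.pem -out priv/key-nopass.pem` (it asks for the passphrase once and writes an unencrypted copy), after which the copy is moved into place and re-checked for 0600 root:root; OpenVPN's own log line names the other option, `--askpass`.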

Offline globalsi

  • ****
  • 167
  • +0/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #7 on: March 17, 2020, 10:32:13 PM »
Hi,
Thanks for your explanations.
It's OK for priv/key.pem but not for pub/dh.pem
Code:
[root@sme pub]# ll /etc/openvpn/bridge/pub/dh.pem
-rw------- 1 root root 219 17 mars  10:57 /etc/openvpn/bridge/pub/dh.pem
[root@sme pub]# ll /etc/openvpn/bridge/priv/key.pem
-rw------- 1 root root 1860 17 mars  10:57 /etc/openvpn/bridge/priv/key.pem
Code:
[root@sme pub]# tailf /var/log/openvpn-bridge/current
@400000005e7140ea1dfc5a7c Cannot load DH parameters from pub/dh.pem
@400000005e7140ea1dfc5e64 Exiting due to fatal error
@400000005e7140eb249b50a4 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
@400000005e7140eb249b548c library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005e7140eb249dae1c MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005e7140eb249e522c NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005e7140eb24a2da54 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005e7140eb24a602ec OpenSSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
@400000005e7140eb24a602ec Cannot load DH parameters from pub/dh.pem
@400000005e7140eb24a602ec Exiting due to fatal error


pub/dh.pem must be 600 or 644 root:root?

Offline ReetP

  • *
  • 3,731
  • +5/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #8 on: March 17, 2020, 10:35:46 PM »
Sorry.

Both should be 0600 root:root

Offline globalsi

  • ****
  • 167
  • +0/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #9 on: March 17, 2020, 10:42:34 PM »
OK, I set 600 root:root but still "Cannot load DH parameters from pub/dh.pem"

Offline ReetP

  • *
  • 3,731
  • +5/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #10 on: March 17, 2020, 10:52:50 PM »
I can only think you either haven't generated the certificates correctly or not copied them across correctly.

If you are creating a new install I'd suggest you try the updated version we are testing which is more secure.

It will also not be possible to migrate from 0.82 to 0.83 due to increased encryption levels.

I'll post some info tomorrow.

Offline globalsi

  • ****
  • 167
  • +0/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #11 on: March 17, 2020, 11:14:46 PM »
Yes, it's a new OpenVPN install (covid-19... working at home...)
I'll wait for news.
Thanks.

Offline ReetP

  • *
  • 3,731
  • +5/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #12 on: March 17, 2020, 11:40:15 PM »
Cool. It needs some testing!!

Offline globalsi

  • ****
  • 167
  • +0/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #13 on: March 17, 2020, 11:51:51 PM »
The VPN contrib is new but SME 9 is "old" and in production...

Offline ReetP

  • *
  • 3,731
  • +5/-0
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #14 on: March 18, 2020, 12:11:57 AM »
Quote
The VPN contrib is new but SME 9 is "old" and in production...

We've already tested it.

The reason we haven't released it yet is because we aren't sure what to do about in place upgrades.

Seems to work ok (it can't actually break much anyway)

If you had a Rocket account you could have helped test....