Koozali.org: home of the SME Server

Problem OpenVPN Bridge Contrib (Exiting due to fatal error)

joost
Hi, I'm new at this forum, not new to SME 9.1:

I've got a problem after installing the OpenVPN bridge contribs in combination with PHPki. The output of
Code:
tailf /var/log/openvpn-bridge/current
Output:

Code:
@400000005746fb0b0b6f73bc OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan  4 2016
@400000005746fb0b0b6f7b8c library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005746fb0b0b741354 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005746fb0b0b74a3dc NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005746fb0b0b7d7994 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005746fb0b0ba05b44 Diffie-Hellman initialized with 1024 bit key
@400000005746fb0b0ba5c214 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
@400000005746fb0b0ba5cdcc Exiting due to fatal error

Could anyone please help me? I don't know where to start.

Daniel B.
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #1 on: May 26, 2016, 04:29:40 PM »
The private key associated with the server certificate is password protected. It must not be password protected for the daemon to start. You should create a new cert and be sure not to password protect its key (or play with openssl to remove the password protection on the existing key, but it's a bit harder).
It's the end of the world!!! :lol:

joost
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #2 on: May 26, 2016, 04:39:02 PM »
Thanks. That worked!

guest22

Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #3 on: May 26, 2016, 10:57:28 PM »
Quote
Hi, I'm new at this forum, not new to SME 9.1:

Welcome Joost!

globalsi
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #4 on: March 17, 2020, 11:54:47 AM »
Hi,
I have the same problem on SME 9.2

Code:
tailf /var/log/openvpn-bridge/current
Code:
@400000005e70ab3c0a8b5d1c WARNING: file 'priv/key.pem' is group or others accessible
@400000005e70ab3c0a8b6104 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
@400000005e70ab3c0a8b93cc library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005e70ab3c0a8ec434 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005e70ab3c0a8fc9ec NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005e70ab3c0a951d34 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005e70ab3c0a9822a4 OpenSSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
@400000005e70ab3c0a98362c Cannot load DH parameters from pub/dh.pem
@400000005e70ab3c0a9841e4 Exiting due to fatal error

Can you explain how to create a new cert and be sure not to password-protect its key?
I have never set a password except for https://wiki.contribs.org/PHPki#Configure_your_new_PKI (can't do without)

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #6 on: March 17, 2020, 01:10:22 PM »
Quote
Hi,
I have the same problem on SME 9.2

No you don't.

You are jumping to too many conclusions and not reading your logs.

Quote
Code:
tailf /var/log/openvpn-bridge/current
Code:
@400000005e70ab3c0a8b5d1c WARNING: file 'priv/key.pem' is group or others accessible

That's your first issue. I'd try fixing that.

It should look like this - 0600 root:root

-rw------- 1 root root 1679 Sep 30  2019 key.pem

You then might want to look at this

Quote
Code:
Cannot load DH parameters from pub/dh.pem

It should look like this - 0600 root:root

-rw------- 1 root root  245 Sep 30  2019 dh.pem


Quote
Can you explain how to create a new cert and be sure not to password-protect its key?
I have never set a password except for https://wiki.contribs.org/PHPki#Configure_your_new_PKI (can't do without)

That ONLY applies to the ROOT CA when you create it. You ALWAYS set a password on that.

When you create the client/server certificates you can create them without passwords, but that currently is NOT your issue.

Fix the bits above first.

[Edited wrong permissions]
« Last Edit: March 17, 2020, 10:37:38 PM by ReetP »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
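The three start-up failures discussed so far (a passphrase-protected key in reply #1, loose permissions and an undecodable dh.pem in reply #6) can be caught before the daemon is restarted. The script below is an added example, not part of the thread or of the openvpn-bridge contrib; it assumes the contrib's layout /etc/openvpn/bridge/priv/key.pem and /etc/openvpn/bridge/pub/dh.pem as shown in globalsi's ll output, and only needs POSIX sh with ls, sed, grep and base64. The PEM check is a rough structural test, not OpenSSL's parser.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files openvpn-bridge loads at start-up.
# Assumed layout: $BRIDGE_DIR/priv/key.pem and $BRIDGE_DIR/pub/dh.pem, both 0600 root:root.
BRIDGE_DIR="${BRIDGE_DIR:-/etc/openvpn/bridge}"

# Returns 0 when the file is mode 0600 and owned by user:group (default root:root).
check_private_file() {
    f="$1"; want_owner="${2:-root:root}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(ls -ld "$f")                      # -rw------- 1 root root 1679 ... key.pem
    mode=$(printf '%s' "$1" | cut -c1-10)      # drop an SELinux/ACL suffix such as "." or "+"
    owner="$3:$4"
    [ "$mode" = "-rw-------" ] || { echo "$f is $mode, want -rw-------"; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "$f is owned by $owner, want $want_owner"; return 1; }
}

# Returns 0 when the body between the BEGIN/END lines is valid base64. A file that fails
# here is the kind that makes OpenSSL report "PEM_read_bio:bad base64 decode".
check_pem_decodes() {
    f="$1"
    grep -q '^-----BEGIN ' "$f" && grep -q '^-----END ' "$f" || { echo "no PEM armour in $f"; return 1; }
    sed -n '/^-----BEGIN /,/^-----END /p' "$f" | sed '1d;$d' | grep -v '^[A-Za-z-]*:' \
        | tr -d '\r' | base64 -d >/dev/null 2>&1 || { echo "bad base64 body in $f"; return 1; }
}

# Returns 0 when the key is NOT passphrase-protected. An encrypted PKCS#1 key carries a
# "Proc-Type: 4,ENCRYPTED" header; an encrypted PKCS#8 key uses BEGIN ENCRYPTED PRIVATE KEY.
check_key_unencrypted() {
    f="$1"
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$f" || grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "$f is passphrase-protected; a daemon without a tty cannot ask for it"; return 1
    fi
}

# Runs every check against one bridge directory; returns 1 if anything failed.
check_bridge_files() {
    dir="${1:-$BRIDGE_DIR}"; owner="${2:-root:root}"; rc=0
    check_private_file "$dir/priv/key.pem" "$owner" || rc=1
    check_key_unencrypted "$dir/priv/key.pem" || rc=1
    check_private_file "$dir/pub/dh.pem" "$owner" || rc=1
    check_pem_decodes "$dir/pub/dh.pem" || rc=1
    return $rc
}
```

Run it as root before `sv u /service/openvpn-bridge`; each failing check names the file and what it expected.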

globalsi
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #7 on: March 17, 2020, 10:32:13 PM »
Hi,
Thanks for your explanations.
It's OK for priv/key.pem but not for pub/dh.pem:
Code:
[root@sme pub]# ll /etc/openvpn/bridge/pub/dh.pem
-rw------- 1 root root 219 17 mars  10:57 /etc/openvpn/bridge/pub/dh.pem
[root@sme pub]# ll /etc/openvpn/bridge/priv/key.pem
-rw------- 1 root root 1860 17 mars  10:57 /etc/openvpn/bridge/priv/key.pem
Code:
[root@sme pub]# tailf /var/log/openvpn-bridge/current
@400000005e7140ea1dfc5a7c Cannot load DH parameters from pub/dh.pem
@400000005e7140ea1dfc5e64 Exiting due to fatal error
@400000005e7140eb249b50a4 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
@400000005e7140eb249b548c library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
@400000005e7140eb249dae1c MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@400000005e7140eb249e522c NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@400000005e7140eb24a2da54 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@400000005e7140eb24a602ec OpenSSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
@400000005e7140eb24a602ec Cannot load DH parameters from pub/dh.pem
@400000005e7140eb24a602ec Exiting due to fatal error


pub/dh.pem must be 600 or 644 root:root?

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #8 on: March 17, 2020, 10:35:46 PM »
Sorry.

Both should be 0600 root:root

globalsi
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #9 on: March 17, 2020, 10:42:34 PM »
OK, I set 600 root:root but still get "Cannot load DH parameters from pub/dh.pem".

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #10 on: March 17, 2020, 10:52:50 PM »
I can only think you either haven't generated the certificates correctly or haven't copied them across correctly.

If you are creating a new install, I'd suggest you try the updated version we are testing, which is more secure.

It will also not be possible to migrate from 0.82 to 0.83 due to increased encryption levels.

I'll post some info tomorrow.

globalsi
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #11 on: March 17, 2020, 11:14:46 PM »
Yes, it's a new openvpn install (covid-19... work at home...)
I'll wait for news.
Thanks.

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #12 on: March 17, 2020, 11:40:15 PM »
Cool. It needs some testing!!

globalsi
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #13 on: March 17, 2020, 11:51:51 PM »
The contribs VPN is new, but SME9 is "old" and in production...

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #14 on: March 18, 2020, 12:11:57 AM »
Quote
The contribs VPN is new, but SME9 is "old" and in production...

We've already tested it.

The reason we haven't released it yet is because we aren't sure what to do about in place upgrades.

Seems to work ok (it can't actually break much anyway)

If you had a Rocket account you could have helped test....

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #15 on: March 19, 2020, 01:37:44 AM »
OK, if you want to then try this.

Note. To upgrade the encryption strength you have to create a new CA, and then all new certificates. There is no easy way to convert existing certificates.

So be prepared before you embark on this.

First, uninstall old version. This new version will try and backup your certificates if they exist.

If you want to keep them then you can also do this manually first:

Code:
cp -r /opt/phpki/phpki-store /opt/phpki/phpki-store.backup
Now:

Code:
yum remove phpki
You may need a reboot to clear up.

Add my testing repo.

BEWARE. Do NOT try and do a general 'upgrade' from this repo. It may break your machine!!!!

Just install as we instruct. If this tests OK it will go into smecontribs fairly soon.

You can manually grab a copy for a local install if you want:
https://www.reetspetit.com/smetest/6/repoview/phpki.html

Then something like this:
Code:
yum --enablerepo=epel,smecontribs localinstall phpki-0.83-9.el6.sme.noarch.rpm
Otherwise use my test repo:

Code:
db yum_repositories set reetpTest repository \
BaseURL https://www.reetspetit.com/smetest/\$releasever \
EnableGroups no \
GPGCheck no \
Name "ReetP Repo" \
GPGKey https://www.reetspetit.com/RPM-GPG-KEY \
Visible yes \
status disabled

Code:
signal-event yum-modify
config set UnsavedChanges no

Now install:

Code:
yum --enablerepo=reetpTest,smecontribs,epel install phpki

You may see a warning about unable to write 'random state' but you can ignore it.

Code:
signal-event post-upgrade; signal-event reboot

Go to Server-manager

Create your CA certificate with a password.

Get your DH key, and generate your certificates.

The DH key will now be 2048 bits.

Really we should set everything to default to 4096 - at least make the CA and certs 4096

Let us know how you get along.
« Last Edit: March 26, 2020, 07:11:35 PM by ReetP »

globalsi
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #16 on: March 26, 2020, 05:19:40 PM »
Hi,
mmm...
Here are my commands:
Code:
yum --enablerepo=smecontribs install smeserver-bridge-interface
yum --enablerepo=smecontribs install smeserver-phpki
expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/pki-conf/httpd.conf
sv t /service/httpd-e-smith
sv u /service/httpd-pki
yum --enablerepo=smecontribs install smeserver-openvpn-bridge
signal-event post-upgrade; signal-event reboot
cp -r /opt/phpki/phpki-store /opt/phpki/phpki-store.backup
yum remove phpki
wget https://www.reetspetit.com/smetest/6/noarch/phpki-0.83-9.el6.sme.noarch.rpm
yum --enablerepo=epel,smecontribs localinstall phpki-0.83-9.el6.sme.noarch.rpm
signal-event post-upgrade; signal-event reboot

Afterwards, I created the root certificate (with a password).
Then I want the server certificate. A password is asked for. Whether I try to create it with or without a password, I get an error:
Quote
Signing vpn_server certificate request.
Using configuration from /tmp/cnf-7QjxPJ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'PACA'
localityName          :PRINTABLE:'MYTOWN'
organizationName      :PRINTABLE:'MYCOMPANY'
organizationName      :PRINTABLE:'xxxxxxxxxx111111222222333333333'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'openvpn-bridge'
emailAddress          :IA5STRING:'contact@mycompany.fr'
Certificate is to be certified until Mar 26 16:15:14 2025 GMT (1826 days)
failed to update database
TXT_DB error number 2
Click on the "Help" link above for information on how to report this problem.

Can you help me?
bg
« Last Edit: March 26, 2020, 05:21:13 PM by globalsi »

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #17 on: March 26, 2020, 07:29:03 PM »
Quote
Can you help me?

Only if you follow what we said... :-)


If you are intending to run openvpn-bridge I would

Install smeserver-phpki + phpki

If you are going to use my test version it is better not to install the original 0.82 version. My version *should* move the original certificate directory out of the way.

Note - we are probably going to rename this to phpki-ng shortly because we want to avoid breaking older installs.

Note - we have tested successful openvpn-routed connections with the new version, so we know it works.

We have not tested bridge or 2to2 yet - they should work but need testing.

Reboot

Create your CA and server/client certificates to complete the install

Now install the smeserver-bridge-interface and smeserver-openvpn-bridge rpms.

Reboot and finish your bridge setup

Quote
failed to update database
TXT_DB error number 2

Terry noticed it once when creating a couple of certs - I haven't had a chance to look at it as I have been too busy shutting down our company. I don't think it was serious. Phpki stores a counter in a text file so it can number the certificates and I think it may be this.

Check the certificates in the /opt/phpki-store

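The "failed to update database / TXT_DB error number 2" message quoted above is what openssl ca reports when the entry it wants to write clashes with one already in its index (same serial, or a second valid certificate for the same subject), which fits the counter guess in the reply. The script below is an added example, not part of the thread or of PHPki; it assumes an OpenSSL-style CA database (a tab-separated index.txt with status, expiry, revocation, serial, filename and subject columns, plus a serial file holding the next serial in hex), and where PHPki keeps those under its store directory is not stated in the thread.

```shell
#!/bin/sh
# Added example: sanity-check an OpenSSL-style CA database for the two conditions behind
# "TXT_DB error number 2" when signing a new request. Assumed files (location is a
# placeholder): $CA_DIR/index.txt and $CA_DIR/serial as written by openssl ca.

# Prints every serial that appears twice and every subject with two valid (V) entries.
# Returns 1 if any clash is found, 0 otherwise.
find_index_clashes() {
    idx="$1"
    [ -f "$idx" ] || { echo "missing: $idx"; return 1; }
    awk -F'\t' '
        NF >= 4 && ++serial[$4] == 2 { print "duplicate serial " $4; bad = 1 }
        $1 == "V" && NF >= 6 && ++subj[$6] == 2 { print "duplicate valid subject " $6; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$idx"
}

# Returns 0 when the next serial in the counter file is above every serial already issued,
# so the next signing cannot collide with an existing index entry.
check_serial_counter() {
    idx="$1"; serialfile="$2"
    [ -f "$serialfile" ] || { echo "missing: $serialfile"; return 1; }
    next=$(printf '%d' "0x$(tr -d '\r\n ' < "$serialfile")")
    max=0
    for s in $(awk -F'\t' 'NF >= 4 { print $4 }' "$idx"); do
        n=$(printf '%d' "0x$s")
        [ "$n" -gt "$max" ] && max=$n
    done
    [ "$next" -gt "$max" ] || { echo "next serial $next is not above largest issued serial $max"; return 1; }
}

# Runs both checks against one CA directory; returns 1 if either failed.
check_ca_db() {
    dir="$1"; rc=0
    find_index_clashes "$dir/index.txt" || rc=1
    check_serial_counter "$dir/index.txt" "$dir/serial" || rc=1
    return $rc
}
```

A duplicate valid subject is the usual result of re-issuing a certificate (for example after a failed first attempt) without revoking the earlier one first.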