Koozali.org: home of the SME Server

OpenVPN problem

Offline nicolatiana

OpenVPN problem
« on: March 08, 2020, 05:03:41 PM »
Newly configured OpenVPN. Apparently I've performed all steps. In the server manager panel there's no error concerning certificates.
In the log file I can find:
Quote
2020-03-08 16:56:36.766208500 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
2020-03-08 16:56:36.766228500 Exiting due to fatal error
and I'm not able to connect with clients.
Smeserver.it consultant - Solutions and support for SME Server in Italy.

Offline nicolatiana

Re: OpenVPN problem
« Reply #1 on: March 08, 2020, 07:17:01 PM »
I reply to myself. For some reason my insane brain has forced me to put a password on the server certificate ..... :(

Regenerated the server certificate in the correct way. Sorry.
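A preflight check for the failure in the log above, as an added example that is not part of the original thread: it reads an OpenVPN config, looks at the PEM header of the file named by `key`, and reports the conditions the log message names (`askpass`, `auth-nocache`). The key file names, the askpass path and the sample PEM text are constructed; inline `<key>` blocks are not handled.

```python
import re

# PEM markers of a passphrase-protected private key.
ENCRYPTED_MARKERS = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 encrypted key
    "Proc-Type: 4,ENCRYPTED",                 # traditional PEM encryption header
)

# Constructed sample key files (headers only, no real key material).
SAMPLE_KEYS = {
    "plain.key": "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
    "pkcs8.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(constructed)\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n",
    "legacy.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00\n\n(constructed)\n-----END RSA PRIVATE KEY-----\n",
}

def key_is_encrypted(pem_text):
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)

def parse_directives(conf_text):
    """Map each OpenVPN config directive to its arguments (last one wins)."""
    directives = {}
    for line in conf_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def read_file(path):
    with open(path) as fh:
        return fh.read()

def preflight(conf_text, read=read_file):
    """List the reasons an unattended (no tty) start would stop at the key prompt."""
    d = parse_directives(conf_text)
    key_args = d.get("key")
    if not key_args or not key_is_encrypted(read(key_args[0])):
        return []
    problems = []
    if not d.get("askpass"):
        problems.append("encrypted key without 'askpass <file>'")
    if "auth-nocache" in d:
        problems.append("'auth-nocache' set with an encrypted key")
    return problems

if __name__ == "__main__":
    conf = "daemon\nkey pkcs8.key\n"  # constructed config
    print(preflight(conf, SAMPLE_KEYS.__getitem__))
```

On a real server, call `preflight(read_file(conf_path))` so the key path from the config is read from disk.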

Offline TerryF

Re: OpenVPN problem
« Reply #2 on: March 09, 2020, 01:08:04 AM »
Currently helping John get latest phpki working, testing his changes, I know the feeling LOL  :lol: :lol: :lol: :lol:
--
qui scribit bis legit

Offline ReetP

Re: OpenVPN problem
« Reply #3 on: March 09, 2020, 09:59:41 AM »
Nicolatiana

Yes that'll be the issue :-)

Do you use phpki or another method to create certificates?

I am doing a major update to phpki and I would like to find another user for opinion!

Let us know (ask for a login to Rocket.Chat as well.....)

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline nicolatiana

Re: OpenVPN problem
« Reply #4 on: March 09, 2020, 11:21:59 AM »
Using Phpki contrib.
Upgrade in smetest repo ?

Offline TerryF

Re: OpenVPN problem
« Reply #5 on: March 09, 2020, 11:52:38 AM »
Quote
Using Phpki contrib.
Upgrade in smetest repo ?

Yes, BUT, wait, just sorting what happens to old ver certs if you upgrade, John is trying to sort it, I think keeping a roof over his head and food on the table is interfering :-)
and sorry adding, the version we are playing with is in John's testing repo, not updated to CVS yet
« Last Edit: March 09, 2020, 11:55:38 AM by TerryF »

Offline ReetP

Re: OpenVPN problem
« Reply #6 on: March 09, 2020, 03:10:55 PM »
Quote
Using Phpki contrib.

That is the RIGHT answer :-)

OK, I know your version is probably a bit flawed.... the dates are wrong in the panel & other stuff.

I have done a patched version of v0.82 but not released it yet as we are testing it. It fixes a few basic issues like the dates and some formatting. The updated version is in smetest: phpki-0.82-20.

Please test it - Terry has and it seems OK but note I give NO guarantees that it won't break things so make a backup of your certs in /opt/phpki/phpki-store before upgrading, or better still install on a test machine. Install the original, create a few certs then upgrade.

However, it doesn't fix the current encryption level which is not high.

I have cloned the radicand repo, which in itself was a copy of the 0.83 code with fixes, and have updated it:

https://github.com/reetp/phpki

It is STILL a work in progress.

The big issue is upgrading. The new 0.83 version will use SHA512 which is far stronger than the SHA1 used in 0.82 which is a busted flush.

However, it means you need to generate a new CA, and then new certificates.

So to upgrade to 0.83 means we need to backup the old certs and reinstall.

I have a personal build of 0.83+ if you want to try it - let me know.

Also, if you want to test this (please!!!!) ask me for a Rocket.Chat account and you can talk to me and Terry directly as we build and test it. No coding required - just some enthusiasm....

Relevant bugs
https://bugs.contribs.org/show_bug.cgi?id=6741
https://bugs.contribs.org/show_bug.cgi?id=8911 << fixed in phpki-0.82-20
https://bugs.contribs.org/show_bug.cgi?id=8685

Hope you jump in and help - we really need it!

B. Rgds
John