Koozali.org: home of the SME Server

Questions re PHPKI

Offline mauro

Questions re PHPKI
« on: July 31, 2021, 08:42:56 AM »
I'm in the process of upgrading from SME9.2 to 10 and migrating the contribs.

1) What's the difference between phpki and phpki-ng?

2) Installation does not work:
Code:
yum install --enablerepo=smecontribs,epel smeserver-phpki
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: ftp.plusline.net
 * epel: ftp-stud.hs-esslingen.de
 * smeaddons: ftp.nluug.nl
 * smecontribs: ftp.nluug.nl
 * smeextras: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: ftp.wrz.de
1035 packages excluded due to repository priority protections
No package smeserver-phpki available.
Error: Nothing to do

All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer.
-- IBM maintenance manual (1975)

Offline sages

Re: Questions re PHPKI
« Reply #1 on: July 31, 2021, 09:40:53 AM »
Looking here https://wiki.koozali.org/Category:Contrib PHPKi is still in smetest, and then looking here https://wiki.koozali.org/PHPki it states that PHPKi is no longer in use and PHPKi-ng is the replacement. And at the bottom of the PHPKi wiki entry are a number of bug links that are worth investigating.
...

Offline ReetP

Re: Questions re PHPKI
« Reply #2 on: July 31, 2021, 10:08:45 AM »
Use smeserver-phpki-ng - the old version likely won't work at all.

It has updated default security settings and a whole pile of fixes.

It should work, but needs testing. Please help verify any of the existing bugs.

On install when you click to create the CA just click once and be VERY patient as it takes a while to generate it.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline mauro

Re: Questions re PHPKI
« Reply #3 on: July 31, 2021, 10:36:50 AM »
Thanks, I'll go for the new version then.
As I am upgrading from SME9.2 to 10, is there any chance to import the existing certificates into phpki-ng, or is it not compatible any more?

Offline sages

Re: Questions re PHPKI
« Reply #4 on: July 31, 2021, 11:16:48 AM »
Please read the bug reports and the wiki; your question may have been answered already.

Offline Jean-Philippe Pialasse

Re: Questions re PHPKI
« Reply #5 on: July 31, 2021, 03:57:41 PM »
You have to start from scratch to upgrade the level of security: keys have to be stronger nowadays, and this is the reason you need to be patient for their creation.

Offline ReetP

Re: Questions re PHPKI
« Reply #6 on: August 01, 2021, 05:49:54 PM »
You could theoretically use them, but I really don't recommend it, and am not going to try and document how to do it.

Use it as an opportunity to create new more secure certs. If you don't do it now you'll keep putting it off and all the while your certs become less secure.

Offline mauro

Re: Questions re PHPKI
« Reply #7 on: August 02, 2021, 08:48:14 AM »
Actually during the installation it's written clearly on the console to create new certificates, if one pays attention...  :-)

So I created new certificates from scratch; however, I must have done something wrong, because every now and then I get this from the console:
Code:
Broadcast message from root@xxxx (Mon 2021-08-02 08:38:01 CEST):

Password entry required for 'Enter Private Key Password:' (PID 3253).
Please enter password with the systemd-tty-ask-password-agent tool!

If I don't enter that password, the openvpn-bridge does not start.

Offline ReetP

Re: Questions re PHPKI
« Reply #8 on: August 02, 2021, 10:32:24 AM »
You set a password for the certificate which you did not need to do.

You can set an 'askpass' variable in openvpn but you then store your password in plain text. So pretty pointless.

Go back and create the cert (not the CA) without a password.

Offline mauro

Re: Questions re PHPKI
« Reply #9 on: August 02, 2021, 10:43:15 AM »
Thanks

Offline mauro

Re: Questions re PHPKI
« Reply #10 on: August 05, 2021, 10:51:55 AM »
I thought I had solved the problem, but on reboot it asked me for the password again.
To be sure I understood correctly, I have now:
- the root certificate with password
- one certificate for openvpn server-side without pass (the old one with password has been revoked)
- more certificates for openvpn clients without pass

Offline ReetP

Re: Questions re PHPKI
« Reply #11 on: August 05, 2021, 01:10:58 PM »
I've patched smeserver-phpki-ng

https://bugs.koozali.org/show_bug.cgi?id=11402

Patched phpki-ng

https://bugs.koozali.org/show_bug.cgi?id=11402

Please test them.

Offline ReetP

Re: Questions re PHPKI
« Reply #12 on: August 05, 2021, 01:16:59 PM »
Quote from: mauro on August 05, 2021, 10:51:55 AM
I thought I had solved the problem, but on reboot it asked me for the password again.
To be sure I understood correctly, I have now:
- the root certificate with password
- one certificate for openvpn server-side without pass (the old one with password has been revoked)
- more certificates for openvpn clients without pass

That should be correct.

What flavour of openvpn are you using? Routed/Bridged/S2S ?

But I don't know what certificates you have actually added to openvpn - possibly the private CA by mistake?? That should only be the public cert?

You can test if certs require a password with openssl.

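The openssl check ReetP suggests in the reply above, as an added example that is not from the thread or from phpki-ng: a POSIX shell script that tells a passphrase-protected PEM private key (the kind that makes OpenVPN stop at "Enter Private Key Password:" on boot, as in reply #7) from one that loads unattended. It generates its own constructed sample keys in a temporary directory, so it assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread or from phpki-ng: tell a passphrase-
# protected PEM private key (OpenVPN stops at "Enter Private Key Password:")
# from one that loads unattended at boot. Needs only the openssl CLI.
set -eu

# Prints "needs-passphrase" or "unattended" for the PEM key at $1.
# openssl is given an empty passphrase and no terminal, so it can never
# prompt: an unencrypted key parses, an encrypted one fails to decrypt.
key_state() {
    if openssl pkey -in "$1" -noout -passin pass: </dev/null >/dev/null 2>&1; then
        echo "unattended"
    else
        echo "needs-passphrase"
    fi
}

# Returns 0 (true) when the key at $1 would block an unattended start.
key_needs_password() {
    [ "$(key_state "$1")" = "needs-passphrase" ]
}

# Human-readable report combining the quick PEM header look with the
# authoritative openssl result.
describe_key() {
    if grep -q -E 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; then
        hdr="encrypted PEM header"
    else
        hdr="plain PEM header"
    fi
    echo "$1: $hdr, $(key_state "$1")"
}

# Constructed sample keys for the demonstration (EC keys generate quickly).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
PLAIN_KEY="$DEMO_DIR/server-plain.key"
ENC_KEY="$DEMO_DIR/server-encrypted.key"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$PLAIN_KEY" >/dev/null 2>&1
# The same key wrapped with a passphrase: the mistake described in reply #7.
openssl pkey -in "$PLAIN_KEY" -aes-256-cbc -passout pass:demo-secret \
    -out "$ENC_KEY" >/dev/null 2>&1

describe_key "$PLAIN_KEY"   # plain PEM header, unattended
describe_key "$ENC_KEY"     # encrypted PEM header, needs-passphrase
```

Run it against the key file you actually handed to the openvpn-bridge contrib (instead of the generated samples) to confirm it reports "unattended" before you reboot.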

Offline mauro

Re: Questions re PHPKI
« Reply #13 on: August 05, 2021, 02:25:15 PM »
Well, that's embarrassing: either I forgot to put the new password-less certificate and key into openvpn, or I did not press save...
Should be ok now, thanks.


Offline ReetP

Re: Questions re PHPKI
« Reply #14 on: August 05, 2021, 02:38:13 PM »
Quote from: mauro on August 05, 2021, 02:25:15 PM
Well, that's embarrassing: either I forgot to put the new password-less certificate and key into openvpn, or I did not press save...
Should be ok now, thanks.

:lol:

We've all been there ;-)

Your penance is to test and verify bugs please!!

https://bugs.koozali.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&bug_status=VERIFIED&f0=OP&f1=OP&f2=product&f3=component&f4=alias&f5=short_desc&f7=content&f8=CP&f9=CP&j1=OR&list_id=95049&o2=substring&o3=substring&o4=substring&o5=substring&o7=matches&query_format=advanced&v2=phpki-ng&v3=phpki-ng&v4=phpki-ng&v5=phpki-ng&v7=%22phpki-ng%22


If you want to chat to "Terry the Testing King" then ask for a Rocket.Chat account on my server and you can go through how to do testing & verification. He is a great teacher!
