OpenVPN not working with certificates after updating from earlier pfSense to latest.
-
I created an issue in the bugtracker but was told to backup and reinstall, and post here in case it still doesn't work.
I did that, and it still doesn't work.
https://redmine.pfsense.org/issues/10560
That is the issue.
I will cut and paste the data from the issue:
When connecting using either OpenVPN Connect on Android using client certificate + username/password or the OpenVPN client on a Raspberry Pi using only a certificate (different server instance of course), the connection doesn't work.
It worked in pfSense 2.5.0 from 2019-09-19, but not in the daily named 2020-05-14.
I have tracked it down to /usr/local/sbin/ovpn_auth_verify calling fcgicli during cert validation.
The expected response to "RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")" is "OK", but the response received is "Something wrong happened while reading request" which is a response from inside the fcgicli binary:
    ch = read_packet(sb, fcgisock, header);
    if (ch < 0) {
        printf("Something wrong happened while reading request\n");
        //sbuf_finish(sb);
        //sbuf_delete(sb);
        break;
    }
If I override the response with "OK" in the script file (which is obviously only a hack) the connection succeeds.
I get the exact same response if I call the binary on a command line using the same options.
Jim responded that that is probably a red herring.
I have validated the certs (self signed, but they validate fine using the openssl tools).
I have also tried reinstalling the certs, to no avail.
EDIT: Currently on 2020-05-22 clean reinstall, with applied config.xml. Still no dice.
-
!!!! This is an untested solution, use at your own risk !!!!
Hello, we have found ourselves with the same issue recently and after some troubleshooting I've ended up finding your post.
We have pinpointed the problem to this:
The call in the file /usr/local/sbin/ovpn_auth_verify to /usr/local/sbin/fcgicli is causing a problem because of the length of the -d auth_args. In our case, the combination of username, password and common name was too long and produced the error message "Something wrong happened while reading request".
We tested by replacing the call to /usr/local/sbin/fcgicli with /usr/local/bin/php-cgi like so:
before
result=$("${fcgicli}" -f "${auth_user_php}" -d "${auth_args}")
after
result=$("${phpcgi}" -q "${auth_user_php}" "${auth_args}")
We also had to update the command definitions at the beginning of the file, like so:
# ---------- Command Definitions
fcgicli="/usr/local/sbin/fcgicli"
phpcgi="/usr/local/bin/php-cgi"
openssl="/usr/bin/openssl"
sed="/usr/bin/sed"
auth_user_php="/etc/inc/openvpn.auth-user.php"
We believe that the use of fcgicli here is most likely historic, as it's used very little as opposed to php-cgi which is very present in the rest of the codebase. Most likely someone forgot to update it here.
Hope that helps ;)
-
We've also found this bug report that addresses the issue even further: https://redmine.pfsense.org/issues/4521
-
Hi,
Sorry for the late response. I did something similar and then I added it as a shellcmd. This is the specific shellcmd I use right now.
The SHA512-sum is updated whenever the source is updated. If it differs it means one of two things:
- I have already modified the file.
- A new version of this file was released.
I will notice 2 by my VPN not working, and then just update the SHA512-sum.
Here it is in case someone wants to use it:
(/sbin/sha512 -c bbf2919171bf06301f4cbbefa11b61e7aff7538a70d95d081e96c66ebc032a4ba40f7c804eef5b6cf47bcc0346de422e40db0b9e6c11ded14f41196c7c02eeb1 /usr/local/sbin/ovpn_auth_verify >/dev/null; if [ $? -eq 0 ]; then /usr/bin/sed -i "" 's,sbin/fcgicli -f,bin/php-cgi -q,g' /usr/local/sbin/ovpn_auth_verify ; fi)
Just add it as a shellcmd.
It simply compares the SHA512-sum with a static one, and if it's the same (i.e. original known/unmodified), replaces the use of fcgicli with php-cgi in the file.
Works as it should for me.
Note: This isn't a real "fix", it's a workaround until the bug gets fixed, regardless of if that means a fixed fcgicli binary, using php-cgi or something else.
And yes, I know about that bug report. I'm following any changes in it.
// Stefan
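A hash-gated variant of the shellcmd above, added here as an example (not Stefan's or pfSense's own code): it assumes the known-good SHA512 of the pristine ovpn_auth_verify is passed in as an argument, leaves a file with an unknown digest untouched and says so instead of silently doing nothing, and is safe to re-run; the demo function exercises it against a constructed copy of the fcgicli call line.

```shell
# Constructed example, not code from the thread or from pfSense: a hash-gated
# version of the shellcmd workaround that reports which of three states it found
# (pristine, already patched, unknown build) instead of silently doing nothing.
# KNOWN_SHA512 is assumed to be the digest of the pristine ovpn_auth_verify.

file_sha512() {
    # pfSense/FreeBSD ships sha512(1); Linux ships sha512sum(1). Hex digest only.
    if command -v sha512 >/dev/null 2>&1; then
        sha512 -q "$1"
    else
        sha512sum "$1" | cut -d' ' -f1
    fi
}

# patch_auth_verify FILE KNOWN_SHA512
# returns 0 if the file is now (or already was) patched, 2 if its digest is
# unknown, in which case the file is left untouched for manual review.
patch_auth_verify() {
    file=$1
    known=$2
    if grep -q 'bin/php-cgi -q' "$file"; then
        echo "already patched: $file"
        return 0
    fi
    actual=$(file_sha512 "$file")
    if [ "$actual" != "$known" ]; then
        echo "unknown digest $actual for $file; not patching" >&2
        return 2
    fi
    # Same substitution as the shellcmd, written without sed -i so it works with
    # both BSD and GNU sed; cat into the original keeps its owner and mode.
    tmp="$file.tmp.$$"
    sed 's,sbin/fcgicli -f,bin/php-cgi -q,g' "$file" > "$tmp" \
        && cat "$tmp" > "$file" && rm -f "$tmp"
    echo "patched: $file"
}

# Walks all three states against a constructed copy of the fcgicli call line.
demo() {
    dir=$(mktemp -d)
    f="$dir/ovpn_auth_verify"
    printf '%s\n' 'RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2")' > "$f"
    known=$(file_sha512 "$f")
    patch_auth_verify "$f" "$known"                     # patched
    patch_auth_verify "$f" "$known"                     # already patched
    printf '%s\n' 'RESULT=$(/usr/local/sbin/fcgicli -f other-build)' > "$f"
    patch_auth_verify "$f" "$known" || echo "rc=$?"     # unknown digest, rc=2
    rm -rf "$dir"
}
```

Call demo to see the three outcomes; as a shellcmd you would call patch_auth_verify with the real path and the digest of the current build's pristine file.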
-