4. Update to 2.1, Issue with PKI

Update to 2.1, Issue with PKI

  • W

    Hi,

    My setup from 2.0 does not seem to work with 2.1.  Here is the server log when I try to connect (newest to oldest):

    openvpn[4214]: 192.168.10.131:1194 TLS Error: TLS handshake failed
Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 TLS Error: TLS object -> incoming plaintext read error
Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 WARNING: Failed running command (--tls-verify script): could not execute external program

    I've re generated everything: CA, Server Cert, OpenVPN service instance, User Cert.  All correctly associated.  All else equal as previous setup.

    Client config:

    dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote 102.106.12.15 1195 udp
tls-remote test1
auth-user-pass
pkcs12 test1.p12
tls-auth test1tls.key 1
ns-cert-type server
comp-lzo

    Any thoughts?

    Thanks.

    0
  • W

    I found that once I removed these advanced options on the server side:

    user nobody;group nobody

    It started to work.  I don't like this so much though, now the particular process is running as root.

    Any thoughts guys?

    Thanks.

    0
  • M

    You'll need to create yourself a user in "User Manager" and add to it the server CA likely with Local Database as the server.

    0
  • Rebel Alliance Developer Netgate

    The permissions on the files in /var/etc/openvpn have been altered such that only root can read them. So using a custom user in that way is not (and never has been) supported.

    If you want to find the code that sets the permissions and fix it so your custom user can read them, feel free…

    0
  • W

    @markn62:

    You'll need to create yourself a user in "User Manager" and add to it the server CA likely with Local Database as the server.

    I did.  Thanks for the suggestion.

    0
  • W

    @jimp:

    The permissions on the files in /var/etc/openvpn have been altered such that only root can read them. So using a custom user in that way is not (and never has been) supported.

    If you want to find the code that sets the permissions and fix it so your custom user can read them, feel free…

    Hey Jimp.  You probably understand the topic further than I do… but what about the security that is gained by running the exposed daemon (assuming firewall rules allow any) as "nobody", in case of some kind of exploit?

    Maybe I am missing the purpose of running only as root.  Help me out?  :-, then again... i guess you're stating that if I want nobody to be able to run the daemon, I have to modify the script... OK.

    0
  • Rebel Alliance Developer Netgate

    I'm not sure of the exact reason why it hasn't been done that way. If OpenVPN runs as root to bind and add routes and then drops privileges to nobody, it may still be able to do the same things as usual, but there is always the chance that some other bit may break (pushed routes, etc)

    0
  • W

    @jimp:

    I'm not sure of the exact reason why it hasn't been done that way. If OpenVPN runs as root to bind and add routes and then drops privileges to nobody, it may still be able to do the same things as usual, but there is always the chance that some other bit may break (pushed routes, etc)

    Hey Jimp, just to clarify, I had been running 2.0.x for many months using the nobody for group and user in the advanced options without a hitch, only to be woken up by 2.1 and finding that (removing the option(s)) as my only solution.  I am not sure why either but maybe there is an explanation.

    Oh one more thing, I have a site-to-site (shared keys) working fine with the user and group nobody, (in 2.1).

    But the PKI… using the SSL/TLS + User Auth gives me the hiccup.

    0
  • T

    I'm having the same problem, did creating the local user work as suggested? I created a local user and group and changed the config to use that but still get the error.  I'm not too sure what was meant by "add it to the server CA" though.  I did notice that the permissions on the tls-verify.php script are 755 so not sure why it gets the permissions problem since it's world readable/executable (unless freebsd has something similar to linux with security contexts)

    0
  • W

    This issue still exists.
    Can't seem to run the PKI server as user/group nobody with advanced option:

    user nobody;group nobody

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy