This report is for IPFire 2.29 (aarch64) - core183 with openssl version: OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024).

Currently, the automatic generation of an openvpn server certificate via the IPFire web GUI fails, preventing the user from setting up OpenVPN (with self generated CA + server cert) on IPFire 2.29 core183.

Steps to reproduce:
- IPFire 2.29, core 183
- OpenVPN no CA / cert present (remove X509)
- Create CA / cert (services → openvpn → generate root/host certificates → generate root/host certificates)

Expected outcome:
New DH, CA and server/host certificate are created.

Observed outcome:
DH and CA are created; creation of server/host certificate fails. OpenSSL error 256 is shown in the upper left of the web GUI and the following errors are logged in the http error_log:

A challenge password :An optional company name :Error adding request extensions from section server
20108990FFFF0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
20108990FFFF0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
20108990FFFF0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
20108990FFFF0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always

Possible causes:
This is most likely caused by a recent bugfix in OpenSSL making the openssl req subcommand pick up extensions correctly (https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738). In the current openssl/ovpn.cnf AKID is specified in the server section, but AKID can't be processed when creating certificate requests.

Please see also the reply from @bonnietwin in the community forum: https://community.ipfire.org/t/openvpn-fails-to-generate-server-certificate/11128/2?u=aheinzel
'-extensions', 'server' is only used in ovpnmain.cgi and in that file only in two places. lines 1870 and 1887. The first is doing the CSR generation and the second looks to be signing the CSR by the CA. Removing the AKID and SKID from the [ server ] section allows the host certificate to be created. What is not clear to me is if other parts such as client connection certificate creation or certificate revocation would be affected by the CA signing of the CSR being done without the AKID/SKID. I suspect not, but I am not familiar enough with openssl operation and commands to be able to judge that on knowledge. I will test out creating RW and N2N connections and testing them out with the server section without AKID/SKID for both CSR generation and signing. Will also test out what happens if a restore is done from a backup to confirm that still works with the changed ovpn.cnf [ server ] section.
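To illustrate the cause given in the report and the two usages named above (CSR generation versus CA signing), here is an added shell example; it is constructed for this page and is not IPFire's ovpn.cnf, ovpnmain.cgi or the submitted patch. The section names, the demo CN and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not IPFire code): keep AKID/SKID out of the section handed to
# `openssl req`, apply them only when the CA signs; the signed cert still has them.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
# Constructed config. [ server_bad ] mirrors the problematic layout (AKID in a
# section used for CSR generation); [ server ] is used only at signing time.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = vpn.example.test
[ ca_ext ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
[ server_bad ]
authorityKeyIdentifier = keyid,issuer:always
[ server_csr ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
# Self-signed CA that will sign the host CSR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 1 -extensions ca_ext -config demo.cnf 2>/dev/null
}
# Failing pattern: AKID inside the section passed to `openssl req`. On OpenSSL
# 3.2.1 this produces the "v2i_AUTHORITY_KEYID:no issuer certificate" error.
csr_with_akid() {
  openssl req -new -newkey rsa:2048 -nodes -keyout bad.key -out bad.csr \
    -extensions server_bad -config demo.cnf 2>bad.err
}
# Working pattern: CSR without AKID; the CA adds AKID/SKID while signing.
csr_then_sign() {
  openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
    -extensions server_csr -config demo.cnf 2>/dev/null &&
  openssl x509 -req -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out host.crt -days 1 -extensions server -extfile demo.cnf 2>/dev/null
}
has_akid() { openssl x509 -in host.crt -noout -text | grep -q "Authority Key Identifier"; }
make_ca && csr_then_sign && has_akid && echo "host.crt signed; AKID added by the CA"
csr_with_akid || { echo "CSR with AKID rejected:"; cat bad.err; }
```

The patch discussed in this thread simply drops AKID/SKID from [ server ] for both steps; the split shown here is the alternative that keeps them in the signed certificate.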
The -extensions option looks to only be used in those two lines within IPFire. I also checked the x509 creation on IPSec with CU183 and that worked without any problems, which is good. So the problem is specific to OpenVPN only.
*** Bug 13598 has been marked as a duplicate of this bug. ***
(In reply to Adolf Belka from comment #1)

> Removing the AKID and SKID from the [ server ] section allows the host
> certificate to be created.
>
> What is not clear to me is if other parts such as client connection
> certificate creation or certificate revocation would be affected by the CA
> signing of the CSR being done without the AKID/SKID.
>
> I suspect not, but I am not familiar enough with openssl operation and
> commands to be able to judge that on knowledge.
>
> I will test out creating RW and N2N connections and testing them out with
> the server section without AKID/SKID for both CSR generation and signing.

Tested out and worked with no problems for both a RW and a N2N. Also for the N2N the client end had a root/host certificate created before this issue from Openssl-3.2.x. No problems with the AKID/SKID removed from the CSR generation and the signing of the CSR.

> Will also test out what happens if a restore is done from a backup to
> confirm that still works with the changed ovpn.cnf [ server ] section.

After doing a restore and a reboot both the RW and the N2N worked without any problems with the modified [ server ] section in the ovpn.cnf file.

I will submit a patch to modify the [ server ] section and remove the AKID & SKID and look to have it added into CU184.
Patch has been submitted into the dev mailing list and into patchwork.
https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/OXHTDWMHAK2UZSB2B5SL2LOXEYVBIG43/
https://patchwork.ipfire.org/project/ipfire/patch/20240219141632.14939-1-adolf.belka@ipfire.org/
I have reconfirmed, with a new vm clone, that removing the two lines from the server section of the ovpn.cnf file allows my RW connections to a Linux Laptop and to an Android phone to both work without problems. Also created a new N2N connection from a system with the new root/host certificate connecting to an existing system that was created with the old system prior to OpenSSL-3.2. The N2N connection worked without problems. Then created a new N2N client end where I created a new root/host certificate set with OpenSSL-3.2.1 and the patch fix to ovpn.cnf and that N2N connection also worked without any problems. I am feeling confident now that for Linux and Android the fix is fine. Someone on the forum has tested with windows. Initially he had some problems but I believe that was due to a typo that got into the ovpnmain.cgi file. It sounds like after that typo was fixed it worked but I have asked for confirmation of that result.
Patches have been merged into next which will become CU185
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3
CU185 Testing has been released
https://www.ipfire.org/blog/ipfire-2-29-core-update-185-is-available-for-testing
Fix has been evaluated on a CU185 Testing system and confirmed to work for creating the root/host certificate set. Bug fix verified to be working.
*** Bug 13644 has been marked as a duplicate of this bug. ***
CU185 has been fully released but it has been found that the ovpn.cnf file has not been updated. The exclude file includes the line /var/ipfire/ovpn which looks to exclude all files and directories under ovpn. If that is the case then any change to the ovpn.cnf file will never get updated. However this also raises the question of how my evaluation of CU185 Testing after the changes were merged was successful, as this should also not be the case for the Testing release because this has the same exclude file. I do not understand what has happened but likely I made some error somehow and evaluated a vm system that had the changes manually applied. Historically, when I need to evaluate a change that has been merged and built, I create a new clone of the previous version to run the update on. I have moved this back to ON_QA as we need to find a solution to not excluding ovpn.cnf. Maybe this file needs to be moved to a different location.
Already exists in IPFire 2.29 (x86_64) - Core-Update 185.
Couldn't add new RW-Connection ==> "OpenSSL hat einen Fehler verursacht: 256"
All connections deleted and also Root-Certificate deleted.
Add new root/Host-Cert ==> Also error "OpenSSL hat einen Fehler verursacht: 256"
A patch set has been created that moves the OpenVPN openssl config file to a location outside of the /var/ipfire/ directory structure to ensure that any changes to it actually end up getting shipped. That has been the problem with this bug: for some people, when the update occurred their version of the ovpn.cnf file was not updated.
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=73363b89bc6cb1749b83fb42e4f55d960f974f26
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=d545c338f0d14ecec48623e15efc1c28b44cbce7
These changes have been tested and shown to work. Once the master repo has been updated via the nightly build then I will confirm that a Core Update from 185 to 186 successfully ends up with the changes applied. Then this can be moved to Verified again and once CU186 is released then this bug can be closed.
The patch set has now been merged into the master Core Update 167 Testing release with the nightly build last night. I have now tested out on my vm. The CU185 vm failed to create the x509 cert set as expected due to this bug. I then ran the update to CU186 Testing and then rebooted. I then was able to successfully create the x509 cert set for openvpn. I also confirmed that creating a client connection using that x509 cert set was able to successfully create an OpenVPN Road Warrior connection, so the fix has been verified.
CU186 has been released
https://www.ipfire.org/blog/ipfire-2-29-core-update-186-released