Bug 13595 - can't generate openvpn server/host certificate via web GUI
Status: ON_QA
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
Importance: - Unknown - Minor Usability
Assignee: Adolf Belka
QA Contact:
URL:
Keywords:
Duplicates: 13598 13644
Depends on:
Blocks:
Reported: 2024-02-17 11:48 UTC by Andreas Heinzel
Modified: 2024-04-18 09:21 UTC
CC List: 3 users

See Also:


Attachments

Description Andreas Heinzel 2024-02-17 11:48:56 UTC
This report is for IPFire 2.29 (aarch64) - core183 with openssl version: OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024).

Currently, the automatic generation of an openvpn server certificate via the IPFire web GUI fails preventing the user from setting up OpenVPN (with self generated CA + server cert) on IPFire 2.29 core183.

Steps to reproduce:
 - IPFire 2.29, core 183
 - OpenVPN no CA / cert present (remove X509)
 - Create CA / cert (services → openvpn → generate root/host certificates → generate root/host certificates)

Expected outcome:
New DH, CA and server/host certificate are created

Observed outcome:
DH and CA are created; Creation of server/host certificate fails. OpenSSL error 256 is shown in the upper left of the web GUI and the following errors are logged in the http error_log:
A challenge password :An optional company name :Error adding request extensions from section server
20108990FFFF0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
20108990FFFF0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
20108990FFFF0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
20108990FFFF0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always

Possible causes:
This is most likely caused by a recent bugfix in OpenSSL making the openssl req subcommand pick up extensions correctly (https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738). In the current openssl/ovpn.cnf AKID is specified in the server section, but AKID can't be processed when creating certificate requests.

Please see also the reply from @bonnietwin in the community forum: https://community.ipfire.org/t/openvpn-fails-to-generate-server-certificate/11128/2?u=aheinzel
Comment 1 Adolf Belka 2024-02-17 13:10:49 UTC
'-extensions', 'server' is only used in ovpnmain.cgi and in that file only in two places.

lines 1870 and 1887.

The first is doing the CSR generation and the second looks to be signing the CSR by the CA.

Removing the AKID and SKID from the [ server ] section allows the host certificate to be created.

What is not clear to me is if other parts such as client connection certificate creation or certificate revocation would be affected by the CA signing of the CSR being done without the AKID/SKID.

I suspect not, but I am not familiar enough with openssl operation and commands to be able to judge that on knowledge.

I will test out creating RW and N2N connections and testing them out with the server section without AKID/SKID for both CSR generation and signing.

Will also test out what happens if a restore is done from a backup to confirm that still works with the changed ovpn.cnf [ server ] section.
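To make the cause described in the report and the fix from comment 1 concrete, here is an added, constructed demo (not IPFire's ovpn.cnf or ovpnmain.cgi): a minimal config with a `[ server_broken ]` section carrying AKID/SKID next to a `[ server_fixed ]` section without them, run through the same `openssl req ... -extensions SECTION` shape used for the CSR step. It assumes `openssl` is on PATH; section names, the CN and the file paths are made up.

```shell
#!/bin/sh
# Constructed demo, not IPFire's ovpn.cnf or ovpnmain.cgi. Assumes `openssl` is on PATH.
# [ server_broken ] mirrors the pre-fix [ server ] section (AKID/SKID present);
# [ server_fixed ] is the comment 1 change (both key identifiers removed).
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ovpn.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = vpn.example.test
[ server_broken ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
[ server_fixed ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# gen_csr SECTION: same shape as the CSR step in ovpnmain.cgi (-extensions SECTION).
# Returns openssl's exit status; the CSR is written to $WORK/SECTION.csr.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ovpn.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -extensions "$1" >/dev/null 2>&1
}

# csr_has_akid SECTION: 0 if the CSR requests an AKID. A CSR has no issuer yet,
# which is what the v2i_AUTHORITY_KEYID "no issuer certificate" error is about.
csr_has_akid() {
  openssl req -in "$WORK/$1.csr" -noout -text 2>/dev/null |
    grep -q 'Authority Key Identifier'
}

# The report attributes the failure to a recent OpenSSL fix, so older releases
# may still accept the broken section; its result is reported, not asserted.
if gen_csr server_broken; then
  echo "server_broken: CSR created (this OpenSSL does not apply -extensions to CSRs)"
else
  echo "server_broken: CSR generation failed, as in the report (OpenSSL 3.2.1)"
fi
gen_csr server_fixed && echo "server_fixed: CSR created"
```

The fixed section must produce a verifiable CSR on any OpenSSL release, and that CSR must never carry an AKID; the broken section is the one whose outcome depends on the OpenSSL version installed.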
Comment 2 Adolf Belka 2024-02-17 13:18:38 UTC
The -extensions option looks to only be used in those two lines within IPFire.

I also checked the x509 creation on IPSec with CU183 and that worked without any problems, which is good. So the problem is specific to OpenVPN only.
Comment 3 Adolf Belka 2024-02-19 08:32:40 UTC
*** Bug 13598 has been marked as a duplicate of this bug. ***
Comment 4 Adolf Belka 2024-02-19 13:56:06 UTC
(In reply to Adolf Belka from comment #1)
> 
> Removing the AKID and SKID from the [ server ] section allows the host
> certificate to be created.
> 
> What is not clear to me is if other parts such as client connection
> certificate creation or certificate revocation would be affected by the CA
> signing of the CSR being done without the AKID/SKID.
> 
> I suspect not, but I am not familiar enough with openssl operation and
> commands to be able to judge that on knowledge.
> 
> I will test out creating RW and N2N connections and testing them out with
> the server section without AKID/SKID for both CSR generation and signing.

Tested out and worked with no problems for both a RW and a N2N. Also, for the N2N the client end had a root/host certificate created before this issue from OpenSSL-3.2.x.
No problems with the AKID/SKID removed from the CSR generation and the signing of the CSR.

> 
> Will also test out what happens if a restore is done from a backup to
> confirm that still works with the changed ovpn.cnf [ server ] section.

After doing a restore and a reboot both the RW and the N2N worked without any problems with the modified [ server ] section in the ovpn.cnf file.

I will submit a patch to modify the [ server ] section and remove the AKID & SKID and look to have it added into CU184.
Comment 6 Adolf Belka 2024-02-20 13:26:12 UTC
I have reconfirmed, with a new vm clone, that removing the two lines from the server section of the ovpn.cnf file allows my RW connections to a Linux laptop and to an Android phone to both work without problems.

Also created a new N2N connection from a system with the new root/host certificate connecting to an existing system that was created with the old system prior to OpenSSL-3.2.

The N2N connection worked without problems.

Then created a new N2N client end where I created a new root/host certificate set with OpenSSL-3.2.1 and the patch fix to ovpn.cnf and that N2N connection also worked without any problems.

I am feeling confident now that for Linux and Android the fix is fine.

Someone on the forum has tested with Windows. Initially he had some problems but I believe that was due to a typo that got into the ovpnmain.cgi file. It sounds like after that typo was fixed it worked, but I have asked for confirmation of that result.
Comment 7 Adolf Belka 2024-03-11 15:48:21 UTC
Patches have been merged into next, which will become CU185.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3
Comment 8 Adolf Belka 2024-04-05 13:36:41 UTC
CU185 Testing has been released

https://www.ipfire.org/blog/ipfire-2-29-core-update-185-is-available-for-testing
Comment 9 Adolf Belka 2024-04-05 13:48:33 UTC
Fix has been evaluated on a CU185 Testing system and confirmed to work for creating the root/host certificate set.

Bug fix verified to be working.
Comment 10 Michael Tremer 2024-04-09 10:06:27 UTC
*** Bug 13644 has been marked as a duplicate of this bug. ***
Comment 11 Adolf Belka 2024-04-18 09:21:12 UTC
CU185 has been fully released but it has been found that the ovpn.cnf file has not been updated.

The exclude file includes the line

/var/ipfire/ovpn

which looks to exclude all files and directories under ovpn. If that is the case then any change to the ovpn.cnf file will never get updated.

However, this also raises the question of how my evaluation of CU185 Testing after the changes were merged was successful, as this should also not be the case for the Testing release because this has the same exclude file.

I do not understand what has happened but likely I made some error somehow and evaluated a vm system that had the changes manually applied. Historically, when I need to evaluate a change that has been merged and built, I create a new clone of the previous version to run the update on.

I have moved this back to ON_QA as we need to find a solution to not excluding ovpn.cnf. Maybe this file needs to be moved to a different location.