CRL files are not accessible for the Verify CRL options

Bug #1835644 reported by Mike
This bug affects 11 people
Affects                           Status     Importance  Assigned to  Milestone
NetworkManager-OpenVPN            New        Unknown
network-manager-openvpn (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

Hello,

The Network Manager GUI options 'Verify CRL from file' and 'Verify CRL from directory' won't work because the openvpn process cannot access the files since it is run in a chroot, so the connection fails:

nm-openvpn[5069]: chroot to '/var/lib/openvpn/chroot' and cd to '/' succeeded
nm-openvpn[6135]: Options error: --crl-verify fails with '/var/lib/openvpn/chroot//home/steve/VPN/config/crl.rsa.4096.pem': No such file or directory (errno=2)

Thanks.

Ubuntu 19.04
network-manager-openvpn, network-manager-openvpn-gnome 1.8.10-1
openvpn 2.4.6-1ubuntu3.1

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed

J. Snow (jon.snow) wrote :

The problem persists on Ubuntu 19.10:

nm-openvpn[2459]: Options error: --crl-verify fails with '/var/lib/openvpn/chroot//etc/openvpn/crl.pem': No such file or directory (errno=2)

Vladimir Korenev (vkorenev) wrote :

The problem persists on 20.04 (network-manager-openvpn, network-manager-openvpn-gnome 1.8.12-1).

Nicholas Stommel (nstommel) wrote :

This is a serious problem compromising the security of OpenVPN on Linux. Every time I try to use crl-verify I get the following error:

nm-openvpn[3957]: Options error: --crl-verify fails with '/var/lib/openvpn/chroot/[insert path to pem file selected here]': No such file or directory (errno=2)

The network manager cannot find the specified .pem file because for some reason the path is being prepended with "/var/lib/openvpn/chroot/". This bug needs to be fixed ASAP. I had no idea this was an issue until "upgrading" to this broken version of the network manager in Ubuntu 20.04. This bug is completely unacceptable and frankly ridiculous in that it has not been fixed or addressed. Please fix this issue.

Nicholas Stommel (nstommel) wrote :

Looking at the source code for nm-openvpn-service.c, before this bug was introduced it doesn't appear that the crl-verify option was ever implemented or used, as it is not found within the code. The only lines that refer to crl-verify were introduced in Ubuntu 19.04, and consist of the following:

/* CRL file path from the connection settings, handed to openvpn unchanged */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CRL_VERIFY_FILE);
if (tmp)
    args_add_strv (args, "--crl-verify", tmp);
else {
    /* Otherwise a CRL directory, passed with the "dir" flag */
    tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CRL_VERIFY_DIR);
    if (tmp)
        args_add_strv (args, "--crl-verify", tmp, "dir");
}

Frankly I do not know how or why "/var/lib/openvpn/chroot/" gets incorrectly prepended to the file path in the openvpn argument string, but the crl-verify option clearly doesn't work (or may never have worked after it was introduced). This needs fixing ASAP.
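
The path prefixing that the two comments above describe, as an added example that is not code from network-manager-openvpn or OpenVPN: it joins the chroot directory to the configured CRL path the way the logged error shows (hence the '//') and checks whether a CRL would still be readable once openvpn has chrooted. The chroot directory name is taken from the log lines; that copying the CRL inside the chroot and configuring the chroot-relative path makes it reachable is an assumption of this example, not something the thread confirms.

```python
# Constructed preflight check; not code from network-manager-openvpn or OpenVPN.
import os
import shutil
import tempfile

# Chroot directory named in the log lines of this bug (assumed to be what nm-openvpn uses).
NM_OPENVPN_CHROOT = "/var/lib/openvpn/chroot"


def chrooted_path(chroot_dir: str, crl_path: str) -> str:
    """Return the path openvpn reports in the --crl-verify error: the chroot
    directory, a '/', then the configured path unchanged. Keeping the leading
    slash of crl_path is what produces the '//' visible in the log lines."""
    return f"{chroot_dir}/{crl_path}"


def crl_reachable_in_chroot(chroot_dir: str, crl_path: str) -> bool:
    """True only if the configured CRL exists *inside* the chroot, i.e. at the
    location openvpn will open after it has chrooted."""
    return os.path.isfile(chrooted_path(chroot_dir, crl_path))


def demo() -> dict:
    """Reproduce the failure with a constructed layout under a temporary directory:
    a CRL selected from the user's home is unreachable; the same file copied
    into the chroot and referenced by its chroot-relative path is reachable."""
    with tempfile.TemporaryDirectory() as tmp:
        chroot = os.path.join(tmp, "var/lib/openvpn/chroot")
        os.makedirs(os.path.join(chroot, "etc/openvpn"))

        # CRL where the GUI file chooser would find it: outside the chroot.
        home_dir = os.path.join(tmp, "home/steve/VPN/config")
        os.makedirs(home_dir)
        home_crl = os.path.join(home_dir, "crl.pem")
        with open(home_crl, "w") as f:
            f.write("-----BEGIN X509 CRL-----\nconstructed placeholder\n-----END X509 CRL-----\n")

        # Assumed workaround: copy the CRL into the chroot and configure the
        # chroot-relative path (/etc/openvpn/crl.pem) in the connection instead.
        shutil.copy(home_crl, os.path.join(chroot, "etc/openvpn/crl.pem"))

        return {
            "home_path_reachable": crl_reachable_in_chroot(chroot, home_crl),
            "chroot_relative_reachable": crl_reachable_in_chroot(chroot, "/etc/openvpn/crl.pem"),
        }
```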

Sebastien Bacher (seb128) wrote :

Could you give some details on where and how crl.rsa.4096.pem is configured?

Sebastien Bacher (seb128) wrote :

Do you also have a crl-verify-dir in your configuration?

Mike (0x656b694d) wrote :

I'm trying to set the crl-verify option via the network-manager UI:
nm-connection-editor -> Edit -> Advanced... -> Security -> "Verify CRL from file".
I didn't use the crl-verify-dir setting.

Sebastien Bacher (seb128) wrote :

Could you report the issue upstream on https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues since it's likely a problem in the upstream codebase?

Mike (0x656b694d) wrote :

Sebastien Bacher (seb128) wrote :

Thanks!

Shuhao (shuhao) wrote :

This seems to also happen when you specify any cert inline in an imported openvpn config.

Changed in network-manager-openvpn:
status: Unknown → New