openvpn openssl.cnf file missing

Bug #998918 reported by David Maxwell on 2012-05-13
90
This bug affects 20 people
Affects Status Importance Assigned to Milestone
openvpn (Ubuntu)
Medium
Unassigned

Bug Description

Using Ubuntu 12.04
Package openvpn (1.0.1-4ubuntu5)
There is no .cnf file for the 1.0.1 version of the software.
The problem is the openvpn package needs a openssl.cnf file for the correct version of openssl which is 1.0.1.
As it does not have one, it defaults to openssl.cnf which does not exist.
Creating a link openssl.cnf >> openssl-1.0.0.cnf seems to solve the problem.

source ./vars indicates the file is missing

I created a link named openssl.cnf >> openssl-1.0.0.cnf which seems to solve the problem

David Maxwell (david-maxwell) wrote :

Sory - thats is porely explained.

The problem is the openvpn package needs a openssl.cnf file for the correct version of openssl which is 1.0.1.
As it does not have one, it defaults to openssl.cnf which does not exist.
Creating a link openssl.cnf >> openssl-1.0.0.cnf seems to solve the problem.
Hope that explains it a bit better.

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/998918/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
description: updated
Fabio Marconi (fabiomarconi) wrote :

Hello
Can you try to reinstall openssl, i've got the file and the link under
/etc/ssl
---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Changed in ubuntu:
status: New → Incomplete
tags: added: precise
David Maxwell (david-maxwell) wrote :

so have I, but the script whichopensslcnf (in the easy-rsa directory of openvpn) expects to find an openssl.cnf file in the same directory as itself

affects: ubuntu → openvpn (Ubuntu)
Changed in openvpn (Ubuntu):
status: Incomplete → New
Scott Moser (smoser) on 2012-05-17
Changed in openvpn (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Paul Renzulli (zulli1942) wrote :

I hope this helps clarify things. Below are the instructions on how to set up an openvpn server from the ubuntu help page (ill keep them brief) located here - https://help.ubuntu.com/community/OpenVPN.

Following the instructions are my results.

Create the CA:

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

Results:

Using CA Common Name: changeme
grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
username@vpnserver001:/etc/openvpn/easy-rsa$ ./pkitool --server server
Using Common Name: changeme
grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
username@vpnserver001:/etc/openvpn/easy-rsa$ cd keys
username@vpnserver001:/etc/openvpn/easy-rsa/keys$ openvpn --genkey --secret ta.key
username@vpnserver001:/etc/openvpn/easy-rsa/keys$ sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
cp: cannot stat `server.crt': No such file or directory
cp: cannot stat `server.key': No such file or directory
cp: cannot stat `ca.crt': No such file or directory

 I am running the above commands on Ubuntu 12.04 64Bit, I installed Ubuntu using the Alternative install.

I appreciate everything that everyone here does to make Ubuntu what it is. Getting this problem fixed is going to allow me to fully migrate over to 12.04. Let me know if I can be of any assistance.

David Maxwell (david-maxwell) wrote :

This is exactly the problem I encountered and which needs fixing.

As a work around, I added a link to openssl-1.0.0.cnf with the name of openssl.cnf in the same directory:

cd /etc/openvpn/easy-rsa
sudo ln -s openssl-1.0.0.cnf openssl.cnf

This worked, created the necessary certificate file and it is all working fine now.

But that means that something is wrong with the package, as it seems to be missing a file.
It also strikes me that there may be a missing openssl-1.0.1.cnf file.

eas (especkman) wrote :

I spent a little time debugging this. I don't think it is a matter of a missing config file.

When you 'source vars', one of the things that happens is this:

> # This variable should point to
> # the openssl.cnf file included
> # with easy-rsa.
> export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

If you look at whichopensslcnf, you see that the first section includes logic for determining the correct config file to used based on the OpenSSL version installed on the system.

On my system (12.04 lts), 'openssl version' produces the following output:

> # openssl version
> OpenSSL 1.0.1 14 Mar 2012

Which, presumably, should generate a match in this code in whichopensslcnf:

> elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
> cnf="$1/openssl-1.0.0.cnf"
> else
> cnf="$1/openssl.cnf"
> fi

Instead it is falling through to the default value (tested by running the grep command on its own) , which results in the output noted by others above.

One workaround is to symlink openssl.cnf to the appropriate config file mentioned above. The solution is to fix the pattern matching...

Jean Paul Galea (jp-l) wrote :

Hi,

I am running into this problem too. The issue, as eas mentioned, is in the pattern matching.

On Ubuntu 12.04.2 LTS (Precise):

> ~# dpkg -l | grep -i openssl
> ii openssl 1.0.1-4ubuntu5.9 Secure Socket Layer (SSL) binary and related cryptographic tools
> ~# openssl version
> OpenSSL 1.0.1 14 Mar 2012

On Debian 7 (Wheezy):

> ~# dpkg -l | grep -i openssl
> ii openssl 1.0.1e-2 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
> ~# openssl version
> OpenSSL 1.0.1e 11 Feb 2013

In ./easy-rsa/whichopensslcnf, this line tries to match [[:alnum:]] after [[:digit:]], which is non existent for the Ubuntu package.

> elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then

Running this pattern match manually reproduces this;

On Ubuntu 12.04.2 LTS (Precise):

> ~# openssl version | grep -E "1\.0\.([[:digit:]][[:alnum:]])"
> ~# echo $?
> 1

On Debian 7 (Wheezy):

> ~ # openssl version | grep -E "1\.0\.([[:digit:]][[:alnum:]])"
> OpenSSL 1.0.1e 11 Feb 2013
> ~# echo $?
> 0

The easy fix is to remove [[:alnum:]] from the regex, but I am not sure if that would introduce regressions.

More foolproof solution would be for the script to check if it's running on Debian or Ubuntu and take that into consideration when doing the pattern match.

It will also be interesting to know why the Debian package has "e" in its version number and the Ubuntu package doesn't.

valent (valent-turkovic) wrote :

This is really sloppy package management, come on guys, please provide a fix for this.

ps. and people still ask me why I recommend Debian and Fedora over Ubuntu...

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments