Bug #2210

we need fresh certs for openvpn

Added by cpg over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 02/23/2017
Due date:
% Done: 0%


Description

the current ones are expiring imminently. https://forums.amahi.org/viewtopic.php?f=3&t=6766

mail-cert-update.sh (3.39 KB) bigfoot65, 02/24/2017 06:25 PM

History

#1 Updated by bigfoot65 over 2 years ago

Could we build an update script that users could run?

I had something similar for the Amahi Mail System (see attached).

#2 Updated by bigfoot65 over 2 years ago

#3 Updated by bigfoot65 over 2 years ago

This might help those who need to do this for Fedora 21. May work on Fedora 23.

https://forums.amahi.org/viewtopic.php?f=3&t=6766&start=10#p38495

#4 Updated by cpg over 2 years ago

  • Status changed from New to Assigned

finally got my arms around this.

here are the server files with sha1sum 042d85885f8ec9c9e85976737bc00b5d18f1e9af

https://dl.dropboxusercontent.com/u/364883/Screenshots/openvpn-amahi-5.0.tar.bz2

here are the client files, with sha1sum 005e71a6b551487f6c0d789fee5eaa2b800e34ee

https://dl.dropboxusercontent.com/u/364883/Screenshots/client-files-0.1.tar.bz2

tested server on fedora 25, though I do not have too many reasons to believe it should not work on f23.

tested with tunnelblick client on mac os x so far.

could you post on the forums for others to test out?
it has to be tested from the outside of the local network where the server is running.

#5 Updated by bigfoot65 over 2 years ago

F25: Noticed that amahi-dup-cn.conf.off does not have the correct cert names. Honestly, to keep it simple, we should leave the naming the same as it is in older Amahi versions.

F23: I just tested it and it appears to be working.

However, I had to make some changes to file names for certs to match F23. I only used the certs on the Server and Client since the .conf files do not match for F23. This is due to the fact that the new certs and conf files have to be installed from the app since there are script variables that provide IP address, subnet, and domain along with a different naming convention for the certs.

To make it work, I did the following:

SERVER
1. Renamed
  • dh.pem to dh2048.pem (saw in the F25 amahi-dup-cn.conf.off file that it was named this way)
  • Amahi-Server-OpenVPN.crt to server.crt (this matches the F23 current server file)
  • Amahi-Server-OpenVPN.key to server.key (this matches the F23 current server file)
  • ca.crt to ca-cert-crt (this matches the F23 current server file)
2. Certs
  • Copied to /etc/openvpn/amahi
  • Ensured ownership permissions were set to root:root
  • Restarted
3. Modified the following files:
  • amahi.conf: changed line 6 from dh1024.pem to dh2048.pem
  • amahi-dup-cn.conf.off: changed line 9 from dh1024.pem to dh2048.pem

CLIENT
1. Renamed
  • Amahi-Client-OpenVPN.crt to AmahiHDAClient.cert
  • Amahi-Client-OpenVPN.key to AmahiHDAClient.key
  • ca.crt to ca-cert.crt

2. Uploaded them to my client device, overwriting the previous ones.

This may be a bit too much for users. Might want to just update the certs to match current F23 in the Wiki and the app. Users could then uninstall/reinstall OpenVPN for Fedora 23. We may need to do this for older Amahi versions or at least provide instructions on how to do so.

Thoughts?
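
Added example, not part of the ticket or of Amahi's own scripts: a shell check covering the steps in comments #4 and #5. It verifies a downloaded archive against the SHA-1 posted with it, then confirms that the installed certificates are unexpired and that key files are owned by root. The function names, the 30-day expiry window and the group/other permission check are assumptions made for illustration; /etc/openvpn/amahi is the directory named in comment #5.

```shell
#!/bin/sh
# Added example: function names, 30-day window and mode check are assumptions.

# verify_sha1 FILE HEX: succeed only if FILE's SHA-1 equals the posted digest.
verify_sha1() (
    actual=$(sha1sum "$1" 2>/dev/null | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
)

# cert_is_current CERT: succeed if CERT parses and stays valid for 30 more days.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1
}

# loose_keys DIR: print key files not owned by root, or with any
# group/other permission bit set (GNU find syntax, as on Fedora).
loose_keys() {
    find "$1" -type f -name '*.key' \( ! -user root -o -perm /077 \) -print
}

# check_install ARCHIVE SHA1 [DIR]: digest check first, then audit DIR.
check_install() (
    dir=${3:-/etc/openvpn/amahi}
    verify_sha1 "$1" "$2" || { echo "SHA-1 mismatch: $1" >&2; exit 1; }
    rc=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue
        cert_is_current "$crt" || { echo "expired or expiring: $crt" >&2; rc=1; }
    done
    bad=$(loose_keys "$dir") || rc=1
    [ -z "$bad" ] || { echo "fix owner/mode: $bad" >&2; rc=1; }
    exit "$rc"
)

# Run only when given arguments, e.g.:
#   sh check.sh openvpn-amahi-5.0.tar.bz2 <sha1 from the ticket>
[ "$#" -lt 2 ] || check_install "$@"
```

Run it as root on the HDA after extracting the server files, so the ownership test reflects what the OpenVPN service will see.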

#6 Updated by cpg over 2 years ago

Great work!

I renamed files to be a little more consistent (symmetrical Client/Server) to the way they are generated and also to avoid confusion in overriding older files. This was in part because I was getting confused earlier in the process. I was trying to test the older VPN settings, to verify it failed first, so I was a bit confused with identically-named files.

On the server side (the one-click app), I think it does not really matter, as it's one-click and the user does not have to do anything, I believe.

On the client side, there is a good argument to not having to change the documentation. However, I think it's only names of files. I wanted to make sure that if a user was installing for the first time (or even upgrading) the new names would ensure they are using the new files and procedure. In other words, if someone asked for help and we were using the old names, we would have to make sure that person had not accidentally used stale files and we'd have to double check for that. Who knows in what docs and mirrors in old articles these files may be referenced? I have to think about this a little bit more. What do you think?

Great job on the confirmation that it works!

#7 Updated by bigfoot65 over 2 years ago

That makes sense.

I see we need to be able to differentiate between them. Maybe leave the new ones as you have them, but fix the amahi-dup-cn.conf.off file. Then upload the new certs to the wiki and remove the old ones. No need to keep them since they are expired. I believe they are only listed in 1 or 2 places.

Probably would be good to update the F23 OpenVPN app with the new stuff as you did for F25.

Oh and need to update Windows HDA-Connect client too.

#8 Updated by bigfoot65 over 2 years ago

Are the files ready for the F23 app? Will they be in dl.amahi.org location?

I would like to get the app updated and the wiki soon.

Starting to see more users with the expired certificate issue on F23.

#9 Updated by cpg over 2 years ago

  • Status changed from Assigned to Feedback
  • Assignee changed from cpg to bigfoot65

I published them in dl.amahi.org.

I also changed the app for f23. I did fix two things in the dup-cn file, including the path to a library.

Feel free to disseminate the details to the forums and close.

Great work on updating the wiki!

#10 Updated by bigfoot65 over 2 years ago

  • Assignee changed from bigfoot65 to cpg

Updated the wiki guidance for all client devices to use new certificates with the exception of:

The wiki page includes the BZip2 archive for the client certificates for now. Would like to make it like the old ones. Put each cert in the dl.amahi.org file structure which is dl.amahi.org/vpn/certificatename.

#11 Updated by bigfoot65 over 2 years ago

For users checking on the status of the OpenVPN app/certificates, the issue is now resolved.

Uninstall/reinstall the application. Then download/install the new client certificates on your client devices.

The #Amahi wiki has been updated accordingly.

#12 Updated by rdagijones over 2 years ago

The Windows OpenVPN Client, HDA Connect, still has the old settings .ovpn file that does not match the names for the new .crt and .key files. All I had to do was delete the old .ca, .crt, .key and .conf file and add the updated files to the "C:\Program Files (x86)\HDA Connect\config" directory. Then I had to manually edit the .ovpn file with a text editor to match the names of the new files. Could these changes be made to the HDAConnect for Windows that users download?

#13 Updated by cpg over 2 years ago

Thanks @rdagijones.

For everyone trying to uninstall OpenVPN and failing, here is a work-around to be able to uninstall and reinstall. Ssh (or use a console if you have one) to your HDA and do the following commands as root (or with sudo):

mkdir -p  /var/hda/apps/wzjcdmbnqp
chmod 777  /var/hda/apps/wzjcdmbnqp

Then try uninstalling the OpenVPN app and that should work now. Then install it again and the new OpenVPN certs should be in place and your VPN should work again.

Please report here of failure (or success too!).

#14 Updated by pvanbeek over 2 years ago

Confirmed that CPG's modifications above allowed for the uninstall/reinstall of OpenVPN app on the server side.

I use HDAConnect on the client side, so all I needed after reinstalling on the Server side was to copy the new certificates to C:\Program Files (x86)\HDAConnect\config, and then modify the HomeHDA.ovpn file to use the new certificate names.

Thanks @CPG

#15 Updated by bigfoot65 over 2 years ago

Wiki pages have been updated to reflect the new certificates (along with MD5 checksums):

https://wiki.amahi.org/index.php/OpenVPN_Client_Certificates

Also updated the VPN Windows wiki page for the work around for HDAConnect3 installer:

https://wiki.amahi.org/index.php/VPNWindows#Updated_Client_Certificates

#16 Updated by meatballz over 2 years ago

bigfoot65 wrote:

> Wiki pages have been updated to reflect the new certificates (along with MD5 checksums):
>
> https://wiki.amahi.org/index.php/OpenVPN_Client_Certificates
>
> Also updated the VPN Windows wiki page for the work around for HDAConnect3 installer:
>
> https://wiki.amahi.org/index.php/VPNWindows#Updated_Client_Certificates

It is saying I don't have access to download these. Can you check the links? Thank you!

#17 Updated by cpg over 2 years ago

My bad. Permissions issue. Corrected.

#18 Updated by meatballz over 2 years ago

cpg wrote:

> My bad. Permissions issue. Corrected.

Thanks! I uninstalled app, then reinstalled. Removed profile from OpenVPN client on iOS and reinstalled using the certificates you posted. For some reason I am still getting "Certificate verification failed". Did the certs get updated within the OpenVPN app in Amahi? I am on Amahi 8. Appreciate any help. I am on 2.3.2 of OpenVPN

#19 Updated by bigfoot65 over 2 years ago

It was updated for Amahi 9. Will have to check on Amahi 8.

More to follow.

#20 Updated by rdagijones over 2 years ago

Did a fresh install on Amahi 9 / F23 and installed the OpenVPN app from the Dashboard. Says OpenVPN server is not running. Double-checked it in terminal with "systemctl status " and found it was dead. Then, as terminal suggested, ran "journalctl -xe"

Comes back with
": failed with result exit-code
Unregistered Authentication Agent for unix-process 9617:4205"

Could this still be a certs issue?

#21 Updated by bigfoot65 over 2 years ago

@rdagijones

Not likely.

The correct syntax is:

sudo systemctl status openvpn@amahi.service

You might want to check #1910 with regards to it not listed as running in the Dashboard.

#22 Updated by bigfoot65 over 2 years ago

@meatballz

Updated OpenVPN app for Amahi 8. Please uninstall/reinstall the app.

If you still have issues, please let us know.

#23 Updated by bigfoot65 over 2 years ago

If we do not have any further issues, recommend this be closed.

#24 Updated by rdagijones over 2 years ago

I uninstalled and reinstalled the OpenVPN app and now it is working. I think that the install was interrupted and something was corrupted. Amahi.org has been having consistency problems.

#25 Updated by cpg over 2 years ago

  • Status changed from Feedback to Closed

#26 Updated by meatballz over 2 years ago

bigfoot65 wrote:

> @meatballz
>
> Updated OpenVPN app for Amahi 8. Please uninstall/reinstall the app.
>
> If you still have issues, please let us know.

It works on Amahi 8 now. Thank you!
