Page MenuHomeVyOS Platform

Generating vpn x509 key pair fails with command not found
Closed, ResolvedPublicBUG

Description

To reproduce the bug:

vyos@crux-test:~$ generate vpn x509 key-pair test
sudo: /opt/vyatta/sbin//vyatta-gen-x509-keypair: command not found

Tested and issue exists on all release trains.

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Mentioned In
1.3.4

Event Timeline

The main issue seems to be a lack of execute permissions on the script vyatta-gen-x509-keypair

Fixing that issue however seems to indicate the script has further issues

vyos@crux-test:~$ sudo chmod +x /opt/vyatta/sbin/vyatta-gen-x509-keypair
vyos@crux-test:~$ generate vpn x509 key-pair test
error on line -1 of /etc/key-pair.template
139925418890896:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/etc/key-pair.template','rb')
139925418890896:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:178:
139925418890896:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:
Viacheslav added a subscriber: SrividyaA.

Providing an entire path of the file i.e. /opt/vyatta/etc/key-pair.template instead of "@sysconfdir@/key-pair.template", makes the command executable.
IPSec VPN in X509 mode needs ca cert file, also server/client cert has to be signed by the CA for identification.
So, maybe rewriting this script will be helpful.
Any suggestions are welcome.

vyos@R2:~$ generate vpn x509 key-pair example
Generating a RSA private key
...+++++
...................+++++
writing new private key to '/config/auth/example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
State Name []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, department) []:
Common Name (eg, Device hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password (optional) []:
syncer triaged this task as Normal priority.Oct 17 2021, 3:12 PM
dmbaturin set Issue type to Unspecified (please specify).

It's trying to find the template in /etc/, but it is located in /opt/vyatta/etc

vyos@r1:~$ generate vpn x509 key-pair testone
Can't open /etc/key-pair.template for reading, No such file or directory
140089191929024:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/key-pair.template','r')
140089191929024:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
vyos@r1:~$ cat /etc/key-pair.template
cat: /etc/key-pair.template: No such file or directory
vyos@r1:~$ 
vyos@r1:~$ sudo find / -name key-pair.template
/boot/rw/opt/vyatta/etc/key-pair.template
/opt/vyatta/etc/key-pair.template

PR https://github.com/vyos/vyatta-op-vpn/pull/35

vyos@r1:~$ 
vyos@r1:~$ generate vpn x509 key-pair testone
Generating a RSA private key
......................+++++
............+++++
writing new private key to '/config/auth/testone.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.4) board.