
Generating vpn x509 key pair fails with command not found
Closed, Resolved | Public | BUG

Description

To reproduce the bug:

vyos@crux-test:~$ generate vpn x509 key-pair test
sudo: /opt/vyatta/sbin//vyatta-gen-x509-keypair: command not found

Tested and issue exists on all release trains.

Details

Difficulty level
Easy (less than an hour)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Mentioned In
1.3.4

Event Timeline

The main issue seems to be a lack of execute permissions on the script vyatta-gen-x509-keypair.

Fixing that issue, however, seems to indicate the script has further issues:

vyos@crux-test:~$ sudo chmod +x /opt/vyatta/sbin/vyatta-gen-x509-keypair
vyos@crux-test:~$ generate vpn x509 key-pair test
error on line -1 of /etc/key-pair.template
139925418890896:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/etc/key-pair.template','rb')
139925418890896:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:178:
139925418890896:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:
Viacheslav added a subscriber: SrividyaA.

Providing the entire path of the file, i.e. /opt/vyatta/etc/key-pair.template instead of "@sysconfdir@/key-pair.template", makes the command executable.
IPsec VPN in X509 mode needs a CA cert file, and the server/client cert also has to be signed by the CA for identification.
So, maybe rewriting this script will be helpful.
Any suggestions are welcome.

vyos@R2:~$ generate vpn x509 key-pair example
Generating a RSA private key
...+++++
...................+++++
writing new private key to '/config/auth/example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
State Name []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, department) []:
Common Name (eg, Device hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password (optional) []:
syncer triaged this task as Normal priority. Oct 17 2021, 3:12 PM
dmbaturin set Issue type to Unspecified (please specify).

It's trying to find the template in /etc/, but it is located in /opt/vyatta/etc

vyos@r1:~$ generate vpn x509 key-pair testone
Can't open /etc/key-pair.template for reading, No such file or directory
140089191929024:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/key-pair.template','r')
140089191929024:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
vyos@r1:~$ cat /etc/key-pair.template
cat: /etc/key-pair.template: No such file or directory
vyos@r1:~$ 
vyos@r1:~$ sudo find / -name key-pair.template
/boot/rw/opt/vyatta/etc/key-pair.template
/opt/vyatta/etc/key-pair.template

PR https://github.com/vyos/vyatta-op-vpn/pull/35

vyos@r1:~$ 
vyos@r1:~$ generate vpn x509 key-pair testone
Generating a RSA private key
......................+++++
............+++++
writing new private key to '/config/auth/testone.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.4) board.
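The two defects diagnosed in this thread (a helper script without its execute bit, and an OpenSSL request template looked up at an unsubstituted "@sysconfdir@" build placeholder instead of /opt/vyatta/etc) are both things a wrapper can check before calling openssl. The POSIX shell below is an added example written for this page; it is not the vyatta-gen-x509-keypair script and not the change made in the linked PR. It assumes the `openssl req -new -newkey rsa:2048 -nodes -config ...` invocation shape and the /config/auth output directory seen in the output above; the candidate template paths are the two locations the find command in the thread reported.

```shell
#!/bin/sh
# Added diagnostic wrapper (example only, not the VyOS script). It performs the
# checks this thread's fix needed: the helper must be executable, and the
# OpenSSL request template must be resolved where it actually lives.

# Candidate template locations, in order of preference. The literal
# "@sysconfdir@/key-pair.template" string is the unexpanded build placeholder
# that produced the "/etc/key-pair.template" lookups in the bug report.
TEMPLATE_CANDIDATES="/opt/vyatta/etc/key-pair.template /etc/key-pair.template"

# resolve_template [candidate ...]: print the first readable regular file among
# the candidates (defaults to TEMPLATE_CANDIDATES); return 1 if none exists.
resolve_template() {
    if [ $# -eq 0 ]; then
        # shellcheck disable=SC2086  # word splitting on the space-separated list is intended
        set -- $TEMPLATE_CANDIDATES
    fi
    for f in "$@"; do
        case "$f" in
            *@sysconfdir@*) continue ;;   # an unsubstituted placeholder never exists on disk
        esac
        if [ -f "$f" ] && [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# check_executable PATH: return 0 only if PATH is a regular file with the
# execute bit set (the first failure in the thread: "command not found").
check_executable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# gen_keypair NAME [OUTDIR]: generate an RSA key and CSR with openssl using the
# resolved template. Fails early with a readable message instead of openssl's
# "error on line -1 of /etc/key-pair.template" noise. (openssl flags assumed.)
gen_keypair() {
    name=$1
    outdir=${2:-/config/auth}
    tmpl=$(resolve_template) || {
        echo "key-pair.template not found in: $TEMPLATE_CANDIDATES" >&2
        return 1
    }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
    openssl req -new -newkey rsa:2048 -nodes -config "$tmpl" \
        -keyout "$outdir/$name.key" -out "$outdir/$name.csr"
}
```

Calling `gen_keypair example` on a box with the template only under /opt/vyatta/etc picks that path and never touches /etc; on a box missing the template entirely it stops with one clear line rather than three OpenSSL BIO errors.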