
PermissionError when generating/installing server Certificate (generate pki certificate sign ...)
Closed, Resolved. Public

Description

When trying to generate, sign and install a server certificate, the process fails with a PermissionError.

fahad@vyos-vps# generate pki certificate sign ca-1 install v.my.domain
Do you already have a certificate request? [y/N] N
Enter private key type: [rsa, dsa, ec] (Default: rsa) 
Enter private key bits: (Default: 2048) 
Enter country code: (Default: GB) 
Enter state: (Default: Some-State) SomeCity
Enter locality: (Default: Some-City) SomeCity
Enter organization name: (Default: VyOS) 
Enter common name: (Default: vyos.io) 
Do you want to configure Subject Alternative Names? [y/N] y
Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net
Enter Subject Alternative Names: ipv4:4.3.2.1,dns:v.my.domain,dns:v.mylab.local
Enter how many days certificate will be valid: (Default: 365) 3650
Enter certificate type: (client, server) (Default: server) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 813, in <module>
    generate_certificate_sign(args.certificate, args.sign, install=args.install, file=args.file)
  File "/usr/libexec/vyos/op_mode/pki.py", line 487, in generate_certificate_sign
    install_certificate(name, cert, private_key, key_type, key_passphrase=passphrase, is_ca=False)
  File "/usr/libexec/vyos/op_mode/pki.py", line 161, in install_certificate
    install_into_config(conf, config_paths)
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 961, in install_into_config
    cmd(f'/opt/vyatta/sbin/my_set {path}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /opt/vyatta/sbin/my_set pki certificate v.my.domain certificate '<base64-cert-string-removed>'
returned: Configuration path: [pki certificate v.my.domain certificate <base64-cert-string-removed> is not valid

Set failed
exit code: 1

I ran into this error following the OpenVPN Server setup guide from the docs:
https://docs.vyos.io/en/latest/configuration/interfaces/openvpn.html

Steps to reproduce:

Note: This may or may not be significant but I am using a different admin account and not the default vyos account.

  1. Generate a CA cert with run generate pki ca install ca-1
  2. Try to generate and install a server cert with generate pki certificate sign ca-1 install v.my.domain
  3. Run through the prompts with the default values (or not).

Failure occurs when it tries to install the cert.

Version and Environment Details

fahad@vyos-vps:~$ show version

Version:          VyOS 1.4-rolling-202201240317
Release train:    sagitta

Built by:         [email protected]
Built on:         Mon 24 Jan 2022 03:17 UTC
Build UUID:       26c39d9d-b4ad-451c-9754-b840469f909e
Build commit ID:  86b750c3f9c002

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:     
Hardware UUID:    [REMOVED]

Copyright:        VyOS maintainers and contributors

Details

Difficulty level: Unknown (require assessment)
Version: 1.4-rolling-202201240317
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Important to note that simply running the failing set command (pki certificate v.my.domain certificate <base64-cert-here>) in config mode works fine.

It looks like it's trying to directly install the certificate into the config from op-mode; that is only supposed to happen while you're in configure mode, calling the command using run generate pki ... install <name>.

Though in my tests, I can't reproduce this issue and it operates correctly both in op-mode and in conf mode.

op-mode:

vyos@vyos:~$ generate pki certificate sign ca-1 install asd
Do you already have a certificate request? [y/N] 
Enter private key type: [rsa, dsa, ec] (Default: rsa) ec
Enter private key bits: (Default: 256) 
Enter country code: (Default: GB) 
Enter state: (Default: Some-State) 
Enter locality: (Default: Some-City) 
Enter organization name: (Default: VyOS) 
Enter common name: (Default: vyos.io) 
Do you want to configure Subject Alternative Names? [y/N] 
Enter how many days certificate will be valid: (Default: 365) 
Enter certificate type: (client, server) (Default: server) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
You are not in configure mode, commands to install manually from configure mode:
set pki certificate asd certificate '...'
set pki certificate asd private key '...'

conf mode:

vyos@vyos# run generate pki certificate sign ca-1 install asd
Do you already have a certificate request? [y/N] 
Enter private key type: [rsa, dsa, ec] (Default: rsa) ec
Enter private key bits: (Default: 256) 
Enter country code: (Default: GB) 
Enter state: (Default: Some-State) 
Enter locality: (Default: Some-City) 
Enter organization name: (Default: VyOS) 
Enter common name: (Default: vyos.io) 
Do you want to configure Subject Alternative Names? [y/N] 
Enter how many days certificate will be valid: (Default: 365) 
Enter certificate type: (client, server) (Default: server) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.

@sdev You are spot on. I did run it with "run" in conf mode (sorry for editing that out :). But it does bungle it in conf mode on VyOS 1.4-rolling-202201240317 with a non-'vyos' user. Maybe that (the non-vyos user) is what is tripping it up.

Actually... re-testing now, I'm also unable to reproduce this. I would guess it was some sort of environmental bug. This time I have ensured that I am using the exact input parameters I was using before and am also in conf mode, but it just works. I would say let's close this issue for now, and if I run into this again, I'll double-check the reproducibility and ask to reopen this issue.

sarthurdev changed the task status from Open to In progress. Jan 26 2022, 3:33 PM
sarthurdev claimed this task.

As reproducing the exact issue seems to be difficult, I'm going to instead change the install function so it catches errors and outputs the set pki ... syntax, so it behaves as if generate pki ... install <name> were run from op-mode anyway.
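The behaviour sdev describes for op-mode and the fallback sarthurdev proposes above, as an added illustration (not VyOS's own pki.py or vyos.util code): a failing my_set no longer escalates to a traceback but is turned into the manual set commands the operator can paste into configure mode. The my_set path is taken from the traceback in the report; that VyOS stores certificates and keys as a single base64 string without PEM armour, and the injectable `runner` hook, are assumptions of this example.

```python
"""Fallback for 'generate pki ... install <name>' (added example, not VyOS's own code)."""
import shlex
import subprocess
from typing import Callable, List

MY_SET = '/opt/vyatta/sbin/my_set'  # path taken from the traceback in the report


def pem_to_config_value(pem: str) -> str:
    """Strip PEM armour and newlines; assumes VyOS stores certs/keys as one base64 string."""
    lines = (ln.strip() for ln in pem.splitlines())
    return ''.join(ln for ln in lines if ln and not ln.startswith('-----'))


def certificate_config_paths(name: str, cert_pem: str, key_pem: str) -> List[str]:
    """Config paths an op-mode installer has to set for a certificate and its key."""
    return [
        f"pki certificate {name} certificate '{pem_to_config_value(cert_pem)}'",
        f"pki certificate {name} private key '{pem_to_config_value(key_pem)}'",
    ]


def run_my_set(path: str) -> None:
    """Default runner: hand one path to my_set, raising OSError on non-zero exit (assumed to mirror vyos.util.cmd)."""
    proc = subprocess.run([MY_SET] + shlex.split(path), capture_output=True, text=True)
    if proc.returncode != 0:
        raise OSError(proc.returncode, f'failed to run command: {MY_SET} {path}\n{proc.stdout}{proc.stderr}')


def install_into_config(paths: List[str], in_configure_mode: bool,
                        runner: Callable[[str], None] = run_my_set) -> List[str]:
    """Install each path; return the 'set ...' lines the operator still has to run by hand.

    Outside configure mode nothing is attempted. Inside it, a failing my_set no longer
    surfaces as a traceback: the path is collected and echoed as a manual set command.
    """
    if not in_configure_mode:
        return [f'set {p}' for p in paths]
    manual: List[str] = []
    for path in paths:
        try:
            runner(path)
        except OSError as exc:  # PermissionError is a subclass, as in the report
            print(f'Automatic install failed: {exc}')
            manual.append(f'set {path}')
    if manual:
        print('Commands to install manually from configure mode:\n' + '\n'.join(manual))
    return manual
```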

sarthurdev moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.