When trying to generate, sign and install a server certificate, the process fails with a PermissionError.
```
fahad@vyos-vps# generate pki certificate sign ca-1 install v.my.domain
Do you already have a certificate request? [y/N] N
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State) SomeCity
Enter locality: (Default: Some-City) SomeCity
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io)
Do you want to configure Subject Alternative Names? [y/N] y
Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net
Enter Subject Alternative Names: ipv4:4.3.2.1,dns:v.my.domain,dns:v.mylab.local
Enter how many days certificate will be valid: (Default: 365) 3650
Enter certificate type: (client, server) (Default: server)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N]
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 813, in <module>
    generate_certificate_sign(args.certificate, args.sign, install=args.install, file=args.file)
  File "/usr/libexec/vyos/op_mode/pki.py", line 487, in generate_certificate_sign
    install_certificate(name, cert, private_key, key_type, key_passphrase=passphrase, is_ca=False)
  File "/usr/libexec/vyos/op_mode/pki.py", line 161, in install_certificate
    install_into_config(conf, config_paths)
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 961, in install_into_config
    cmd(f'/opt/vyatta/sbin/my_set {path}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: /opt/vyatta/sbin/my_set pki certificate v.my.domain certificate '<base64-cert-string-removed>'
returned: Configuration path: [pki certificate v.my.domain certificate <base64-cert-string-removed> is not valid
Set failed
exit code: 1
```
I ran into this error following the OpenVPN Server setup guide from the docs:
https://docs.vyos.io/en/latest/configuration/interfaces/openvpn.html
Steps to reproduce:
Note: This may or may not be significant but I am using a different admin account and not the default vyos account.
- Generate a CA cert with run generate pki ca install ca-1
- Try to generate and install a server cert with generate pki certificate sign ca-1 install v.my.domain
- Run through the prompts with the default values (or not).
Failure occurs when it tries to install the cert.
Version and Environment Details
```
fahad@vyos-vps:~$ show version
Version:          VyOS 1.4-rolling-202201240317
Release train:    sagitta
Built by:         [email protected]
Built on:         Mon 24 Jan 2022 03:17 UTC
Build UUID:       26c39d9d-b4ad-451c-9754-b840469f909e
Build commit ID:  86b750c3f9c002
Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    [REMOVED]
Copyright:        VyOS maintainers and contributors
```