
OpenVPN server dh-params that are not in PKI error
Closed, Resolved | Public | BUG

Description

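Committing an OpenVPN server configuration whose `tls dh-params` entry names DH parameters that do not exist in PKI fails with an unhandled `KeyError` in `verify_pki` (traceback below).
To reproduce, add the OpenVPN server configuration below, which references `tls dh-params 'dh'`, but do not generate the PKI DH parameters.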

set pki ca ca certificate 'MIIDjzCCAnegAwIBAgIUICKJfkL4fawptTdRBIha+kQZlOMwDQYJKoZIhvcNAQELBQAwUDELMAkGA1UEBhMCVUExDzANBgNVBAgMBkRuaXBybzEPMA0GA1UEBwwGRG5pcHJvMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMB4XDTIzMTExMjEwNTcwOVoXDTI4MTExMDEwNTcwOVowUDELMAkGA1UEBhMCVUExDzANBgNVBAgMBkRuaXBybzEPMA0GA1UEBwwGRG5pcHJvMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoLHRtXwvYs4bPZxtlUCe1WpFbBbCaXxXQkyCH8rpgBgmckZchC6UVGLE3vSq6eN1/ugXYkDsDxBOFCtwo0FkrKsTad583nuCRP9lKPGGthWvNEwwReNR7Hin3naidEUeMzUp0ukKThcvwVwOZd2BAITAMWJiBuM4PVEyFqmvFlgjZLvXmeOZfjje9s1IpChBi2okJse+QAxA4mE/JdzruJY7ab8Sxx5qmyJPD69GaLMBODnDBYNeqgw2JU1oC6bIXmLf3KH1DUNUNSKqqkuUx+88yu6n4UpJUDFErvmLCcAcOAOvNKZxsszb5W38Acfif0Oth8n5fxdq+c+VbEIiJwIDAQABo2EwXzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFNOvs0zwUb8Dxowsss4OCyeNA3u7MA0GCSqGSIb3DQEBCwUAA4IBAQCfQp462djveD7jrwLgccVJ98UjmsgFujJTwmi0tJYGjGI/dlOyjYyca4VIrXSE4xiGqpc15qNvKqL8ZV1zXe74yFv2tF/e5e88l6TeNO+0z5QFkdaL/IQMC4AAo0aUSePQm/NMVUXyEF4MyVrm9mE5LPKeQHcsGWDcXuPxFcgFHToY3ZN0t19Mi+UrHjK8D5e+smVMRbyT/S1qAegSC/PM4WXHfLmH2+zyJgA1JjsDH0z/ZEMzcDBqwFlU+qmDToUNdDnQZZpjA0htM2b3bXhjqvI5Iw9JJsMfIbLg4KJX15vRgIb0o4lW1CLizI4OLl/aEbhm15GtZmre3nf3MwXH'
set pki ca ca private key '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'
set pki certificate cert certificate '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'
set pki certificate cert private key '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'
set pki certificate client1 certificate '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'
set pki certificate client1 private key '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'

set interfaces dummy dum0 address '203.0.113.1/32'
set interfaces openvpn vtun10 encryption cipher aes256
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '203.0.113.1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol udp
set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server mfa totp
set interfaces openvpn vtun10 server name-server '172.16.254.30'
set interfaces openvpn vtun10 server subnet 10.10.0.0/24
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'ca'
set interfaces openvpn vtun10 tls certificate 'cert'
set interfaces openvpn vtun10 tls dh-params 'dh'
set interfaces openvpn vtun10 tls tls-version-min '1.0'
set interfaces openvpn vtun10 use-lzo-compression
commit

Output of the commit:

vyos@r4# commit
[ interfaces openvpn vtun10 ]
VyOS had an issue completing a command.

Report time:      2023-11-12 13:25:22
Image version:    VyOS 1.5-rolling-202311070942
Release train:    current

Built by:         [email protected]
Built on:         Tue 07 Nov 2023 11:11 UTC
Build UUID:       b032e848-00e5-419b-8f7d-75f1abbf3f45
Build commit ID:  aeda9f37f569e4

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    166cfd25-7d3a-4eca-9ef6-0b655c9acf0f

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/interfaces-openvpn.py", line 726, in <module>
    verify(c)
  File "/usr/libexec/vyos/conf_mode/interfaces-openvpn.py", line 513, in verify
    verify_pki(openvpn)
  File "/usr/libexec/vyos/conf_mode/interfaces-openvpn.py", line 205, in verify_pki
    pki_dh = pki['dh'][tls['dh_params']]
             ~~~^^^^^^
KeyError: 'dh'



[[interfaces openvpn vtun10]] failed
Commit failed
[edit]
vyos@r4#

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.5-rolling-202311070942
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)