Thanks for the quick fix! I intentionally messed with the file ownership and can confirm that VyOS 1.5-rolling-202404130016 will correct them to the proper values.

Tested https://github.com/vyos/vyos-1x/pull/2857 and confirmed that it works properly now. Thanks for the quick fix!

Sure. I did some further testing and it looks like this is triggered if the client sends DHCP option 81 (FQDN). To reproduce:

The issue with the missing domain name in /etc/hosts with hostfile-update, as mentioned above, seems to trigger another problem. The hostname requested by the client seems to be added to /etc/hosts verbatim and some clients (eg. some Windows machines and printers) request a fully qualified name with a trailing dot. Since pdns-recursor unconditionally appends a dot, there are now two trailing dots, causing pdns-recursor to crash if it restarts.

I found the issue. This was caused by bumping the debian packaging scripts from debian/2%2.10-10 to debian/2%2.10-12, which includes https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c. This is not compatible with vyos because vyos uses a config path in /run.

Thanks, I ran the ethernet smoke tests, but not the wireless ones. I'll investigate right away.

Closing as resolved because the PRs were merged (thanks for the quick review!)

For eapol specifically, if your use case involves only a single chain (1 root CA + 1 or more intermediate CAs), then my fix from T4245 should do the trick. You can add each root/intermediate CA to the PKI and then set eapol to the leaf intermediate CA. When the wpa_supplicant configuration is generated, vyos will add the intermediate CA and all of its parents to the .crt file.

Submitted PRs:

In case anyone comes across this bug report, I submitted a couple PRs to fix this earlier this year: https://phabricator.vyos.net/T4245

I've submitted a PR to reintroduce the patch: https://github.com/vyos/vyos-build/pull/259

Closing this as resolved since both PRs have been merged.

PR for documentation: https://github.com/vyos/vyos-documentation/pull/719

I've submitted a PR here: https://github.com/vyos/vyos-1x/pull/1227

After further testing, it looks like it's not necessary to have <iface>_ca.pem contain both the server and client chains of trust.

I started working on implementing my "alternative" idea. It's a little bit more complicated than I first thought because we have to consider both the server and client chain of trust.

Alternatively, since the pki code seems to already recognize parents/issuers:

I've submitted a PR to fix this here: https://github.com/vyos/vyos-1x/pull/1220