Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix client cert revoke error with easyrsa 3.0 #338

Closed
wants to merge 3 commits into from

Conversation

chloesoe
Copy link

@chloesoe chloesoe commented May 9, 2019

In easyrsa 3.0 (used in CentOS) the command has changed. Now there is
only a single binary to run the scripts. Further the generation of CRL
also has changed; now a new crl.pem file is created in keys/crl.pem
which overrides the symlink there. So the revocation check did not work
anymore, because the crl.pem in the base directory was not checked when
a client connected.

Resolves: VSHNOPS-1537

Pull Request (PR) description

This Pull Request (PR) fixes the following issues

@Dan33l
Copy link
Member

Dan33l commented May 9, 2019

Hi @chloesoe can you patch acceptance tests to tackle this issue and ensure that revoke process works ?

manifests/revoke.pp Outdated Show resolved Hide resolved
@Dan33l Dan33l added bug Something isn't working needs-tests labels May 9, 2019
@Dan33l
Copy link
Member

Dan33l commented May 9, 2019

hum ... it looks that we have an other PR about same topic #332

@bastelfreak
Copy link
Member

bastelfreak commented May 11, 2019

@chloesoe can you take a look at the failing travis jobs?


Edit: One travis job run into a timeout, I restarted it.

@chloesoe
Copy link
Author

Hi @chloesoe can you patch acceptance tests to tackle this issue and ensure that revoke process works ?

@Dan33l: As I'm new in Puppet I was not able to write working acceptance tests in a reasonable time. I pushed my work I did so far. Perhaps I will have couple of hours in a month to try to get it running.
With commit b848cb9 I got a step further so a revoke test could possibly work, because so we don't get a deprecation warning and tests start (but failing yet).

@andrekeller andrekeller force-pushed the chloesoe/VSHNOPS-1537 branch from a070186 to ae17255 Compare May 14, 2019 17:05
@andrekeller
Copy link
Contributor

@chloesoe a3c5458 should not be fixed in this PR, the proposed solution has the same issues as #312 (making key files world readable which was not the case before). PR should not address multiple issues.

@chloesoe
Copy link
Author

@andrekeller That sounds right, but acceptance tests for revoke are failing immediately without this change. And this PR only will be approved if there are acceptance tests. So should I create a separate PR for a3c5458, wait for merging, and then pull and rebase this PR so this change is applied?

Copy link
Member

@Dan33l Dan33l left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the job already done @chloesoe .

Please have a look to inline comments.

manifests/ca.pp Outdated Show resolved Hide resolved
@@ -56,7 +57,18 @@
remote_host => $facts['networking']['ip'],
tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA',
}
)

openvpn::client { 'vpnclientb' :
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the moment the test is failing because the revoke process is not idempotent. So you did a good test. It cached idempotency issue. Great !

It is not idempotent because during the second run some modifications are done:

 Info: Applying configuration version '1557908446'
  Notice: /Stage[main]/Main/Openvpn::Server[test_openvpn_server]/Openvpn::Ca[test_openvpn_server]/File[/etc/openvpn/test_openvpn_server/easy-rsa/revoked/vpnclientb]/group: group changed 'root' to 'nogroup'
  Notice: /Stage[main]/Main/Openvpn::Server[test_openvpn_server]/Openvpn::Ca[test_openvpn_server]/File[/etc/openvpn/test_openvpn_server/easy-rsa/revoked/vpnclientb]/mode: mode changed '0644' to '0750'

And so the puppet code of revoke needs an update to become idempotent.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The permission change comes from here: https://github.com/voxpupuli/puppet-openvpn/blob/master/manifests/ca.pp#L75
I would argue this is wrong in the first place. Why does this need to be executable? I'd propose to fix this to be root / 640.

You would then need to ensure that the revoked file is created with the correct permission, you could amend the touch (https://github.com/voxpupuli/puppet-openvpn/blob/master/manifests/revoke.pp#L29) with a chmod to ensure the proper permissions. (You could also replace this with install install -b -m 640 /dev/null revoked/${name} however I'm not sure how portable the install command is.

@Dan33l Dan33l added the needs-work not ready to merge just yet label May 15, 2019
@andrekeller
Copy link
Contributor

@andrekeller That sounds right, but acceptance tests for revoke are failing immediately without this change. And this PR only will be approved if there are acceptance tests. So should I create a separate PR for a3c5458, wait for merging, and then pull and rebase this PR so this change is applied?

I'm not a maintainer, but I would drop this commit from this PR and wait for #312 to be merged into master. If you feel you can help with #312 even better. But it is definitely not in scope of this PR.

@chloesoe chloesoe force-pushed the chloesoe/VSHNOPS-1537 branch 3 times, most recently from 849441f to 3122dd1 Compare May 27, 2019 11:14
In easyrsa 3.0 (used in CentOS) the command has changed. Now there is
only a single binary to run the scripts. Further the generation of CRL
also has changed; now a new crl.pem file is created in keys/crl.pem
which overrides the symlink there. So the revocation check did not work
anymore, because the crl.pem in the base directory was not checked when
a client connected.

Resolves: VSHNOPS-1537
As requested in the pull request.
Add a new client with an additional revoke test. Unfortunately I was not
able to get the tests working. Command to start the test is:

`PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1804-64vpnserver.ma{hostname=vpnserver}-ubuntu1804-64vpnclienta.a{hostname=vpnclienta} BEAKER_HYPERVISOR=docker LANG=C LC_ALL=C  bundle exec rake beaker`

It looks like, there weren't any revoke tests yet. So as I'm new to
puppet I was not able to create revoking tests from scratch in a
reasonable time.
@chloesoe chloesoe force-pushed the chloesoe/VSHNOPS-1537 branch from 3122dd1 to 1be53fc Compare August 2, 2019 13:57
# `easyrsa gen-crl` does not work, since it will create the crl.pem
# to keys/crl.pem which is a symlinked to crl.pem in the servers etc
# directory
exec { "renew crl.pem for ${name}":

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will renew the CRL on every puppet run if there is a "revoke". Can be fixed like that:

@@ -32,14 +32,16 @@ define openvpn::revoke (
         cwd      => "${etc_directory}/openvpn/${server}/easy-rsa",
         creates  => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",
         provider => 'shell',
+        notify  => Exec["renew crl.pem for ${name}",],
       }
       # `easyrsa gen-crl` does not work, since it will create the crl.pem
       # to keys/crl.pem which is a symlinked to crl.pem in the servers etc
       # directory
       exec { "renew crl.pem for ${name}":
-        command  => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ../crl.pem -config ./openssl.cnf",
-        cwd      => "${openvpn::etc_directory}/openvpn/${server}/easy-rsa",
-        provider => 'shell',
+        command     => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ../crl.pem -config ./openssl.cnf",
+        cwd         => "${openvpn::etc_directory}/openvpn/${server}/easy-rsa",
+        provider    => 'shell',
+        refreshonly => true,
       }
     }
     '2.0': {

@vox-pupuli-tasks
Copy link

Dear @chloesoe, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@vox-pupuli-tasks
Copy link

Dear @chloesoe, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@Rubueno
Copy link
Contributor

Rubueno commented Dec 15, 2019

@bastelfreak This can be closed.

@vox-pupuli-tasks
Copy link

Dear @chloesoe, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@vox-pupuli-tasks
Copy link

Dear @chloesoe, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working merge-conflicts needs-tests needs-work not ready to merge just yet tests-fail
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants