Bug #12475
Closed
OpenVPN Client Export does not show certificate without private key
100%
Description
When using the page https://<server>/vpn_openvpn_export.php to export an OpenVPN client config package, only certificates with a private key are shown in the list.
This is correct unless we want to use either the option "Use Microsoft Certificate Storage instead of local files." or "Use PKCS#11 storage device (cryptographic token, HSM, smart card) instead of local files.", in which case it is very likely that the certificate we have issued doesn't store the private key on the pfSense box. In fact, we normally have the end user create a .csr (and store the private key on a smartcard) and issue the certificate using it.
I believe the reason for that is the change that was made a while ago to the src/etc/certs.inc file and the cert_build_list function, which now doesn't add certificates without a private key to the list.
When the "consumer" is "OPENVPN", cert_build_list should add certificates without a private key too, or the openvpn_client_export package should use its own function to build the list of compatible certificates based on the option chosen for the export.
Updated by Jim Pingle about 3 years ago
- Project changed from pfSense to pfSense Packages
- Subject changed from openvpn_client_export doesn't show certificate without private key to OpenVPN Client Export does not show certificate without private key
- Category changed from OpenVPN to OpenVPN Client Export
- Release Notes deleted (Default)
- Affected Version deleted (2.5.x)
Updated by Viktor Gurov about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
Updated by Denis Grilli almost 3 years ago
Can I ask why this fix is not on the public git repository?
Updated by Jim Pingle almost 3 years ago
Denis Grilli wrote in #note-4:
Can I ask why this fix is not on the public git repository?
It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).
Updated by Denis Grilli almost 3 years ago
Jim Pingle wrote in #note-5:
Denis Grilli wrote in #note-4:
Can I ask why this fix is not on the public git repository?
It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).
Apologies, I wasn't aware of the actual procedure... Thanks for taking the time to reply to me and for the job you guys are doing.
Denis
Updated by Viktor Gurov almost 3 years ago
- Status changed from Pull Request Review to Feedback
Merged
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to New
- Assignee changed from Viktor Gurov to Jim Pingle
This has caused a problem, it's impossible to export a config now for a non-TLS RA config ("Remote Access (User Auth)"). Attempting to do so results in an error:
A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
To me, it's a simple fix to not do that check for servers using that mode.
Updated by Jim Pingle almost 3 years ago
- Status changed from New to Feedback
Fix pushed, will be available whenever the next build happens.
Updated by Jonathan Herlin almost 3 years ago
This change has caused yet another problem with exporting certificates from server_tls_user mode.
Two things I noticed when tracing this down:
- We are looking at $settings here which var_dumped to NULL iirc, we should probably look at $srvcfg['authmode'] as $srvcfg is defined inside the if statement on line 201 and used here: https://github.com/pfsense/FreeBSD-ports/blob/641248d8930979e14fd8142ea2e771d12c20f18e/security/pfSense-pkg-openvpn-client-export/files/usr/local/www/vpn_openvpn_export.php#L258
- When the above is true, the $cert variable is set to a string with the id of the certificate. So we are not expecting it to contain $cert['prv']. https://github.com/pfsense/FreeBSD-ports/blob/641248d8930979e14fd8142ea2e771d12c20f18e/security/pfSense-pkg-openvpn-client-export/files/usr/local/www/vpn_openvpn_export.php#L263
- Create a CA
- Create a user with a certificate signed by above CA
- Create a OpenVPN server with SSL/TLS + Auth user/pass (mode: server_tls_user)
- Try to export a client configuration for user with certificates
Updated by Marcos M over 2 years ago
- Status changed from Feedback to New
- Assignee deleted (Jim Pingle)
I'm reopening this. The comments above about the $settings and $cert variable are correct. A symptom of this is that if the first cert listed in the GUI does not have a valid key, the error will trigger. The validation logic itself seems to be broken however and needs to be reviewed.
Updated by Charles Sprickman over 2 years ago
Marcos M wrote in #note-11:
I'm reopening this. The comments above about the $settings and $cert variable are correct. A symptom of this is that if the first cert listed in the GUI does not have a valid key, the error will trigger. The validation logic itself seems to be broken however and needs to be reviewed.
Anyone have a temporary patch for this while we wait for something official?
I'm on 2.6.0 with the latest openvpn client export pkg and am still getting this error:
The following input errors were detected:
A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
Failed to export config files!
Updated by Denis Grilli over 2 years ago
Charles Sprickman wrote in #note-12:
Marcos M wrote in #note-11:
I'm reopening this. The comments above about the $settings and $cert variable are correct. A symptom of this is that if the first cert listed in the GUI does not have a valid key, the error will trigger. The validation logic itself seems to be broken however and needs to be reviewed.
Anyone have a temporary patch for this while we wait for something official?
I'm on 2.6.0 with the latest openvpn client export pkg and am still getting this error:
The following input errors were detected:
A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
Failed to export config files!
Could you tell us in more detail what your use scenario is? From the error you are getting, neither the PKCS#11 nor the Microsoft Certificate Storage option has been selected when exporting the config. How did you create the private key and where is it stored?
Updated by Charles Sprickman about 2 years ago
Denis Grilli wrote in #note-13:
Could you tell us in more detail what your use scenario is? From the error you are getting, neither the PKCS#11 nor the Microsoft Certificate Storage option has been selected when exporting the config. How did you create the private key and where is it stored?
Private key, certs, etc. all created within the pfsense web UI many years ago. Up until a few pfsense updates ago I was still able to create client bundles - can't pinpoint when it stopped working as it's not something I do very often.
Just to be clear:
- Users are local (under System / User Manager / Users)
- Each user entry in the local user list does have a user cert from the openvpn CA attached to the account
- OpenVPN server is running in mode "Remote Access ( SSL/TLS + User Auth )"
- There's a dedicated OpenVPN CA (per setup instructions circa 2013)
- A cert and key exists for each user (under System / Certificate Manager / Certificates) and they seem to all be properly associated with their respective users - pfsense generates these
- Everything works fine with the VPN, it's just the export that's throwing the error
Updated by Charles Sprickman about 2 years ago
Charles Sprickman wrote in #note-14:
Denis Grilli wrote in #note-13:
Could you tell us in more detail what your use scenario is? From the error you are getting, neither the PKCS#11 nor the Microsoft Certificate Storage option has been selected when exporting the config. How did you create the private key and where is it stored?
Private key, certs, etc. all created within the pfsense web UI many years ago. Up until a few pfsense updates ago I was still able to create client bundles - can't pinpoint when it stopped working as it's not something I do very often.
Just to be clear:
- Users are local (under System / User Manager / Users)
- Each user entry in the local user list does have a user cert from the openvpn CA attached to the account
- OpenVPN server is running in mode "Remote Access ( SSL/TLS + User Auth )"
- There's a dedicated OpenVPN CA (per setup instructions circa 2013)
- A cert and key exists for each user (under System / Certificate Manager / Certificates) and they seem to all be properly associated with their respective users - pfsense generates these
- Everything works fine with the VPN, it's just the export that's throwing the error
I have a small site (3 users) with expired CA and certs, so I opted to nuke everything and start over, including rebooting the firewall for good measure.
I used the OpenVPN Server Wizard and accepted defaults, which includes setting the server up with combined TLS and user db auth "Remote Access ( SSL/TLS + User Auth )".
The wizard created everything from scratch: CA, server cert, firewall rules and the server config itself. I added a user, and within the user manager, also added a cert for that user. Guess what still happens when trying to export a client config?
The following input errors were detected: A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used. Failed to export config files!
Now if I change the server to be either user auth only or ssl/tls auth only, the export does work. So I guess a workaround that requires the fewest edits is:
- Change your server to "Remote Access (SSL/TLS Auth)" and save
- Export your clients
- Open up your client confs and manually add the line "auth-user-pass" to the config
- Change your server back to "Remote Access ( SSL/TLS + User Auth )" and save
It appears if you're comfortable with only user auth or only ssl/tls auth this works, but every "hardening OpenVPN" guide I see suggests that if you can use multi-factor auth, you should.
Anyhow, clearly seems to be a bug. I'm like 99% sure I can repro this on a fresh install.
Also if one is not using the export package, what is the recommended way to export everything needed for a client?
I also see this ticket exists, but I'm not clear on what exactly it is or how it relates to this bug, but I've seen it referenced regarding this export issue: https://redmine.pfsense.org/issues/13576
Updated by Jim Pingle about 2 years ago
- Status changed from New to Feedback
- Assignee set to Jim Pingle
- % Done changed from 0 to 100
Should be fixed now, though I couldn't reproduce it here. Probably requires landing on just the wrong combination of cert IDs between the existing user list, cert list, and so on.
Dev snapshots:
https://github.com/pfsense/FreeBSD-ports/commit/72f0574b9c991b1de2bf0592e3431b5f310ab759
Release:
https://github.com/pfsense/FreeBSD-ports/commit/4e7019d66e8a9aa2d9ec04e5fb494a3364b30cb4
Updated by Jim Pingle about 2 years ago
- Status changed from Feedback to In Progress
Looks like it's still broken in some way, a few people report seeing the input validation error on the forum now who didn't before the code change.
Updated by Jim Pingle about 2 years ago
- Status changed from In Progress to Feedback
This should address the remaining issue: https://github.com/pfsense/FreeBSD-ports/commit/34355ebf71b78a6bfca47577fb979d0463684b8a
There was a separate version bump commit so it would pick back cleaner to other branches.
Updated by Marcos M about 2 years ago
- Status changed from Feedback to Confirmed
With the new version, the following error message is given when exporting a profile with an RA User server:
The following input errors were detected: Unable to locate the requested certificate. Failed to export config files!
The following patch fixes it, though other conditions may need to be added:
diff --git a/files/usr/local/www/vpn_openvpn_export.php b/files/usr/local/www/vpn_openvpn_export.php index 027fb30a8a0d..ad345d250c95 100644 --- a/files/usr/local/www/vpn_openvpn_export.php +++ b/files/usr/local/www/vpn_openvpn_export.php @@ -266,7 +266,7 @@ if (!empty($act)) { } else { $cert = $config['cert'][$crtid]; } - if (empty($cert)) { + if (($srvcfg['mode'] != "server_user") && empty($cert)) { $input_errors[] = "Unable to locate the requested certificate."; } elseif (($srvcfg['mode'] != "server_user") && !$usepkcs11 && !$usetoken && empty($cert['prv'])) { $input_errors[] = "A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.";
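Review bot: the $srvcfg['mode'] != "server_user" test now appears in both the if and the elseif of this chain; since the comment above says other conditions may still need adding, consider wrapping both checks in a single if ($srvcfg['mode'] != "server_user") { ... } so the exemption is stated once and a later condition cannot be added to one branch only. With this change a server_user export also continues past the block with $cert possibly empty, so it is worth confirming that the code after it does not read $cert in that mode. The empty($cert['prv']) test in the elseif is only meaningful when $cert is an array, so adding an is_array($cert) guard to the first condition would send a non-array value to the "Unable to locate the requested certificate." branch instead of the private key one.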
Updated by Jim Pingle about 2 years ago
- Status changed from Confirmed to Feedback
Should be fixed in pkg v1.7_2 and v1.6_7
Updated by Marcos M about 2 years ago
- Status changed from Feedback to Resolved
Tested and it's working - thanks! Marking resolved.
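The checks discussed across this thread, collected into one function as an added example (not code from pfSense or the export package). The function name validate_export_cert(), its parameters, and the sample certificate entries are hypothetical; the mode strings and error messages are the ones quoted above, and treating a non-array $cert as "not located" is an assumption made for this example.

```php
<?php
// Added illustration, not pfSense or package code. validate_export_cert()
// and its parameters are hypothetical names.
function validate_export_cert(string $mode, $cert, bool $usepkcs11, bool $usetoken): array
{
    // User-auth-only servers hand out no client certificate: skip both checks.
    if ($mode === "server_user") {
        return [];
    }
    // A bare certificate id (string) is not a certificate entry. Without this
    // guard, empty($cert['prv']) on a string evaluates to true and the
    // private-key error is reported for a certificate that was never loaded.
    if (!is_array($cert) || empty($cert)) {
        return ["Unable to locate the requested certificate."];
    }
    // Key kept on a token or in the Windows certificate store: none expected here.
    if (!$usepkcs11 && !$usetoken && empty($cert['prv'])) {
        return ["A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used."];
    }
    return [];
}

// Constructed sample entries with placeholder values; 'crt' is an assumed key name.
$with_key    = ['crt' => 'PLACEHOLDER-CERT', 'prv' => 'PLACEHOLDER-KEY'];
$without_key = ['crt' => 'PLACEHOLDER-CERT'];

$cases = [
    'user auth only, no cert'       => ["server_user", null, false, false],
    'TLS+user, local key'           => ["server_tls_user", $with_key, false, false],
    'TLS+user, key on smartcard'    => ["server_tls_user", $without_key, true, false],
    'TLS+user, key missing'         => ["server_tls_user", $without_key, false, false],
    'TLS+user, id instead of entry' => ["server_tls_user", "example-id", false, false],
];
foreach ($cases as $label => $args) {
    $errs = validate_export_cert(...$args);
    printf("%-30s %s\n", $label, $errs ? implode('; ', $errs) : 'ok');
}
```

The first three cases report ok, the fourth reports the private key error, and the fifth reports that the certificate could not be located.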