pfSense » pfSense Packages

fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/137

Can I ask why this fix is not on the public git repository?

Denis Grilli wrote in #note-4:

Can I ask why this fix is not on the public git repository?

It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).

Jim Pingle wrote in #note-5:

Denis Grilli wrote in #note-4:

Can I ask why this fix is not on the public git repository?

It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).

Apologies, I wasn't aware of the actual procedure... Thanks for taking the time to reply me back and for the job you guys doing.

Denis

This change has caused yet another problem with exporting certificates from server_tls_user mode.

• We are looking at $settings here which var_dumped to NULL iirc, we should probably look at $srvcfg['authmode'] as $srvcfg is defined inside the if statement on line 201 and used here: https://github.com/pfsense/FreeBSD-ports/blob/641248d8930979e14fd8142ea2e771d12c20f18e/security/pfSense-pkg-openvpn-client-export/files/usr/local/www/vpn_openvpn_export.php#L258

• When the above is true, the $cert variable is set to a string with the id of the certificate. So we are not expecting it to contain $cert['prv']. https://github.com/pfsense/FreeBSD-ports/blob/641248d8930979e14fd8142ea2e771d12c20f18e/security/pfSense-pkg-openvpn-client-export/files/usr/local/www/vpn_openvpn_export.php#L263

• Create a CA
• Create a user with a certificate signed by above CA
• Create a OpenVPN server with SSL/TLS + Auth user/pass (mode: server_tls_user)
• Try to export a client configuration for user with certificates

Marcos M wrote in #note-11:

I'm reopening this. The comments above about the $settings and $cert variable are correct. A symptom of this is that if the first cert listed in the GUI does not have a valid key, the error will trigger. The validation logic itself seems to be broken however and needs to be reviewed.

Anyone have a temporary patch for this while we wait for something official?

I'm on 2.6.0 with the latest openvpn client export pkg and am still getting this error:

The following input errors were detected:
     A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
     Failed to export config files!

Charles Sprickman wrote in #note-12:

Marcos M wrote in #note-11:

I'm reopening this. The comments above about the $settings and $cert variable are correct. A symptom of this is that if the first cert listed in the GUI does not have a valid key, the error will trigger. The validation logic itself seems to be broken however and needs to be reviewed.

Anyone have a temporary patch for this while we wait for something official?

I'm on 2.6.0 with the latest openvpn client export pkg and am still getting this error:

The following input errors were detected:
A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
Failed to export config files!

Could you tell in more detail what is your use scenario? From the error you are getting neither the PKCS#11 or the Microsoft Certificate Storage option have been selected when exporting the config. How did you create the private key and where is stored?

Denis Grilli wrote in #note-13:

Could you tell in more detail what is your use scenario? From the error you are getting neither the PKCS#11 or the Microsoft Certificate Storage option have been selected when exporting the config. How did you create the private key and where is stored?

Private key, certs, etc. all created within the pfsense web UI many years ago. Up until a few pfsense updates ago I was still able to create client bundles - can't pinpoint when it stopped working as it's not something I do very often.

Just to be clear:

• Users are local (under System / User Manager / Users)
• Each user entry in the local user list does have a user cert from the openvpn CA attached to the account
• OpenVPN server is running in mode "Remote Access ( SSL/TLS + User Auth )"
• There's a dedicated OpenVPN CA (per setup instructions circa 2013)
• A cert and key exists for each user (under System / Certificate Manager / Certificates) and they seem to all be properly associated with their respective users - pfsense generates these
• Everything works fine with the VPN, it's just the export that's throwing the error

Charles Sprickman wrote in #note-14:

Denis Grilli wrote in #note-13:

Could you tell in more detail what is your use scenario? From the error you are getting neither the PKCS#11 or the Microsoft Certificate Storage option have been selected when exporting the config. How did you create the private key and where is stored?

Private key, certs, etc. all created within the pfsense web UI many years ago. Up until a few pfsense updates ago I was still able to create client bundles - can't pinpoint when it stopped working as it's not something I do very often.

Just to be clear:

• Users are local (under System / User Manager / Users)
• Each user entry in the local user list does have a user cert from the openvpn CA attached to the account
• OpenVPN server is running in mode "Remote Access ( SSL/TLS + User Auth )"
• There's a dedicated OpenVPN CA (per setup instructions circa 2013)
• A cert and key exists for each user (under System / Certificate Manager / Certificates) and they seem to all be properly associated with their respective users - pfsense generates these
• Everything works fine with the VPN, it's just the export that's throwing the error

I have a small site (3 users) with expired CA and certs, so I opted to nuke everything and start over, including rebooting the firewall for good measure.

I used the OpenVPN Server Wizard and accepted defaults, which includes setting the server up with combined TLS and user db auth "Remote Access ( SSL/TLS + User Auth )".

The wizard created everything from scratch: CA, server cert, firewall rules and the server config itself. I added a user, and within the user manager, also added a cert for that user. Guess what still happens when trying to export a client config?

The following input errors were detected:
A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
Failed to export config files!

Now if I change the server to be either user auth only or ssl/tls auth only, the export does work. So I guess a workaround that requires the fewest edits is:

• Change your server to "Remote Access (SSL/TLS Auth)" and save
• Export your clients
• Open up your client confs and manually add the line "auth-user-pass" to the config
• Change your server back to "Remote Access ( SSL/TLS + User Auth )" and save

It appears if you're comfortable with only user auth or only ssl/tls auth this works, but every "hardening OpenVPN" guide I see suggests that if you can use multi-factor auth, you should.

Anyhow, clearly seems to be a bug. I'm like 99% sure I can repro this on a fresh install.

Also if one is not using the export package, what is the recommended way to export everything needed for a client?

I also see this ticket exists, but I'm not clear on what exactly it is or how it relates to this bug, but I've seen it referenced regarding this export issue: https://redmine.pfsense.org/issues/13576