IPSec Roadwarrior problems

Hi guys.

I am trying to test with IPSec Roadwarrior and I have seen the limitation with Preshared Key since it only allows one connection. So, I said to myself, let’s try certificates. Now comes the problem.

When I try to “Generate root/host certificate” it gives me the following error:

Does it happen to anyone else?

Greetings.


I just tried it on my vm testbed with CU174 and it worked fine without any problems.

Looking up the error code on the internet a common theme seems to be that you are trying to use a Name that is already being used in a certificate somewhere in your IPFire system.

That is not allowed as the name=unique_subject means that the name has to be unique and cannot already be used.

There might be more details in the logs

grep charon /var/log/messages will extract the logs related to IPSec.

Alternatively run
tail -f /var/log/messages | grep charon

This will show the log file as it is created so you can press the Generate Root/Host Certificates and look at the terminal window and see what messages come up when the openssl error occurs. The log might give more details about which part of the x509 generation is failing.

EDIT:
Found that the Subject is made up of the Organisation, Organisation Unit, Common Name etc in a string.
This Subject has to be unique. That means that you have used the same Organisation Name, Organisation Unit, Common Name, Country etc in another certificate somewhere.

Could you check this on the CU175 testing version?

BR

Hi,

My version is IPFire 2.27 (aarch64) - Core Update 175 Development Build: master/c6c78f8e

I have tried to generate the error output from the log as @cfusco has commented but nothing appears at all.

I have tried to put other data to generate the certificate and the same thing comes out.

Greetings.

I tried it with Core Update 175 Development Build master/9797af30 and had the same error message.

There is an openssl issue with OpenVPN when accessing .p12 files and I had seen that IPSec also used openssl commands on .p12 files.

I added in the legacy option to all the openssl commands working on pkcs (.p12) files but found that this did not fix the problem.

I then added the legacy option to every openssl command in the IPSec vpnmain.cgi code. This resulted in the Root/Host certificate being successfully created.

There looks to be a difference between openssl-1.1.1x and openssl-3.x in terms of other openssl commands beyond the ones dealing with .p12 files.

The fix mentioned here will be supplied as a patch submission together with the one I have been working on for the OpenVPN openssl command issues.

Thanks for catching this.


@bonnietwin @roberto

Can you do another test?

Before generating the certificate(s), enter unique_subject = yes into the file /var/ipfire/certs/index.txt.attr

echo "unique_subject = yes" > /var/ipfire/certs/index.txt.attr

edit

Below is the result of my test
Fresh install 174 then upgrade to 175 testing

After entering the command
echo "unique_subject = yes" > /var/ipfire/certs/index.txt.attr
and then clicking “Generate root/host certificates”

:thinking:

edit:

Notice:
Once the certificates have been generated, the unique_subject = yes entry in the index.txt.attr file will be deleted.
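The two things discussed above (a subject string that must be unique across the CA, and the unique_subject setting in index.txt.attr) can be checked from the shell before clicking “Generate root/host certificates”. This is an added example, not code from this thread or from IPFire’s vpnmain.cgi; the index.txt layout is the one OpenSSL’s ca command writes, and the sample entries and paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPFire's vpnmain.cgi.
# Checks an OpenSSL CA database (the index.txt that IPFire keeps under
# /var/ipfire/certs) for subjects that "unique_subject = yes" would
# reject, so a collision can be found before a new certificate is made.
# Sample entries and paths below are constructed assumptions.

# OpenSSL's index.txt is tab-separated:
#   status  expiry  revocation  serial  filename  subject
# Print every subject used by more than one valid (status V) entry.
find_duplicate_subjects() {
    awk -F'\t' '$1 == "V" { n[$6]++ }
                END { for (s in n) if (n[s] > 1) print s }' "$1" | sort
}

# Return 0 when the subject is not used by any valid entry, 1 otherwise.
subject_is_free() {
    if awk -F'\t' -v s="$2" '$1 == "V" && $6 == s { hit = 1 }
                             END { exit !hit }' "$1"; then
        return 1
    fi
    return 0
}

# Report the unique_subject value from index.txt.attr; OpenSSL treats a
# missing file or key as "yes".
unique_subject_setting() {
    v=""
    [ -f "$1" ] && v=$(sed -n 's/^unique_subject[ ]*=[ ]*//p' "$1")
    printf '%s\n' "${v:-yes}"
}

# Demo on a constructed index: two valid entries share one subject.
demo() {
    d=$(mktemp -d)
    printf 'V\t330101000000Z\t\t01\tunknown\t/C=DE/O=IPFire/CN=ipfire.localdomain\n' > "$d/index.txt"
    printf 'V\t330101000000Z\t\t02\tunknown\t/C=DE/O=IPFire/CN=roadwarrior1\n' >> "$d/index.txt"
    printf 'V\t330101000000Z\t\t03\tunknown\t/C=DE/O=IPFire/CN=ipfire.localdomain\n' >> "$d/index.txt"
    echo "unique_subject = yes" > "$d/index.txt.attr"
    echo "unique_subject: $(unique_subject_setting "$d/index.txt.attr")"
    echo "duplicate subjects:"
    find_duplicate_subjects "$d/index.txt"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the constructed collision; point the functions at the real index.txt and index.txt.attr to check a live system.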

Hi @tphz

I have tried that and confirm it works. What I am not sure about is why it works.

I looked unique_subject up and it seemed to say that the default was yes anyway. Also could not find anything related to openssl-3 causing this to be needed.

How did you identify that this would help?

I now have this option and the one of adding the legacy option into every openssl command and I don’t know how to make the decision.

Anything to help in making this decision would be appreciated.

Will also ask on the Dev mailing list.

I was looking for something related to unique_subject

I just noticed that myself, although I thought it was coming from the reboot after I restarted my vm this morning.

That is not a viable solution then as that would mean users have to do that every time they remove their x509 and want to re-create it.

That solves my question about a decision then, I will use the -legacy option in all the openssl commands in vpnmain.cgi

I have raised a bug for this issue and am putting together a patch to fix it.

https://bugzilla.ipfire.org/show_bug.cgi?id=13138

Unfortunately I missed yesterday that using the -legacy option in every openssl command resulted in the Root certificate being shown but not the Host certificate. So more work needed before a patch can be submitted.

Figured out what needed to be done and patch submitted.

Thanks to everyone for the inputs on this.
