I’m on a freshly installed IPFire instance updated from core 182 to 183
IPFire version
IPFire 2.29 (aarch64) - core183
Pakfire version
2.29-aarch64
Kernel version
Linux guard.aheinzel.local 6.6.15-ipfire #1 SMP PREEMPT_DYNAMIC Fri Feb 9 18:47:53 GMT 2024 aarch64 GNU/Linux
openssl version: OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
When attempting to setup openvpn the server certificate can’t be generated (services → openvpn → generate root/host certificates → generate root/host certificates). DH and the CA are created successfully, it is only the server certificate that fails. In the upper left corner of the generate root/host certificates page an error message that openssl exited with 256 is shown. In the log file the following error message is found:
A challenge password :An optional company name :Error adding request extensions from section server
20108990FFFF0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
20108990FFFF0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
20108990FFFF0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
20108990FFFF0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
The error appears to be due to the presence of AKID in the server extensions section (see recent discussion in openssl on github)
As a crude workaround I have for now removed the AKID extension by duplicating the config while generating the certificate request and this allowed for successful generation of the server certificate via the IPFire web GUI.
According to that openssl issue link you provided the CSR should not have the SKID and AKID present but due to a previous bug they were ignored. Now with the bug fixed in openssl the presence of the AKID causes the failure.
Thanks very much for finding this and reporting it.
Could you please raise a bug for this and I will have a look at how to deal with it.
Your IPFire community login email address and password will act as your login credentials for the IPFire Bugzilla.
When there is an OpenSSL version change I always test out the OpenVPN RW and N2N processes with existing connections and with creating new ones.
From now on I will also test out the generation of a new X509 set.
Sorry for the confusion - I have another message from you in my inbox that for some reason is not visible here in the community forum. In consequence this message may appear a bit out of context…
Yes you are right I just removed all authorityKeyIdentifier entries from the temporary config as I then only use the temporary config while generating the certificate request but not for the subsequent issuing of the certificate itself (here the original config is used again). I need to double check but I think it would even be possible to drop the extensions argument from openssl req invocation?
I wrote a reply which, after thinking about it, had several errors in it on my part so in the end I deleted my post but you had already received the notification.
The section you modified in the ovpnmain.cgi uses the [ server ] section of the ovpn.cnf for the extensions input into the csr generation.
Changing that section to remove the AKID and SKID allowed the host certificate to be created.
However the [ server ] section is also used in the next openssl command in ovpnmain.cgi for the signing of the CSR by the CA. That works if the AKID/SKID are present or not, in terms of creating the root/host certificate.
What I don’t know yet is if the signing of the CSR by the CA does not have the AKID/SKID specified does this cause some other problem later on when creating the client connection certificates or doing a revocation action.
I will try out both approaches in my testing to be certain
That is great. Thanks very much. I can then enter all my investigation info and the patches I submit and the other devs can also then review and modify anything I do in case it has errors in it.
If you find anything further yourself in your investigation feel free to add the info into the bug report.
Not a firm one. I would expect Core Update 184 to get its full release pretty soon, maybe by end of this week.
Then CU185 would probably go to Testing release by maybe end of next week. How long it will be in Testing phase depends if any issues are found and how long it takes to fix them.
The above is my best guess but it could also take longer.
The alternative that you have is to take a backup of your current system and download it to a separate machine. Then do a Fresh Install of Core Update 182 and restore the backup.
Then you could create the new root/host certificates. Then do the Core Update to 183. The bug in Core Update 183 is to create the root/host certificates from fresh. Any existing ones that are brought in from Core Update 182 or earlier will work fine.