Opened 9 years ago

Last modified 4 years ago

#641 assigned Bug / Defect

OpenVPN 2.3.9 no longer prompts for certificate private key password

Reported by: sgt_b2002
Owned by: David Sommerseth
Priority: major
Milestone: release 2.3.15
Component: Generic / unclassified
Version: OpenVPN 2.3.8 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: David Sommerseth

Description

After upgrading to OpenVPN 2.3.8 from 2.3.5, attempts to start an OpenVPN connection via systemd do not include a prompt for certificate private key password. Instead, only the username and password prompts appear. Executing OpenVPN outside of systemd via command line works correctly and prompts for username, password, and certificate private key password are provided.

There are no errors that I can see.

Removing --daemon from the unit file results in the prompt for the private key password appearing, but this is not ideal.
Adding --askpass to the unit file does not appear to have any effect.

Upgraded to 2.3.9 and the issue persists.

Additional info:
OpenVPN 2.3.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2015

Possible Related Tickets:
https://community.openvpn.net/openvpn/ticket/618
https://community.openvpn.net/openvpn/ticket/630

Arch Linux Ticket:
https://bugs.archlinux.org/task/47481

Steps to reproduce:
Launch openvpn via systemd with a private key requiring a password.

Change History (7)

comment:1 Changed 9 years ago by Gert Döring

Cc: David Sommerseth added

Log?

(Without --askpass, it will not ask due to the crypto/daemon change in 2.3.6, but --askpass should do exactly this: ask for the password before daemonizing. It was broken in 2.3.8, but 2.3.9 should be fine)

comment:2 Changed 9 years ago by sgt_b2002

Sorry about the logs. I had them prepared but forgot to attach.
However, adding --askpass to /lib/systemd/system/openvpn@.service resolved the issue for me.

The following unit file along with 2.3.9 prompts for the certificate private key password, username, and password in that order. VPN comes up as expected after this.

[Unit]
Description=OpenVPN connection to %i

[Service]
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --askpass --daemon openvpn@%i --writepid /run/openvpn@%i.pid
PIDFile=/run/openvpn@%i.pid

[Install]
WantedBy=multi-user.target

Adding askpass to the openvpn config resolves this issue as well.

Last edited 9 years ago by sgt_b2002
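A pre-deployment check for the combination discussed in the comments above (passphrase-protected key, --daemon, no askpass), written as an added example; it is not part of the ticket or of OpenVPN. The function names are hypothetical, and it assumes the key is referenced by a `key <file>` directive (not an inline `<key>` block) and is a PEM file carrying one of the two standard "encrypted" markers.

```sh
#!/bin/sh
# Added example: flag OpenVPN setups that daemonize with an encrypted
# private key but never request the passphrase via askpass.

# key_is_encrypted FILE: true if the PEM key requires a passphrase.
key_is_encrypted() {
    grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# has_option NAME CONF EXECSTART: true if NAME appears as a config
# directive in CONF or as a --NAME flag on the ExecStart line.
has_option() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$2" && return 0
    printf '%s\n' "$3" | grep -Eq -e "(^|[[:space:]])--$1([[:space:]]|\$)"
}

# check_askpass CONF_DIR CONF EXECSTART
# Prints a verdict; returns 1 only for the failing combination.
check_askpass() {
    dir=$1 conf=$2 exec_line=$3
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    [ -n "$key" ] || { echo "no-key-directive"; return 0; }
    case $key in /*) ;; *) key="$dir/$key" ;; esac   # relative to --cd dir
    if ! key_is_encrypted "$key"; then echo "key-unencrypted"; return 0; fi
    if ! has_option daemon "$conf" "$exec_line"; then echo "foreground"; return 0; fi
    if has_option askpass "$conf" "$exec_line"; then echo "ok"; return 0; fi
    echo "missing-askpass"; return 1
}

# Constructed sample input: a minimal config and a dummy key file that
# contains only the PKCS#8 "encrypted" header line.
demo() {
    d=$(mktemp -d)
    printf 'client\nkey client.key\n' > "$d/vpn.conf"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$d/client.key"
    base="/usr/bin/openvpn --cd $d --config $d/vpn.conf"
    check_askpass "$d" "$d/vpn.conf" "$base --daemon openvpn@vpn"            # missing-askpass
    check_askpass "$d" "$d/vpn.conf" "$base --askpass --daemon openvpn@vpn"  # ok
    rm -rf "$d"
}
demo || true
```
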

comment:3 Changed 9 years ago by Gert Döring

Thanks for confirming that it indeed works with --askpass.

I do wonder why it does not work without - when asking on the console, this is understood ("because there is no more console after --daemon") but if systemd is around, it should still work... could you post a log of that?

thanks

comment:4 Changed 9 years ago by Gert Döring

logs?

comment:5 Changed 8 years ago by Gert Döring

Milestone: release 2.3.15
Owner: set to David Sommerseth
Status: new → assigned

Throwing over @dazo - I think it's worth trying to reproduce (on a system with systemd which I do not have :-) ), and either close it, or try to fix it... 2.4 and 2.3 might behave differently here, or might not.

comment:6 Changed 5 years ago by tct

cc -- Sounds like I can help.

comment:7 Changed 4 years ago by Gert Döring

So is this still a thing? @tincantech, have you been able to test with systemd and with/without askpass?
