Opened 9 years ago
Last modified 4 years ago
#641 assigned Bug / Defect
OpenVPN 2.3.9 no longer prompts for certificate private key password
Reported by: | sgt_b2002 | Owned by: | David Sommerseth |
---|---|---|---|
Priority: | major | Milestone: | release 2.3.15 |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.8 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | David Sommerseth |
Description
After upgrading to OpenVPN 2.3.8 from 2.3.5 attempts to start an OpenVPN connection via systemd do not include a prompt for certificate private key password. Instead, only the username and password prompts appear. Executing OpenVPN outside of systemd via command line works correctly and prompts for username, password, and certificate private key password are provided.
There are no errors that I can see.
Removing --daemon from the unit file results in the prompt for the private key password appearing, but this is not ideal.
Adding --askpass to the unit file does not appear to have any effect.
Upgraded to 2.3.9 and the issue persists.
Additional info:
OpenVPN 2.3.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2015
Possible Related Tickets:
https://community.openvpn.net/openvpn/ticket/618
https://community.openvpn.net/openvpn/ticket/630
Arch Linux Ticket:
https://bugs.archlinux.org/task/47481
Steps to reproduce:
Launch openvpn via systemd with a private key requiring a password.
Change History (7)
comment:1 Changed 9 years ago by
Cc: | David Sommerseth added |
---|
comment:2 Changed 9 years ago by
Sorry about the logs. I had them prepared but forgot to attach.
However, adding --askpass to /lib/systemd/system/openvpn@.service resolved the issue for me.
The following unit file along with 2.3.9 prompts for the certificate private key password, username, and password in that order. VPN comes up as expected after this.
```ini
[Unit]
Description=OpenVPN connection to %i

[Service]
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --askpass --daemon openvpn@%i --writepid /run/openvpn@%i.pid
PIDFile=/run/openvpn@%i.pid

[Install]
WantedBy=multi-user.target
```
Adding askpass to the openvpn config resolves this issue as well.
comment:3 Changed 9 years ago by
Thanks for confirming that it indeed works with --askpass.
I do wonder why it does not work without - when asking on the console, this is understood ("because there is no more console after --daemon") but if systemd is around, it should still work... could you post a log of that?
thanks
comment:5 Changed 8 years ago by
Milestone: | → release 2.3.15 |
---|---|
Owner: | set to David Sommerseth |
Status: | new → assigned |
Throwing over @dazo - I think it's worth trying to reproduce (on a system with systemd which I do not have :-) ), and either close it, or try to fix it... 2.4 and 2.3 might behave differently here, or might not.
comment:7 Changed 4 years ago by
So is this still a thing? @tincantech, have you been able to test with systemd and with/without askpass?
Log?
(Without --askpass, it will not ask due to the crypto/daemon change in 2.3.6, but --askpass should do exactly this: ask for the password before daemonizing. It was broken in 2.3.8, but 2.3.9 should be fine)
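Added example, not part of the ticket or of OpenVPN: a small pre-flight check for the combination discussed above, a unit that passes `--daemon` with a passphrase-protected key and no `askpass` on either the ExecStart line or in the config. The function names, sample file names and placeholder key bodies are constructed for illustration; the check only assumes the options are spelled as in the unit file from comment:2.

```shell
#!/bin/sh
# Added example, not from the ticket. Flags the combination discussed above:
# --daemon plus a passphrase-protected key with no askpass to request it.

# has_opt NAME FILE...: option given as "--NAME" on a unit's ExecStart line
# or as a bare "NAME" directive in an OpenVPN config file.
has_opt() {
    opt=$1; shift
    grep -Eq "^ExecStart=.*[[:space:]]--$opt([[:space:]]|\$)|^[[:space:]]*$opt([[:space:]]|\$)" "$@"
}

# key_is_encrypted FILE: PKCS#8 encrypted key, or a traditional PEM key
# carrying the "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# check_askpass UNIT CONF KEY: returns 1 only for daemon + encrypted key + no askpass.
check_askpass() {
    key_is_encrypted "$3" || { echo "ok: key has no passphrase"; return 0; }
    has_opt daemon "$1" "$2" || { echo "ok: runs in foreground"; return 0; }
    has_opt askpass "$1" "$2" && { echo "ok: askpass is set"; return 0; }
    echo "warn: daemonizes with an encrypted key but no askpass"
    return 1
}

# make_samples DIR: constructed inputs (key bodies are placeholders, not real keys).
make_samples() {
    printf '%s\n' '[Service]' 'Type=forking' \
        'ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid' \
        > "$1/without.service"
    printf '%s\n' '[Service]' 'Type=forking' \
        'ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --askpass --daemon openvpn@%i --writepid /run/openvpn@%i.pid' \
        > "$1/with.service"
    printf '%s\n' 'client' '# askpass' 'auth-user-pass' > "$1/plain.conf"
    printf '%s\n' 'client' 'auth-user-pass' 'askpass' > "$1/askpass.conf"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$1/clear.key"
}

d=$(mktemp -d) && make_samples "$d"
for u in without with; do
    printf '%s.service + plain.conf: ' "$u"
    check_askpass "$d/$u.service" "$d/plain.conf" "$d/enc.key" || true
done
rm -rf "$d"
```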