Your message dated Sat, 14 Oct 2017 14:42:07 +0200
with message-id <[email protected]>
and subject line Re: network-manager-openvpn-gnome: Unable to edit or add VPN 
connections
has caused the Debian Bug report #878439,
regarding network-manager-openvpn-gnome: Unable to edit or add VPN connections
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
878439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878439
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: network-manager-openvpn-gnome
Version: 1.2.8-2
Severity: important

Dear Maintainer,

After the upgrade from jessie to stretch, I have been unable to connect
to my VPN.

The GUI was not able to provide a proper description of the reason.
However, the system log revealed that the "tls-remote" option was not
recognized, which is useful information. According to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848024
the solution is to fix the local configuration to use "verify-x509-name"
instead.

If I read the documentation correctly, it should be possible to do this
using the nm-connection-editor, by choosing a non-legacy item for the
"Server Certificate Check" option. In practice this does not work,
because it is not possible to save modifications to existing
connections -- the "save" button always remains greyed out. Also
creating new OpenVPN connections and saving them is not possible. The
only action that works is deleting connections.

Hence this bugreport.

When trying to edit the connection in the GUI, the log says:
"Cannot save connection due to error: Invalid setting VPN: cert-pass"



It was possible to edit the connection configuration by hand, as I
found out, by editing the corresponding configuration file in
/etc/NetworkManager/system-connections/. After editing, it is necessary
to reload the connection configuration from disk by running:
sudo nmcli conn reload

Editing the configuration file has challenges: The mentioned option
"cert-pass" did not actually exist in any configuration file. Other
existing options like "cert-pass-flags" seem to be undocumented. In any
case this is not a regular openvpn configuration file, but has a
different set of options.

After much trial and error, connecting to the VPN still does not work.
The log shows some TLS errors:

OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

How do the different variants of verify-x509-name settings need to
be configured in the NetworkManager connection configuration file, when
the GUI cannot be used?


-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=da_DK.utf8, LC_CTYPE=da_DK.utf8 (charmap=UTF-8), LANGUAGE=da_DK.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openvpn-gnome depends on:
ii  libatk1.0-0              2.22.0-1
ii  libc6                    2.24-11+deb9u1
ii  libcairo-gobject2        1.14.8-1
ii  libcairo2                1.14.8-1
ii  libdbus-1-3              1.10.22-0+deb9u1
ii  libdbus-glib-1-2         0.108-2
ii  libgdk-pixbuf2.0-0       2.36.5-2+deb9u1
ii  libglib2.0-0             2.50.3-2
ii  libgtk-3-0               3.22.11-1
ii  libnm-glib-vpn1          1.6.2-3
ii  libnm-glib4              1.6.2-3
ii  libnm-gtk0               1.4.4-1
ii  libnm-util2              1.6.2-3
ii  libnm0                   1.6.2-3
ii  libnma0                  1.4.4-1
ii  libpango-1.0-0           1.40.5-1
ii  libpangocairo-1.0-0      1.40.5-1
ii  libsecret-1-0            0.18.5-3.1
ii  network-manager-openvpn  1.2.8-2

network-manager-openvpn-gnome recommends no packages.

network-manager-openvpn-gnome suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
> After the upgrade from jessie to stretch, I have been unable to connect
> to my VPN.

This works now. The missing part was to enter the password to the
private key into the corresponding input field. Once that is done, it is
possible to save the modified settings. I just had not expected this to
be necessary.

> When trying to edit the connection in the GUI, the log says:
> "Cannot save connection due to error: Invalid setting VPN: cert-pass"

Ah. This actually translates to "Please provide a password for the
private key, otherwise this connection cannot be saved." Why can't it
simply say that?

> How do the different variants of verify-x509-name settings need to
> be configured in the NetworkManager connection configuration file, when
> the GUI cannot be used?

Here is an example that corresponds to my case.
OpenVPN configuration file:

        verify-x509-name vpn.server.info name

NetworkManager connection configuration file:

        verify-x509-name=name:vpn.server.info

Thanks.

--- End Message ---
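
The mapping given in the reply above, as an added example that is not part of the original messages or of NetworkManager: a Python helper that converts an OpenVPN verify-x509-name directive into the keyfile form and classifies a connection file by how it checks the server certificate name. It assumes the other OpenVPN types (subject, which is OpenVPN's default, and name-prefix) use the same type:value form the reply shows for name; the function names and the sample keyfile are constructed for illustration.

```python
import configparser
import shlex

OPENVPN_SERVICE = "org.freedesktop.NetworkManager.openvpn"
X509_TYPES = ("subject", "name", "name-prefix")  # types OpenVPN accepts

# Constructed sample of a connection file carried over from jessie.
SAMPLE_KEYFILE = """\
[connection]
id=office-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.server.info
tls-remote=vpn.server.info
cert-pass-flags=1
"""


def to_nm_key(directive):
    """Convert 'verify-x509-name NAME [TYPE]' to the keyfile line."""
    parts = shlex.split(directive)  # a subject DN may be quoted and contain spaces
    if len(parts) not in (2, 3) or parts[0] != "verify-x509-name":
        raise ValueError("not a verify-x509-name directive: %r" % directive)
    kind = parts[2] if len(parts) == 3 else "subject"  # OpenVPN's default type
    if kind not in X509_TYPES:
        raise ValueError("unknown verify-x509-name type: %r" % kind)
    return "verify-x509-name=%s:%s" % (kind, parts[1])


def audit_keyfile(text):
    """Return (status, type, name) for one keyfile's server name check."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if cp.get("vpn", "service-type", fallback="") != OPENVPN_SERVICE:
        return ("not-openvpn", None, None)
    vpn = cp["vpn"]
    if "tls-remote" in vpn:  # rejected after the upgrade; needs replacing
        return ("legacy", None, vpn["tls-remote"])
    value = vpn.get("verify-x509-name", "")
    if not value:
        return ("unchecked", None, None)
    kind, sep, name = value.partition(":")
    if not sep:  # assumption: a bare value means the default type
        kind, name = "subject", value
    return ("checked", kind, name)
```

After changing a file under /etc/NetworkManager/system-connections/, the reload step from the report (sudo nmcli conn reload) still applies.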
