Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Giancarlo Razzolini
On 05-11-2015 05:28, Toyam Cox wrote:
> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
> Variable lookup still failed.
You need to recreate the certs. Each time you create one, you'll need to
edit x509v3 to match the cert being created. At least this did the trick
for me.

Cheers,
Giancarlo Razzolini



Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Reyk Floeter
Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf

The openssl.cnf version broke and we somehow didn't install ikeca.cnf by
default.

Reyk

> On 05.11.2015, at 08:28, Toyam Cox <aviator45...@gmail.com> wrote:
>
> Hi misc@,
>
> I have been (loosely) following the guide at
> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
> a roadblock.
>
> I have packets going between my two hosts on different networks, the
> configuration files on both are good, and both have the ca installed.
>
> However on my remote host, I get (ips and hostnames redacted):
> Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
> Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
> bytes
> Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
> certificate found
>
> This is coupled with, as I create the ca key...
> # ikectl ca vpn1 create
> CA passphrase:
> Retype CA passphrase:
> [stuff-happens-and-inputs]
> Getting Private key
> Using configuration from /etc/ssl/openssl.cnf
> variable lookup failed for ca::default_ca
> 24387713617796:error:0E06D06C:configuration file
> routines:NCONF_get_string:no
> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
> name=default_ca
>
> I've checked the mail logs for misc@ and found a person in August with
> this problem, http://marc.info/?l=openbsd-misc=133675466519976=2
>
> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
> Variable lookup still failed.
>
> Thank you for any help.



Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Toyam Cox
This got me past that error pretty handily.

However, now it is complaining about no index.txt. The path given
doesn't help me know where to put the index.txt

Getting Private key
Using configuration from /etc/ssl/ikeca.cnf
index.txt: No such file or directory
unable to open 'index.txt'
250120122244:error:02001002:system library:fopen:No such file or
directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt',
'r')
250120122244:error:20074002:BIO routines:FILE_CTRL:system
lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:

On Thu, Nov 5, 2015 at 7:48 AM, Reyk Floeter <r...@openbsd.org> wrote:
> Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf
>
> The openssl.cnf version broke and we somehow didn't install ikeca.cnf by 
> default.
>
> Reyk
>
>> On 05.11.2015, at 08:28, Toyam Cox <aviator45...@gmail.com> wrote:
>>
>> Hi misc@,
>>
>> I have been (loosely) following the guide at
>> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
>> a roadblock.
>>
>> I have packets going between my two hosts on different networks, the
>> configuration files on both are good, and both have the ca installed.
>>
>> However on my remote host, I get (ips and hostnames redacted):
>> Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
>> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
>> Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
>> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
>> bytes
>> Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
>> certificate found
>>
>> This is coupled with, as I create the ca key...
>> # ikectl ca vpn1 create
>> CA passphrase:
>> Retype CA passphrase:
>> [stuff-happens-and-inputs]
>> Getting Private key
>> Using configuration from /etc/ssl/openssl.cnf
>> variable lookup failed for ca::default_ca
>> 24387713617796:error:0E06D06C:configuration file
>> routines:NCONF_get_string:no
>> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
>> name=default_ca
>>
>> I've checked the mail logs for misc@ and found a person in August with
>> this problem, http://marc.info/?l=openbsd-misc=133675466519976=2
>>
>> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
>> Variable lookup still failed.
>>
>> Thank you for any help.



Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Jonathan Gray
On Fri, Nov 06, 2015 at 12:24:30AM -0500, Toyam Cox wrote:
> I'm running 5.8-release.

ikectl ca in 5.8 is non-functional as LibreSSL removed support for
environment variables in openssl cnf files and this was not
noticed/fixed until after 5.8.

Here is a patch against 5.8 that adds the changes to cope with that.

Index: Makefile
===
RCS file: /cvs/src/usr.sbin/ikectl/Makefile,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- Makefile18 Jan 2014 05:54:51 -  1.3
+++ Makefile19 Aug 2015 12:25:59 -  1.4
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.3 2014/01/18 05:54:51 martynas Exp $
+# $OpenBSD: Makefile,v 1.4 2015/08/19 12:25:59 reyk Exp $
 
 .PATH: ${.CURDIR}/../../sbin/iked
 
 PROG=  ikectl
-SRCS=  log.c ikeca.c ikectl.c parser.c
+SRCS=  log.c ikeca.c ikectl.c parser.c util.c
 
 MAN=   ikectl.8
 
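Review bot: SRCS now links util.c from iked via the existing `.PATH: ${.CURDIR}/../../sbin/iked`, but the only declaration of what ikectl takes from it is the hand-written `/* util.c */ int expand_string(char *, size_t, const char *, const char *);` in ikeca.c. Suggest moving that prototype into a header shared by iked and ikectl so a later change to expand_string()'s signature fails at compile time rather than silently miscompiling the caller.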
Index: ikeca.c
===
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.30
retrieving revision 1.33
diff -u -p -r1.30 -r1.33
--- ikeca.c 16 Jan 2015 06:40:17 -  1.30
+++ ikeca.c 19 Aug 2015 12:25:59 -  1.33
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.30 2015/01/16 06:40:17 deraadt Exp $  */
+/* $OpenBSD: ikeca.c,v 1.33 2015/08/19 12:25:59 reyk Exp $ */
 
 /*
  * Copyright (c) 2010 Jonathan Gray 
@@ -82,13 +82,39 @@ struct {
{ "/private",   0700 }
 };
 
-int ca_sign(struct ca *, char *, int, char *);
+/* explicitly list allowed variables */
+const char *ca_env[][2] = {
+   { "$ENV::CADB", NULL },
+   { "$ENV::CERTFQDN", NULL },
+   { "$ENV::CERTIP", NULL },
+   { "$ENV::CERTPATHLEN", NULL },
+   { "$ENV::CERTUSAGE", NULL },
+   { "$ENV::CERT_C", NULL },
+   { "$ENV::CERT_CN", NULL },
+   { "$ENV::CERT_EMAIL", NULL },
+   { "$ENV::CERT_L", NULL },
+   { "$ENV::CERT_O", NULL },
+   { "$ENV::CERT_OU", NULL },
+   { "$ENV::CERT_ST", NULL },
+   { "$ENV::EXTCERTUSAGE", NULL },
+   { "$ENV::NSCERTTYPE", NULL },
+   { NULL }
+};
+
+int ca_sign(struct ca *, char *, int);
 int ca_request(struct ca *, char *);
 int ca_newpass(char *, char *);
 char *  ca_readpass(char *, size_t *);
 int fcopy(char *, char *, mode_t);
+int fcopy_env(const char *, const char *, mode_t);
 int rm_dir(char *);
 int ca_hier(char *);
+voidca_setenv(const char *, const char *);
+voidca_clrenv(void);
+voidca_setcnf(struct ca *, const char *);
+
+/* util.c */
+int expand_string(char *, size_t, const char *, const char *);
 
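Review bot: ca_env[] lists CADB, CERTPATHLEN, CERTUSAGE, EXTCERTUSAGE and NSCERTTYPE with NULL values, yet no hunk shown here ever calls ca_setenv() for them, and the `const char *` element type hides that ca_setenv() must write into this table. If ca_setcnf() substitutes a still-NULL entry as an empty string, a template line such as `dir = $ENV::CADB` silently becomes a relative path, which would look exactly like the bare `index.txt` open failure reported earlier in this thread. Suggest that ca_setcnf() refuse to expand a referenced variable whose value is NULL, or that the default for each entry be documented above the table.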
 int
 ca_delete(struct ca *ca)
@@ -173,10 +199,13 @@ ca_request(struct ca *ca, char *keyname)
charcmd[PATH_MAX * 2];
charpath[PATH_MAX];
 
+   ca_setenv("$ENV::CERT_CN", keyname);
+   ca_setcnf(ca, keyname);
+
snprintf(path, sizeof(path), "%s/private/%s.csr", ca->sslpath, keyname);
-   snprintf(cmd, sizeof(cmd), "env CERT_CN=%s %s req %s-new"
+   snprintf(cmd, sizeof(cmd), "%s req %s-new"
" -key %s/private/%s.key -out %s -config %s",
-   keyname, PATH_OPENSSL, ca->batch, ca->sslpath, keyname,
+   PATH_OPENSSL, ca->batch, ca->sslpath, keyname,
path, ca->sslcnf);
 
system(cmd);
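Review bot: dropping `env CERT_CN=%s` from the command string removes one place where keyname reached the shell, but the same keyname is still formatted unquoted into `-key %s/private/%s.key -out %s` and handed to system(3), and the return value of system(cmd) is ignored. Suggest validating keyname against a safe character set (or shell-quoting it) before building cmd, and returning an error when system() reports failure so that a refused request is not followed by an attempt to sign a CSR that was never written.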
@@ -186,40 +215,40 @@ ca_request(struct ca *ca, char *keyname)
 }
 
 int
-ca_sign(struct ca *ca, char *keyname, int type, char *envargs)
+ca_sign(struct ca *ca, char *keyname, int type)
 {
charcmd[PATH_MAX * 2];
charhostname[HOST_NAME_MAX+1];
charname[128];
+   const char  *extensions = NULL;
 
strlcpy(name, keyname, sizeof(name));
 
-   if (envargs == NULL)
-   envargs = "";
-
if (type == HOST_IPADDR) {
-   snprintf(cmd, sizeof(cmd), "env CERTIP=%s%s %s x509 -req"
-   " -days 365 -in %s/private/%s.csr"
-   " -CA %s/ca.crt -CAkey %s/private/ca.key -CAcreateserial"
-   " -extfile %s -extensions x509v3_IPAddr -out %s/%s.crt"
-   " -passin file:%s", name, envargs, PATH_OPENSSL,
-   ca->sslpath, keyname, ca->sslpath, ca->sslpath,
-   ca->extcnf, ca->sslpath, keyname, ca->passfile);
+   ca_setenv("$ENV::CERTIP", name);
+   extensions = "x509v3_IPAddr";
} else if (type == HOST_FQDN) {
if (!strcmp(keyname, "local")) {
if (gethostname(hostname, sizeof(hostname)))
err(1, "gethostname");
strlcpy(name, hostname, sizeof(name));
}
-   snprintf(cmd, sizeof(cmd), "env CERTFQDN=%s%s %s x509 -req"
-  
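Review bot: `extensions` is initialised to NULL and assigned only inside the HOST_IPADDR and HOST_FQDN branches; if ca_sign() is ever called with another type and the pointer is later formatted into the openssl command with %s, that is undefined behaviour on a NULL pointer. Add a final `else errx(1, "unknown certificate type");` after the HOST_FQDN branch (the remainder of this hunk is cut off on this page, so the actual use of extensions cannot be checked here).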

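The cause Jonathan describes above is that LibreSSL stopped reading `$ENV::NAME` references out of the process environment, so ikectl's template-driven openssl(1) configs stopped working until ikectl learned to pre-expand them itself from an explicit list of variables. The script below is an added example, not ikectl's own code and not the ikeca.cnf shipped in the tree: it does the same pre-expansion in plain sh/awk, refuses any `$ENV::` name outside the allowlist (the names are copied from the patch's ca_env[] table) and any value containing a newline, and creates the openssl ca(1) database files (index.txt, serial) that the "unable to open 'index.txt'" error is about. The function names, the template and the values used in the demonstration are constructed for the example.

```shell
#!/bin/sh
# Added example, not ikectl(8)'s code: pre-expand $ENV::NAME references in an
# openssl(1) config template from an explicit allowlist, the way the 5.8 patch
# does with its ca_env[] table, instead of relying on libcrypto to read the
# environment (LibreSSL no longer does). The allowlist names come from the
# patch; the function names and the demo template below are assumptions.

# Only these names may appear as $ENV::NAME in a template.
CA_ENV_ALLOWED="CADB CERTFQDN CERTIP CERTPATHLEN CERTUSAGE CERT_C CERT_CN \
CERT_EMAIL CERT_L CERT_O CERT_OU CERT_ST EXTCERTUSAGE NSCERTTYPE"

# expand_cnf TEMPLATE OUTPUT
# Rewrites TEMPLATE to OUTPUT, replacing every $ENV::NAME with the value of
# NAME from the current environment. A reference to a name outside the
# allowlist, or a value containing a newline (which could append its own
# config sections), aborts with status 2 and leaves no partial OUTPUT.
# Allowlisted names that are unset expand to the empty string, because a
# template normally references both CERTIP and CERTFQDN while only one of
# them is set for a given certificate.
expand_cnf() {
    _tpl=$1 _out=$2
    awk -v allowed="$CA_ENV_ALLOWED" '
    BEGIN {
        n = split(allowed, names, " ")
        for (i = 1; i <= n; i++) ok[names[i]] = 1
    }
    {
        rest = $0; done = ""
        # Scan left to right; substituted text is never rescanned, so a
        # value that itself contains "$ENV::" is copied literally.
        while (match(rest, /\$ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr(rest, RSTART + 6, RLENGTH - 6)
            if (!(name in ok)) {
                printf("%s:%d: $ENV::%s is not an allowed variable\n",
                       FILENAME, NR, name) | "cat 1>&2"
                exit 2
            }
            val = (name in ENVIRON) ? ENVIRON[name] : ""
            if (index(val, "\n")) {
                printf("%s:%d: value of %s contains a newline\n",
                       FILENAME, NR, name) | "cat 1>&2"
                exit 2
            }
            done = done substr(rest, 1, RSTART - 1) val
            rest = substr(rest, RSTART + RLENGTH)
        }
        print done rest
    }' "$_tpl" > "$_out.tmp" || { rm -f "$_out.tmp"; return 2; }
    mv "$_out.tmp" "$_out"
}

# ca_hier DIR
# Creates the openssl ca(1) database that a "dir = $ENV::CADB" line points
# at: an empty index.txt and a starting serial, plus a 0700 private/
# directory (the mode matches the { "/private", 0700 } entry in ikeca.c).
ca_hier() {
    _dir=$1
    mkdir -p "$_dir/private" || return 1
    chmod 0700 "$_dir/private"
    [ -f "$_dir/index.txt" ] || : > "$_dir/index.txt"
    [ -f "$_dir/serial" ] || echo 01 > "$_dir/serial"
}

# Demonstration on a constructed template (not the real ikeca.cnf): build the
# per-certificate config for an FQDN host and print it.
demo() {
    _d=$(mktemp -d) || return 1
    cat > "$_d/ikeca.tpl" <<'EOF'
[ ca_default ]
dir = $ENV::CADB
[ x509v3_FQDN ]
subjectAltName = DNS:$ENV::CERTFQDN
[ x509v3_IPAddr ]
subjectAltName = IP:$ENV::CERTIP
EOF
    CADB="$_d/vpn1" CERTFQDN=gw.example.org
    export CADB CERTFQDN
    unset CERTIP
    ca_hier "$CADB"
    expand_cnf "$_d/ikeca.tpl" "$_d/gw.example.org.cnf" &&
        cat "$_d/gw.example.org.cnf"
    rm -rf "$_d"
}
demo
```

The allowlist is the security-relevant part: with libcrypto's old behaviour any `$ENV::` reference in a template (or in a file the template includes) could read whatever happened to be in the environment of the process running openssl, whereas a fixed table makes the set of inputs that can reach a certificate explicit and reviewable. The newline check closes the remaining hole in that model, a value that carries its own `[ section ]` into the generated file.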
Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Jonathan Gray
Which release or snapshot are you running?  For the version of the file
Reyk pointed you at you'll need a -current snapshot.

On Thu, Nov 05, 2015 at 12:58:29PM -0500, Toyam Cox wrote:
> This got me past that error pretty handily.
> 
> However, now it is complaining about no index.txt. The path given
> doesn't help me know where to put the index.txt
> 
> Getting Private key
> Using configuration from /etc/ssl/ikeca.cnf
> index.txt: No such file or directory
> unable to open 'index.txt'
> 250120122244:error:02001002:system library:fopen:No such file or
> directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt',
> 'r')
> 250120122244:error:20074002:BIO routines:FILE_CTRL:system
> lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:
> 
> On Thu, Nov 5, 2015 at 7:48 AM, Reyk Floeter <r...@openbsd.org> wrote:
> > Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.
> >
> > http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf
> >
> > The openssl.cnf version broke and we somehow didn't install ikeca.cnf by 
> > default.
> >
> > Reyk
> >
> >> On 05.11.2015, at 08:28, Toyam Cox <aviator45...@gmail.com> wrote:
> >>
> >> Hi misc@,
> >>
> >> I have been (loosely) following the guide at
> >> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
> >> a roadblock.
> >>
> >> I have packets going between my two hosts on different networks, the
> >> configuration files on both are good, and both have the ca installed.
> >>
> >> However on my remote host, I get (ips and hostnames redacted):
> >> Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
> >> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
> >> Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
> >> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
> >> bytes
> >> Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
> >> certificate found
> >>
> >> This is coupled with, as I create the ca key...
> >> # ikectl ca vpn1 create
> >> CA passphrase:
> >> Retype CA passphrase:
> >> [stuff-happens-and-inputs]
> >> Getting Private key
> >> Using configuration from /etc/ssl/openssl.cnf
> >> variable lookup failed for ca::default_ca
> >> 24387713617796:error:0E06D06C:configuration file
> >> routines:NCONF_get_string:no
> >> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
> >> name=default_ca
> >>
> >> I've checked the mail logs for misc@ and found a person in August with
> >> this problem, http://marc.info/?l=openbsd-misc=133675466519976=2
> >>
> >> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
> >> Variable lookup still failed.
> >>
> >> Thank you for any help.



Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Toyam Cox
I'm running 5.8-release.

On Thu, Nov 5, 2015 at 8:07 PM, Jonathan Gray <j...@jsg.id.au> wrote:
> Which release or snapshot are you running?  For the version of the file
> Reyk pointed you at you'll need a -current snapshot.
>
> On Thu, Nov 05, 2015 at 12:58:29PM -0500, Toyam Cox wrote:
>> This got me past that error pretty handily.
>>
>> However, now it is complaining about no index.txt. The path given
>> doesn't help me know where to put the index.txt
>>
>> Getting Private key
>> Using configuration from /etc/ssl/ikeca.cnf
>> index.txt: No such file or directory
>> unable to open 'index.txt'
>> 250120122244:error:02001002:system library:fopen:No such file or
>> directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt',
>> 'r')
>> 250120122244:error:20074002:BIO routines:FILE_CTRL:system
>> lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:
>>
>> On Thu, Nov 5, 2015 at 7:48 AM, Reyk Floeter <r...@openbsd.org> wrote:
>> > Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.
>> >
>> > http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf
>> >
>> > The openssl.cnf version broke and we somehow didn't install ikeca.cnf by 
>> > default.
>> >
>> > Reyk
>> >
>> >> On 05.11.2015, at 08:28, Toyam Cox <aviator45...@gmail.com> wrote:
>> >>
>> >> Hi misc@,
>> >>
>> >> I have been (loosely) following the guide at
>> >> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
>> >> a roadblock.
>> >>
>> >> I have packets going between my two hosts on different networks, the
>> >> configuration files on both are good, and both have the ca installed.
>> >>
>> >> However on my remote host, I get (ips and hostnames redacted):
>> >> Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
>> >> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
>> >> Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
>> >> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
>> >> bytes
>> >> Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
>> >> certificate found
>> >>
>> >> This is coupled with, as I create the ca key...
>> >> # ikectl ca vpn1 create
>> >> CA passphrase:
>> >> Retype CA passphrase:
>> >> [stuff-happens-and-inputs]
>> >> Getting Private key
>> >> Using configuration from /etc/ssl/openssl.cnf
>> >> variable lookup failed for ca::default_ca
>> >> 24387713617796:error:0E06D06C:configuration file
>> >> routines:NCONF_get_string:no
>> >> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
>> >> name=default_ca
>> >>
>> >> I've checked the mail logs for misc@ and found a person in August with
>> >> this problem, http://marc.info/?l=openbsd-misc=133675466519976=2
>> >>
>> >> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
>> >> Variable lookup still failed.
>> >>
>> >> Thank you for any help.



Iked, ca_getreq: no valid local certificate found

2015-11-04 Thread Toyam Cox
Hi misc@,

I have been (loosely) following the guide at
http://puffysecurity.com/wiki/openikedoffshore.html and have run into
a roadblock.

I have packets going between my two hosts on different networks, the
configuration files on both are good, and both have the ca installed.

However on my remote host, I get (ips and hostnames redacted):
Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
bytes
Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
certificate found

This is coupled with, as I create the ca key...
# ikectl ca vpn1 create
CA passphrase:
Retype CA passphrase:
[stuff-happens-and-inputs]
Getting Private key
Using configuration from /etc/ssl/openssl.cnf
variable lookup failed for ca::default_ca
24387713617796:error:0E06D06C:configuration file
routines:NCONF_get_string:no
value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
name=default_ca

I've checked the mail logs for misc@ and found a person in August with
this problem, http://marc.info/?l=openbsd-misc=133675466519976=2

Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
Variable lookup still failed.

Thank you for any help.