Relayd with TLS and non-TLS backends - bug
Hello Misc,

Full config at end of email. I've discussed the below in #openbsd on freenode, and was told to come here.

At present, I have a setup where I need multiple unrelated servers under a single IP address. I used relayd to do https interception, read the Host header, and make decisions. The very relevant part of my config is this:

    forward to port 80
    forward with tls to port 443

The order here does not matter (unlike most relayd configs, I know, but I've tested in my configuration and it works).

When I have "with tls" on that second line, I see error lines like:

    relay web, session 3 (1 active), 0, [redacted] -> 10.0.0.102:80, TLS handshake error: handshake failed: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred, GET: Undefined error: 0

and, unhelpfully, relayd responds with no response. There is no return. Or, as curl puts it:

    curl: (52) Empty reply from server

When I remove "with tls" then I successfully reach the http backend, but since the https backend requires ssl, that connection no longer works.

So it seems that "with tls" affects all "forward" clauses, not just the one to which it's attached. I believe this to be a bug.

    cat >/etc/relayd.conf < { "10.0.0.101" }
    table { "10.0.0.102" }
    # obviously obfuscated some values

    interval 5
    timeout 1000
    log connection

    http protocol web {
        return error
        match header set "X-Client-IP" value "$REMOTE_ADDR:$REMOTE_PORT"
        match header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        http websockets
        pass request quick header "Host" value "myhost.example.com" path "/Client/*" forward to
        pass request quick header "Host" value "otherhost.example.com" forward to
        block
    }

    relay web {
        listen on 10.0.0.100 port 443 tls
        protocol web
        forward to port 80 check http "/webservice.asmx" code 405
        forward with tls to port 443 check https "/Client/SupportedBrowsers.html" host "myhost.example.com" code 200
    }
    EOF
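A small log check, added here as example code of my own (not relayd's code and not from the post): it parses relayd session log lines in the layout shown above, which I assume to be "relay NAME, session N (M active), X, CLIENT -> BACKEND:PORT, MESSAGE" in general, and flags every session where a TLS handshake error was logged against a backend port that relayd.conf does not forward to "with tls". Run over the relay log, it makes the reported symptom (a TLS handshake attempted toward 10.0.0.102:80) stand out from ordinary certificate failures on the real TLS backend.

```python
import re
from typing import Dict, List, Optional, Set

# Line layout assumed from the log line quoted in the post (an assumption,
# not relayd's documented format):
#   relay NAME, session N (M active), X, CLIENT -> BACKEND:PORT, MESSAGE
SESSION_RE = re.compile(
    r"^relay (?P<relay>\S+), session (?P<session>\d+) \((?P<active>\d+) active\), "
    r"(?P<id>\d+), (?P<client>\S+) -> (?P<backend>[^:\s]+):(?P<port>\d+), (?P<msg>.*)$"
)


def parse_session_line(line: str) -> Optional[Dict[str, str]]:
    """Split one relayd session log line into its fields; None if it does not match."""
    m = SESSION_RE.match(line.strip())
    return m.groupdict() if m else None


def tls_mismatches(lines: List[str], tls_backend_ports: Set[int]) -> List[Dict[str, str]]:
    """Sessions where relayd tried a TLS handshake toward a backend port that is
    not in tls_backend_ports, i.e. a port the config did not forward to 'with tls'.
    tls_backend_ports holds the ports of the 'forward with tls to ... port P' clauses."""
    found = []
    for line in lines:
        rec = parse_session_line(line)
        if rec is None or "TLS handshake error" not in rec["msg"]:
            continue
        if int(rec["port"]) not in tls_backend_ports:
            found.append(rec)
    return found


# Constructed sample: the first line is the one quoted in the post; the second is
# a made-up session toward the backend that really is configured 'with tls'.
SAMPLE_LOG = [
    "relay web, session 3 (1 active), 0, [redacted] -> 10.0.0.102:80, "
    "TLS handshake error: handshake failed: error:14FFF3E7:SSL routines:"
    "(UNKNOWN)SSL_internal:unknown failure occurred, GET: Undefined error: 0",
    "relay web, session 4 (1 active), 0, [redacted] -> 10.0.0.102:443, "
    "TLS handshake error: handshake failed: certificate verify failed",
]

if __name__ == "__main__":
    # Only port 443 is forwarded 'with tls' in the config above.
    for rec in tls_mismatches(SAMPLE_LOG, {443}):
        print(f"session {rec['session']}: TLS handshake attempted toward plain "
              f"backend {rec['backend']}:{rec['port']}")
```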
Adding An Authentication Provider
I am trying to hook up a different authentication provider to OpenBSD's auth. At present, I can not find out how to "fake" the passwd database for groups. I know that Linux and NetBSD use nss, with tools such as nslookup and functions such as nsdispatch, but I can't find such things for OpenBSD. Am I on a fool's errand? Thank you.
Triggering automatic upgrade (not over network) not working
On my macppc, the presence of /auto_upgrade.conf doesn't actually cause bsd.rd to pretend it's been netbooted. The file is present at the root of my disk, under /dev/wda0.

The documentation in autoinstall(8) says that the presence of /auto_{upgrade,install}.conf tells bsd.rd to treat it like an autoinstall. So far my macppc boots bsd.rd, but stays at the prompt without doing a timeout of any kind or trying /auto_upgrade.conf, even if I do select Autoinstall at the prompt.

If I am to put /auto_upgrade.conf in the root of the file system in bsd.rd, how could I do so? If not, how could I use the automatic upgrade system without netbooting?

Thank you.
Re: Iked, ca_getreq: no valid local certificate found
I'm running 5.8-release.

On Thu, Nov 5, 2015 at 8:07 PM, Jonathan Gray wrote:
> Which release or snapshot are you running? For the version of the file
> Reyk pointed you at you'll need a -current snapshot.
>
> On Thu, Nov 05, 2015 at 12:58:29PM -0500, Toyam Cox wrote:
>> This got me past that error pretty handily.
>>
>> However, now it is complaining about no index.txt. The path given
>> doesn't help me know where to put the index.txt
>>
>> Getting Private key
>> Using configuration from /etc/ssl/ikeca.cnf
>> index.txt: No such file or directory
>> unable to open 'index.txt'
>> 250120122244:error:02001002:system library:fopen:No such file or directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt', 'r')
>> 250120122244:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:
>>
>> On Thu, Nov 5, 2015 at 7:48 AM, Reyk Floeter wrote:
>> > Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.
>> >
>> > http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf
>> >
>> > The openssl.cnf version broke and we somehow didn't install ikeca.cnf by
>> > default.
>> >
>> > Reyk
>> >
>> >> On 05.11.2015, at 08:28, Toyam Cox wrote:
>> >>
>> >> Ho misc@,
>> >>
>> >> I have been (loosely) following the guide at
>> >> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
>> >> a roadblock.
>> >>
>> >> I have packets going between my two hosts on different networks, the
>> >> configuration files on both are good, and both have the ca installed.
>> >>
>> >> However on my remote host, I get (ips and hostnames redacted):
>> >> Nov 5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
>> >> Nov 5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471 bytes
>> >> Nov 5 01:38:14 hostname iked[12679]: ca_getreq: no valid local certificate found
>> >>
>> >> This is coupled with, as I create the ca key...
>> >> # ikectl ca vpn1 create
>> >> CA passphrase:
>> >> Retype CA passphrase:
>> >> [stuff-happens-and-inputs]
>> >> Getting Private key
>> >> Using configuration from /etc/ssl/openssl.cnf
>> >> variable lookup failed for ca::default_ca
>> >> 24387713617796:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca
>> >>
>> >> I've checked the mail logs for misc@ and found a person in August with
>> >> this problem, http://marc.info/?l=openbsd-misc&m=133675466519976&w=2
>> >>
>> >> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
>> >> Variable lookup still failed.
>> >>
>> >> Thank you for any help.
Re: Iked, ca_getreq: no valid local certificate found
This got me past that error pretty handily.

However, now it is complaining about no index.txt. The path given doesn't help me know where to put the index.txt

    Getting Private key
    Using configuration from /etc/ssl/ikeca.cnf
    index.txt: No such file or directory
    unable to open 'index.txt'
    250120122244:error:02001002:system library:fopen:No such file or directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt', 'r')
    250120122244:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:

On Thu, Nov 5, 2015 at 7:48 AM, Reyk Floeter wrote:
> Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf
>
> The openssl.cnf version broke and we somehow didn't install ikeca.cnf by
> default.
>
> Reyk
>
>> On 05.11.2015, at 08:28, Toyam Cox wrote:
>>
>> Ho misc@,
>>
>> I have been (loosely) following the guide at
>> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
>> a roadblock.
>>
>> I have packets going between my two hosts on different networks, the
>> configuration files on both are good, and both have the ca installed.
>>
>> However on my remote host, I get (ips and hostnames redacted):
>> Nov 5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
>> Nov 5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471 bytes
>> Nov 5 01:38:14 hostname iked[12679]: ca_getreq: no valid local certificate found
>>
>> This is coupled with, as I create the ca key...
>> # ikectl ca vpn1 create
>> CA passphrase:
>> Retype CA passphrase:
>> [stuff-happens-and-inputs]
>> Getting Private key
>> Using configuration from /etc/ssl/openssl.cnf
>> variable lookup failed for ca::default_ca
>> 24387713617796:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca
>>
>> I've checked the mail logs for misc@ and found a person in August with
>> this problem, http://marc.info/?l=openbsd-misc&m=133675466519976&w=2
>>
>> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
>> Variable lookup still failed.
>>
>> Thank you for any help.
Iked, ca_getreq: no valid local certificate found
Ho misc@,

I have been (loosely) following the guide at http://puffysecurity.com/wiki/openikedoffshore.html and have run into a roadblock.

I have packets going between my two hosts on different networks, the configuration files on both are good, and both have the ca installed.

However on my remote host, I get (ips and hostnames redacted):

    Nov 5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
    Nov 5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471 bytes
    Nov 5 01:38:14 hostname iked[12679]: ca_getreq: no valid local certificate found

This is coupled with, as I create the ca key...

    # ikectl ca vpn1 create
    CA passphrase:
    Retype CA passphrase:
    [stuff-happens-and-inputs]
    Getting Private key
    Using configuration from /etc/ssl/openssl.cnf
    variable lookup failed for ca::default_ca
    24387713617796:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca

I've checked the mail logs for misc@ and found a person in August with this problem, http://marc.info/?l=openbsd-misc&m=133675466519976&w=2

Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me. Variable lookup still failed.

Thank you for any help.
misc@openbsd.org
The default setting for "do-not-query-localhost" is "yes". You may want to add "do-not-query-localhost: no" to your config in the "server" section.

On Wed, Nov 4, 2015 at 11:25 AM, Gregory Edigarov wrote:
> Hello,
>
> Trying to make unbound and nsd co-exist on one server, the goal is to have
> unbound listen for all requests redirecting requests for local zones to nsd:
>
> nsd.conf
>
> server:
>     server-count: 1
>     database: "/var/lib/nsd3/nsd.db"
>     username: nsd
>     ip-address: 127.0.0.1@9053
>     logfile: "/var/log/nsd.log"
>     pidfile: "/var/run/nsd.pid"
>     xfrdfile: "/var/lib/nsd3/xfrd.state"
>
> zone:
>     name: somezone.org
>     zonefile: /etc/nsd/zones/somezone.org
>
> dig -p9053 somezone.org soa @127.0.0.1 works as expected.
>
> now unbound's turn:
>
> server:
>     auto-trust-anchor-file: "/var/lib/unbound/root.key"
>     interface: 0.0.0.0
>     logfile: /var/log/unbound.log
>
> stub-zone:
>     name: somezone.org.   # also tried without point with the same result...
>     stub-addr: 127.0.0.1@9053
>
> dig somezone.org soa @127.0.0.1 yields SERVFAIL.
> also tried with forward-zone: - with the same result.
>
> is that at all possible? Where am I wrong?