openvswitch / ovs-issues

Issue tracker repo for Open vSwitch

OVS 2.13.1-1: ovs-pki req+sign option is not generating the certificate NAME-cert.pem file. #196

Open rameshganapathi opened 4 years ago

rameshganapathi commented 4 years ago

From the logs below it is clear that the "test-cert.pem" file is not generated; instead, a zero-byte file named "test-cert.pem.tmp18614" is generated.

root@home:/etc/openvswitch# /usr/bin/ovs-pki --version
ovs-pki (Open vSwitch) 2.13.1

root@home:/etc/openvswitch# ls -alrth
total 52K
drwxr-sr-x 101 root root 4.0K Oct 13 18:22 ..
-rw-r--r--   1 root root  15K Oct 13 20:41 conf.db
-rw-------   1 root root    0 Oct 13 20:41 .conf.db.~lock~
-rw-------   1 root root    0 Oct 13 20:41 .ovs.db.~lock~
-rw-------   1 root root    0 Oct 13 20:41 .vtep.db.~lock~
-rw-r--r--   1 root root  15K Oct 13 20:42 ovs.db
-rw-r--r--   1 root root 8.8K Oct 13 20:43 vtep.db
drwxr-xr-x   2 root root 4.0K Oct 16 04:20 .

root@home:/etc/openvswitch# /usr/bin/ovs-pki req+sign test --force

root@home:/etc/openvswitch# ls -alrth
total 60K
drwxr-sr-x 101 root root 4.0K Oct 13 18:22 ..
-rw-r--r--   1 root root  15K Oct 13 20:41 conf.db
-rw-------   1 root root    0 Oct 13 20:41 .conf.db.~lock~
-rw-------   1 root root    0 Oct 13 20:41 .ovs.db.~lock~
-rw-------   1 root root    0 Oct 13 20:41 .vtep.db.~lock~
-rw-r--r--   1 root root  15K Oct 13 20:42 ovs.db
-rw-r--r--   1 root root 8.8K Oct 13 20:43 vtep.db
-rw-------   1 root root 1.7K Oct 16 04:21 test-privkey.pem
-rw-r--r--   1 root root 3.8K Oct 16 04:21 test-req.pem
-rw-r--r--   1 root root    0 Oct 16 04:21 test-cert.pem.tmp18614
drwxr-xr-x   2 root root 4.0K Oct 16 04:21 .
root@home:/etc/openvswitch#

markdgray commented 3 years ago

I am unable to reproduce this. Can you try posting some logs? @rameshganapathi

ovs-pki req+sign test --force -l /tmp/ovs-pki.log

rameshganapathi commented 3 years ago

Hi Mark,

Thank you for your reply.

Here are the ovs-pki logs:

root@home:/etc/openvswitch# ovs-pki req+sign test --force -l /tmp/ovs-pki.log
root@home:/etc/openvswitch# cat /tmp/ovs-pki.log
Generating RSA private key, 2048 bit long modulus
............................................................+++++
.....................................................+++++
e is 65537 (0x010001)
Using configuration from ca.cnf
Error Loading extension section usr_cert
root@home:/etc/openvswitch#

Thank you, Warm Regards, Ramesh.G


markdgray commented 3 years ago

Have you modified ovs-pki or ovs-pki.in?

What version of openssl are you using ( openssl version)?

rameshganapathi commented 3 years ago

No Mark, I am using the pristine version of OVS 2.13.1.

root@home:~# ovs-pki --version
ovs-pki (Open vSwitch) 2.13.1

root@home:~# openssl version
OpenSSL 1.1.0l 10 Sep 2019

Thank you, Warm Regards, Ramesh.G

markdgray commented 3 years ago

That version is a little older than mine but not much

$ openssl version
OpenSSL 1.1.1g FIPS  21 Apr 2020

Can you cat /var/lib/openvswitch/pki/switchca/ca.cnf

rameshganapathi commented 3 years ago

Hi Mark,

Here is the ca.cnf file content.

root@home:~# cat /var/lib/openvswitch/pki/switchca/ca.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = US
ST = CA
L = Palo Alto
O = Open vSwitch
OU = switchca
CN = OVS switchca CA Certificate (2020 Oct 13 17:12:47)
[ ca ]
default_ca = the_ca
[ the_ca ]
dir = .                                # top dir
database = $dir/index.txt              # index file.
new_certs_dir = $dir/newcerts          # new certs dir
certificate = $dir/cacert.pem          # The CA cert
serial = $dir/serial                   # serial no file
private_key = $dir/private/cakey.pem   # CA private key
RANDFILE = $dir/private/.rand          # random number file
default_days = 3650                    # how long to certify for
default_crl_days= 30                   # how long before next CRL
default_md = sha512                    # message digest to use
policy = policy                        # default policy
email_in_dn = no                       # Don't add the email into cert DN
name_opt = ca_default                  # Subject name display option
cert_opt = ca_default                  # Certificate display option
copy_extensions = none                 # Don't copy extensions from request
unique_subject = no                    # Allow certs with duplicate subjects
# For the CA policy
[ policy ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Thank you, Warm Regards, Ramesh.G


markdgray commented 3 years ago

That's weird. It looks misformatted here? Is it the same in your terminal?

ovs-pki is just a wrapper around openssl. It generates the ca.cnf file and then uses openssl to generate the certs/keys/etc. Perhaps it is failing because, for some reason, it is misformatted and also truncated?

For reference, it should be formatted something like this: https://github.com/openvswitch/ovs/blob/04d140664a272fdbdd5352162ea9719b9c77cafe/utilities/ovs-pki.in#L256

Can you delete the CA and start again? ovs-pki init --force

What version of bash are you using? sh --version

rameshganapathi commented 3 years ago

Hi Mark,

This is how it looks in my terminal.

root@home:~# cat /var/lib/openvswitch/pki/switchca/ca.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = US
ST = CA
L = Palo Alto
O = Open vSwitch
OU = switchca
CN = OVS switchca CA Certificate (2020 Oct 13 17:12:47)

[ ca ]
default_ca = the_ca

[ the_ca ]
dir = .                                # top dir
database = $dir/index.txt              # index file.
new_certs_dir = $dir/newcerts          # new certs dir
certificate = $dir/cacert.pem          # The CA cert
serial = $dir/serial                   # serial no file
private_key = $dir/private/cakey.pem   # CA private key
RANDFILE = $dir/private/.rand          # random number file
default_days = 3650                    # how long to certify for
default_crl_days= 30                   # how long before next CRL
default_md = sha512                    # message digest to use
policy = policy                        # default policy
email_in_dn = no                       # Don't add the email into cert DN
name_opt = ca_default                  # Subject name display option
cert_opt = ca_default                  # Certificate display option
copy_extensions = none                 # Don't copy extensions from request
unique_subject = no                    # Allow certs with duplicate subjects

# For the CA policy
[ policy ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Thank you, Warm Regards, Ramesh.G


markdgray commented 3 years ago

What distro/package did you get this from?

markdgray commented 3 years ago

Also, is this a CA that you "init"ed sometime ago and you have updated the openvswitch package in the interim?

rameshganapathi commented 3 years ago

I have cloned this from https://github.com/openvswitch/ovs/tree/v2.13.1.

No, I have not modified anything and also I have compiled the pristine OVS code and am trying to generate the certificate (No interim update done).

Thank you, Warm Regards, Ramesh.G


markdgray commented 3 years ago

Hi Ramesh, ovs-pki should generate the /var/lib/openvswitch/pki/switchca/ca.cnf file. You can see here https://github.com/openvswitch/ovs/blob/714caaf5710c4ef261b64960134d9e953d5f1a75/utilities/ovs-pki.in#L299 that it should add sections [ca_cert] and [usr_cert]. These sections are a recent addition to OVS, so I suspect your /var/lib/openvswitch/pki/switchca/ca.cnf file was generated by an older version of ovs.

If this is not a production system and you do not need to maintain this old CA, I would suggest reinitializing the CA using the command:

ovs-pki init --force

You can then check that the /var/lib/openvswitch/pki/switchca/ca.cnf file has been created directly. If it has, you can re-run the cert request and sign command:

ovs-pki req+sign test --force -l

Also, make sure you are using the ovs-pki command that you cloned from that repo: which ovs-pki

rameshganapathi commented 3 years ago

Hi Mark,

Thank you so much for your help in this.

I tried reinitializing the CA using "ovs-pki init --force", but the existing ca.cnf is neither refreshed nor is a new ca.cnf file generated.

I tried removing the ca.cnf file from the "switchca" folder under "/var/lib/openvswitch/pki/" and running "ovs-pki init --force", which did not work. Hence I tried removing the "switchca" folder under "/var/lib/openvswitch/pki/" and running "ovs-pki init --force", which generates a new "switchca" folder and ca.cnf file.

This new ca.cnf file contains the "[ ca_cert ]" and "[ usr_cert ]".

Is this an issue that "ovs-pki init --force" is not reinitializing the switchca and controllerca?

root@home:/# ovs-pki init --force
Creating controllerca...
root@home:/#

Thank you, Warm Regards, Ramesh.G


rameshganapathi commented 3 years ago

Hi Mark, Team,

Any inputs on the "ovs-pki init --force" issue not regenerating the ca.cnf for the switchca?

Kindly help in this regard,

Thank you, Warm Regards, Ramesh.G


markdgray commented 3 years ago

I ran a test. If I run ovs-pki init and then modify the "ca.cnf" file, any subsequent invocations of ovs-pki will not modify ca.cnf (because it exists). Personally, I don't think this makes sense if the "--force" flag is specified. If the folder exists, I suspect the correct behaviour would be to delete all the old folders and start from scratch.

As a workaround, I presume you can just manually delete the folder and run the command? Does that resolve your issue?

rameshganapathi commented 3 years ago

Hi Mark,

Thank you so much for all your help and support.

Yes, manually deleting the folder and running the command "ovs-pki init" works fine.

Programmatically, if we want to generate a new ca.cnf file, "ovs-pki init --force" is the option, which as we now know is not working; hence, for now, I remove the "pki" folder and generate the ca.cnf file in the code to work around the "ovs-pki init --force" issue.

I believe we need to fix the --force issue in future releases. Do we need to have a separate bug for this? Kindly confirm.

Thank you, Warm Regards, Ramesh.G


markdgray commented 3 years ago

No, we can use this bug as reference. I think we need to add an rm -rf command somewhere around here: https://github.com/openvswitch/ovs/blob/c4bc03d872db5fe6f804fc9ddbbec29e28335cb5/utilities/ovs-pki.in#L216. Feel free to submit a fix and I can review. If not, I will try to submit something soon.
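The root cause settled on above is a ca.cnf written by an older ovs-pki that lacks the [ ca_cert ] and [ usr_cert ] extension sections, combined with "ovs-pki init --force" leaving an existing ca.cnf untouched. The following POSIX sh script is an added example, not code from the OVS project or from anyone in this thread: it checks a pki tree for CA directories whose ca.cnf is missing those sections, so an operator can spot a stale CA before "req+sign" fails with "Error Loading extension section usr_cert". The directory layout and both sample ca.cnf files are constructed for the demonstration (the old-style one is abbreviated from the file quoted in this thread; the bodies of the [ ca_cert ] and [ usr_cert ] sections are assumed placeholders, not the text ovs-pki actually writes).

```shell
#!/bin/sh
# Added example (not OVS's own code): detect ovs-pki CA directories whose
# ca.cnf predates the [ ca_cert ] / [ usr_cert ] extension sections.

# Sections that "openssl ca -extensions usr_cert" must be able to find.
REQUIRED_SECTIONS="ca_cert usr_cert"

# ca_cnf_has_section FILE NAME -> 0 if a "[ NAME ]" header (spacing
# inside the brackets optional) exists in FILE, 1 otherwise.
ca_cnf_has_section() {
    grep -Eq "^[[:space:]]*\[[[:space:]]*$2[[:space:]]*\]" "$1"
}

# ca_cnf_is_current FILE -> 0 if every required section is present;
# otherwise lists the missing sections on stderr and returns 1.
ca_cnf_is_current() {
    missing=""
    for s in $REQUIRED_SECTIONS; do
        ca_cnf_has_section "$1" "$s" || missing="$missing $s"
    done
    if [ -n "$missing" ]; then
        echo "$1: missing section(s):$missing" >&2
        return 1
    fi
    return 0
}

# find_stale_ca_dirs PKI_DIR -> prints the name of each CA subdirectory
# (switchca, controllerca, ...) whose ca.cnf is not current.
find_stale_ca_dirs() {
    for d in "$1"/*/; do
        [ -f "$d/ca.cnf" ] || continue
        ca_cnf_is_current "$d/ca.cnf" 2>/dev/null || basename "$d"
    done
}

# make_sample_pki DIR: constructed test tree. switchca/ca.cnf mimics the
# old layout seen in this issue (no extension sections); controllerca/ca.cnf
# carries the two sections, with assumed placeholder bodies.
make_sample_pki() {
    mkdir -p "$1/switchca" "$1/controllerca"
    cat > "$1/switchca/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ ca ]
default_ca = the_ca
[ the_ca ]
dir = .
policy = policy
[ policy ]
commonName = supplied
EOF
    cat > "$1/controllerca/ca.cnf" <<'EOF'
[ req ]
prompt = no
[ ca ]
default_ca = the_ca
[ the_ca ]
dir = .
policy = policy
[ policy ]
commonName = supplied
[ ca_cert ]
basicConstraints = CA:true
[ usr_cert ]
basicConstraints = CA:false
EOF
}

# Stand-alone demonstration on a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_pki "$demo_dir"
echo "Stale CA directories under $demo_dir:"
find_stale_ca_dirs "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real installation as "find_stale_ca_dirs /var/lib/openvswitch/pki" (or whatever directory "ovs-pki --version"'s build was configured with); any directory it names is one where "ovs-pki init --force" will not help until the directory is removed and the CA reinitialized, which is the workaround agreed on in this thread. The check only reads files, so it is safe to run on a production CA before deciding whether the old CA must be kept.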