sous-chefs / openvpn

Development repository for the openvpn cookbook
https://supermarket.chef.io/cookbooks/openvpn
Apache License 2.0

Fails to converge due to openssh dh #195

Closed EugenMayer closed 3 years ago

EugenMayer commented 3 years ago

:ghost: Brief Description

When converging (in kitchen) it fails to generate the DH

   * file[/etc/openvpn/keys/dh2048.pem] action create

           ================================================================================
           Error executing action `create` on resource 'file[/etc/openvpn/keys/dh2048.pem]'
           ================================================================================

           OpenSSL::PKey::DHError
           ----------------------
           BN lib

           Cookbook Trace: (most recent call first)
           ----------------------------------------
           /opt/kitchen/cache/cookbooks/openvpn/recipes/server.rb:94:in `initialize'
           /opt/kitchen/cache/cookbooks/openvpn/recipes/server.rb:94:in `new'
           /opt/kitchen/cache/cookbooks/openvpn/recipes/server.rb:94:in `block (2 levels) in from_file'

           Resource Declaration:
           ---------------------
           # In /opt/kitchen/cache/cookbooks/openvpn/recipes/server.rb

            93: file node['openvpn']['config']['dh'] do
            94:   content lazy { OpenSSL::PKey::DH.new(key_size).to_s }
            95:   owner   'root'
            96:   group   node['root_group']
            97:   mode    '0600'
            98:   not_if  { ::File.exist?(node['openvpn']['config']['dh']) }
            99: end
           100: 

           Compiled Resource:
           ------------------
           # Declared in /opt/kitchen/cache/cookbooks/openvpn/recipes/server.rb:93:in `from_file'

           file("/etc/openvpn/keys/dh2048.pem") do
             action [:create]
             default_guard_interpreter :default
             declared_type :file
             cookbook_name "openvpn"
             recipe_name "server"
             owner "root"
             group "root"
             mode "0600"
             content #<Chef::DelayedEvaluator:0x0000000004ded8d0 /opt/kitchen/cache/cookbooks/openvpn/recipes/server.rb:94>
             not_if { #code block }
           end 

:pancakes: Cookbook version

Current 5.3.2

:woman_cook: Chef-Infra Version

chef 17

:tophat: Platform details

Debian bullseye (dokken dokken/debian-11)

Steps To Reproduce

Wrapper cookbook

attributes

default["openvpn"]["gateway"] =  "vpn.example.com"
default["openvpn"]["subnet"] =  "10.8.0.0"
default["openvpn"]["netmask"] =  "255.255.0.0"
default["openvpn"]["key"] =  {
  "country" => "US",
  "province" => "CA",
  "city" => "SanFrancisco",
  "org" => "Fort-Funston",
  "email" => "me@example.com"
}

recipe/default.rb

include_recipe "openvpn::server"

ramereth commented 3 years ago

By doing this:

default["openvpn"]["key"] =  {
  "country" => "US",
  "province" => "CA",
  "city" => "SanFrancisco",
  "org" => "Fort-Funston",
  "email" => "me@example.com"
}

You're removing other attributes that are needed (see here)

Instead you should do something like the following:

default["openvpn"]["key"]["country"] = "US"

For each of the items you want to override.
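
The difference between the two assignment styles discussed above, as an added example that is not part of the thread or the cookbook's code. Plain Ruby hashes stand in for Chef node attributes; the cookbook-side entries `size` and `ca_expire`, their values, and the idea that the recipe's `key_size` is read from `size` are assumptions made for illustration.

```ruby
# Plain-Ruby model (no Chef needed) of two ways a wrapper can override attributes.
# 'size' and 'ca_expire' are assumed cookbook-side names; all values are constructed.
COOKBOOK_DEFAULTS = {
  'openvpn' => { 'key' => { 'size' => 2048, 'ca_expire' => 3650,
                            'country' => 'XX', 'org' => 'Example' } }
}.freeze
WRAPPER = { 'country' => 'US', 'province' => 'CA', 'city' => 'SanFrancisco',
            'org' => 'Fort-Funston', 'email' => 'me@example.com' }.freeze

def deep_copy(obj)
  Marshal.load(Marshal.dump(obj))
end

# Models default["openvpn"]["key"] = {...}: the whole subtree is replaced.
def assign_hash(attrs, overrides)
  copy = deep_copy(attrs)
  copy['openvpn']['key'] = overrides.dup
  copy
end

# Models default["openvpn"]["key"]["country"] = "US": one leaf at a time.
def assign_leaves(attrs, overrides)
  copy = deep_copy(attrs)
  overrides.each { |k, v| copy['openvpn']['key'][k] = v }
  copy
end

# Key paths present in the cookbook defaults but absent after the override.
def dropped_keys(before, after, prefix = [])
  before.flat_map do |k, v|
    path = prefix + [k]
    if !after.is_a?(Hash) || !after.key?(k)
      [path.join('.')]
    elsif v.is_a?(Hash)
      dropped_keys(v, after[k], path)
    else
      []
    end
  end
end

# Fail with a readable message instead of handing nil to OpenSSL::PKey::DH.new.
def dh_bits!(attrs)
  bits = attrs.dig('openvpn', 'key', 'size')
  return bits if bits.is_a?(Integer) && bits.positive?
  raise ArgumentError, "openvpn.key.size missing or invalid: #{bits.inspect}"
end
```

Running `dropped_keys` against the effective attributes before converge lists exactly which defaults a wrapper has discarded, which is easier to act on than the `BN lib` error above.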

EugenMayer commented 3 years ago

Oh goodness sorry. Sorry for wasting your time on that. Thank you for helping, worked right away