"No such file" when attempting "2.diyca_calvin_init.sh"

[sproggit]

I fear this is almost certainly something I've done/am doing wrong, but I get a warning when running the "1.diyca_cleanup.sh" file, and a failure when running "2.diyca_calvin_init.sh"...

HW: Raspberry Pi 4 / 4Gb RAM SW: clean (brand new) Raspbian Jessie build with "apt-get update", "apt-get upgrade" and "apt-get dist-upgrade" (latter invoked only after observing held back packages)... Python Version: 2.7.16

Actual observed failure copied from command line, below:- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- root@raspberrypi:/opt/diyca/bin# /opt/diyca/bin/1.diyca_cleanup.sh

<13>Nov 10 17:27:37 1.diyca_cleanup.sh: Begin <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Remove all CRT files <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Remove all CSR files <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Remove all KEY files <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Remove all PYC files <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Remove all DB files <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Re-create app_web/private subdirectory mkdir: cannot create directory ‘app_web/private’: No such file or directory <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Re-create the calvin subdirectory <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Re-create the signer subdirectory <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Re-create the certs subdirectory <13>Nov 10 17:27:37 1.diyca_cleanup.sh: Re-create the log subdirectory <13>Nov 10 17:27:37 1.diyca_cleanup.sh: End root@raspberrypi:/opt/diyca/bin# **/opt/diyca/bin/2.diyca_calvin_init.sh** <13>Nov 10 17:28:15 2.diyca_calvin_init.sh: Begin /opt/diyca/bin/2.diyca_calvin_init.sh: line 14: bin/diyca_common.bash: No such file or directory <13>Nov 10 17:28:15 2.diyca_calvin_init.sh: *** bin/diyca_common.bash is inaccessible root@raspberrypi:/opt/diyca/bin# ls -l total 60 -rwxr-xr-x 1 root root 1113 Nov 10 17:23 1.diyca_cleanup.sh -rwxr-xr-x 1 root root 2497 Nov 10 17:23 2.diyca_calvin_init.sh -rwxr-xr-x 1 root root 1932 Nov 10 17:23 3.diyca_web_init.sh drwxr-xr-x 2 root root 4096 Nov 10 17:27 calvin drwxr-xr-x 2 root root 4096 Nov 10 17:27 certs -rwxr-xr-x 1 root root 1040 Nov 10 17:23 diyca_admin.sh -rw-r--r-- 1 root root 1895 Nov 10 17:23 diyca_calvin_cert.cfg -rw-r--r-- 1 root root 873 Nov 10 17:23 diyca_common.bash -rw-r--r-- 1 root root 529 Nov 10 17:26 diyca_web_cert.cfg drwxr-xr-x 2 root root 4096 Nov 10 17:27 log -rwxr-xr-x 1 root root 731 Nov 10 17:23 rc.diyca.sh -rwxr-xr-x 1 root root 404 Nov 10 17:23 rcerts.sh -rwxr-xr-x 1 root root 245 Nov 10 17:23 rdb.sh -rwxr-xr-x 1 root root 3102 Nov 10 17:23 rpi_sensors.sh drwxr-xr-x 2 root root 4096 Nov 10 17:27 signer root@raspberrypi:/opt/diyca/bin# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Entirely happy to try again, grab additional environment data, etc., should that be required. Not sure if this is relevant, but I am running these scripts as actual root, on account of hitting a weirdness when trying to grant my base user sudo privilege...

[texadactyl]

I do not have a Raspberry Pi 4 although I am using Buster up-to-date. My pi is a 3B.

Here is the last bit of log from my execution just now carefully following docs/preparation_notes.txt :

sudo -i root@rpi3:~# cd /opt root@rpi3:/opt# git clone https://github.com/texadactyl/diyca Cloning into 'diyca'... remote: Enumerating objects: 6, done. remote: Counting objects: 100% (6/6), done. remote: Compressing objects: 100% (6/6), done. remote: Total 445 (delta 2), reused 0 (delta 0), pack-reused 439 Receiving objects: 100% (445/445), 109.95 KiB | 930.00 KiB/s, done. Resolving deltas: 100% (243/243), done. root@rpi3:/opt# cd diyca root@rpi3:/opt/diyca# vi bin/diyca_web_cert.cfg root@rpi3:/opt/diyca# bin/1.diyca_cleanup.sh

<13>Nov 10 12:07:16 1.diyca_cleanup.sh: Begin <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Remove all CRT files <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Remove all CSR files <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Remove all KEY files <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Remove all PYC files <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Remove all DB files <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Re-create app_web/private subdirectory <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Re-create the calvin subdirectory <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Re-create the signer subdirectory <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Re-create the certs subdirectory <13>Nov 10 12:07:16 1.diyca_cleanup.sh: Re-create the log subdirectory <13>Nov 10 12:07:16 1.diyca_cleanup.sh: End root@rpi3:/opt/diyca# bin/2.diyca_calvin_init.sh <13>Nov 10 12:07:28 2.diyca_calvin_init.sh: Begin <13>Nov 10 12:07:28 2.diyca_calvin_init.sh: Make calvin, a self-signed CA, ready for business <13>Nov 10 12:07:28 2.diyca_calvin_init.sh: Initialize subdirectories <13>Nov 10 12:07:28 2.diyca_calvin_init.sh: 1001 <13>Nov 10 12:07:28 2.diyca_calvin_init.sh: Generate the public-private key pair and my CSR Generating a RSA private key .................................................................................................................................................................................++++ ......++++ writing new private key to '/opt/diyca/calvin/private/diyca_calvin.key' ----- <13>Nov 10 12:07:53 2.diyca_calvin_init.sh: Generate a CSR and a self-signed CRT for calvin Using configuration from /opt/diyca/bin/diyca_calvin_cert.cfg Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' organizationName :ASN.1 12:'DIYCA Org' organizationalUnitName:ASN.1 12:'DIYCA Staff' commonName :ASN.1 12:'Calvin' Certificate is to be certified until Nov 7 18:07:53 2029 GMT (3650 days) Write out database with 1 new entries Data Base Updated <13>Nov 10 12:07:53 2.diyca_calvin_init.sh: End ================================================= I realize that the beginning of that document regarding the Raspbian set up is out of date as I originally posted this project 3 years ago. To address that, I will create a new bug report along with the must-convert-to-Python-3 bug report as TBD by end of this year. But, in summary, and I know that its frustrating for you, I cannot reproduce what happened to you. Suggestions: (1) Start over and follow the docs/preparation_notes.txt steps to the letter, skipping the out of date Raspbian set up. (2) Re-test. (3) Please let me know what happens.

[texadactyl]

Hang on. The issue is the current directory when you issue commands.

You were in /opt/diyca/bin. You must be in the parent i.e. /opt/diyca.

There is a precise directory tree definition.

[sproggit]

Doh... Schoolboy error... I am sorry for wasting your time. I had just started to reformat my microSD, so I will perform a from-scratch clean start and try again. Thank you for a prompt and helpful response!

[texadactyl]

Not wasting my time. Thanks for testing on RPi4.

[texadactyl]

Before testing from a separate machine:

1. Make sure that the CA's cert has been imported into your browser.
2. https://IPADDRESS:8080

[sproggit]

OK, significant progress, but not quite there yet... First, I saw the "2.diyca_calvin_init.sh" file execute correctly.

I checked in /opt/diyca/certs and I find a "diyca_calvin.crt" file, 6582 byes, owned by root, exactly where I would expect it to be. I checked the file and the contents look perfect.

I then came to run "3.diyca_web_init.sh"... This initially began and looked excellent, but has hit a problem of some kind. This is what I see:-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- root@raspberrypi:/opt/diyca# /opt/diyca/bin/3.diyca_web_init.sh 3.diyca_web_init.sh{app_web}: Generate Public/Private Key /opt/diyca/app_web/private/diyca_web.key Generating RSA private key, 2048 bit long modulus (2 primes) .+++++ ..............................................................................................................................................+++++ e is 65537 (0x010001) 3.diyca_web_init.sh{app_web}: Generate Certificate Signing Request /opt/diyca/signer/temp_web.csr Error Loading request extension section ext 3069427728:error:220A4076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:../crypto/x509v3/v3_alt.c:460:value=192.168.1.34:8080 3069427728:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=IP:192.168.1.34:8080

<13>Nov 10 20:33:03 3.diyca_web_init.sh: *** failed: openssl req -new -config /opt/diyca/bin/diyca_calvin_cert.cfg -key /opt/diyca/app_web/private/diyca_web.key -out /opt/diyca/signer/temp_web.csr root@raspberrypi:/opt/diyca# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- In my diyca_web.cfg file, I have PORT unchanged and thus set to 8080. The static IP address of my Pi4 is 192.168.1.34 The only aspect of this which is possibly wrong may concern the exact content of my diyca_web_cert.cfg file, which is set as follows:- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- root@raspberrypi:/opt/diyca# cat bin/diyca_web_cert.cfg [req] prompt = no distinguished_name = dn req_extensions = ext [dn] CN = DIYCA web server C = US ST = Texas L = Dallas OU = DIYCA web server staff O = DIYCA web server organization emailAddress = diyca.web.server@somewhere.net [ext] subjectAltName = IP:192.168.1.34:8080 ######### ^^^^^^^^^^^^^ ######### Must match browser-specified URL *exactly* ######### E.g. https/192.168.1.102:32767 ######### assuming that the port number used by the DIYCA web server = 32767 ######### (PORT assigned in app_web/diyca_web.cfg) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- In the help text of this file, it says "E.g. https/192.168.1.102:32767" However, it isn't clear from the note if I am supposed to add "https/" to my file so that it would read, "https/192.168.1.34:8080"... It actually looks like a badly-formed example URL (i.e. https/ and not https://). I was sorely tempted to try and correct that file and simply re-run the "3." script, but on balance it seems more sensible to pause and check, in the hope that *not* blundering randomly through the setup process might save the need for another clean start-over. Sorry to have to ask for further assistance...

[texadactyl]

subjectAltName = IP:192.168.1.34:8080 is incorrect. subjectAltName = IP:192.168.1.34 is correct.

On the Internet, the subjectAltName is a URL which DNS maps to an IP address. The port number is irrelevant.

The actual web server start up needs the port number assignment but this has nothing to do with the certificate.

[texadactyl]

And, your browser must specify the DNS name (or IP address) + the port number that the web server is listening to at that location (host): https://192.168.1.34:8080

[sproggit]

Thank you - I am just in the process of editing diyca_web_cert.cfg right now.

However, I think the reason for my misunderstanding came from the actual comments of the above file, which includes the following block:- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- [ext] subjectAltName = IP:192.168.1.34 ######### ^^^^^^^^^^^^^ ######### Must match browser-specified URL exactly ######### E.g. https/192.168.1.102:32767 ######### assuming that the port number used by the DIYCA web server = 32767 ######### (PORT assigned in app_web/diyca_web.cfg) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- I think that my mistake was to read the bit that gave the example IP address of "192.168.1.102:32767" and assume that when I wrote in my IP address, I had to add the ":8080" as a suffix, because the comments go on to say, "assuming that the port number used by the DIYCA web server = 32767 (PORT assigned in app_web/diyca_web.cfg)"

[sproggit]

OK, that did the trick. I corrected the file and re-ran the "3" script which completed with:- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Using configuration from /opt/diyca/bin/diyca_calvin_cert.cfg Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'DIYCA web server' countryName :PRINTABLE:'US' stateOrProvinceName :ASN.1 12:'Texas' localityName :ASN.1 12:'Dallas' organizationalUnitName:ASN.1 12:'DIYCA web server staff' organizationName :ASN.1 12:'DIYCA web server organization' emailAddress :IA5STRING:'diyca.web.server@somewhere.net' Certificate is to be certified until Nov 7 21:06:11 2029 GMT (3650 days)

Write out database with 1 new entries Data Base Updated 3.diyca_web_init.sh: End root@raspberrypi:/opt/diyca# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[texadactyl]

I updated bin/diyca_web_cert.cfg to make a clearer distinction between IP address specification and what an operator specifies in the browser location window.

[texadactyl]

Did you import the the CA's cert (calvin) into your browser?

[texadactyl]

For the Internet, browsers come preloaded with many CA certs. However, in this instance, this must be done because calvin is the CA for users on your LAN.

[sproggit]

Haven't got to that step yet... I've just completed the reboot of the Pi/4 and checked to see if I have anything listening on port 8080 and I don't think I do.

If I run, "netstat -a | grep 8080" I get nothing... if I omit the grep filter I can see active services.

I have checked rc.local and the edit looks good.

I have tried to manually execute the commands that rc.local is edited to automate and the command prompt returns without anything apparently happening...

[texadactyl]

Note the rsync step to pull calvin's cert to your client computer. Just edit it as required.

[texadactyl]

"without anything apparently happening" The web server is forked into background quietly

[sproggit]

And we're in

[texadactyl]

Ok, you have a browser screen working?

[sproggit]

I do indeed. I am at the main login page; I have the Pteradactyl Logo top left and I am up and running, with user-induced hiccups, on a Pi4... Thank you so very much for your patience with dealing with this idiot...

[texadactyl]

Don't be so hard on yourself.

Do you code in Python? If so, you can pay penance by reading the code and desk check me.

[texadactyl]

Next release, converting to Python 3 because Python 2 is deprecated. Closing this issue now.

[sproggit]

I don't code in Python... yet. I'm not currently developing in any language... but I've started to look at Python because I am tempted to have a go at writing a thick client app to run on my Mint desktop.

I've written in Business Basic (Onyx Mercator platform; ancient), COBOL 74/85, some PHP from 5 onwards; VBA and a little VB5. Python looks quite nice, so I will give it a go and I will gladly support your project when my skills are sharp enough.

[texadactyl]

Just some warnings about Python:

1. When indenting, use tabs or spaces but do not mix.
2. Global variables are dangerous.
3. Use the Spyder IDE. Lots of good helpers.