trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

error during setup in this step: TASK [vpn : Build the client's pair] #1031

Closed hadiyazdi closed 6 years ago

hadiyazdi commented 6 years ago

OS / Environment (where do you run Algo on)

MacOS 10.13.5

Darwin Hadis-MacBook-Pro.local 17.6.0 Darwin Kernel Version 17.6.0: Tue May  8 15:22:16 PDT 2018; root:xnu-4570.61.1~1/RELEASE_X86_64 x86_64

Cloud Provider (where do you deploy Algo to)

DigitalOcean

Summary of the problem

Error during initial setup when building the client's pair.

TASK [vpn : Build the client's pair] *******************************************
ok: [159.89.34.67 -> localhost] => (item=hadi)
ok: [159.89.34.67 -> localhost] => (item=hassan)
ok: [159.89.34.67 -> localhost] => (item=abdulwahab)
ok: [159.89.34.67 -> localhost] => (item=hawraa)
ok: [159.89.34.67 -> localhost] => (item=mohammed)
ok: [159.89.34.67 -> localhost] => (item=noor)
ok: [159.89.34.67 -> localhost] => (item=mohsen)
failed: [159.89.34.67 -> localhost] (item=zahraa) => {"changed": true, "cmd": "openssl req -utf8 -new -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:zahraa\")) -keyout private/zahraa.key -out reqs/zahraa.req -nodes -passin pass:\"c06fc8b36e6ec7c38aae0b83070636a0\" -subj \"/CN=zahraa\" -batch && openssl ca -utf8 -in reqs/zahraa.req -out certs/zahraa.crt -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:zahraa\")) -days 3650 -batch -passin pass:\"c06fc8b36e6ec7c38aae0b83070636a0\" -subj \"/CN=zahraa\" && touch certs/zahraa_crt_generated", "delta": "0:00:00.065387", "end": "2018-07-20 21:35:52.255923", "item": "zahraa", "msg": "non-zero return code", "rc": 1, "start": "2018-07-20 21:35:52.190536", "stderr": "Generating a 384 bit EC private key\nwriting new private key to 'private/zahraa.key'\n-----\nUsing configuration from /dev/fd/63\nunable to load CA private key\n140735534035912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/evp/evp_enc.c:529:\n140735534035912:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pkcs12/p12_decr.c:103:\n140735534035912:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pkcs12/p12_decr.c:134:\n140735534035912:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_pkey.c:144:", "stderr_lines": ["Generating a 384 bit EC private key", "writing new private key to 'private/zahraa.key'", "-----", "Using configuration from /dev/fd/63", "unable to load CA private key", "140735534035912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/evp/evp_enc.c:529:", "140735534035912:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pkcs12/p12_decr.c:103:", "140735534035912:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pkcs12/p12_decr.c:134:", "140735534035912:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_pkey.c:144:"], "stdout": "", "stdout_lines": []}

TASK [vpn : debug] *************************************************************
ok: [159.89.34.67] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [vpn : fail] **************************************************************
fatal: [159.89.34.67]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

RUNNING HANDLER [dns_adblocking : restart apparmor] ****************************

PLAY RECAP *********************************************************************
159.89.34.67               : ok=80   changed=19   unreachable=0    failed=2
localhost                  : ok=23   changed=2    unreachable=0    failed=0

Full log

What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Microsoft Azure
    4. Google Compute Engine
    5. Scaleway
    6. OpenStack (DreamCompute optimised)
    7. Install to existing Ubuntu 16.04 server (Advanced)

Enter the number of your desired provider
: 1

Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
[pasted values will not be displayed]
:

Name the vpn server:
[algo.local]: hadivpn

  What region should the server be located in?
    1.  Amsterdam        (Datacenter 2)
    2.  Amsterdam        (Datacenter 3)
    3.  Frankfurt
    4.  London
    5.  New York         (Datacenter 1)
    6.  New York         (Datacenter 2)
    7.  New York         (Datacenter 3)
    8.  San Francisco    (Datacenter 1)
    9.  San Francisco    (Datacenter 2)
    10. Singapore
    11. Toronto
    12. Bangalore

Enter the number of your desired region:
[7]:

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]:

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]:

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]:

Do you want each user to have their own account for SSH tunneling?
[y/N]:

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]: y

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: y

PLAY [Configure the server] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Local pre-tasks] *********************************************************
included: /Users/hadiyazdi/algo-master/playbooks/local.yml for localhost

TASK [Generate the SSH private key] ********************************************
ok: [localhost]

TASK [Generate the SSH public key] *********************************************
ok: [localhost]

TASK [Change mode for the SSH private key] *************************************
ok: [localhost]

TASK [Ensure the dynamic inventory exists] *************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the DigitalOcean Access Token fact] *************
ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ******************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] *********************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ******************************
ok: [localhost]

TASK [cloud-digitalocean : Add the droplet to an inventory group] **************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] *******************************************
ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] ************************************
ok: [localhost]

TASK [cloud-digitalocean : Get droplets] ***************************************
ok: [localhost]

TASK [cloud-digitalocean : Ensure the group digitalocean exists in the dynamic inventory file] ***
ok: [localhost]

TASK [cloud-digitalocean : Populate the dynamic inventory] *********************
ok: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'hadivpn', u'backup_ids': [], u'created_at': u'2018-07-20T17:10:15Z', u'snapshot_ids': [], u'size_slug': u's-1vcpu-1gb', u'id': 102585509, u'next_backup_window': None, u'vcpus': 1, u'features': [u'ipv6'], u'image': {u'min_disk_size': 20, u'name': u'18.04 x64', u'created_at': u'2018-05-24T00:53:48Z', u'slug': u'ubuntu-18-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'public': True, u'distribution': u'Ubuntu', u'type': u'snapshot', u'id': 34629387, u'size_gigabytes': 0.35}, u'memory': 1024, u'region': {u'available': True, u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage', u'image_transfer'], u'slug': u'nyc3', u'name': u'New York 3', u'sizes': [u'16gb', u'2gb', u'1gb', u'4gb', u'8gb', u'512mb', u's-1vcpu-3gb', u'c-2', u'm-1vcpu-8gb', u's-1vcpu-1gb', u's-1vcpu-2gb', u's-2vcpu-2gb', u's-3vcpu-1gb', u's-2vcpu-4gb', u's-4vcpu-8gb', u's-6vcpu-16gb', u'c-1vcpu-2gb']}, u'disk': 25, u'networks': {u'v4': [{u'ip_address': u'159.89.34.67', u'netmask': u'255.255.240.0', u'type': u'public', u'gateway': u'159.89.32.1'}], u'v6': [{u'ip_address': u'2604:A880:0800:00A1:0000:0000:11C1:0001', u'netmask': 64, u'type': u'public', u'gateway': u'2604:A880:0800:00A1:0000:0000:0000:0001'}]}, u'tags': [u'Environment:Algo'], u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 1024, u'disk': 25, u'slug': u's-1vcpu-1gb'}})

TASK [cloud-digitalocean : Delete the new Algo SSH key] ************************
FAILED - RETRYING: Delete the new Algo SSH key (10 retries left).
ok: [localhost]

TASK [Local post-tasks] ********************************************************
included: /Users/hadiyazdi/algo-master/playbooks/post.yml for localhost

TASK [Wait until SSH becomes ready...] *****************************************
ok: [localhost]

TASK [A short pause, in order to be sure the instance is ready] ****************
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
Press 'C' to continue the play or 'A' to abort
ok: [localhost]

TASK [include_tasks] ***********************************************************
included: /Users/hadiyazdi/algo-master/playbooks/local_ssh.yml for localhost

TASK [Ensure the local ssh directory is exist] *********************************
ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] ************************
ok: [localhost]

PLAY [Configure the server and install required software] **********************

TASK [Common pre-tasks] ********************************************************
included: /Users/hadiyazdi/algo-master/playbooks/common.yml for 159.89.34.67

TASK [Check the system] ********************************************************
changed: [159.89.34.67]

TASK [Ubuntu pre-tasks] ********************************************************
included: /Users/hadiyazdi/algo-master/playbooks/ubuntu.yml for 159.89.34.67

TASK [Ubuntu | Install prerequisites] ******************************************
changed: [159.89.34.67] => (item=sleep 10)
changed: [159.89.34.67] => (item=apt-get update -qq)
changed: [159.89.34.67] => (item=apt-get install -qq -y python2.7 sudo)

TASK [Ubuntu | Configure defaults] *********************************************
changed: [159.89.34.67]

TASK [FreeBSD pre-tasks] *******************************************************
skipping: [159.89.34.67]

TASK [include_tasks] ***********************************************************
included: /Users/hadiyazdi/algo-master/playbooks/facts/main.yml for 159.89.34.67

TASK [Gather Facts] ************************************************************
ok: [159.89.34.67]

TASK [Ensure the algo ssh key exist on the server] *****************************
ok: [159.89.34.67]

TASK [Check if IPv6 configured] ************************************************
ok: [159.89.34.67]

TASK [Set facts if the deployment in a cloud] **********************************
ok: [159.89.34.67]

TASK [Generate password for the CA key] ****************************************
changed: [159.89.34.67 -> localhost]

TASK [Generate p12 export password] ********************************************
changed: [159.89.34.67 -> localhost]

TASK [Define password facts] ***************************************************
ok: [159.89.34.67]

TASK [Define the commonName] ***************************************************
ok: [159.89.34.67]

TASK [common : Install tools] **************************************************

TASK [common : Sysctl tuning] **************************************************

TASK [common : Install tools] **************************************************

TASK [common : Sysctl tuning] **************************************************

TASK [common : Install tools] **************************************************

TASK [common : Sysctl tuning] **************************************************

TASK [common : include_tasks] **************************************************
included: /Users/hadiyazdi/algo-master/roles/common/tasks/ubuntu.yml for 159.89.34.67

TASK [common : Install software updates] ***************************************
ok: [159.89.34.67]

TASK [common : Upgrade the ca certificates] ************************************
ok: [159.89.34.67]

TASK [common : Check if reboot is required] ************************************
changed: [159.89.34.67]

TASK [common : Reboot] *********************************************************
skipping: [159.89.34.67]

TASK [common : Wait until SSH becomes ready...] ********************************
skipping: [159.89.34.67]

TASK [common : Include unatteded upgrades configuration] ***********************
included: /Users/hadiyazdi/algo-master/roles/common/tasks/unattended-upgrades.yml for 159.89.34.67

TASK [common : Install unattended-upgrades] ************************************
ok: [159.89.34.67]

TASK [common : Configure unattended-upgrades] **********************************
ok: [159.89.34.67]

TASK [common : Periodic upgrades configured] ***********************************
ok: [159.89.34.67]

TASK [common : Disable MOTD on login and SSHD] *********************************
ok: [159.89.34.67] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
ok: [159.89.34.67] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] *******************************
ok: [159.89.34.67]

TASK [common : systemd services enabled and started] ***************************
ok: [159.89.34.67] => (item=systemd-networkd)
ok: [159.89.34.67] => (item=systemd-resolved)

TASK [common : Check apparmor support] *****************************************
changed: [159.89.34.67]

TASK [common : set_fact] *******************************************************
ok: [159.89.34.67]

TASK [common : set_fact] *******************************************************
ok: [159.89.34.67]

TASK [common : include_tasks] **************************************************
skipping: [159.89.34.67]

TASK [common : Install tools] **************************************************
ok: [159.89.34.67] => (item=git)
ok: [159.89.34.67] => (item=screen)
ok: [159.89.34.67] => (item=apparmor-utils)
ok: [159.89.34.67] => (item=uuid-runtime)
ok: [159.89.34.67] => (item=coreutils)
ok: [159.89.34.67] => (item=iptables-persistent)
ok: [159.89.34.67] => (item=cgroup-tools)
ok: [159.89.34.67] => (item=openssl,linux-headers-4.15.0-29-generic)

TASK [common : Sysctl tuning] **************************************************
ok: [159.89.34.67] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
ok: [159.89.34.67] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
ok: [159.89.34.67] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [wireguard : WireGuard repository configured] *****************************
ok: [159.89.34.67]

TASK [wireguard : WireGuard installed] *****************************************
ok: [159.89.34.67]

TASK [wireguard : Ensure the required directories exist] ***********************
ok: [159.89.34.67 -> localhost] => (item=private)
ok: [159.89.34.67 -> localhost] => (item=public)

TASK [wireguard : Delete the lock files] ***************************************
skipping: [159.89.34.67] => (item=hadi)
skipping: [159.89.34.67] => (item=hassan)
skipping: [159.89.34.67] => (item=abdulwahab)
skipping: [159.89.34.67] => (item=hawraa)
skipping: [159.89.34.67] => (item=mohammed)
skipping: [159.89.34.67] => (item=noor)
skipping: [159.89.34.67] => (item=mohsen)
skipping: [159.89.34.67] => (item=zahraa)
skipping: [159.89.34.67] => (item=159.89.34.67)

TASK [wireguard : Generate private keys] ***************************************
ok: [159.89.34.67] => (item=hadi)
ok: [159.89.34.67] => (item=hassan)
ok: [159.89.34.67] => (item=abdulwahab)
ok: [159.89.34.67] => (item=hawraa)
ok: [159.89.34.67] => (item=mohammed)
ok: [159.89.34.67] => (item=noor)
ok: [159.89.34.67] => (item=mohsen)
changed: [159.89.34.67] => (item=zahraa)
ok: [159.89.34.67] => (item=159.89.34.67)
 [WARNING]: As of Ansible 2.4, the parameter 'executable' is no longer
supported with the 'command' module. Not using 'bash'.

TASK [wireguard : Save private keys] *******************************************
skipping: [159.89.34.67] => (item=None)
skipping: [159.89.34.67] => (item=None)
skipping: [159.89.34.67] => (item=None)
skipping: [159.89.34.67] => (item=None)
skipping: [159.89.34.67] => (item=None)
skipping: [159.89.34.67] => (item=None)
skipping: [159.89.34.67] => (item=None)
changed: [159.89.34.67] => (item=None)
skipping: [159.89.34.67] => (item=None)

TASK [wireguard : Touch the lock file] *****************************************
changed: [159.89.34.67] => (item=hadi)
changed: [159.89.34.67] => (item=hassan)
changed: [159.89.34.67] => (item=abdulwahab)
changed: [159.89.34.67] => (item=hawraa)
changed: [159.89.34.67] => (item=mohammed)
changed: [159.89.34.67] => (item=noor)
changed: [159.89.34.67] => (item=mohsen)
changed: [159.89.34.67] => (item=zahraa)
changed: [159.89.34.67] => (item=159.89.34.67)

TASK [wireguard : Generate public keys] ****************************************
ok: [159.89.34.67] => (item=hadi)
ok: [159.89.34.67] => (item=hassan)
ok: [159.89.34.67] => (item=abdulwahab)
ok: [159.89.34.67] => (item=hawraa)
ok: [159.89.34.67] => (item=mohammed)
ok: [159.89.34.67] => (item=noor)
ok: [159.89.34.67] => (item=mohsen)
ok: [159.89.34.67] => (item=zahraa)
ok: [159.89.34.67] => (item=159.89.34.67)

TASK [wireguard : Save public keys] ********************************************
ok: [159.89.34.67] => (item=None)
ok: [159.89.34.67] => (item=None)
ok: [159.89.34.67] => (item=None)
ok: [159.89.34.67] => (item=None)
ok: [159.89.34.67] => (item=None)
ok: [159.89.34.67] => (item=None)
ok: [159.89.34.67] => (item=None)
changed: [159.89.34.67] => (item=None)
ok: [159.89.34.67] => (item=None)

TASK [wireguard : WireGuard configured] ****************************************
changed: [159.89.34.67]

TASK [wireguard : WireGuard reload-module-on-update] ***************************
changed: [159.89.34.67]

TASK [wireguard : WireGuard users config generated] ****************************
ok: [159.89.34.67 -> localhost] => (item=(0, u'hadi'))
ok: [159.89.34.67 -> localhost] => (item=(1, u'hassan'))
ok: [159.89.34.67 -> localhost] => (item=(2, u'abdulwahab'))
ok: [159.89.34.67 -> localhost] => (item=(3, u'hawraa'))
ok: [159.89.34.67 -> localhost] => (item=(4, u'mohammed'))
ok: [159.89.34.67 -> localhost] => (item=(5, u'noor'))
ok: [159.89.34.67 -> localhost] => (item=(6, u'mohsen'))
changed: [159.89.34.67 -> localhost] => (item=(7, u'zahraa'))

TASK [wireguard : WireGuard enabled and started] *******************************
ok: [159.89.34.67]

RUNNING HANDLER [wireguard : restart wireguard] ********************************
changed: [159.89.34.67]

TASK [dns_encryption : Include tasks for Ubuntu] *******************************
included: /Users/hadiyazdi/algo-master/roles/dns_encryption/tasks/ubuntu.yml for 159.89.34.67

TASK [dns_encryption : Add the repository] *************************************
ok: [159.89.34.67]

TASK [dns_encryption : Install dnscrypt-proxy] *********************************
ok: [159.89.34.67]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] *******
ok: [159.89.34.67]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ****
ok: [159.89.34.67]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***
ok: [159.89.34.67]

TASK [dns_encryption : Ubuntu | Add capabilities to bind ports] ****************
ok: [159.89.34.67]

TASK [dns_encryption : Include tasks for FreeBSD] ******************************
skipping: [159.89.34.67]

TASK [dns_encryption : dnscrypt-proxy configured] ******************************
ok: [159.89.34.67]

TASK [dns_encryption : dnscrypt-proxy enabled and started] *********************
changed: [159.89.34.67]

TASK [vpn : Ensure that the strongswan group exist] ****************************
ok: [159.89.34.67]

TASK [vpn : Ensure that the strongswan user exist] *****************************
ok: [159.89.34.67]

TASK [vpn : include_tasks] *****************************************************
included: /Users/hadiyazdi/algo-master/roles/vpn/tasks/ubuntu.yml for 159.89.34.67

TASK [vpn : set_fact] **********************************************************
ok: [159.89.34.67]

TASK [vpn : Ubuntu | Install strongSwan] ***************************************
ok: [159.89.34.67]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ****************************
changed: [159.89.34.67] => (item=/usr/lib/ipsec/charon)
changed: [159.89.34.67] => (item=/usr/lib/ipsec/lookip)
changed: [159.89.34.67] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ******************************************
ok: [159.89.34.67] => (item=apparmor)
ok: [159.89.34.67] => (item=strongswan)
ok: [159.89.34.67] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *******
ok: [159.89.34.67]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********
ok: [159.89.34.67]

TASK [vpn : include_tasks] *****************************************************
included: /Users/hadiyazdi/algo-master/roles/vpn/tasks/iptables.yml for 159.89.34.67

TASK [vpn : Iptables configured] ***********************************************
ok: [159.89.34.67] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ***********************************************
ok: [159.89.34.67] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : include_tasks] *****************************************************
skipping: [159.89.34.67]

TASK [vpn : Install strongSwan] ************************************************
ok: [159.89.34.67]

TASK [vpn : include_tasks] *****************************************************
included: /Users/hadiyazdi/algo-master/roles/vpn/tasks/ipsec_configuration.yml for 159.89.34.67

TASK [vpn : Setup the config files from our templates] *************************
ok: [159.89.34.67] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
ok: [159.89.34.67] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
ok: [159.89.34.67] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] ************************************************
changed: [159.89.34.67]

TASK [vpn : Disable unneeded plugins] ******************************************
ok: [159.89.34.67] => (item=eap-mschapv2)
skipping: [159.89.34.67] => (item=hmac)
skipping: [159.89.34.67] => (item=gcm)
ok: [159.89.34.67] => (item=dnskey)
ok: [159.89.34.67] => (item=resolve)
ok: [159.89.34.67] => (item=constraints)
skipping: [159.89.34.67] => (item=nonce)
ok: [159.89.34.67] => (item=aesni)
skipping: [159.89.34.67] => (item=pubkey)
ok: [159.89.34.67] => (item=md4)
ok: [159.89.34.67] => (item=fips-prf)
skipping: [159.89.34.67] => (item=pkcs12)
skipping: [159.89.34.67] => (item=stroke)
skipping: [159.89.34.67] => (item=pem)
skipping: [159.89.34.67] => (item=sha2)
ok: [159.89.34.67] => (item=xcbc)
ok: [159.89.34.67] => (item=updown)
ok: [159.89.34.67] => (item=sshkey)
ok: [159.89.34.67] => (item=mgf1)
skipping: [159.89.34.67] => (item=pkcs7)
ok: [159.89.34.67] => (item=sha1)
ok: [159.89.34.67] => (item=md5)
skipping: [159.89.34.67] => (item=revocation)
ok: [159.89.34.67] => (item=pkcs1)
ok: [159.89.34.67] => (item=xauth-generic)
skipping: [159.89.34.67] => (item=socket-default)
ok: [159.89.34.67] => (item=agent)
ok: [159.89.34.67] => (item=attr)
skipping: [159.89.34.67] => (item=openssl)
ok: [159.89.34.67] => (item=bypass-lan)
skipping: [159.89.34.67] => (item=aes)
skipping: [159.89.34.67] => (item=pkcs8)
ok: [159.89.34.67] => (item=gmp)
ok: [159.89.34.67] => (item=connmark)
ok: [159.89.34.67] => (item=rc2)
skipping: [159.89.34.67] => (item=random)
ok: [159.89.34.67] => (item=counters)
skipping: [159.89.34.67] => (item=kernel-netlink)
skipping: [159.89.34.67] => (item=x509)
skipping: [159.89.34.67] => (item=pgp)

TASK [vpn : Ensure that required plugins are enabled] **************************
skipping: [159.89.34.67] => (item=eap-mschapv2)
ok: [159.89.34.67] => (item=hmac)
ok: [159.89.34.67] => (item=gcm)
skipping: [159.89.34.67] => (item=dnskey)
skipping: [159.89.34.67] => (item=resolve)
skipping: [159.89.34.67] => (item=constraints)
ok: [159.89.34.67] => (item=nonce)
skipping: [159.89.34.67] => (item=aesni)
ok: [159.89.34.67] => (item=pubkey)
skipping: [159.89.34.67] => (item=md4)
skipping: [159.89.34.67] => (item=fips-prf)
ok: [159.89.34.67] => (item=pkcs12)
ok: [159.89.34.67] => (item=stroke)
ok: [159.89.34.67] => (item=pem)
ok: [159.89.34.67] => (item=sha2)
skipping: [159.89.34.67] => (item=xcbc)
skipping: [159.89.34.67] => (item=updown)
skipping: [159.89.34.67] => (item=sshkey)
skipping: [159.89.34.67] => (item=mgf1)
ok: [159.89.34.67] => (item=pkcs7)
skipping: [159.89.34.67] => (item=sha1)
skipping: [159.89.34.67] => (item=md5)
ok: [159.89.34.67] => (item=revocation)
skipping: [159.89.34.67] => (item=pkcs1)
skipping: [159.89.34.67] => (item=xauth-generic)
ok: [159.89.34.67] => (item=socket-default)
skipping: [159.89.34.67] => (item=agent)
skipping: [159.89.34.67] => (item=attr)
ok: [159.89.34.67] => (item=openssl)
skipping: [159.89.34.67] => (item=bypass-lan)
ok: [159.89.34.67] => (item=aes)
ok: [159.89.34.67] => (item=pkcs8)
skipping: [159.89.34.67] => (item=gmp)
skipping: [159.89.34.67] => (item=connmark)
skipping: [159.89.34.67] => (item=rc2)
ok: [159.89.34.67] => (item=random)
skipping: [159.89.34.67] => (item=counters)
ok: [159.89.34.67] => (item=kernel-netlink)
ok: [159.89.34.67] => (item=x509)
ok: [159.89.34.67] => (item=pgp)

TASK [vpn : include_tasks] *****************************************************
included: /Users/hadiyazdi/algo-master/roles/vpn/tasks/openssl.yml for 159.89.34.67

TASK [vpn : Set subjectAltName as a fact] **************************************
ok: [159.89.34.67 -> localhost]

TASK [vpn : Ensure the pki directory does not exist] ***************************
skipping: [159.89.34.67]

TASK [vpn : Ensure the pki directories exist] **********************************
ok: [159.89.34.67 -> localhost] => (item=ecparams)
ok: [159.89.34.67 -> localhost] => (item=certs)
ok: [159.89.34.67 -> localhost] => (item=crl)
ok: [159.89.34.67 -> localhost] => (item=newcerts)
ok: [159.89.34.67 -> localhost] => (item=private)
ok: [159.89.34.67 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] ********************************************
changed: [159.89.34.67 -> localhost] => (item=.rnd)
changed: [159.89.34.67 -> localhost] => (item=private/.rnd)
changed: [159.89.34.67 -> localhost] => (item=index.txt)
changed: [159.89.34.67 -> localhost] => (item=index.txt.attr)
changed: [159.89.34.67 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *******************************
ok: [159.89.34.67 -> localhost]

TASK [vpn : Build the CA pair] *************************************************
ok: [159.89.34.67 -> localhost]

TASK [vpn : Copy the CA certificate] *******************************************
ok: [159.89.34.67 -> localhost]

TASK [vpn : Generate the serial number] ****************************************
ok: [159.89.34.67 -> localhost]

TASK [vpn : Build the server pair] *********************************************
ok: [159.89.34.67 -> localhost]

TASK [vpn : Build the client's pair] *******************************************
ok: [159.89.34.67 -> localhost] => (item=hadi)
ok: [159.89.34.67 -> localhost] => (item=hassan)
ok: [159.89.34.67 -> localhost] => (item=abdulwahab)
ok: [159.89.34.67 -> localhost] => (item=hawraa)
ok: [159.89.34.67 -> localhost] => (item=mohammed)
ok: [159.89.34.67 -> localhost] => (item=noor)
ok: [159.89.34.67 -> localhost] => (item=mohsen)
failed: [159.89.34.67 -> localhost] (item=zahraa) => {"changed": true, "cmd": "openssl req -utf8 -new -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:zahraa\")) -keyout private/zahraa.key -out reqs/zahraa.req -nodes -passin pass:\"c06fc8b36e6ec7c38aae0b83070636a0\" -subj \"/CN=zahraa\" -batch && openssl ca -utf8 -in reqs/zahraa.req -out certs/zahraa.crt -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:zahraa\")) -days 3650 -batch -passin pass:\"c06fc8b36e6ec7c38aae0b83070636a0\" -subj \"/CN=zahraa\" && touch certs/zahraa_crt_generated", "delta": "0:00:00.065387", "end": "2018-07-20 21:35:52.255923", "item": "zahraa", "msg": "non-zero return code", "rc": 1, "start": "2018-07-20 21:35:52.190536", "stderr": "Generating a 384 bit EC private key\nwriting new private key to 'private/zahraa.key'\n-----\nUsing configuration from /dev/fd/63\nunable to load CA private key\n140735534035912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/evp/evp_enc.c:529:\n140735534035912:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pkcs12/p12_decr.c:103:\n140735534035912:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pkcs12/p12_decr.c:134:\n140735534035912:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_pkey.c:144:", "stderr_lines": ["Generating a 384 bit EC private key", "writing new private key to 'private/zahraa.key'", "-----", "Using configuration from /dev/fd/63", "unable to load CA private key", "140735534035912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/evp/evp_enc.c:529:", "140735534035912:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pkcs12/p12_decr.c:103:", "140735534035912:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pkcs12/p12_decr.c:134:", "140735534035912:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_pkey.c:144:"], "stdout": "", "stdout_lines": []}

TASK [vpn : debug] *************************************************************
ok: [159.89.34.67] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [vpn : fail] **************************************************************
fatal: [159.89.34.67]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

RUNNING HANDLER [dns_adblocking : restart apparmor] ****************************

PLAY RECAP *********************************************************************
159.89.34.67               : ok=80   changed=19   unreachable=0    failed=2
localhost                  : ok=23   changed=2    unreachable=0    failed=0

config.cfg

---

# Add as many users as you want for your VPN server here.
# Credentials will be generated for each one.
users:
  - hadi
  - hassan
  - abdulwahab
  - hawraa
  - mohammed
  - noor
  - mohsen
  - zahraa

# NOTE: If your usernames have leading 0's, like "000dan", you have to escape them

### Advanced users only below this line ###

# If True re-init all existing certificates. (True or False)
easyrsa_reinit_existent: False

vpn_network: 10.19.48.0/24
vpn_network_ipv6: 'fd9d:bc11:4020::/48'
wireguard_enabled: true
wireguard_port: 51820

# MSS is the TCP Max Segment Size
# Setting the 'max_mss' Ansible variable can solve some issues related to packet fragmentation
# This appears to be necessary on (at least) Google Cloud,
# however, some routers also require a change to this parameter
# See also:
# - https://github.com/trailofbits/algo/issues/216
# - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu
# - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
#max_mss: 1316

server_name: "{{ ansible_ssh_host }}"
IP_subject_alt_name: "{{ ansible_ssh_host }}"

# StrongSwan log level
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2

adblock_lists:
 - "http://winhelp2002.mvps.org/hosts.txt"
 - "https://adaway.org/hosts.txt"
 - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
 - "https://hosts-file.net/ad_servers.txt"

# Enable DNS encryption. Use dns_encryption_provider to specify the provider. If false dns_servers should be specified
dns_encryption: true

# Possible values: google, cloudflare
dns_encryption_provider: cloudflare

# DNS servers which will be used if dns_encryption disabled
dns_servers:
  ipv4:
    - 1.1.1.1
    - 1.0.0.1
  ipv6:
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001

# IP address for the local dns resolver
local_service_ip: 172.16.0.1

pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}"
CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"

# Block traffic between connected clients
BetweenClients_DROP: Y

congrats:
  common: |
    "#                          Congratulations!                            #"
    "#                     Your Algo server is running.                     #"
    "#    Config files and certificates are in the ./configs/ directory.    #"
    "#              Go to https://whoer.net/ after connecting               #"
    "#        and ensure that all your traffic passes through the VPN.      #"
    "#               Local DNS resolver {{ local_service_ip }}              #"
  p12_pass: |
    "#                The p12 and SSH keys password for new users is {{ easyrsa_p12_export_password }}             #"
  ca_key_pass: |
    "#                  The CA key password is {{ easyrsa_CA_password }}                 #"
  ssh_access: |
    "#      Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }}        #"

SSH_keys:
  comment: algo@ssh
  private: configs/algo.pem
  public: configs/algo.pem.pub

cloud_providers:
  azure:
    size: Basic_A0
    image:
      offer: UbuntuServer
      publisher: Canonical
      sku: '18.04-LTS'
      version: latest
  digitalocean:
    size: s-1vcpu-1gb
    image: "ubuntu-18-04-x64"
  ec2:
    size: t2.micro
    image:
      name: "ubuntu-bionic-18.04"
      owner: "099720109477"
  gce:
    size: f1-micro
    image: ubuntu-1804
  lightsail:
    size: nano_1_0
    image: ubuntu_16_04
  scaleway:
    size: START1-S
    image: Ubuntu Bionic Beaver
    arch: x86_64
  openstack:
    flavor_ram: ">=512"
    image:  Ubuntu-18.04
  local:

fail_hint:
  - Sorry, but something went wrong!
  - Please check the troubleshooting guide.
  - https://trailofbits.github.io/algo/troubleshooting.html

Viktova commented 6 years ago

Please post the contents of config.cfg

dguido commented 6 years ago

Can you try building without the adblocker turned on? Or try the ansible2.5 branch; it contains a lot of changes to the adblocking handler.

jackivanov commented 6 years ago

According to the logs provided, you ran it previously on the same server but with different settings, code or whatever. Try to delete everything and build it from scratch, or enable easyrsa_reinit_existent in the config.
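The failure in the log ("unable to load CA private key ... bad decrypt") is what `openssl ca` prints when the CA key on disk was encrypted under a different password than the one the current run passes via `-passin`, which is the leftover-from-a-previous-build situation described above. The check below is an added example, not Algo's own code: it tests whether a CA key decrypts with the configured password before any signing is attempted, and the demo builds a throwaway secp384r1 key (constructed passwords, temporary paths) to show the good and the stale case.

```shell
#!/bin/sh
# Added example, not part of Algo. Requires the openssl CLI.

# Returns 0 if the encrypted private key at $1 decrypts with password $2,
# non-zero otherwise (wrong password or unreadable file). This is the same
# decryption `openssl ca -passin` performs before it can sign a request.
check_ca_key_password() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Prints advice matching the failure mode on this page: a key that does not
# open with the current password came from an earlier build, so either remove
# the old PKI or set easyrsa_reinit_existent: True. Returns 0 when the key
# is usable, 1 when it is stale.
diagnose_ca_key() {
    if check_ca_key_password "$1" "$2"; then
        echo "CA key $1 opens with the configured password"
        return 0
    fi
    echo "CA key $1 does not decrypt with the configured password:"
    echo "  it was probably created by an earlier build with a different"
    echo "  easyrsa_CA_password. Delete the old PKI or set"
    echo "  easyrsa_reinit_existent: True in config.cfg and rerun."
    return 1
}

# Demo: a secp384r1 CA key encrypted under a constructed "old build" password,
# then checked with that password and with a constructed "new build" one.
# Returns 0 only if the good key is accepted and the stale case is detected.
demo_stale_ca_key() {
    dir=$(mktemp -d) || return 1
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/plain.key" 2>/dev/null || return 1
    openssl pkey -in "$dir/plain.key" -aes-256-cbc -passout pass:old-build-password \
        -out "$dir/ca.key" 2>/dev/null || return 1
    rc=1
    if diagnose_ca_key "$dir/ca.key" old-build-password \
       && ! diagnose_ca_key "$dir/ca.key" new-build-password; then
        rc=0
    fi
    rm -rf "$dir"
    return $rc
}
```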