trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.95k stars 2.32k forks

Error on install: Cryptography backend can only use "auto" for cipher option. #14193

Open freeman42x opened 3 years ago

freeman42x commented 3 years ago

Error on install: Cryptography backend can only use "auto" for cipher option. under the task: TASK [ssh_tunneling : Build ssh private keys]

To reproduce, install Algo VPN on Ubuntu 21.04 Desktop inside a VM.

TASK [ssh_tunneling : Build ssh private keys] ***************************************************************************************************************************************************************
failed: [localhost -> localhost] (item={'changed': False, 'stat': {'exists': False}, 'invocation': {'module_args': {'path': 'configs/128.35.231.29/ssh-tunnel//iphone.pem', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': 'iphone', 'ansible_loop_var': 'item'}) => {"ansible_loop_var": "item", "changed": false, "item": {"ansible_loop_var": "item", "changed": false, "failed": false, "invocation": {"module_args": {"checksum_algorithm": "sha1", "follow": false, "get_attributes": true, "get_checksum": true, "get_md5": false, "get_mime": true, "path": "configs/128.35.231.29/ssh-tunnel//iphone.pem"}}, "item": "iphone", "stat": {"exists": false}}, "msg": "Cryptography backend can only use \"auto\" for cipher option."}
failed: [localhost -> localhost] (item={'changed': False, 'stat': {'exists': False}, 'invocation': {'module_args': {'path': 'configs/128.35.231.29/ssh-tunnel//android.pem', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': 'android', 'ansible_loop_var': 'item'}) => {"ansible_loop_var": "item", "changed": false, "item": {"ansible_loop_var": "item", "changed": false, "failed": false, "invocation": {"module_args": {"checksum_algorithm": "sha1", "follow": false, "get_attributes": true, "get_checksum": true, "get_md5": false, "get_mime": true, "path": "configs/128.35.231.29/ssh-tunnel//android.pem"}}, "item": "android", "stat": {"exists": false}}, "msg": "Cryptography backend can only use \"auto\" for cipher option."}
failed: [localhost -> localhost] (item={'changed': False, 'stat': {'exists': False}, 'invocation': {'module_args': {'path': 'configs/128.35.231.29/ssh-tunnel//msi.pem', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': 'msi', 'ansible_loop_var': 'item'}) => {"ansible_loop_var": "item", "changed": false, "item": {"ansible_loop_var": "item", "changed": false, "failed": false, "invocation": {"module_args": {"checksum_algorithm": "sha1", "follow": false, "get_attributes": true, "get_checksum": true, "get_md5": false, "get_mime": true, "path": "configs/128.35.231.29/ssh-tunnel//msi.pem"}}, "item": "msi", "stat": {"exists": false}}, "msg": "Cryptography backend can only use \"auto\" for cipher option."}
included: /home/neo/Software/algo/playbooks/rescue.yml for localhost

TASK [debug] ************************************************************************************************************************************************************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] ********************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP **************************************************************************************************************************************************************************************************
localhost                  : ok=120  changed=13   unreachable=0    failed=1    skipped=46   rescued=1    ignored=0

freeman42x commented 3 years ago

I read that someone ran into the same issue and got it fixed by installing Algo VPN on Ubuntu Server and then using Tasksel to install a GUI.

But the scripts should run on the default Ubuntu Desktop also without any issues.

davidemyers commented 3 years ago

I'm no Python expert so I may be wrong, but I think this issue has something to do with the Ansible openssl_privatekey function deciding whether to use the pyOpenSSL or cryptography libraries. Algo is expecting pyOpenSSL to be used but on your system cryptography is being used for some reason.

One workaround is to not use Algo's SSH tunneling feature.

Another workaround is to edit roles/ssh_tunneling/tasks/main.yml and see if changing cipher: aes256 to cipher: auto works.

I'm assuming you're not trying to turn an Ubuntu 21.04 Desktop instance into your AlgoVPN server. That's unlikely to work as Ubuntu Desktop and Server manage their networks differently and Algo has been only tested to work with Ubuntu Server 18.04 and 20.04 (but will probably work with 21.04).
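
A static check for the condition discussed in the comment above, added here as an example (it is not code from Algo or Ansible): it scans task YAML for openssl_privatekey tasks that request a cipher other than auto without forcing the pyOpenSSL backend, the combination that fails with this error wherever the cryptography library is selected. The sample tasks and the line-based parser are constructed for illustration; select_crypto_backend is the module's own option, and treating pyopenssl as safe assumes the installed collection still ships that backend.

```python
import re
import sys

KEY_MODULES = {"openssl_privatekey", "community.crypto.openssl_privatekey"}
# One "key: value" line: optional list dash, optional trailing comment.
PAIR = re.compile(r"^(\s*)(?:-\s+)?([\w.]+):\s*(.*?)\s*(?:\s#.*)?$")

# Constructed sample tasks, not copied from the Algo repository.
SAMPLE = """\
- name: Build ssh private keys
  openssl_privatekey:
    passphrase: "{{ example_password }}"
    cipher: aes256
  with_items: "{{ users }}"
- name: Workaround applied
  openssl_privatekey:
    passphrase: "{{ example_password }}"
    cipher: auto  # backend picks the encryption
- name: Backend pinned
  openssl_privatekey:
    passphrase: "{{ example_password }}"
    cipher: aes256
    select_crypto_backend: pyopenssl
"""

def find_cipher_conflicts(yaml_text):
    """Return (task, cipher, backend) for tasks the cryptography backend rejects."""
    findings, name, params, mod_indent = [], None, None, 0
    for line in yaml_text.splitlines() + ["end:"]:  # sentinel closes last block
        m = PAIR.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"'")
        if params is not None and indent <= mod_indent:  # module block ended
            cipher = params.get("cipher", "auto")
            backend = params.get("select_crypto_backend", "auto")
            if cipher != "auto" and backend != "pyopenssl":
                findings.append((name, cipher, backend))
            params = None
        if params is not None:
            params[key] = value  # option inside the module block
        elif key == "name":
            name = value  # remember the task name for reporting
        elif key in KEY_MODULES and not value:
            params, mod_indent = {}, indent  # start collecting module options
    return findings

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(find_cipher_conflicts(source))
```

Run it with the path to a tasks file as the only argument, or with no argument to check the constructed sample.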

freeman42x commented 3 years ago

I see, I was actually trying to get it to work with Ubuntu Desktop. But I deleted that VM so I can no longer test your suggestions.

In the end, I tried to set it up on the 20.04 server and after fixing some issues it finally installed. But connecting to it I get no internet access, so I will probably create a ticket about this soon.

freeman42x commented 3 years ago

Probable solution here to the internet issue: https://github.com/trailofbits/algo/issues/14196#issuecomment-832181919