trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

macOS: profile cannot be installed #14483

Closed dmitryd closed 1 year ago

dmitryd commented 2 years ago

Describe the bug

To Reproduce

Steps to reproduce the behavior:

  1. Follow the manual
  2. Go to ./configs/xxx.xxx.xxx.xxx/ipsec/apple/
  3. Double click on a "mobileconfig" file.
  4. macOS says to review the profile in settings
  5. Go to review the profile and press "Install"
  6. macOS asks for my user name and password (window title: "Profile/MDM wants to make changes")
  7. macOS displays failure window:

It does not ask me for any other passwords (no prompt for p12 password).

I can successfully install profiles from commercial VPN service providers.

Using macOS Monterey 12.4.

Expected behavior

Profile installs

Additional context

Using master @ 8b05cda01d8ef4965d755cdfd2c7d16661d3b26b

I found https://github.com/trailofbits/algo/issues/1086 but it is not the same issue. It seems like Monterey does not like what algo generates.

Logs from macOS:

default 22:34:33.177544+0300    mdmclient   ### XPC request: CallPlugIns:DetermineAdditionalWarnings ### from: <com.apple.preferences.configurationprofiles.remoteservice.xpc (pid: 51444; uid: 501)>
default 22:34:33.184947+0300    mdmclient   ### XPC request: InstallProfile ### from: <com.apple.preferences.configurationprofiles.remoteservice.xpc (pid: 51444; uid: 501)>
default 22:34:33.185270+0300    mdmclient   === CPF_GetInstalledProfiles === (<User: 501>)
default 22:34:33.188201+0300    mdmclient   Number of <User: 501> profiles found: 5 (Filtered: 0)
default 22:34:33.189179+0300    mdmclient   === CPF_InstallProfile === donut.local.A2AEB225-0CED-5266-A1B7-B8891192069E (user: dmitry) (source: '(null):Manual')
default 22:34:33.199558+0300    mdmclient   ### XPC request: CallPlugIns:ValidateProfileForInstall ### from: <self>
default 22:34:45.076950+0300    authd   Succeeded authorizing right 'system.privilege.admin' by client '/usr/libexec/mdmclient' [56900] for authorization created by '/usr/libexec/mdmclient' [56900] (3,0) (engine 237)
default 22:34:45.100425+0300    mdmclient   ### XPC request: CallPlugIns:InstallProfile ### from: <self>
default 22:34:45.222151+0300    mdmclient   Recording an MDS plugin: /System/Library/Security/ldapdl.bundle {87191ca6-0fc9-11d4-849a-000502b52122}
default 22:34:45.226830+0300    mdmclient   Recording an MDS plugin: /System/Library/Frameworks/Security.framework {87191ca0-0fc9-11d4-849a-000502b52122}
default 22:34:45.337974+0300    CertificateService  CSSM Exception: -25264 MAC verification failed during PKCS12 import (wrong password?)
default 22:34:45.342152+0300    CertificateService  ImportKeychainData SecKeychainItemImport returned: -25264
default 22:34:45.342261+0300    CertificateService  ImportKeychainData SecKeychainItemImport certificate verify error
error   22:34:45.344089+0300    mdmclient   [ERROR] <<<<< PlugIn: InstallPayload [CertificateService] Error: Error Domain=ConfigProfilePluginDomain Code=-323 "The certificate could not be verified (authentication error)." UserInfo={NSLocalizedDescription=The certificate could not be verified (authentication error).} <<<<<
default 22:34:45.358747+0300    authd   Succeeded authorizing right 'system.privilege.admin' by client '/usr/libexec/mdmclient' [56900] for authorization created by '/usr/libexec/mdmclient' [56900] (3,0) (engine 241)
default 22:34:45.365196+0300    mdmclient   ### XPC request: CallPlugIns:RemoveProfilePayloads ### from: <self>
default 22:34:45.519478+0300    CertificateService  CSSM Exception: -25264 MAC verification failed during PKCS12 import (wrong password?)
default 22:34:45.595396+0300    secd    CertificateServi[56901]/1#5 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=query missing class name}
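
The log above fails inside CertificateService on the PKCS#12 MAC check (-25264, "wrong password?") before any IPsec payload is touched, and the reporter notes that no p12 password prompt appears. The same MAC check can be run with openssl against a .p12 and its intended password, which separates "the password in the profile does not match the container" from "the importer does not support the container's MAC or encryption algorithms". The script below is an added example and not part of the algo project or this issue; it generates its own throwaway key, certificate and .p12 (constructed, under a temp directory named here as an assumption) rather than reading algo's configs directory, and the `p12_mac_ok` / `p12_algorithms` function names are the example's own.

```shell
#!/bin/sh
# Added example (not algo's code): reproduce the PKCS#12 MAC verification that the
# macOS importer performs, so a "MAC verification failed during PKCS12 import"
# report can be checked locally against a .p12 file and its intended password.
set -u

# Return 0 when the PKCS#12 MAC verifies with the given password, non-zero otherwise.
# -noout parses the container (which includes verifying its MAC) without writing
# any key material to stdout.
p12_mac_ok() {
    p12="$1"
    password="$2"
    openssl pkcs12 -in "$p12" -noout -passin "pass:$password" 2>/dev/null
}

# Print the MAC and encryption algorithms recorded in the container. An importer
# has to support these before the MAC check can pass at all; openssl writes the
# -info summary to stderr, hence the redirect.
p12_algorithms() {
    p12="$1"
    password="$2"
    openssl pkcs12 -in "$p12" -info -noout -passin "pass:$password" 2>&1 \
        | grep -E '^(MAC:|PKCS7 (Data|Encrypted data))'
}

# Build a constructed throwaway key, self-signed certificate and .p12 for the demo.
# Prints the path of the resulting .p12.
make_demo_p12() {
    dir="$1"
    password="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-vpn-client" \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/demo.crt" -inkey "$dir/demo.key" \
        -name demo-vpn-client -out "$dir/demo.p12" \
        -passout "pass:$password" >/dev/null 2>&1
    echo "$dir/demo.p12"
}

# Demo run: the temp directory and the password are assumptions for this example.
DEMO_DIR="${TMPDIR:-/tmp}/p12-demo.$$"
mkdir -p "$DEMO_DIR"
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_P12="$(make_demo_p12 "$DEMO_DIR" correct-pass)"

echo "Algorithms in $DEMO_P12:"
p12_algorithms "$DEMO_P12" correct-pass

if p12_mac_ok "$DEMO_P12" correct-pass; then
    echo "correct password: MAC verifies"
else
    echo "correct password: MAC verification FAILED"
fi

# The same failure class the macOS log reports: the importer's password does not
# match the MAC on the container.
if p12_mac_ok "$DEMO_P12" wrong-pass; then
    echo "wrong password: MAC verifies (unexpected)"
else
    echo "wrong password: MAC verification failed, as the macOS importer would report"
fi
```

To apply this to a real profile, run `p12_mac_ok` on the .p12 from the configs directory with the password the profile is expected to carry: a failure there points at a password mismatch, while a success combined with the macOS error points at the algorithms shown by `p12_algorithms` (the MAC digest and the PBE scheme) not being accepted by the importer on that OS version.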
devopsotrator commented 2 years ago

Same issue for me, details about my mac. Same error on my iPhone

jackivanov commented 2 years ago

I can't reproduce with the default options. What options did you select? Please share the deployer log output.

9en9i commented 1 year ago

Same issue

9en9i commented 1 year ago

Solved by installing certbot

jasonjgeiger commented 1 year ago

@9en9i do you have details on how you got it working with certbot?

9en9i commented 1 year ago

@jasonjgeiger I made a certificate for the top-level domain and also for the domain that I specified when setting up algo vpn (vpn.my-domain.com). Perhaps the certificate is enough only for the top-level domain. I didn't check and did both just in case.