xorr0
commented
7 years ago We're running into a similar issue with Ubuntu (Server) 16.04.1 LTS when attempting to add new users
- Quick side-note, it would be helpful to note somewhere that easy-rsa package is required, as I did not see this anywhere, and found it was needed upon trying to add a user.
- On-to the issue at hand, when we added 2x new users to config.cfg, so the (top of the) file looks like so:
root@sobchak:/home/cactus/algo# cat config.cfg ---
Add as many users as you want for your VPN server here
users:
- dan
- jack
- XORr0
- cactus
- when running (from the algo folder): `./algo update-users` - this is the error we get:
failed: [localhost] (item=XORr0) => {"changed": true, "cmd": "./easyrsa gen-req XORr0 nopass -- -passin pass:\"PASSW0RD\" -subj \"/CN=XORr0\" && ./easyrsa --subject-alt-name='DNS:XORr0' sign-req client XORr0 nopass -- -passin pass:\"PASSW0RD\" && touch '/opt/easy-rsa-ipsec/easyrsa3/pki/XORr0_initialized'", "delta": "0:00:00.333258", "end": "2016-12-30 03:46:06.333458", "failed": true, "item": "XORr0", "rc": 1, "start": "2016-12-30 03:46:06.000200", "stderr": "Generating a 2048 bit RSA private key\n................................................................................................................................................................................+++\n.............................+++\nwriting new private key to '/opt/easy-rsa-ipsec/easyrsa3//pki/private/XORr0.key.uAKJ2r7AFx'\n-----\nUsing configuration from /opt/easy-rsa-ipsec/easyrsa3//openssl-1.0.cnf\nunable to load CA private key\n140369712649880:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:\n140369712649880:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:\n140369712649880:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:\n140369712649880:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:\n\nEasy-RSA error:\n\nsigning failed (openssl output above may have more detail)", "stdout": "", "stdout_lines": [], "warnings": []}
- I found that by manually running the above commands listed in the error at
/opt/easy-rsa-ipsec/easyrsa3, we were getting this output:
root@sobchak:/opt/easy-rsa-ipsec/easyrsa3# ./easyrsa gen-req XORr0 nopass -- -passin pass:\"PASSW0RD\" -subj \"/CN=XORr0\"
Generating a 2048 bit RSA private key
.........+++
............+++
writing new private key to '/opt/easy-rsa-ipsec/easyrsa3//pki/private/XORr0.key.sL9HuqqI3S'
-----
Subject does not start with '/'.
problems making Certificate Request
Easy-RSA error:
Failed to generate request- Running the command like so, fixes this 1st portion of the over-all issue for us:
./easyrsa gen-req XORr0 nopass -- -passin pass:\"PASSW0RD\" -subj '/CN=XORr0'
root@sobchak:/opt/easy-rsa-ipsec/easyrsa3# ./easyrsa gen-req XORr0 nopass -- -passin pass:\"PASSW0RD\" -subj '/CN=XORr0'
Generating a 2048 bit RSA private key
................................................................................................................+++
..................+++
writing new private key to '/opt/easy-rsa-ipsec/easyrsa3//pki/private/XORr0.key.OToj4L4HwO'
------ The second command is the part we've been unsuccessful at figuring out so far:
root@sobchak:/opt/easy-rsa-ipsec/easyrsa3# ./easyrsa --subject-alt-name='DNS:XORr0' sign-req client XORr0 nopass -- -passin pass:\"PASSW0RD\"
Using configuration from /opt/easy-rsa-ipsec/easyrsa3//openssl-1.0.cnf
unable to load CA private key
139859816199832:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
139859816199832:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
139859816199832:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
139859816199832:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:
Easy-RSA error:
signing failed (openssl output above may have more detail)Thanks much for the software! Any help is greatly appreciated.
dguido
StevenGPalacio
OS / Environment
Ubuntu 16.04.1 LTS
Ansible version
ansible 2.2.0.0
Version of components from
requirements.txtName: boto Version: 2.45.0 Name: dopy Version: 0.3.5 Name: azure Version: 2.0.0rc5 Name: apache-libcloud Version: 1.4.0 Name: six Version: 1.10.0 Name: pyOpenSSL Version: 16.2.0
Summary of the problem
My original set up ran great. I ran it on an Ubuntu droplet on Digital Ocean and it created a second droplet for Algo to run on. I changed the config file to create just one user account. Connecting to that second droplet from my Android phone using strongSwan works as expected.
When I log back to the original droplet where I ran the install scripts to update the users, after adding them to the config file, I get an error when it fails to connect to the Algo droplet, even when I enter that second IP in both the IP questions the update-user script asks and entering the CA password that was originally generated during the original installation.
Connecting from droplet one to the Algo droplet using ssh -i configs/algo.pem root@xxx.xxx.xxx.xxx worked
Steps to reproduce the behavior
./algo update-users
The way of deployment (cloud or local)
Cloud
Expected behavior
New users added to config file
Actual behavior
TASK [Gather Facts] **** fatal: [xxx.xxx.xxx.xxx]: UNREACHABLE! => {“changed”: false, “msg”: “Failed to connect to the host via ssh: Warning: Permanently added ‘xxx.xxx.xxx.xxx’ (ECDSA) to the list of known hosts.\r\nPermission denied (publickey).\r\n”, “unreachable”: true}
Full log