trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.75k stars 2.32k forks

Keep receiving same error when trying to build new client's pair #604

Closed sandman1293 closed 7 years ago

sandman1293 commented 7 years ago

### OS / Environment

### Ansible version

### Version of components from requirements.txt

msrestazure
setuptools>=11.3
ansible>=2.1,<2.2.1
dopy==0.3.5
boto>=2.5
boto3
azure==2.0.0rc5
msrest==0.4.1
apache-libcloud
six
pyopenssl
jinja2==2.

### Summary of the problem

Keep receiving the same error message; I followed the troubleshooting guide to run Python 2.7, but it still did not work. I am not a developer, but it seems the problem is that I cannot add any of the users.

### Steps to reproduce the behavior

### The way of deployment (cloud or local)

### Expected behavior

### Actual behavior

### Full log

What provider would you like to use?

  1. DigitalOcean
  2. Amazon EC2
  3. Microsoft Azure
  4. Google Compute Engine (only for testing, see issue #369)
  5. Install to existing Ubuntu 16.04 server

Enter the number of your desired provider : 1

Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens): [pasted values will not be displayed] :

Name the vpn server:

What region should the server be located in?

  1. Amsterdam (Datacenter 2)
  2. Amsterdam (Datacenter 3)
  3. Frankfurt
  4. London
  5. New York (Datacenter 1)
  6. New York (Datacenter 2)
  7. New York (Datacenter 3)
  8. San Francisco (Datacenter 1)
  9. San Francisco (Datacenter 2)
  10. Singapore
  11. Toronto
  12. Bangalore

Enter the number of your desired region:

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) :

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?

Do you want each user to have their own account for SSH tunneling?

Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)

Do you want to retain the CA key? (required to add users in the future, but less secure)

PLAY [Configure the server] ****

TASK [setup] *** ok: [localhost]

TASK [Generate the SSH private key] **** ok: [localhost]

TASK [Generate the SSH public key] ***** ok: [localhost]

TASK [Change mode for the SSH private key] ***** ok: [localhost]

TASK [Ensure the dynamic inventory exists] ***** ok: [localhost]

TASK [cloud-digitalocean : Set the DigitalOcean Access Token fact] ***** ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ** FAILED - RETRYING: TASK: cloud-digitalocean : Delete the existing Algo SSH keys (10 retries left). ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] ***** changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ** changed: [localhost]

TASK [cloud-digitalocean : Add the droplet to an inventory group] ** changed: [localhost]

TASK [cloud-digitalocean : set_fact] *** ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] **** changed: [localhost]

TASK [cloud-digitalocean : Get droplets] *** ok: [localhost]

TASK [cloud-digitalocean : Ensure the group digitalocean exists in the dynamic inventory file] *** ok: [localhost]

TASK [cloud-digitalocean : Populate the dynamic inventory] ***** ok: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'Batstrike', u'backup_ids': [], u'created_at': u'2017-06-19T01:31:31Z', u'snapshot_ids': [], u'size_slug': u'512mb', u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.255.0', u'ip_address': u'192.34.62.6', u'gateway': u'192.34.62.1'}], u'v6': [{u'type': u'public', u'netmask': 64, u'ip_address': u'2604:A880:0400:00D0:0000:0000:2F5C:C001', u'gateway': u'2604:A880:0400:00D0:0000:0000:0000:0001'}]}, u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.2 x64', u'created_at': u'2017-06-14T23:29:57Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 25599663, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': True, u'size_gigabytes': 0.29}, u'memory': 512, u'region': {u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u'4gb', u'8gb', u'16gb'], u'slug': u'nyc1', u'name': u'New York 1', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage']}, u'disk': 20, u'id': 52167860, u'tags': [u'Environment:Algo'], u'features': [u'ipv6']}) ok: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'Batstrike123', u'backup_ids': [], u'created_at': u'2017-06-19T02:34:40Z', u'snapshot_ids': [], u'size_slug': u'512mb', u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.255.0', u'ip_address': u'192.241.134.181', u'gateway': u'192.241.134.1'}], u'v6': 
[{u'type': u'public', u'netmask': 64, u'ip_address': u'2604:A880:0400:00D0:0000:0000:2F60:3001', u'gateway': u'2604:A880:0400:00D0:0000:0000:0000:0001'}]}, u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.2 x64', u'created_at': u'2017-06-14T23:29:57Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 25599663, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': True, u'size_gigabytes': 0.29}, u'memory': 512, u'region': {u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u'4gb', u'8gb', u'16gb'], u'slug': u'nyc1', u'name': u'New York 1', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage']}, u'disk': 20, u'id': 52171283, u'tags': [u'Environment:Algo'], u'features': [u'ipv6']}) ok: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'Batstrike69', u'backup_ids': [], u'created_at': u'2017-06-19T03:06:40Z', u'snapshot_ids': [], u'size_slug': u'512mb', u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.240.0', u'ip_address': u'67.205.139.107', u'gateway': u'67.205.128.1'}], u'v6': [{u'type': u'public', u'netmask': 64, u'ip_address': u'2604:A880:0400:00D0:0000:0000:2F62:0001', u'gateway': u'2604:A880:0400:00D0:0000:0000:0000:0001'}]}, u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 
512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.2 x64', u'created_at': u'2017-06-14T23:29:57Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 25599663, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': True, u'size_gigabytes': 0.29}, u'memory': 512, u'region': {u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u'4gb', u'8gb', u'16gb'], u'slug': u'nyc1', u'name': u'New York 1', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage']}, u'disk': 20, u'id': 52173259, u'tags': [u'Environment:Algo'], u'features': [u'ipv6']}) changed: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'Batstrike123456', u'backup_ids': [], u'created_at': u'2017-06-19T03:17:17Z', u'snapshot_ids': [], u'size_slug': u'512mb', u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.240.0', u'ip_address': u'67.207.90.69', u'gateway': u'67.207.80.1'}], u'v6': [{u'type': u'public', u'netmask': 64, u'ip_address': u'2604:A880:0400:00D0:0000:0000:2F62:A001', u'gateway': u'2604:A880:0400:00D0:0000:0000:0000:0001'}]}, u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.2 x64', u'created_at': u'2017-06-14T23:29:57Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 25599663, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': True, u'size_gigabytes': 0.29}, u'memory': 512, u'region': 
{u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u'4gb', u'8gb', u'16gb'], u'slug': u'nyc1', u'name': u'New York 1', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage']}, u'disk': 20, u'id': 52173910, u'tags': [u'Environment:Algo'], u'features': [u'ipv6']})

TASK [Wait until SSH becomes ready...] ***** ok: [localhost]

TASK [A short pause, in order to be sure the instance is ready] **** Pausing for 20 seconds (ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) ok: [localhost]

TASK [Ensure the local ssh directory is exist] ***** ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] **** ok: [localhost]

PLAY [Configure the server and install required software] **

TASK [Check the system] **** changed: [67.207.90.69]

TASK [Ubuntu | Install prerequisites] ** changed: [67.207.90.69]

TASK [Ubuntu | Configure defaults] ***** changed: [67.207.90.69]

TASK [FreeBSD / HardenedBSD | Install prerequisites] *** skipping: [67.207.90.69]

TASK [FreeBSD / HardenedBSD | Configure defaults] ** skipping: [67.207.90.69]

TASK [set_fact] **** skipping: [67.207.90.69]

TASK [Gather Facts] **** ok: [67.207.90.69]

TASK [Ensure the algo ssh key exist on the server] ***** ok: [67.207.90.69]

TASK [Enable IPv6] ***** ok: [67.207.90.69]

TASK [Set facts if the deployment in a cloud] ** ok: [67.207.90.69]

TASK [Generate password for the CA key] **** changed: [67.207.90.69 -> localhost]

TASK [Define password facts] *** ok: [67.207.90.69]

TASK [Define the commonName] *** ok: [67.207.90.69]

TASK [common : Install software updates] *** changed: [67.207.90.69]

TASK [common : Check if reboot is required] **** changed: [67.207.90.69]

TASK [common : Reboot] ***** skipping: [67.207.90.69]

TASK [common : Wait until SSH becomes ready...] **** skipping: [67.207.90.69]

TASK [common : Disable MOTD on login and SSHD] ***** changed: [67.207.90.69] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'}) changed: [67.207.90.69] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] *** changed: [67.207.90.69]

TASK [common : Loopback included into the network config] ** changed: [67.207.90.69]

RUNNING HANDLER [common : restart loopback] **** changed: [67.207.90.69]

TASK [common : set_fact] *** ok: [67.207.90.69]

TASK [common : set_fact] *** skipping: [67.207.90.69]

TASK [common : Loopback included into the rc config] *** skipping: [67.207.90.69]

TASK [common : Enable the gateway features] **** skipping: [67.207.90.69] => (item={u'value': u'"YES"', u'param': u'firewall_enable'}) skipping: [67.207.90.69] => (item={u'value': u'"open"', u'param': u'firewall_type'}) skipping: [67.207.90.69] => (item={u'value': u'"YES"', u'param': u'gateway_enable'}) skipping: [67.207.90.69] => (item={u'value': u'"YES"', u'param': u'natd_enable'}) skipping: [67.207.90.69] => (item={u'value': u'""', u'param': u'natd_interface'}) skipping: [67.207.90.69] => (item={u'value': u'"-dynamic -m"', u'param': u'natd_flags'})

TASK [common : Install tools] ** changed: [67.207.90.69] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'sendmail', u'iptables-persistent', u'cgroup-tools', u'openssl'])

TASK [common : Sysctl tuning] ** changed: [67.207.90.69] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1}) changed: [67.207.90.69] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1}) changed: [67.207.90.69] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [vpn : Ensure that the strongswan group exist] **** changed: [67.207.90.69]

TASK [vpn : Ensure that the strongswan user exist] ***** changed: [67.207.90.69]

TASK [vpn : set_fact] ** ok: [67.207.90.69]

TASK [vpn : Configure apt to use the Xenial release by default] **** changed: [67.207.90.69]

TASK [vpn : Configure packages preferences] **** changed: [67.207.90.69]

TASK [vpn : Configure the Ubuntu Zesty repository] ***** changed: [67.207.90.69]

TASK [vpn : Ubuntu | Install strongSwan] *** changed: [67.207.90.69]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] **** skipping: [67.207.90.69] => (item=/usr/lib/ipsec/charon) skipping: [67.207.90.69] => (item=/usr/lib/ipsec/lookip) skipping: [67.207.90.69] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ** ok: [67.207.90.69] => (item=apparmor) ok: [67.207.90.69] => (item=strongswan) ok: [67.207.90.69] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *** changed: [67.207.90.69]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **** changed: [67.207.90.69]

TASK [vpn : Iptables configured] *** changed: [67.207.90.69] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] *** changed: [67.207.90.69] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : FreeBSD / HardenedBSD | Get the existing kernel parameters] **** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | Set the rebuild_needed fact] *** skipping: [67.207.90.69] => (item=IPSEC) skipping: [67.207.90.69] => (item=IPSEC_NAT_T) skipping: [67.207.90.69] => (item=crypto)

TASK [vpn : FreeBSD / HardenedBSD | Make the kernel config] **** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | Ensure the all options are enabled] **** skipping: [67.207.90.69] => (item=options IPSEC) skipping: [67.207.90.69] => (item=options IPSEC_NAT_T) skipping: [67.207.90.69] => (item=device crypto)

TASK [vpn : HardenedBSD | Determine the sources] *** skipping: [67.207.90.69]

TASK [vpn : FreeBSD | Determine the sources] *** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | Increase the git postBuffer size] ** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] ** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] ** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | Reboot] **** skipping: [67.207.90.69]

TASK [vpn : FreeBSD / HardenedBSD | Enable strongswan] ***** skipping: [67.207.90.69]

TASK [vpn : Install strongSwan] **** ok: [67.207.90.69]

TASK [vpn : Get StrongSwan versions] *** changed: [67.207.90.69]

TASK [vpn : Setup the config files from our templates] ***** changed: [67.207.90.69] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) changed: [67.207.90.69] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) changed: [67.207.90.69] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] **** changed: [67.207.90.69]

TASK [vpn : Disable unneeded plugins] ** skipping: [67.207.90.69] => (item=pgp) changed: [67.207.90.69] => (item=rc2) changed: [67.207.90.69] => (item=md5) changed: [67.207.90.69] => (item=ccm) changed: [67.207.90.69] => (item=md4) changed: [67.207.90.69] => (item=resolve) skipping: [67.207.90.69] => (item=pem) changed: [67.207.90.69] => (item=connmark) changed: [67.207.90.69] => (item=pkcs1) changed: [67.207.90.69] => (item=agent) skipping: [67.207.90.69] => (item=kernel-netlink) changed: [67.207.90.69] => (item=constraints) changed: [67.207.90.69] => (item=sha1) changed: [67.207.90.69] => (item=attr) changed: [67.207.90.69] => (item=sshkey) changed: [67.207.90.69] => (item=xauth-generic) changed: [67.207.90.69] => (item=eap-mschapv2) skipping: [67.207.90.69] => (item=random) skipping: [67.207.90.69] => (item=socket-default) changed: [67.207.90.69] => (item=dnskey) skipping: [67.207.90.69] => (item=stroke) changed: [67.207.90.69] => (item=updown) changed: [67.207.90.69] => (item=xcbc) skipping: [67.207.90.69] => (item=sha2) skipping: [67.207.90.69] => (item=hmac) changed: [67.207.90.69] => (item=fips-prf) skipping: [67.207.90.69] => (item=aes) skipping: [67.207.90.69] => (item=gcm) skipping: [67.207.90.69] => (item=revocation) changed: [67.207.90.69] => (item=aesni) changed: [67.207.90.69] => (item=test-vectors) skipping: [67.207.90.69] => (item=pkcs12) skipping: [67.207.90.69] => (item=nonce) changed: [67.207.90.69] => (item=gmp) skipping: [67.207.90.69] => (item=pkcs8) skipping: [67.207.90.69] => (item=pubkey) skipping: [67.207.90.69] => (item=x509) skipping: [67.207.90.69] => (item=pkcs7) skipping: [67.207.90.69] => (item=openssl)

TASK [vpn : Ensure that required plugins are enabled] ** changed: [67.207.90.69] => (item=pgp) skipping: [67.207.90.69] => (item=rc2) skipping: [67.207.90.69] => (item=md5) skipping: [67.207.90.69] => (item=ccm) skipping: [67.207.90.69] => (item=md4) skipping: [67.207.90.69] => (item=resolve) changed: [67.207.90.69] => (item=pem) skipping: [67.207.90.69] => (item=connmark) skipping: [67.207.90.69] => (item=pkcs1) skipping: [67.207.90.69] => (item=agent) changed: [67.207.90.69] => (item=kernel-netlink) skipping: [67.207.90.69] => (item=constraints) skipping: [67.207.90.69] => (item=sha1) skipping: [67.207.90.69] => (item=attr) skipping: [67.207.90.69] => (item=sshkey) skipping: [67.207.90.69] => (item=xauth-generic) skipping: [67.207.90.69] => (item=eap-mschapv2) changed: [67.207.90.69] => (item=random) changed: [67.207.90.69] => (item=socket-default) skipping: [67.207.90.69] => (item=dnskey) changed: [67.207.90.69] => (item=stroke) skipping: [67.207.90.69] => (item=updown) skipping: [67.207.90.69] => (item=xcbc) changed: [67.207.90.69] => (item=sha2) changed: [67.207.90.69] => (item=hmac) skipping: [67.207.90.69] => (item=fips-prf) changed: [67.207.90.69] => (item=aes) changed: [67.207.90.69] => (item=gcm) changed: [67.207.90.69] => (item=revocation) skipping: [67.207.90.69] => (item=aesni) skipping: [67.207.90.69] => (item=test-vectors) changed: [67.207.90.69] => (item=pkcs12) changed: [67.207.90.69] => (item=nonce) skipping: [67.207.90.69] => (item=gmp) changed: [67.207.90.69] => (item=pkcs8) changed: [67.207.90.69] => (item=pubkey) changed: [67.207.90.69] => (item=x509) changed: [67.207.90.69] => (item=pkcs7) changed: [67.207.90.69] => (item=openssl)

TASK [vpn : Ensure the pki directory does not exist] *** skipping: [67.207.90.69]

TASK [vpn : Ensure the pki directories exist] ** changed: [67.207.90.69 -> localhost] => (item=ecparams) changed: [67.207.90.69 -> localhost] => (item=certs) changed: [67.207.90.69 -> localhost] => (item=crl) changed: [67.207.90.69 -> localhost] => (item=newcerts) changed: [67.207.90.69 -> localhost] => (item=private) changed: [67.207.90.69 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] **** changed: [67.207.90.69 -> localhost] => (item=.rnd) changed: [67.207.90.69 -> localhost] => (item=private/.rnd) changed: [67.207.90.69 -> localhost] => (item=index.txt) changed: [67.207.90.69 -> localhost] => (item=index.txt.attr) changed: [67.207.90.69 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *** changed: [67.207.90.69 -> localhost]

TASK [vpn : Build the CA pair] ***** changed: [67.207.90.69 -> localhost]

TASK [vpn : Copy the CA certificate] *** changed: [67.207.90.69 -> localhost]

TASK [vpn : Generate the serial number] **** changed: [67.207.90.69 -> localhost]

TASK [vpn : Build the server pair] ***** changed: [67.207.90.69 -> localhost]

TASK [vpn : Build the client's pair] *** changed: [67.207.90.69 -> localhost] => (item=dan) changed: [67.207.90.69 -> localhost] => (item=jack) failed: [67.207.90.69 -> localhost] (item=Malware Demo) => {"changed": true, "cmd": "openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config openssl.cnf -keyout private/Malware Demo.key -out reqs/Malware Demo.req -nodes -passin pass:\"0459707397ad65e01e779d56061091ed\" -subj \"/CN=Malware Demo\" -batch && openssl ca -utf8 -in reqs/Malware Demo.req -out certs/Malware Demo.crt -config openssl.cnf -days 3650 -batch -passin pass:\"0459707397ad65e01e779d56061091ed\" -subj \"/CN=Malware Demo\" && touch certs/Malware Demo_crt_generated", "delta": "0:00:00.008417", "end": "2017-06-18 23:22:28.655122", "failed": true, "item": "Malware Demo", "rc": 1, "start": "2017-06-18 23:22:28.646705", "stderr": "unknown option Demo.key\nreq [options] outfile\nwhere options are\n -inform arg input format - DER or PEM\n -outform arg output format - DER or PEM\n -in arg input file\n -out arg output file\n -text text form of request\n -pubkey output public key\n -noout do not output REQ\n -verify verify signature on REQ\n -modulus RSA modulus\n -nodes don't encrypt the output key\n -engine e use engine e, possibly a hardware device\n -subject output the request's subject\n -passin private key password source\n -key file use the private key contained in file\n -keyform arg key file format\n -keyout arg file to send the key to\n -rand file:file:...\n load the file (or the files in the directory) into\n the random number generator\n -newkey rsa:bits generate a new RSA key of 'bits' in size\n -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n -config file request template file.\n -subj arg set or modify request subject\n -multivalue-rdn enable support for multivalued RDNs\n -new new 
request.\n -batch do not ask anything during request generation\n -x509 output a x509 structure instead of a cert. req.\n -days number of days a certificate generated by -x509 is valid for.\n -set_serial serial number to use for a certificate generated by -x509.\n -newhdr output \"NEW\" in the header lines\n -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n have been reported as requiring\n -extensions .. specify certificate extension section (override value in config file)\n -reqexts .. specify request extension section (override value in config file)\n -utf8 input characters are UTF8 (default ASCII)\n -nameopt arg - various certificate name options\n -reqopt arg - various request text options", "stdout": "", "stdout_lines": [], "warnings": []} failed: [67.207.90.69 -> localhost] (item=Kasra’s iPhone) => {"changed": true, "cmd": "openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config openssl.cnf -keyout private/Kasra’s iPhone.key -out reqs/Kasra’s iPhone.req -nodes -passin pass:\"0459707397ad65e01e779d56061091ed\" -subj \"/CN=Kasra’s iPhone\" -batch && openssl ca -utf8 -in reqs/Kasra’s iPhone.req -out certs/Kasra’s iPhone.crt -config openssl.cnf -days 3650 -batch -passin pass:\"0459707397ad65e01e779d56061091ed\" -subj \"/CN=Kasra’s iPhone\" && touch certs/Kasra’s iPhone_crt_generated", "delta": "0:00:00.008302", "end": "2017-06-18 23:22:28.815652", "failed": true, "item": "Kasra’s iPhone", "rc": 1, "start": "2017-06-18 23:22:28.807350", "stderr": "unknown option iPhone.key\nreq [options] outfile\nwhere options are\n -inform arg input format - DER or PEM\n -outform arg output format - DER or PEM\n -in arg input file\n -out arg output file\n -text text form of request\n -pubkey output public key\n -noout do not output REQ\n -verify verify signature on REQ\n -modulus RSA modulus\n -nodes don't encrypt the output key\n -engine e use engine e, possibly a hardware device\n -subject output the request's subject\n -passin private key 
password source\n -key file use the private key contained in file\n -keyform arg key file format\n -keyout arg file to send the key to\n -rand file:file:...\n load the file (or the files in the directory) into\n the random number generator\n -newkey rsa:bits generate a new RSA key of 'bits' in size\n -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n -config file request template file.\n -subj arg set or modify request subject\n -multivalue-rdn enable support for multivalued RDNs\n -new new request.\n -batch do not ask anything during request generation\n -x509 output a x509 structure instead of a cert. req.\n -days number of days a certificate generated by -x509 is valid for.\n -set_serial serial number to use for a certificate generated by -x509.\n -newhdr output \"NEW\" in the header lines\n -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n have been reported as requiring\n -extensions .. specify certificate extension section (override value in config file)\n -reqexts .. 
specify request extension section (override value in config file)\n -utf8 input characters are UTF8 (default ASCII)\n -nameopt arg - various certificate name options\n -reqopt arg - various request text options", "stdout": "", "stdout_lines": [], "warnings": []} failed: [67.207.90.69 -> localhost] (item=Kevin Ekbatani) => {"changed": true, "cmd": "openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config openssl.cnf -keyout private/Kevin Ekbatani.key -out reqs/Kevin Ekbatani.req -nodes -passin pass:\"0459707397ad65e01e779d56061091ed\" -subj \"/CN=Kevin Ekbatani\" -batch && openssl ca -utf8 -in reqs/Kevin Ekbatani.req -out certs/Kevin Ekbatani.crt -config openssl.cnf -days 3650 -batch -passin pass:\"0459707397ad65e01e779d56061091ed\" -subj \"/CN=Kevin Ekbatani\" && touch certs/Kevin Ekbatani_crt_generated", "delta": "0:00:00.009721", "end": "2017-06-18 23:22:28.979178", "failed": true, "item": "Kevin Ekbatani", "rc": 1, "start": "2017-06-18 23:22:28.969457", "stderr": "unknown option Ekbatani.key\nreq [options] outfile\nwhere options are\n -inform arg input format - DER or PEM\n -outform arg output format - DER or PEM\n -in arg input file\n -out arg output file\n -text text form of request\n -pubkey output public key\n -noout do not output REQ\n -verify verify signature on REQ\n -modulus RSA modulus\n -nodes don't encrypt the output key\n -engine e use engine e, possibly a hardware device\n -subject output the request's subject\n -passin private key password source\n -key file use the private key contained in file\n -keyform arg key file format\n -keyout arg file to send the key to\n -rand file:file:...\n load the file (or the files in the directory) into\n the random number generator\n -newkey rsa:bits generate a new RSA key of 'bits' in size\n -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n 
-config file request template file.\n -subj arg set or modify request subject\n -multivalue-rdn enable support for multivalued RDNs\n -new new request.\n -batch do not ask anything during request generation\n -x509 output a x509 structure instead of a cert. req.\n -days number of days a certificate generated by -x509 is valid for.\n -set_serial serial number to use for a certificate generated by -x509.\n -newhdr output \"NEW\" in the header lines\n -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n have been reported as requiring\n -extensions .. specify certificate extension section (override value in config file)\n -reqexts .. specify request extension section (override value in config file)\n -utf8 input characters are UTF8 (default ASCII)\n -nameopt arg - various certificate name options\n -reqopt arg - various request text options", "stdout": "", "stdout_lines": [], "warnings": []}

TASK [vpn : debug] ***** ok: [67.207.90.69] => { "fail_hint": [ "Sorry, but something went wrong!", "Please check the troubleshooting guide.", "https://trailofbits.github.io/algo/troubleshooting.html" ] }

TASK [vpn : fail] ** fatal: [67.207.90.69]: FAILED! => {"changed": false, "failed": true, "msg": "Failed as requested from task"}

RUNNING HANDLER [vpn : restart strongswan] *****

RUNNING HANDLER [vpn : daemon-reload] **

RUNNING HANDLER [vpn : restart iptables] ***

PLAY RECAP ***** 67.207.90.69 : ok=45 changed=34 unreachable=0 failed=1
localhost : ok=19 changed=5 unreachable=0 failed=0

dguido commented 7 years ago

Did you install a new copy of OpenSSL or libressl or whatever with homebrew? We ask all the questions in the template because they're all important.

sandman1293 commented 7 years ago

I didn't do any of that; I just followed the instructions to the letter. Was openssl or libressl part of one of the scripts?

dguido commented 7 years ago

Oh, don't put a space in the usernames. Looks like that screwed it up.

sandman1293 commented 7 years ago

What is the exact syntax? I tried several different ways.

Would you be able to copy and paste an example?

sandman1293 commented 7 years ago

Tried taking out the space in usernames but I am getting this error still:

failed: [67.205.179.253 -> localhost] (item=Kasra\xE2\x80\x99siPhone) => {"changed": true, "cmd": "openssl ca -gencrl -config openssl.cnf -passin pass:\"e24e36cdc4fcd6af3bee1aa579d20309\" -revoke certs/Kasra\xE2\x80\x99siPhone.crt -out crl/Kasra\xE2\x80\x99siPhone.crt", "delta": "0:00:00.009677", "end": "2017-06-19 11:00:56.220875", "failed": true, "item": "Kasra\xE2\x80\x99siPhone", "rc": 1, "start": "2017-06-19 11:00:56.211198", "stderr": "Using configuration from openssl.cnf\nError opening certs/KasraxE2x80x99siPhone.crt certs/KasraxE2x80x99siPhone.crt\n11724:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/conf/conf_lib.c:329:group=CA_default name=crlnumber\n11724:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/conf/conf_lib.c:329:group=CA_default name=default_crl_hours\n11724:error:02001002:system library:fopen:No such file or directory:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/bio/bss_file.c:356:fopen('certs/KasraxE2x80x99siPhone.crt','r')\n11724:error:20074002:BIO routines:FILE_CTRL:system lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/bio/bss_file.c:358:\nunable to load certificate", "stdout": "", "stdout_lines": [], "warnings": []}


dguido commented 7 years ago

openssl ca -gencrl -config openssl.cnf -passin pass:\"e24e36cdc4fcd6af3bee1aa579d20309\" -revoke certs/Kasra\xE2\x80\x99siPhone.crt -out crl/Kasra\xE2\x80\x99siPhone.crt

Use alphanumerics in the usernames, like how they started when they were just 'dan' and 'jack'.
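Both failures in this thread have the same root cause: the user name is substituted into a shell command without quoting (note `-keyout private/Malware Demo.key` in the log above), so a space splits the name into two arguments and OpenSSL reports the second half as an unknown option (`unknown option Demo.key`); once the space is removed, the curly apostrophe in `Kasra’siPhone` is still a non-ASCII character, and the revoke step then fails to open `certs/KasraxE2x80x99siPhone.crt`. The Python below is an added illustration written for this page, not code from the Algo project or from anyone in the thread. It checks a list of names against the alphanumeric rule dguido gives, reproduces how a POSIX shell tokenizes a simplified, constructed version of the failing command for each name, and shows that shell-quoting the name keeps it as a single argument. `CMD_TEMPLATE`, the `shlex.quote` hardening and all sample names are assumptions constructed for the example, not Algo's own template or fix.

```python
import re
import shlex

# The rule given in the thread: plain ASCII letters and digits, like 'dan'
# and 'jack'. No spaces, no curly apostrophes, nothing the shell or the
# file system could reinterpret.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]+$")

# Constructed, simplified shape of the command seen in the failing task
# (name substituted unquoted). This is an illustration, not Algo's template.
CMD_TEMPLATE = (
    "openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem "
    "-config openssl.cnf -keyout private/{user}.key -out reqs/{user}.req "
    "-nodes -subj /CN={user} -batch"
)


def is_valid_username(name: str) -> bool:
    """True only for a non-empty, ASCII-alphanumeric name."""
    return bool(USERNAME_RE.match(name))


def check_usernames(names):
    """Split names into the ones that pass and a dict of name -> reason."""
    ok, problems = [], {}
    for name in names:
        if is_valid_username(name):
            ok.append(name)
        elif name == "":
            problems[name] = "empty name"
        elif any(ch.isspace() for ch in name):
            # This is the 'Malware Demo' / "Kasra's iPhone" case from the log.
            problems[name] = "contains whitespace: the shell splits it into several arguments"
        elif not name.isascii():
            # This is the 'Kasra’siPhone' case: the space is gone, but the
            # U+2019 apostrophe still ends up mangled in the certificate path.
            problems[name] = "contains non-ASCII characters: the name is mangled on disk"
        else:
            problems[name] = "contains characters outside [A-Za-z0-9]"
    return ok, problems


def argv_for(user: str, quote: bool = False):
    """How a POSIX shell tokenizes the command for this name.

    With quote=True the name is wrapped with shlex.quote first, which is the
    assumed hardening: a quoted name survives as one argument even with spaces.
    """
    name = shlex.quote(user) if quote else user
    return shlex.split(CMD_TEMPLATE.format(user=name))


def keyout_argument(user: str, quote: bool = False) -> str:
    """The argument that actually follows -keyout after shell splitting."""
    argv = argv_for(user, quote)
    return argv[argv.index("-keyout") + 1]


def first_unexpected_token(user: str, quote: bool = False):
    """The token OpenSSL would see as an unknown option, or None if the
    command is intact (the token after -keyout's value should be -out)."""
    argv = argv_for(user, quote)
    nxt = argv[argv.index("-keyout") + 2]
    return None if nxt == "-out" else nxt


if __name__ == "__main__":
    # Constructed sample names, including the ones that failed in the thread.
    sample = ["dan", "jack", "Malware Demo", "Kasra\u2019s iPhone", "Kasra\u2019siPhone"]
    ok, problems = check_usernames(sample)
    print("accepted:", ok)
    for name, reason in problems.items():
        stray = first_unexpected_token(name)
        print(f"rejected {name!r}: {reason}"
              + (f" (openssl would report: unknown option {stray})" if stray else ""))
    print("quoted keyout for 'Malware Demo':", keyout_argument("Malware Demo", quote=True))
```

Running it shows `Malware Demo` and `Kasra’s iPhone` rejected for whitespace with the exact stray tokens from the log (`Demo.key`, `iPhone.key`), `Kasra’siPhone` rejected for the non-ASCII apostrophe, and the quoted variant keeping `private/Malware Demo.key` as one argument. Validating the name before it reaches any command line is the cheap check; quoting at the point of substitution is the one that removes the class of problem.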

sandman1293 commented 7 years ago

Excellent, thank you, that seemed to resolve the problem!

You may close this ticket. Thank you so much for your help.