trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Deployment failed at "Build the CA pair" #729

Closed DSIW closed 6 years ago

DSIW commented 6 years ago

OS / Environment

Local computer: Linux 4.11.5-1-ARCH, Python 2.7
DigitalOcean Droplet: 512 MB Memory / 20 GB Disk / FRA1 - Ubuntu 16.04.3 x64

Ansible version

2.2.0.0

Version of components from requirements.txt

Name: setuptools
Version: 36.7.2
---
Name: msrestazure
Version: 0.4.16
---
Name: ansible
Version: 2.2.0.0
---
Name: dopy
Version: 0.3.5
---
Name: boto
Version: 2.48.0
---
Name: boto3
Version: 1.4.7
---
Name: azure
Version: 2.0.0rc5
---
Name: msrest
Version: 0.4.1
---
Name: apache-libcloud
Version: 2.2.1
---
Name: six
Version: 1.11.0
---
Name: pyOpenSSL
Version: 17.3.0
---
Name: Jinja2
Version: 2.8

Summary of the problem

Deploy failed with error message. See log below.

Steps to reproduce the behavior

./algo

The way of deployment (cloud or local)

cloud (DigitalOcean)

Expected behavior

        "\"#----------------------------------------------------------------------#\"",
        "\"#                          Congratulations!                            #\"",
        "\"#                     Your Algo server is running.                     #\"",
        "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
        "\"#              Go to https://whoer.net/ after connecting               #\"",
        "\"#        and ensure that all your traffic passes through the VPN.      #\"",
        "\"#                    Local DNS resolver 172.16.0.1                     #\"",
        "\"#                The p12 and SSH keys password is XXXXXXXX             #\"",
        "\"#----------------------------------------------------------------------#\""

Actual behavior

I get this error message:

/bin/sh: -c: line 0: syntax error near unexpected token `('\n/bin/sh: -c: line 0: `openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem && openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:138.68.101.144,IP:138.68.101.144\")) -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:\"f111902fffc89805814cdd75d10850e4\" && touch 138.68.101.144_ca_generated'

Full log

  What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Microsoft Azure
    4. Google Compute Engine
    5. Install to existing Ubuntu 16.04 server

Enter the number of your desired provider
: 1
PLAY [Configure the server] ****************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [Generate the SSH private key] ********************************************
ok: [localhost]

TASK [Generate the SSH public key] *********************************************
ok: [localhost]

TASK [Change mode for the SSH private key] *************************************
ok: [localhost]

TASK [Ensure the dynamic inventory exists] *************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the DigitalOcean Access Token fact] *************
ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ******************
FAILED - RETRYING: TASK: cloud-digitalocean : Delete the existing Algo SSH keys (10 retries left).
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] *********************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ******************************
changed: [localhost]

TASK [cloud-digitalocean : Add the droplet to an inventory group] **************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] *******************************************
ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] ************************************
changed: [localhost]

TASK [cloud-digitalocean : Get droplets] ***************************************
ok: [localhost]

TASK [cloud-digitalocean : Ensure the group digitalocean exists in the dynamic inventory file] ***
ok: [localhost]

TASK [cloud-digitalocean : Populate the dynamic inventory] *********************
changed: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'algo', u'backup_ids': [], u'created_at': u'2017-11-18T16:53:06Z', u'snapshot_ids': [], u'size_slug': u'512mb', u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.240.0', u'ip_address': u'138.68.101.144', u'gateway': u'138.68.96.1'}], u'v6': [{u'type': u'public', u'netmask': 64, u'ip_address': u'2A03:B0C0:0003:00D0:0000:0000:00B3:F001', u'gateway': u'2A03:B0C0:0003:00D0:0000:0000:0000:0001'}]}, u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.3 x64', u'created_at': u'2017-11-18T00:53:45Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 29427538, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': True, u'size_gigabytes': 0.31}, u'memory': 512, u'region': {u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u's-1vcpu-3gb', u'c-2', u'4gb', u'c-4', u'8gb', u'c-8', u'16gb', u'm-16gb', u'c-16', u'm-32gb', u'32gb', u'48gb', u'm-64gb', u'64gb', u'c-32', u'm-128gb', u'm-224gb'], u'slug': u'fra1', u'name': u'Frankfurt 1', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage']}, u'disk': 20, u'id': 71500756, u'tags': [u'Environment:Algo'], u'features': [u'ipv6']})

TASK [Wait until SSH becomes ready...] *****************************************
ok: [localhost]

TASK [A short pause, in order to be sure the instance is ready] ****************
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [localhost]

TASK [Ensure the local ssh directory is exist] *********************************
ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] ************************
ok: [localhost]

PLAY [Configure the server and install required software] **********************

TASK [Check the system] ********************************************************
changed: [138.68.101.144]

TASK [Ubuntu | Install prerequisites] ******************************************
changed: [138.68.101.144]

TASK [Ubuntu | Configure defaults] *********************************************
changed: [138.68.101.144]

TASK [FreeBSD / HardenedBSD | Install prerequisites] ***************************
skipping: [138.68.101.144]

TASK [FreeBSD / HardenedBSD | Configure defaults] ******************************
skipping: [138.68.101.144]

TASK [set_fact] ****************************************************************
skipping: [138.68.101.144]

TASK [Gather Facts] ************************************************************
ok: [138.68.101.144]

TASK [Ensure the algo ssh key exist on the server] *****************************
ok: [138.68.101.144]

TASK [Enable IPv6] *************************************************************
ok: [138.68.101.144]

TASK [Set facts if the deployment in a cloud] **********************************
ok: [138.68.101.144]

TASK [Generate password for the CA key] ****************************************
changed: [138.68.101.144 -> localhost]

TASK [Generate p12 export password] ********************************************
changed: [138.68.101.144 -> localhost]

TASK [Define password facts] ***************************************************
ok: [138.68.101.144]

TASK [Define the commonName] ***************************************************
ok: [138.68.101.144]

TASK [common : Install software updates] ***************************************
changed: [138.68.101.144]

TASK [common : Check if reboot is required] ************************************
changed: [138.68.101.144]

TASK [common : Reboot] *********************************************************
skipping: [138.68.101.144]

TASK [common : Wait until SSH becomes ready...] ********************************
skipping: [138.68.101.144]

TASK [common : Disable MOTD on login and SSHD] *********************************
changed: [138.68.101.144] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [138.68.101.144] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] *******************************
changed: [138.68.101.144]

TASK [common : Loopback included into the network config] **********************
changed: [138.68.101.144]

RUNNING HANDLER [common : restart loopback] ************************************
changed: [138.68.101.144]

TASK [common : Check apparmor support] *****************************************
changed: [138.68.101.144]

TASK [common : set_fact] *******************************************************
ok: [138.68.101.144]

TASK [common : set_fact] *******************************************************
ok: [138.68.101.144]

TASK [common : set_fact] *******************************************************
skipping: [138.68.101.144]

TASK [common : Loopback included into the rc config] ***************************
skipping: [138.68.101.144]

TASK [common : Enable the gateway features] ************************************
skipping: [138.68.101.144] => (item={u'value': u'"YES"', u'param': u'firewall_enable'}) 
skipping: [138.68.101.144] => (item={u'value': u'"open"', u'param': u'firewall_type'}) 
skipping: [138.68.101.144] => (item={u'value': u'"YES"', u'param': u'gateway_enable'}) 
skipping: [138.68.101.144] => (item={u'value': u'"YES"', u'param': u'natd_enable'}) 
skipping: [138.68.101.144] => (item={u'value': u'""', u'param': u'natd_interface'}) 
skipping: [138.68.101.144] => (item={u'value': u'"-dynamic -m"', u'param': u'natd_flags'}) 

TASK [common : FreeBSD | Activate IPFW] ****************************************
skipping: [138.68.101.144]

TASK [common : Install tools] **************************************************
changed: [138.68.101.144] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'sendmail', u'iptables-persistent', u'cgroup-tools', u'openssl'])

TASK [common : Sysctl tuning] **************************************************
changed: [138.68.101.144] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [138.68.101.144] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [138.68.101.144] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [security : Install tools] ************************************************
ok: [138.68.101.144] => (item=[u'unattended-upgrades'])

TASK [security : Configure unattended-upgrades] ********************************
changed: [138.68.101.144]

TASK [security : Periodic upgrades configured] *********************************
changed: [138.68.101.144]

TASK [security : Find directories for minimizing access] ***********************
ok: [138.68.101.144] => (item=/usr/local/sbin)
ok: [138.68.101.144] => (item=/usr/local/bin)
ok: [138.68.101.144] => (item=/usr/sbin)
ok: [138.68.101.144] => (item=/usr/bin)
ok: [138.68.101.144] => (item=/sbin)
ok: [138.68.101.144] => (item=/bin)

TASK [security : Minimize access] **********************************************
ok: [138.68.101.144] => (item=(censored due to no_log))
ok: [138.68.101.144] => (item=(censored due to no_log))
ok: [138.68.101.144] => (item=(censored due to no_log))
ok: [138.68.101.144] => (item=(censored due to no_log))
ok: [138.68.101.144] => (item=(censored due to no_log))
ok: [138.68.101.144] => (item=(censored due to no_log))

TASK [security : Change shadow ownership to root and mode to 0600] *************
changed: [138.68.101.144]

TASK [security : change su-binary to only be accessible to user and group root] 
changed: [138.68.101.144]

TASK [security : Restrict core dumps (with PAM)] *******************************
changed: [138.68.101.144]

TASK [security : Restrict core dumps (with sysctl)] ****************************
changed: [138.68.101.144]

TASK [security : Disable Source Routed Packet Acceptance] **********************
changed: [138.68.101.144] => (item=net.ipv4.conf.all.accept_source_route)
changed: [138.68.101.144] => (item=net.ipv4.conf.default.accept_source_route)

TASK [security : Disable ICMP Redirect Acceptance] *****************************
changed: [138.68.101.144] => (item=net.ipv4.conf.all.accept_redirects)
changed: [138.68.101.144] => (item=net.ipv4.conf.default.accept_redirects)

TASK [security : Disable Secure ICMP Redirect Acceptance] **********************
changed: [138.68.101.144] => (item=net.ipv4.conf.all.secure_redirects)
changed: [138.68.101.144] => (item=net.ipv4.conf.default.secure_redirects)

TASK [security : Enable Bad Error Message Protection] **************************
changed: [138.68.101.144]

TASK [security : Enable RFC-recommended Source Route Validation] ***************
changed: [138.68.101.144] => (item=net.ipv4.conf.all.rp_filter)
changed: [138.68.101.144] => (item=net.ipv4.conf.default.rp_filter)

TASK [security : Do not send ICMP redirects (we are not a router)] *************
changed: [138.68.101.144]

TASK [security : SSH config] ***************************************************
changed: [138.68.101.144]

TASK [dns_adblocking : The DNS tag is defined] *********************************
ok: [138.68.101.144]

TASK [dns_adblocking : Dnsmasq installed] **************************************
changed: [138.68.101.144]

TASK [dns_adblocking : Ensure that the dnsmasq user exist] *********************
changed: [138.68.101.144]

TASK [dns_adblocking : The dnsmasq directory created] **************************
changed: [138.68.101.144]

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] *******
changed: [138.68.101.144]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ***********
changed: [138.68.101.144]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ***
changed: [138.68.101.144]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***
changed: [138.68.101.144]

TASK [dns_adblocking : FreeBSD / HardenedBSD | Enable dnsmasq] *****************
skipping: [138.68.101.144]

TASK [dns_adblocking : Dnsmasq configured] *************************************
changed: [138.68.101.144]

TASK [dns_adblocking : Adblock script created] *********************************
changed: [138.68.101.144]

TASK [dns_adblocking : Adblock script added to cron] ***************************
changed: [138.68.101.144]

TASK [dns_adblocking : Update adblock hosts] ***********************************
changed: [138.68.101.144]

RUNNING HANDLER [common : flush routing cache] *********************************
changed: [138.68.101.144]

RUNNING HANDLER [security : restart ssh] ***************************************
changed: [138.68.101.144]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] *****************************
changed: [138.68.101.144]

RUNNING HANDLER [vpn : daemon-reload] ******************************************
changed: [138.68.101.144]

TASK [dns_adblocking : Dnsmasq enabled and started] ****************************
ok: [138.68.101.144]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ****
changed: [138.68.101.144]

TASK [ssh_tunneling : Ensure that the algo group exist] ************************
changed: [138.68.101.144]

TASK [ssh_tunneling : Ensure that the jail directory exist] ********************
changed: [138.68.101.144]

TASK [ssh_tunneling : Ensure that the SSH users exist] *************************
changed: [138.68.101.144] => (item=vl)

TASK [ssh_tunneling : The authorized keys file created] ************************
changed: [138.68.101.144] => (item=vl)

TASK [ssh_tunneling : Generate SSH fingerprints] *******************************
changed: [138.68.101.144]

TASK [ssh_tunneling : Fetch users SSH private keys] ****************************
changed: [138.68.101.144] => (item=vl)

TASK [ssh_tunneling : Change mode for SSH private keys] ************************
changed: [138.68.101.144 -> localhost] => (item=vl)

TASK [ssh_tunneling : Fetch the known_hosts file] ******************************
changed: [138.68.101.144 -> localhost]

TASK [ssh_tunneling : Build the client ssh config] *****************************
changed: [138.68.101.144 -> localhost] => (item=vl)

TASK [ssh_tunneling : SSH | Get active system users] ***************************
skipping: [138.68.101.144]

TASK [ssh_tunneling : SSH | Delete non-existing users] *************************
skipping: [138.68.101.144] => (item=null) 

TASK [vpn : Ensure that the strongswan group exist] ****************************
changed: [138.68.101.144]

TASK [vpn : Ensure that the strongswan user exist] *****************************
changed: [138.68.101.144]

TASK [vpn : set_fact] **********************************************************
ok: [138.68.101.144]

TASK [vpn : Ubuntu | Install strongSwan] ***************************************
changed: [138.68.101.144]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ****************************
changed: [138.68.101.144] => (item=/usr/lib/ipsec/charon)
changed: [138.68.101.144] => (item=/usr/lib/ipsec/lookip)
changed: [138.68.101.144] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ******************************************
ok: [138.68.101.144] => (item=apparmor)
ok: [138.68.101.144] => (item=strongswan)
ok: [138.68.101.144] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *******
changed: [138.68.101.144]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********
changed: [138.68.101.144]

TASK [vpn : Iptables configured] ***********************************************
changed: [138.68.101.144] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ***********************************************
changed: [138.68.101.144] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : FreeBSD / HardenedBSD | Get the existing kernel parameters] ********
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | Set the rebuild_needed fact] ***************
skipping: [138.68.101.144] => (item=IPSEC) 
skipping: [138.68.101.144] => (item=IPSEC_NAT_T) 
skipping: [138.68.101.144] => (item=crypto) 

TASK [vpn : FreeBSD / HardenedBSD | Make the kernel config] ********************
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | Ensure the all options are enabled] ********
skipping: [138.68.101.144] => (item=options IPSEC) 
skipping: [138.68.101.144] => (item=options IPSEC_NAT_T) 
skipping: [138.68.101.144] => (item=device  crypto) 

TASK [vpn : HardenedBSD | Determine the sources] *******************************
skipping: [138.68.101.144]

TASK [vpn : FreeBSD | Determine the sources] ***********************************
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | Increase the git postBuffer size] **********
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *******************
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *******************
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] **************
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] **************
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | Reboot] ************************************
skipping: [138.68.101.144]

TASK [vpn : FreeBSD / HardenedBSD | Enable strongswan] *************************
skipping: [138.68.101.144]

TASK [vpn : Install strongSwan] ************************************************
ok: [138.68.101.144]

TASK [vpn : Setup the config files from our templates] *************************
changed: [138.68.101.144] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [138.68.101.144] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [138.68.101.144] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] ************************************************
changed: [138.68.101.144]

TASK [vpn : Disable unneeded plugins] ******************************************
changed: [138.68.101.144] => (item=gmp)
changed: [138.68.101.144] => (item=updown)
changed: [138.68.101.144] => (item=connmark)
changed: [138.68.101.144] => (item=test-vectors)
changed: [138.68.101.144] => (item=sshkey)
skipping: [138.68.101.144] => (item=nonce) 
skipping: [138.68.101.144] => (item=x509) 
changed: [138.68.101.144] => (item=agent)
changed: [138.68.101.144] => (item=resolve)
changed: [138.68.101.144] => (item=constraints)
changed: [138.68.101.144] => (item=dnskey)
skipping: [138.68.101.144] => (item=hmac) 
changed: [138.68.101.144] => (item=md5)
skipping: [138.68.101.144] => (item=pkcs12) 
skipping: [138.68.101.144] => (item=sha2) 
skipping: [138.68.101.144] => (item=stroke) 
skipping: [138.68.101.144] => (item=pkcs8) 
changed: [138.68.101.144] => (item=rc2)
changed: [138.68.101.144] => (item=xcbc)
skipping: [138.68.101.144] => (item=openssl) 
changed: [138.68.101.144] => (item=attr)
changed: [138.68.101.144] => (item=md4)
changed: [138.68.101.144] => (item=sha1)
skipping: [138.68.101.144] => (item=revocation) 
skipping: [138.68.101.144] => (item=pgp) 
skipping: [138.68.101.144] => (item=pkcs7) 
skipping: [138.68.101.144] => (item=gcm) 
skipping: [138.68.101.144] => (item=aes) 
changed: [138.68.101.144] => (item=pkcs1)
skipping: [138.68.101.144] => (item=pem) 
skipping: [138.68.101.144] => (item=random) 
skipping: [138.68.101.144] => (item=kernel-netlink) 
skipping: [138.68.101.144] => (item=socket-default) 
skipping: [138.68.101.144] => (item=pubkey) 
changed: [138.68.101.144] => (item=fips-prf)

TASK [vpn : Ensure that required plugins are enabled] **************************
skipping: [138.68.101.144] => (item=gmp) 
skipping: [138.68.101.144] => (item=updown) 
skipping: [138.68.101.144] => (item=connmark) 
skipping: [138.68.101.144] => (item=test-vectors) 
skipping: [138.68.101.144] => (item=sshkey) 
changed: [138.68.101.144] => (item=nonce)
changed: [138.68.101.144] => (item=x509)
skipping: [138.68.101.144] => (item=agent) 
skipping: [138.68.101.144] => (item=resolve) 
skipping: [138.68.101.144] => (item=constraints) 
skipping: [138.68.101.144] => (item=dnskey) 
changed: [138.68.101.144] => (item=hmac)
skipping: [138.68.101.144] => (item=md5) 
changed: [138.68.101.144] => (item=pkcs12)
changed: [138.68.101.144] => (item=sha2)
changed: [138.68.101.144] => (item=stroke)
changed: [138.68.101.144] => (item=pkcs8)
skipping: [138.68.101.144] => (item=rc2) 
skipping: [138.68.101.144] => (item=xcbc) 
changed: [138.68.101.144] => (item=openssl)
skipping: [138.68.101.144] => (item=attr) 
skipping: [138.68.101.144] => (item=md4) 
skipping: [138.68.101.144] => (item=sha1) 
changed: [138.68.101.144] => (item=revocation)
changed: [138.68.101.144] => (item=pgp)
changed: [138.68.101.144] => (item=pkcs7)
changed: [138.68.101.144] => (item=gcm)
changed: [138.68.101.144] => (item=aes)
skipping: [138.68.101.144] => (item=pkcs1) 
changed: [138.68.101.144] => (item=pem)
changed: [138.68.101.144] => (item=random)
changed: [138.68.101.144] => (item=kernel-netlink)
changed: [138.68.101.144] => (item=socket-default)
changed: [138.68.101.144] => (item=pubkey)
skipping: [138.68.101.144] => (item=fips-prf) 

TASK [vpn : Ensure the pki directory does not exist] ***************************
skipping: [138.68.101.144]

TASK [vpn : Ensure the pki directories exist] **********************************
changed: [138.68.101.144 -> localhost] => (item=ecparams)
changed: [138.68.101.144 -> localhost] => (item=certs)
changed: [138.68.101.144 -> localhost] => (item=crl)
changed: [138.68.101.144 -> localhost] => (item=newcerts)
changed: [138.68.101.144 -> localhost] => (item=private)
changed: [138.68.101.144 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] ********************************************
changed: [138.68.101.144 -> localhost] => (item=.rnd)
changed: [138.68.101.144 -> localhost] => (item=private/.rnd)
changed: [138.68.101.144 -> localhost] => (item=index.txt)
changed: [138.68.101.144 -> localhost] => (item=index.txt.attr)
changed: [138.68.101.144 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *******************************
changed: [138.68.101.144 -> localhost]

TASK [vpn : Build the CA pair] *************************************************
fatal: [138.68.101.144 -> localhost]: FAILED! => {"changed": true, "cmd": "openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem && openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:138.68.101.144,IP:138.68.101.144\")) -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:\"f111902fffc89805814cdd75d10850e4\" && touch 138.68.101.144_ca_generated", "delta": "0:00:00.006442", "end": "2017-11-18 18:02:12.543997", "failed": true, "rc": 1, "start": "2017-11-18 18:02:12.537555", "stderr": "/bin/sh: -c: line 0: syntax error near unexpected token `('\n/bin/sh: -c: line 0: `openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem && openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:138.68.101.144,IP:138.68.101.144\")) -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:\"f111902fffc89805814cdd75d10850e4\" && touch 138.68.101.144_ca_generated'", "stdout": "", "stdout_lines": [], "warnings": []}

TASK [vpn : debug] *************************************************************
ok: [138.68.101.144] => {
    "fail_hint": [
        "Sorry, but something went wrong!", 
        "Please check the troubleshooting guide.", 
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [vpn : fail] **************************************************************
fatal: [138.68.101.144]: FAILED! => {"changed": false, "failed": true, "msg": "Failed as requested from task"}

RUNNING HANDLER [security : restart ssh] ***************************************

RUNNING HANDLER [dns_adblocking : restart apparmor] ****************************

RUNNING HANDLER [vpn : restart strongswan] *************************************

RUNNING HANDLER [vpn : daemon-reload] ******************************************

RUNNING HANDLER [vpn : restart iptables] ***************************************

PLAY RECAP *********************************************************************
138.68.101.144             : ok=84   changed=67   unreachable=0    failed=1   
localhost                  : ok=19   changed=5    unreachable=0    failed=0   

DSIW commented 6 years ago

I checked out the commit fee009688ecd2f3b02518f828ee472e15e56f26b and it works now.

Working line: https://github.com/trailofbits/algo/blame/fee009688ecd2f3b02518f828ee472e15e56f26b/roles/vpn/tasks/openssl.yml#L41
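The failing task splices a `[basic_exts]` section onto `openssl.cnf` with bash process substitution (`<( ... )`), but Ansible's `shell` module hands the command to `/bin/sh -c`, and the `line 0: syntax error near unexpected token `('` in the report is that shell refusing the construct before openssl ever runs. The script below is an added example, not code from the algo project: it checks which interpreters accept process substitution and shows a POSIX-portable way to assemble the same config through a temporary file. The sample `openssl.cnf` contents and the address `192.0.2.10` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not algo's code). The "Build the CA pair" task relies on
#   -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=..."))
# which only bash (outside POSIX mode) understands. Ansible's shell module runs
# commands via /bin/sh -c: dash (Ubuntu's /bin/sh) rejects "<(", and the bash-
# style "line 0: syntax error" in the report shows the reporter's /bin/sh (bash
# invoked as sh, i.e. POSIX mode) doing the same. The shell fails the line
# before openssl starts, hence rc=1 with empty stdout.

# Return 0 if the interpreter named in $1 accepts process substitution.
# Assumption: $1 is on PATH and takes -c (sh, dash, bash, ...).
supports_process_substitution() {
    "$1" -c 'cat <(printf ok) >/dev/null' >/dev/null 2>&1
}

# Portable replacement for the process-substitution trick: append a generated
# [basic_exts] section to a copy of the base openssl.cnf and print the path of
# that copy, which the caller passes to "openssl req -config".
#   $1  path to the base openssl.cnf
#   $2  server address used for both the DNS and IP subjectAltName entries
build_ca_config() {
    base_cnf=$1
    san_host=$2
    [ -r "$base_cnf" ] || { echo "build_ca_config: cannot read $base_cnf" >&2; return 1; }
    out=$(mktemp) || return 1
    {
        cat "$base_cnf"
        printf '\n[basic_exts]\nsubjectAltName=DNS:%s,IP:%s\n' "$san_host" "$san_host"
    } > "$out" || { rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}

# Number of subjectAltName lines in an assembled config (expected: exactly 1).
san_count() {
    grep -c '^subjectAltName=' "$1"
}

# Return 0 if the assembled config ($1) carries a SAN for address $2.
has_san_for() {
    grep -q "^subjectAltName=DNS:$2,IP:$2\$" "$1"
}

demo() {
    # Constructed stand-in for algo's openssl.cnf; only the keys needed here.
    cnf=$(mktemp) || return 1
    printf '[req]\ndistinguished_name = req_dn\nx509_extensions = basic_exts\n[req_dn]\n' > "$cnf"
    cfg=$(build_ca_config "$cnf" 192.0.2.10) || return 1
    printf 'assembled config at %s:\n' "$cfg"
    cat "$cfg"
    for shell in sh bash; do
        if command -v "$shell" >/dev/null 2>&1; then
            if supports_process_substitution "$shell"; then
                printf '%s: process substitution accepted\n' "$shell"
            else
                printf '%s: process substitution rejected (the failure in this issue)\n' "$shell"
            fi
        fi
    done
    # With the temp file in hand the CA step needs no bash-only syntax, e.g.:
    #   openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config "$cfg" \
    #       -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch
    rm -f "$cnf" "$cfg"
}

demo
```

The other way to resolve it is to keep the one-liner and have Ansible run that task under bash by setting `executable: bash` in the `shell` task's `args`, which the module supports.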

DSIW commented 6 years ago

Why did you close this issue? I think it should work on the master branch, too?!

dguido commented 6 years ago

Oh, I thought you were saying that it works?

mudeford commented 6 years ago

I have the same problem on repeated tries:

: Name the vpn server:

What region should the server be located in?

  1. Amsterdam (Datacenter 2)
  2. Amsterdam (Datacenter 3)
  3. Frankfurt
  4. London
  5. New York (Datacenter 1)
  6. New York (Datacenter 2)
  7. New York (Datacenter 3)
  8. San Francisco (Datacenter 1)
  9. San Francisco (Datacenter 2)
  10. Singapore
  11. Toronto
  12. Bangalore
Enter the number of your desired region:

Do you want to enable VPN On Demand when connected to cellular networks?

Do you want to enable VPN On Demand when connected to Wi-Fi?

Do you want to install a local DNS resolver to block ads while surfing?

Do you want each user to have their own account for SSH tunneling?

Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)

Do you want the VPN to support Windows 10 clients? (requires RSA certificates and key exchange, less secure)

Do you want to store the CA key? (required for update-users script, but less secure)

PLAY [Configure the server] ****

TASK [setup] *** ok: [localhost]

TASK [Generate the SSH private key] **** ok: [localhost -> localhost]

TASK [Generate the SSH public key] ***** ok: [localhost -> localhost]

TASK [Change mode for the SSH private key] ***** ok: [localhost -> localhost]

TASK [Ensure the dynamic inventory exists] ***** ok: [localhost]

TASK [cloud-digitalocean : Set the DigitalOcean Access Token fact] ***** ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ** FAILED - RETRYING: TASK: cloud-digitalocean : Delete the existing Algo SSH keys (10 retries left). ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] ***** changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ** changed: [localhost]

TASK [cloud-digitalocean : Add the droplet to an inventory group] ** changed: [localhost]

TASK [cloud-digitalocean : set_fact] *** ok: [localhost]

TASK [cloud-digitalocean : Tag the groplet] **** changed: [localhost]

TASK [cloud-digitalocean : Get droplets] *** ok: [localhost]

TASK [cloud-digitalocean : Ensure the group digitalocean exists in the dynamic inventory file] *** ok: [localhost]

TASK [cloud-digitalocean : Populate the dynamic inventory] ***** ok: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'london', u'backup_ids': [], u'created_at': u'2017-03-31T18:23:45Z', u'snapshot_ids': [23847936, 29529520], u'size_slug': u'512mb', u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.240.0', u'ip_address': u'139.59.162.253', u'gateway': u'139.59.160.1'}], u'v6': [{u'type': u'public', u'netmask': 64, u'ip_address': u'2A03:B0C0:0001:00A1:0000:0000:162F:D001', u'gateway': u'2a03:b0c0:0001:00a1:0000:0000:0000:0001'}]}, u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.2 x64', u'created_at': u'2017-03-27T12:46:50Z', u'slug': None, u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 23754420, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': False, u'size_gigabytes': 0.33}, u'memory': 512, u'region': {u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u's-1vcpu-3gb', u'c-2', u'4gb', u'c-4', u'8gb', u'c-8', u'16gb', u'm-16gb', u'c-16', u'm-32gb', u'32gb', u'48gb', u'c-32', u'm-64gb', u'64gb', u'm-128gb', u'm-224gb'], u'slug': u'lon1', u'name': u'London 1', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage']}, u'disk': 20, u'id': 44328999, u'tags': [u'Environment:Algo'], u'features': [u'ipv6']}) ok: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'eastcoast', u'backup_ids': [], u'created_at': u'2017-04-03T15:00:37Z', u'snapshot_ids': [24140233], u'size_slug': u'512mb', 
u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.240.0', u'ip_address': u'138.197.109.166', u'gateway': u'138.197.96.1'}], u'v6': [{u'type': u'public', u'netmask': 64, u'ip_address': u'2604:A880:0800:00A1:0000:0000:0BCD:2001', u'gateway': u'2604:A880:0800:00A1:0000:0000:0000:0001'}]}, u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.2 x64', u'created_at': u'2017-03-27T12:46:50Z', u'slug': None, u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 23754420, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': False, u'size_gigabytes': 0.33}, u'memory': 512, u'region': {u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u's-1vcpu-3gb', u'c-2', u'4gb', u'c-4', u'8gb', u'c-8', u'16gb', u'm-16gb', u'c-16', u'm-32gb', u'32gb', u'48gb', u'c-32', u'm-64gb', u'64gb', u'm-128gb', u'm-224gb'], u'slug': u'nyc3', u'name': u'New York 3', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage']}, u'disk': 20, u'id': 44624326, u'tags': [u'Environment:Algo'], u'features': [u'ipv6']}) changed: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'uknew', u'backup_ids': [], u'created_at': u'2017-11-22T01:18:48Z', u'snapshot_ids': [], u'size_slug': u'512mb', u'networks': {u'v4': [{u'type': u'public', u'netmask': u'255.255.192.0', u'ip_address': u'46.101.0.67', u'gateway': u'46.101.0.1'}], u'v6': [{u'type': u'public', u'netmask': 64, u'ip_address': u'2A03:B0C0:0001:00D0:0000:0000:0033:E001', u'gateway': u'2A03:B0C0:0001:00D0:0000:0000:0000:0001'}]}, 
u'next_backup_window': None, u'vcpus': 1, u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 512, u'disk': 20, u'slug': u'512mb'}, u'image': {u'min_disk_size': 20, u'name': u'16.04.3 x64', u'created_at': u'2017-11-22T00:43:22Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'id': 29529053, u'distribution': u'Ubuntu', u'type': u'snapshot', u'public': True, u'size_gigabytes': 0.31}, u'memory': 512, u'region': {u'available': True, u'sizes': [u'512mb', u'1gb', u'2gb', u's-1vcpu-3gb', u'c-2', u'4gb', u'c-4', u'8gb', u'c-8', u'16gb', u'm-16gb', u'c-16', u'm-32gb', u'32gb', u'48gb', u'c-32', u'm-64gb', u'64gb', u'm-128gb', u'm-224gb'], u'slug': u'lon1', u'name': u'London 1', u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage']}, u'disk': 20, u'id': 71951659, u'tags': [u'Environment:Algo'], u'features': [u'ipv6']})

TASK [Wait until SSH becomes ready...] ***** ok: [localhost -> localhost]

TASK [A short pause, in order to be sure the instance is ready] **** Pausing for 10 seconds (ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) ok: [localhost]

TASK [Ensure the local ssh directory is exist] ***** ok: [localhost -> localhost]

TASK [Copy the algo ssh key to the local ssh directory] **** ok: [localhost -> localhost]

TASK [Configure the local ssh config] ** changed: [localhost -> localhost]

PLAY [Configure the server and install required software] **

TASK [Check the system] **** changed: [46.101.0.67]

TASK [Ubuntu | Install prerequisites] ** changed: [46.101.0.67]

TASK [Ubuntu | Configure defaults] ***** changed: [46.101.0.67]

TASK [FreeBSD / HardenedBSD | Install prerequisites] *** skipping: [46.101.0.67]

TASK [FreeBSD / HardenedBSD | Configure defaults] ** skipping: [46.101.0.67]

TASK [set_fact] **** skipping: [46.101.0.67]

TASK [Ensure the algo ssh key exist on the server] ***** ok: [46.101.0.67]

TASK [set_fact] **** ok: [46.101.0.67]

TASK [common : Gather Facts] *** ok: [46.101.0.67]

TASK [common : Install software updates] *** changed: [46.101.0.67]

TASK [common : Check if reboot is required] **** changed: [46.101.0.67]

TASK [common : Reboot] ***** skipping: [46.101.0.67]

TASK [common : Wait until SSH becomes ready...] **** skipping: [46.101.0.67]

TASK [common : Disable MOTD on login and SSHD] ***** changed: [46.101.0.67] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'}) changed: [46.101.0.67] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] *** changed: [46.101.0.67]

TASK [common : Loopback included into the network config] ** changed: [46.101.0.67]

RUNNING HANDLER [common : restart loopback] **** changed: [46.101.0.67]

TASK [common : set_fact] *** ok: [46.101.0.67]

TASK [common : set_fact] *** skipping: [46.101.0.67]

TASK [common : Loopback included into the rc config] *** skipping: [46.101.0.67]

TASK [common : Enable the gateway features] **** skipping: [46.101.0.67] => (item={u'value': u'"YES"', u'param': u'firewall_enable'}) skipping: [46.101.0.67] => (item={u'value': u'"open"', u'param': u'firewall_type'}) skipping: [46.101.0.67] => (item={u'value': u'"YES"', u'param': u'gateway_enable'}) skipping: [46.101.0.67] => (item={u'value': u'"YES"', u'param': u'natd_enable'}) skipping: [46.101.0.67] => (item={u'value': u'""', u'param': u'natd_interface'}) skipping: [46.101.0.67] => (item={u'value': u'"-dynamic -m"', u'param': u'natd_flags'})

TASK [common : Install tools] ** changed: [46.101.0.67] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'sendmail', u'iptables-persistent', u'cgroup-tools', u'openssl'])

TASK [common : Enable packet forwarding for IPv4] ** changed: [46.101.0.67] => (item=net.ipv4.ip_forward) changed: [46.101.0.67] => (item=net.ipv4.conf.all.forwarding) changed: [46.101.0.67] => (item=net.ipv6.conf.all.forwarding)

TASK [vpn : Gather Facts] ** ok: [46.101.0.67]

TASK [vpn : Enable IPv6] *** ok: [46.101.0.67]

TASK [vpn : Generate password for the CA key] ** changed: [46.101.0.67]

TASK [vpn : set_fact] ** ok: [46.101.0.67]

TASK [vpn : Change the algorithm to RSA] *** skipping: [46.101.0.67]

TASK [vpn : Ensure that the strongswan group exist] **** changed: [46.101.0.67]

TASK [vpn : Ensure that the strongswan user exist] ***** changed: [46.101.0.67]

TASK [vpn : set_fact] ** ok: [46.101.0.67]

TASK [vpn : Ubuntu | Install StrongSwan] *** changed: [46.101.0.67]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] **** skipping: [46.101.0.67] => (item=/usr/lib/ipsec/charon) skipping: [46.101.0.67] => (item=/usr/lib/ipsec/lookip) skipping: [46.101.0.67] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ** ok: [46.101.0.67] => (item=apparmor) ok: [46.101.0.67] => (item=strongswan) ok: [46.101.0.67] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *** changed: [46.101.0.67]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **** changed: [46.101.0.67]

TASK [vpn : Iptables configured] *** changed: [46.101.0.67] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] *** changed: [46.101.0.67] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : FreeBSD / HardenedBSD | Get the existing kernel parameters] **** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | Set the rebuild_needed fact] *** skipping: [46.101.0.67] => (item=IPSEC) skipping: [46.101.0.67] => (item=IPSEC_NAT_T) skipping: [46.101.0.67] => (item=crypto)

TASK [vpn : FreeBSD / HardenedBSD | Make the kernel config] **** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | Ensure the all options are enabled] **** skipping: [46.101.0.67] => (item=options IPSEC) skipping: [46.101.0.67] => (item=options IPSEC_NAT_T) skipping: [46.101.0.67] => (item=device crypto)

TASK [vpn : HardenedBSD | Determine the sources] *** skipping: [46.101.0.67]

TASK [vpn : FreeBSD | Determine the sources] *** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | Increase the git postBuffer size] ** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] ** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] ** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | Reboot] **** skipping: [46.101.0.67]

TASK [vpn : FreeBSD / HardenedBSD | Enable strongswan] ***** skipping: [46.101.0.67]

TASK [vpn : Install StrongSwan] **** ok: [46.101.0.67]

TASK [vpn : Setup the config files from our templates] ***** changed: [46.101.0.67] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) changed: [46.101.0.67] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) changed: [46.101.0.67] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] **** changed: [46.101.0.67]

TASK [vpn : Disable unneeded plugins] ** changed: [46.101.0.67] => (item=xcbc) skipping: [46.101.0.67] => (item=kernel-netlink) changed: [46.101.0.67] => (item=updown) skipping: [46.101.0.67] => (item=sha2) changed: [46.101.0.67] => (item=gmp) skipping: [46.101.0.67] => (item=x509) changed: [46.101.0.67] => (item=md4) changed: [46.101.0.67] => (item=agent) changed: [46.101.0.67] => (item=connmark) skipping: [46.101.0.67] => (item=random) skipping: [46.101.0.67] => (item=pgp) skipping: [46.101.0.67] => (item=pkcs7) changed: [46.101.0.67] => (item=fips-prf) changed: [46.101.0.67] => (item=sshkey) changed: [46.101.0.67] => (item=sha1) skipping: [46.101.0.67] => (item=nonce) changed: [46.101.0.67] => (item=md5) skipping: [46.101.0.67] => (item=aes) changed: [46.101.0.67] => (item=resolve) changed: [46.101.0.67] => (item=constraints) skipping: [46.101.0.67] => (item=socket-default) skipping: [46.101.0.67] => (item=stroke) skipping: [46.101.0.67] => (item=pkcs8) skipping: [46.101.0.67] => (item=pubkey) changed: [46.101.0.67] => (item=pkcs1) skipping: [46.101.0.67] => (item=pem) skipping: [46.101.0.67] => (item=revocation) skipping: [46.101.0.67] => (item=gcm) changed: [46.101.0.67] => (item=dnskey) skipping: [46.101.0.67] => (item=hmac) changed: [46.101.0.67] => (item=attr) changed: [46.101.0.67] => (item=test-vectors) changed: [46.101.0.67] => (item=rc2) skipping: [46.101.0.67] => (item=openssl) skipping: [46.101.0.67] => (item=pkcs12)

TASK [vpn : Ensure that required plugins are enabled] ** skipping: [46.101.0.67] => (item=xcbc) changed: [46.101.0.67] => (item=kernel-netlink) skipping: [46.101.0.67] => (item=updown) changed: [46.101.0.67] => (item=sha2) skipping: [46.101.0.67] => (item=gmp) changed: [46.101.0.67] => (item=x509) skipping: [46.101.0.67] => (item=md4) skipping: [46.101.0.67] => (item=agent) skipping: [46.101.0.67] => (item=connmark) changed: [46.101.0.67] => (item=random) changed: [46.101.0.67] => (item=pgp) changed: [46.101.0.67] => (item=pkcs7) skipping: [46.101.0.67] => (item=fips-prf) skipping: [46.101.0.67] => (item=sshkey) skipping: [46.101.0.67] => (item=sha1) changed: [46.101.0.67] => (item=nonce) skipping: [46.101.0.67] => (item=md5) changed: [46.101.0.67] => (item=aes) skipping: [46.101.0.67] => (item=resolve) skipping: [46.101.0.67] => (item=constraints) changed: [46.101.0.67] => (item=socket-default) changed: [46.101.0.67] => (item=stroke) changed: [46.101.0.67] => (item=pkcs8) changed: [46.101.0.67] => (item=pubkey) skipping: [46.101.0.67] => (item=pkcs1) changed: [46.101.0.67] => (item=pem) changed: [46.101.0.67] => (item=revocation) changed: [46.101.0.67] => (item=gcm) skipping: [46.101.0.67] => (item=dnskey) changed: [46.101.0.67] => (item=hmac) skipping: [46.101.0.67] => (item=attr) skipping: [46.101.0.67] => (item=test-vectors) skipping: [46.101.0.67] => (item=rc2) changed: [46.101.0.67] => (item=openssl) changed: [46.101.0.67] => (item=pkcs12)

TASK [vpn : Ensure the pki directory is not exist] ***** skipping: [46.101.0.67]

TASK [vpn : Ensure the pki directories are exist] ** changed: [46.101.0.67 -> localhost] => (item=ecparams) changed: [46.101.0.67 -> localhost] => (item=certs) changed: [46.101.0.67 -> localhost] => (item=crl) changed: [46.101.0.67 -> localhost] => (item=newcerts) changed: [46.101.0.67 -> localhost] => (item=private) changed: [46.101.0.67 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files are exist] **** changed: [46.101.0.67 -> localhost] => (item=.rnd) changed: [46.101.0.67 -> localhost] => (item=private/.rnd) changed: [46.101.0.67 -> localhost] => (item=index.txt) changed: [46.101.0.67 -> localhost] => (item=index.txt.attr) changed: [46.101.0.67 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *** changed: [46.101.0.67 -> localhost]

TASK [vpn : Build the CA pair] ***** fatal: [46.101.0.67 -> localhost]: FAILED! => {"changed": true, "cmd": "openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem &&\n openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config openssl.cnf -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:\"4a9d5ba6d021\" &&\n touch 46.101.0.67_ca_generated", "delta": "0:00:00.012697", "end": "2017-11-21 20:31:15.955196", "failed": true, "rc": 1, "start": "2017-11-21 20:31:15.942499", "stderr": "error on line 113 of openssl.cnf\n140736235479944:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 113", "stdout": "", "stdout_lines": [], "warnings": []}

RUNNING HANDLER [vpn : restart strongswan] *****

RUNNING HANDLER [vpn : daemon-reload] **

RUNNING HANDLER [vpn : restart iptables] ***

PLAY RECAP ***** 46.101.0.67 : ok=36 changed=26 unreachable=0 failed=1
localhost : ok=20 changed=6 unreachable=0 failed=0

MaybeGoogle commented 6 years ago

Same problem here. GCE, setting up from OSX High Sierra.

No point in posting the logs; others have them. Seems like it happens regardless of the settings...

dguido commented 6 years ago

Did you happen to install a different version of openssl, libressl, or boringssl via homebrew?

DrewDennison commented 6 years ago

I'm also seeing this issue trying to add a user. I do have the latest version of openssl installed via brew.

dguido commented 6 years ago

This works from the last two major versions of macOS and Ubuntu. This appears to be an Arch-specific issue, so I'm closing this ticket. Please let me know if you get to the bottom of it! We only officially support the last 2 major versions of macOS, Ubuntu, and, on a best-effort basis, Windows Services for Linux (WSL).

mudeford commented 6 years ago

My submissions are from the latest version of macOS, with no outstanding updates.

Incorrectly closed.


On Dec 28, 2017, at 18:42, Dan Guido notifications@github.com wrote:

Closed #729.
