trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Removing user error: "Revoke non-existing users" #800

Closed zerongtonywang closed 6 years ago

zerongtonywang commented 6 years ago

OS / Environment

Ubuntu 16.04

Ansible version

2.2.0.0

Version of components from requirements.txt

adal==0.5.0
ansible==2.2.0.0
apache-libcloud==2.2.1
asn1crypto==0.24.0
azure==2.0.0rc5
azure-batch==0.30.0rc5
azure-common==1.1.8
azure-graphrbac==0.30.0rc5
azure-mgmt==0.30.0rc5
azure-mgmt-authorization==0.30.0rc5
azure-mgmt-batch==0.30.0rc5
azure-mgmt-cdn==0.30.0rc5
azure-mgmt-cognitiveservices==0.30.0rc5
azure-mgmt-commerce==0.30.0rc5
azure-mgmt-compute==0.30.0rc5
azure-mgmt-keyvault==0.30.0rc5
azure-mgmt-logic==0.30.0rc5
azure-mgmt-network==0.30.0rc5
azure-mgmt-notificationhubs==0.30.0rc5
azure-mgmt-nspkg==2.0.0
azure-mgmt-powerbiembedded==0.30.0rc5
azure-mgmt-redis==0.30.0rc5
azure-mgmt-resource==0.30.0rc5
azure-mgmt-scheduler==0.30.0rc5
azure-mgmt-storage==0.30.0rc5
azure-mgmt-web==0.30.0rc5
azure-nspkg==2.0.0
azure-servicebus==0.20.2
azure-servicemanagement-legacy==0.20.3
azure-storage==0.32.0
bcrypt==3.1.4
boto==2.48.0
boto3==1.5.24
botocore==1.8.38
certifi==2018.1.18
cffi==1.11.4
chardet==3.0.4
cryptography==2.1.4
docutils==0.14
dopy==0.3.5
enum34==1.1.6
futures==3.2.0
idna==2.6
ipaddress==1.0.19
isodate==0.6.0
Jinja2==2.8
jmespath==0.9.3
keyring==11.0.0
MarkupSafe==1.0
msrest==0.4.1
msrestazure==0.4.21
oauthlib==2.0.6
paramiko==2.4.0
pkg-resources==0.0.0
pyasn1==0.4.2
pycparser==2.18
pycrypto==2.6.1
PyJWT==1.5.3
PyNaCl==1.2.1
pyOpenSSL==17.5.0
python-dateutil==2.6.1
PyYAML==3.12
requests==2.18.4
requests-oauthlib==0.8.0
s3transfer==0.1.12
SecretStorage==2.3.1
six==1.11.0
urllib3==1.22

Summary of the problem

Running ./algo update-users, or simply rebuilding, while deleting users that were present in the previous build, results in this error:

TASK [vpn : Revoke non-existing users] *****************************************
failed: [localhost -> localhost] (item=dan) => {"changed": true, "cmd": "openssl ca -gencrl -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:dan\")) -passin pass:\"0e822f25711206a8bce60cb680e09248\" -revoke certs/dan.crt -out crl/dan.crt", "delta": "0:00:00.007306", "end": "2018-02-08 17:54:30.095845", "failed": true, "item": "dan", "rc": 1, "start": "2018-02-08 17:54:30.088539", "stderr": "Using configuration from /dev/fd/63\nError opening CA private key ./private/cakey.pem\n139662132991640:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./private/cakey.pem','r')\n139662132991640:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:\nunable to load CA private key", "stdout": "", "stdout_lines": [], "warnings": []}
failed: [localhost -> localhost] (item=jack) => {"changed": true, "cmd": "openssl ca -gencrl -config <(cat openssl.cnf <(printf \"[basic_exts]\\nsubjectAltName=DNS:jack\")) -passin pass:\"0e822f25711206a8bce60cb680e09248\" -revoke certs/jack.crt -out crl/jack.crt", "delta": "0:00:00.006648", "end": "2018-02-08 17:54:30.196912", "failed": true, "item": "jack", "rc": 1, "start": "2018-02-08 17:54:30.190264", "stderr": "Using configuration from /dev/fd/63\nError opening CA private key ./private/cakey.pem\n139890687444632:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./private/cakey.pem','r')\n139890687444632:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:\nunable to load CA private key", "stdout": "", "stdout_lines": [], "warnings": []}

PLAY RECAP *********************************************************************
localhost                  : ok=80   changed=16   unreachable=0    failed=1   

Steps to reproduce the behavior

Run ./algo with the default users dan and jack plus an extra custom user, then remove dan and jack, followed by running ./algo update-users as stated in the "Adding or Removing Users" instructions.

The way of deployment (cloud or local)

local

Expected behavior

Expected the Algo VPN server to contain only the users listed in the config.cfg file.

Actual behavior

The error described above.

Full log

PLAY [Configure the server] ****

TASK [setup] *** ok: [localhost]

TASK [Generate the SSH private key] **** ok: [localhost]

TASK [Generate the SSH public key] ***** ok: [localhost]

TASK [Change mode for the SSH private key] ***** ok: [localhost]

TASK [Ensure the dynamic inventory exists] ***** ok: [localhost]

TASK [Ensure the local ssh directory is exist] ***** ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] **** changed: [localhost]

TASK [local : Add the instance to an inventory group] ** skipping: [localhost]

TASK [local : Add the instance to an inventory group] ** changed: [localhost]

TASK [local : set_fact] **** ok: [localhost]

TASK [local : Ensure the group local exists in the dynamic inventory file] ***** ok: [localhost]

TASK [local : Populate the dynamic inventory] ** ok: [localhost]

PLAY [Configure the server and install required software] **

TASK [Check the system] **** changed: [localhost]

TASK [Ubuntu | Install prerequisites] ** changed: [localhost]

TASK [FreeBSD / HardenedBSD | Install prerequisites] *** skipping: [localhost]

TASK [FreeBSD / HardenedBSD | Configure defaults] ** skipping: [localhost]

TASK [set_fact] **** skipping: [localhost]

TASK [Gather Facts] **** ok: [localhost]

TASK [Enable IPv6] ***** skipping: [localhost]

TASK [Generate password for the CA key] **** changed: [localhost -> localhost]

TASK [Generate p12 export password] **** changed: [localhost -> localhost]

TASK [Define password facts] *** ok: [localhost]

TASK [Define the commonName] *** ok: [localhost]

TASK [common : Loopback for services configured] *** ok: [localhost]

TASK [common : Loopback included into the network config] ** ok: [localhost]

TASK [common : Check apparmor support] ***** changed: [localhost]

TASK [common : set_fact] *** ok: [localhost]

TASK [common : set_fact] *** ok: [localhost]

TASK [common : set_fact] *** skipping: [localhost]

TASK [common : Loopback included into the rc config] *** skipping: [localhost]

TASK [common : Enable the gateway features] **** skipping: [localhost] => (item={u'value': u'"YES"', u'param': u'gateway_enable'}) skipping: [localhost] => (item={u'value': u'"open"', u'param': u'firewall_type'}) skipping: [localhost] => (item={u'value': u'"YES"', u'param': u'firewall_enable'}) skipping: [localhost] => (item={u'value': u'"YES"', u'param': u'natd_enable'}) skipping: [localhost] => (item={u'value': u'""', u'param': u'natd_interface'}) skipping: [localhost] => (item={u'value': u'"-dynamic -m"', u'param': u'natd_flags'})

TASK [common : FreeBSD | Activate IPFW] **** skipping: [localhost]

TASK [common : Install tools] ** ok: [localhost] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'iptables-persistent', u'cgroup-tools', u'openssl'])

TASK [common : Sysctl tuning] ** ok: [localhost] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1}) ok: [localhost] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1}) ok: [localhost] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [security : Install tools] **** ok: [localhost] => (item=[u'unattended-upgrades'])

TASK [security : Configure unattended-upgrades] **** ok: [localhost]

TASK [security : Periodic upgrades configured] ***** ok: [localhost]

TASK [security : Find directories for minimizing access] *** ok: [localhost] => (item=/usr/local/sbin) ok: [localhost] => (item=/usr/local/bin) ok: [localhost] => (item=/usr/sbin) ok: [localhost] => (item=/usr/bin) ok: [localhost] => (item=/sbin) ok: [localhost] => (item=/bin)

TASK [security : Minimize access] ** ok: [localhost] => (item=(censored due to no_log)) ok: [localhost] => (item=(censored due to no_log)) ok: [localhost] => (item=(censored due to no_log)) ok: [localhost] => (item=(censored due to no_log)) ok: [localhost] => (item=(censored due to no_log)) ok: [localhost] => (item=(censored due to no_log))

TASK [security : Change shadow ownership to root and mode to 0600] ***** ok: [localhost]

TASK [security : change su-binary to only be accessible to user and group root] ok: [localhost]

TASK [security : Restrict core dumps (with PAM)] *** ok: [localhost]

TASK [security : Restrict core dumps (with sysctl)] **** ok: [localhost]

TASK [security : Disable Source Routed Packet Acceptance] ** ok: [localhost] => (item=net.ipv4.conf.all.accept_source_route) ok: [localhost] => (item=net.ipv4.conf.default.accept_source_route)

TASK [security : Disable ICMP Redirect Acceptance] ***** ok: [localhost] => (item=net.ipv4.conf.all.accept_redirects) ok: [localhost] => (item=net.ipv4.conf.default.accept_redirects)

TASK [security : Disable Secure ICMP Redirect Acceptance] ** ok: [localhost] => (item=net.ipv4.conf.all.secure_redirects) ok: [localhost] => (item=net.ipv4.conf.default.secure_redirects)

TASK [security : Enable Bad Error Message Protection] ** ok: [localhost]

TASK [security : Enable RFC-recommended Source Route Validation] *** ok: [localhost] => (item=net.ipv4.conf.all.rp_filter) ok: [localhost] => (item=net.ipv4.conf.default.rp_filter)

TASK [security : Do not send ICMP redirects (we are not a router)] ***** ok: [localhost]

TASK [security : SSH config] *** ok: [localhost]

TASK [dns_adblocking : The DNS tag is defined] ***** ok: [localhost]

TASK [dns_adblocking : Dnsmasq installed] ** ok: [localhost]

TASK [dns_adblocking : Ensure that the dnsmasq user exist] ***** ok: [localhost]

TASK [dns_adblocking : The dnsmasq directory created] ** ok: [localhost]

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] *** ok: [localhost]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] *** changed: [localhost]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] *** ok: [localhost]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *** ok: [localhost]

TASK [dns_adblocking : FreeBSD / HardenedBSD | Enable dnsmasq] ***** skipping: [localhost]

TASK [dns_adblocking : Dnsmasq configured] ***** ok: [localhost]

TASK [dns_adblocking : Adblock script created] ***** ok: [localhost]

TASK [dns_adblocking : Adblock script added to cron] *** ok: [localhost]

TASK [dns_adblocking : Update adblock hosts] *** changed: [localhost]

TASK [dns_adblocking : Dnsmasq enabled and started] **** ok: [localhost]

TASK [vpn : Ensure that the strongswan group exist] **** ok: [localhost]

TASK [vpn : Ensure that the strongswan user exist] ***** ok: [localhost]

TASK [vpn : set_fact] ** ok: [localhost]

TASK [vpn : Ubuntu | Install strongSwan] *** changed: [localhost]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] **** changed: [localhost] => (item=/usr/lib/ipsec/charon) changed: [localhost] => (item=/usr/lib/ipsec/lookip) changed: [localhost] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] ** ok: [localhost] => (item=apparmor) ok: [localhost] => (item=strongswan) ok: [localhost] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *** ok: [localhost]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **** ok: [localhost]

TASK [vpn : Iptables configured] *** ok: [localhost] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] *** skipping: [localhost] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : FreeBSD / HardenedBSD | Get the existing kernel parameters] **** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Set the rebuild_needed fact] *** skipping: [localhost] => (item=IPSEC_NAT_T) skipping: [localhost] => (item=IPSEC) skipping: [localhost] => (item=crypto)

TASK [vpn : FreeBSD / HardenedBSD | Make the kernel config] **** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Ensure the all options are enabled] **** skipping: [localhost] => (item=options IPSEC_NAT_T) skipping: [localhost] => (item=options IPSEC) skipping: [localhost] => (item=device crypto)

TASK [vpn : HardenedBSD | Determine the sources] *** skipping: [localhost]

TASK [vpn : FreeBSD | Determine the sources] *** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Increase the git postBuffer size] ** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Fetching the sources...] *** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] ** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | The kernel is being built...] ** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Reboot] **** skipping: [localhost]

TASK [vpn : FreeBSD / HardenedBSD | Enable strongswan] ***** skipping: [localhost]

TASK [vpn : Install strongSwan] **** ok: [localhost]

TASK [vpn : Setup the config files from our templates] ***** ok: [localhost] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) ok: [localhost] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) ok: [localhost] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] **** changed: [localhost]

TASK [vpn : Disable unneeded plugins] ** skipping: [localhost] => (item=nonce) ok: [localhost] => (item=test-vectors) skipping: [localhost] => (item=openssl) ok: [localhost] => (item=connmark) skipping: [localhost] => (item=revocation) skipping: [localhost] => (item=socket-default) skipping: [localhost] => (item=pubkey) ok: [localhost] => (item=xcbc) skipping: [localhost] => (item=pem) skipping: [localhost] => (item=random) ok: [localhost] => (item=updown) ok: [localhost] => (item=resolve) ok: [localhost] => (item=agent) ok: [localhost] => (item=fips-prf) skipping: [localhost] => (item=kernel-netlink) ok: [localhost] => (item=constraints) skipping: [localhost] => (item=pgp) ok: [localhost] => (item=gmp) ok: [localhost] => (item=dnskey) skipping: [localhost] => (item=pkcs7) skipping: [localhost] => (item=hmac) skipping: [localhost] => (item=pkcs8) ok: [localhost] => (item=pkcs1) skipping: [localhost] => (item=stroke) skipping: [localhost] => (item=aes) skipping: [localhost] => (item=x509) skipping: [localhost] => (item=sha2) ok: [localhost] => (item=sshkey) ok: [localhost] => (item=attr) ok: [localhost] => (item=rc2) ok: [localhost] => (item=sha1) ok: [localhost] => (item=md4) ok: [localhost] => (item=md5) skipping: [localhost] => (item=gcm) skipping: [localhost] => (item=pkcs12)

TASK [vpn : Ensure that required plugins are enabled] ** skipping: [localhost] => (item=test-vectors) ok: [localhost] => (item=nonce) ok: [localhost] => (item=openssl) skipping: [localhost] => (item=connmark) ok: [localhost] => (item=revocation) skipping: [localhost] => (item=xcbc) ok: [localhost] => (item=socket-default) ok: [localhost] => (item=pubkey) ok: [localhost] => (item=pem) ok: [localhost] => (item=random) skipping: [localhost] => (item=updown) skipping: [localhost] => (item=resolve) skipping: [localhost] => (item=agent) skipping: [localhost] => (item=fips-prf) skipping: [localhost] => (item=constraints) ok: [localhost] => (item=kernel-netlink) ok: [localhost] => (item=pgp) skipping: [localhost] => (item=gmp) skipping: [localhost] => (item=dnskey) ok: [localhost] => (item=pkcs7) ok: [localhost] => (item=hmac) ok: [localhost] => (item=pkcs8) skipping: [localhost] => (item=pkcs1) ok: [localhost] => (item=stroke) ok: [localhost] => (item=aes) ok: [localhost] => (item=x509) ok: [localhost] => (item=sha2) skipping: [localhost] => (item=sshkey) skipping: [localhost] => (item=attr) skipping: [localhost] => (item=rc2) skipping: [localhost] => (item=sha1) skipping: [localhost] => (item=md4) skipping: [localhost] => (item=md5) ok: [localhost] => (item=gcm) ok: [localhost] => (item=pkcs12)

TASK [vpn : Ensure the pki directory does not exist] *** skipping: [localhost]

TASK [vpn : Ensure the pki directories exist] ** ok: [localhost -> localhost] => (item=ecparams) ok: [localhost -> localhost] => (item=certs) ok: [localhost -> localhost] => (item=crl) ok: [localhost -> localhost] => (item=newcerts) ok: [localhost -> localhost] => (item=private) ok: [localhost -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] **** changed: [localhost -> localhost] => (item=.rnd) changed: [localhost -> localhost] => (item=private/.rnd) changed: [localhost -> localhost] => (item=index.txt) changed: [localhost -> localhost] => (item=index.txt.attr) changed: [localhost -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *** ok: [localhost -> localhost]

TASK [vpn : Build the CA pair] ***** ok: [localhost -> localhost]

TASK [vpn : Copy the CA certificate] *** ok: [localhost -> localhost]

TASK [vpn : Generate the serial number] **** ok: [localhost -> localhost]

TASK [vpn : Build the server pair] ***** ok: [localhost -> localhost]

TASK [vpn : Build the client's pair] *** ok: [localhost -> localhost] => (item=willow)

TASK [vpn : Build the client's p12] **** changed: [localhost -> localhost] => (item=willow)

TASK [vpn : Copy the p12 certificates] ***** changed: [localhost -> localhost] => (item=willow)

TASK [vpn : Get active users] ** changed: [localhost -> localhost]

TASK [vpn : Revoke non-existing users] ***** failed: [localhost -> localhost] (item=dan) => {"changed": true, "cmd": "openssl ca -gencrl -config <(cat openssl.cnf <(printf \"[basic_exts]\nsubjectAltName=DNS:dan\")) -passin pass:\"0e822f25711206a8bce60cb680e09248\" -revoke certs/dan.crt -out crl/dan.crt", "delta": "0:00:00.007306", "end": "2018-02-08 17:54:30.095845", "failed": true, "item": "dan", "rc": 1, "start": "2018-02-08 17:54:30.088539", "stderr": "Using configuration from /dev/fd/63\nError opening CA private key ./private/cakey.pem\n139662132991640:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./private/cakey.pem','r')\n139662132991640:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:\nunable to load CA private key", "stdout": "", "stdout_lines": [], "warnings": []} failed: [localhost -> localhost] (item=jack) => {"changed": true, "cmd": "openssl ca -gencrl -config <(cat openssl.cnf <(printf \"[basic_exts]\nsubjectAltName=DNS:jack\")) -passin pass:\"0e822f25711206a8bce60cb680e09248\" -revoke certs/jack.crt -out crl/jack.crt", "delta": "0:00:00.006648", "end": "2018-02-08 17:54:30.196912", "failed": true, "item": "jack", "rc": 1, "start": "2018-02-08 17:54:30.190264", "stderr": "Using configuration from /dev/fd/63\nError opening CA private key ./private/cakey.pem\n139890687444632:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./private/cakey.pem','r')\n139890687444632:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:\nunable to load CA private key", "stdout": "", "stdout_lines": [], "warnings": []} skipping: [localhost] => (item=willow)

TASK [vpn : debug] ***** ok: [localhost] => { "fail_hint": [ "Sorry, but something went wrong!", "Please check the troubleshooting guide.", "https://trailofbits.github.io/algo/troubleshooting.html" ] }

TASK [vpn : fail] ** fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Failed as requested from task"}

RUNNING HANDLER [dns_adblocking : restart apparmor] ****

PLAY RECAP ***** localhost : ok=80 changed=16 unreachable=0 failed=1

zerongtonywang commented 6 years ago

I believe this was because I did not retain the CA key; I will close this issue now.
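The root cause stated above, as an added example that is not part of the issue thread or of algo's own playbook: a throwaway OpenSSL CA laid out like the pki directory the "Ensure the pki directories exist" task creates (certs/, crl/, newcerts/, private/, reqs/, index.txt, serial), a client certificate issued from it, and then the revocation step that failed in the report, first with the CA key present and then after deleting it. Assumptions of mine, not things the page states: an openssl binary on PATH, an unencrypted CA key (algo's is passphrase-protected and passed with -passin), a single CRL file crl/ca.crl.pem rather than algo's per-user files under crl/, the made-up user names alice, bob and carol, and -revoke and -gencrl run as two openssl ca invocations instead of algo's combined command. The ca_key_present preflight is also mine.

```shell
#!/bin/sh
# Added example, not algo's code: a throwaway CA with algo's pki/ layout,
# used to show why revocation dies without private/cakey.pem.
# Assumed: openssl on PATH; names "Algo CA", alice, bob, carol are made up.
set -u

# Directory layout, CA database, openssl.cnf, EC key pair and an empty CRL.
make_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" \
             "$ca_dir/private" "$ca_dir/reqs"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    cat > "$ca_dir/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    ( cd "$ca_dir" &&
      openssl ecparam -name prime256v1 -genkey -noout -out private/cakey.pem &&
      chmod 600 private/cakey.pem &&
      openssl req -new -x509 -config openssl.cnf -key private/cakey.pem \
          -subj "/CN=Algo CA" -days 3650 -out cacert.pem &&
      openssl ca -config openssl.cnf -gencrl -out crl/ca.crl.pem ) >/dev/null 2>&1
}

# Preflight the playbook did not do: every "openssl ca" call loads this key.
ca_key_present() { [ -s "$1/private/cakey.pem" ]; }

# Issue a client certificate (the "Build the client's pair" step).
issue_client() {
    ca_dir=$1; name=$2
    ca_key_present "$ca_dir" || { echo "no CA key: cannot sign $name" >&2; return 1; }
    ( cd "$ca_dir" &&
      openssl ecparam -name prime256v1 -genkey -noout -out "private/$name.key" &&
      openssl req -new -config openssl.cnf -key "private/$name.key" \
          -subj "/CN=$name" -out "reqs/$name.req" &&
      openssl ca -batch -notext -config openssl.cnf \
          -in "reqs/$name.req" -out "certs/$name.crt" ) >/dev/null 2>&1
}

# Revoke a user (the "Revoke non-existing users" step). Two calls, so the CRL
# is generated only after the database row has been marked R.
revoke_client() {
    ca_dir=$1; name=$2
    ca_key_present "$ca_dir" || { echo "no CA key: cannot revoke $name" >&2; return 1; }
    ( cd "$ca_dir" &&
      openssl ca -config openssl.cnf -revoke "certs/$name.crt" &&
      openssl ca -config openssl.cnf -gencrl -out crl/ca.crl.pem ) >/dev/null 2>&1
}

# Would a relying party that checks the CRL still accept this certificate?
cert_is_valid() {
    ( cd "$1" && openssl verify -crl_check -CAfile cacert.pem \
          -CRLfile crl/ca.crl.pem "certs/$2.crt" ) >/dev/null 2>&1
}

# Does the CA database carry an "R" (revoked) row for this user?
is_revoked() { grep -q "^R.*/CN=$2\$" "$1/index.txt"; }

demo() {
    work=$(mktemp -d)
    make_ca "$work" && issue_client "$work" alice && issue_client "$work" bob
    revoke_client "$work" alice && echo "alice revoked"
    cert_is_valid "$work" alice || echo "alice rejected by CRL check"
    cert_is_valid "$work" bob && echo "bob still valid"
    rm "$work/private/cakey.pem"          # the state the reporter ended up in
    revoke_client "$work" bob || echo "bob cannot be revoked: CA key is gone"
    rm -rf "$work"
}
demo
```

The error in the report ("Error opening CA private key ./private/cakey.pem") comes from openssl ca loading the key before it does anything else, which is why the same missing file blocks both signing a new user and revoking an old one. Certificates already issued stay valid until they expire, so a lost CA key means rebuilding the CA and reissuing every client profile; keep private/cakey.pem and its passphrase with the same care as the deployment itself.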