Bug 1611812

Summary: NM OVPN Error opening file p12
Product: [Fedora] Fedora
Reporter: matvrix
Component: NetworkManager-openvpn
Assignee: Lubomir Rintel <lkundrak>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 28
CC: choeger, code, dcbw, lkundrak, steve, thaller
Hardware: x86_64
OS: Linux
Last Closed: 2018-08-04 00:54:34 UTC
Type: Bug
Attachments:
  sample OVPN that works in TunnelBlick (flags: none)
  VPN Config with p12 (flags: none)

Description matvrix 2018-08-02 19:08:52 UTC
Created attachment 1472811 [details]
sample OVPN that works in TunnelBlick

Description of problem:
NM can't load a certificate-based OVPN. The NM logs state that the p12 can't be loaded.

Version-Release number of selected component (if applicable):
Fedora 28, openvpn 2.4.6, openssl 1.1

How reproducible:
Open the WiFi icon, click VPN Off > VPN Settings, click (+), Add VPN > Import from file... > choose the ovpn file and click Open

Steps to Reproduce:
1. Click VPN Off > Connect

Actual results:
Activation of network connection failed

Expected results:
Connect to the VPN server

Additional info:
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: library versions: OpenSSL 1.1.0h-fips  27 Mar 2018, LZO 2.08
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Error opening file /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Exiting due to fatal error

Comment 1 matvrix 2018-08-02 19:17:50 UTC
Created attachment 1472813 [details]
VPN Config with p12

Comment 2 Thomas Haller 2018-08-02 20:31:47 UTC
> WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible

You must make sure that openvpn can read the file.

That means, for example, that the file permissions (rwx) allow for that, including on the parent directories of the file.

It also means that the SELinux label must be correct. What does

$ ls -laZ /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

give?

Comment 3 matvrix 2018-08-02 20:39:24 UTC
Here's the permission setting:
[works@works-mobi ~]$ ls -laZ /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
-rw-r--r--. 1 works works unconfined_u:object_r:user_home_t:s0 3957 Aug  1 15:42 /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

user works:works has the necessary permission to read.

Comment 4 Thomas Haller 2018-08-03 05:43:00 UTC
The SELinux label isn't right. The journal should also be full of SELinux denials from trying to access the file.

It seems the file needs a label like "unconfined_u:object_r:home_cert_t:s0".

You'd get that automatically by placing the file into ~/.certs instead.

Does `chcon -t home_cert_t $FILE` help?

Comment 5 matvrix 2018-08-04 00:54:34 UTC
Yes, that did the trick! Cheers.
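
Added example, not part of the bug report and not code from NetworkManager or OpenVPN: a small POSIX shell checker for the two conditions raised in comments 2 to 4, namely that the PKCS#12 file has no group/other permission bits (the "is group or others accessible" warning in the log above) and that its SELinux type is home_cert_t (comment 4's suggested label). It works on one line of `ls -laZ FILE` output rather than calling `ls -Z` itself, so it also runs on hosts without SELinux. The BAD_ENTRY sample is the line from comment 3; the GOOD_ENTRY sample and its ~/.certs path are constructed to show the fixed state, and the `chmod 600`/`chcon -t home_cert_t` fixes it prints are the standard remediation, not commands taken from the report.

```shell
#!/bin/sh
# check_p12.sh: report whether a .p12 file is in a state nm-openvpn can use.
# Input is a single line of `ls -laZ FILE` output, whose fields are:
#   mode links user group selinux_context size month day time path

# Field 1: the mode string, e.g. "-rw-r--r--." (trailing dot = SELinux context present).
entry_mode() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Field 5 is user:role:type:level; return the type component.
entry_selinux_type() {
    printf '%s\n' "$1" | awk '{split($5, ctx, ":"); print ctx[3]}'
}

# Exit status 0 when both checks pass, 1 otherwise. Prints one
# diagnostic plus the matching fix for each failed check.
check_p12_entry() {
    entry="$1"
    file=$(printf '%s\n' "$entry" | awk '{print $NF}')
    mode=$(entry_mode "$entry")
    type=$(entry_selinux_type "$entry")
    status=0

    # Characters 5-7 of the mode are the group bits, 8-10 the other bits;
    # openvpn warns whenever any of them is set.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $file mode $mode is group/others accessible; fix: chmod 600 $file"
        status=1
    fi
    # The SELinux policy lets openvpn read home_cert_t, not user_home_t.
    if [ "$type" != "home_cert_t" ]; then
        echo "FAIL: $file has SELinux type '$type', not home_cert_t; fix: chcon -t home_cert_t $file"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $file"
    fi
    return "$status"
}

# Constructed sample: the entry pasted in comment 3 (fails both checks).
BAD_ENTRY='-rw-r--r--. 1 works works unconfined_u:object_r:user_home_t:s0 3957 Aug  1 15:42 /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12'
# Constructed sample (hypothetical path): the same file after chmod 600 and
# a move into ~/.certs, where it receives home_cert_t automatically.
GOOD_ENTRY='-rw-------. 1 works works unconfined_u:object_r:home_cert_t:s0 3957 Aug  1 15:42 /home/works/.certs/pfSense-TCP-1198-Us-Client.p12'

if [ "$#" -gt 0 ]; then
    # Usage on an SELinux host: sh check_p12.sh /path/to/client.p12
    check_p12_entry "$(ls -laZ "$1")"
else
    # Demo on the constructed samples; the first one is expected to fail.
    check_p12_entry "$BAD_ENTRY" || :
    check_p12_entry "$GOOD_ENTRY"
fi
```

Run it with a path argument on the affected machine to get the same verdict the thread reached by hand; without arguments it just walks through the two embedded samples. The check deliberately does not rewrite anything itself, so it can be run against files in place before deciding whether to relabel them or move them under ~/.certs.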