Bug 753933

Summary: nm-openvpn is unable to load the private key file
Product: [Fedora] Fedora
Reporter: Pierre <pwieser>
Component: NetworkManager-openvpn
Assignee: Dan Williams <dcbw>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 16
CC: choeger, danw, dcbw, huzaifas, jklimes, smol.robert, steve
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2013-02-13 13:47:47 UTC

Description Pierre 2011-11-14 21:37:44 UTC
Description of problem:
Unable to start OpenVPN from the NetworkManager

Version-Release number of selected component (if applicable):
rpm -q NetworkManager-openvpn
NetworkManager-openvpn-0.9.0-1.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Just configure an OpenVPN client
2. Try to run it
3. tail log

Actual results:
Nov 14 21:44:15 toshiba nm-openvpn[15620]: OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep  9 2011
Nov 14 21:44:15 toshiba nm-openvpn[15620]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 14 21:44:15 toshiba nm-openvpn[15620]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 14 21:44:15 toshiba nm-openvpn[15620]: Cannot load private key file /etc/openvpn/keys/03.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Nov 14 21:44:15 toshiba nm-openvpn[15620]: Error: private key password verification failed
Nov 14 21:44:15 toshiba nm-openvpn[15620]: Exiting


Expected results:
Should work

Additional info:
SELinux is disabled:
[pierre@toshiba ~]$ cat /etc/selinux/config (and the notebook has been rebooted)

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

Fresh Fedora 16 install (Previous Fedora 15 used to work fine with same files)

OpenVPN itself works fine:
# openvpn --config /etc/openvpn/client.conf
actually establishes the connection.

Comment 1 Robert Smol 2012-06-25 17:14:01 UTC
Hi, I am having exactly the same issue:

NetworkManager-openvpn-0.9.3.997-1.fc17.x86_64

If I do manually sudo openvpn connection.vpn I do get connected with the same certificate. Is there any additional info needed?

Comment 2 Robert Smol 2012-06-25 17:52:43 UTC
OK, please disregard my previous comment, I've swapped crt with key files. Works OK for me now.

Comment 3 Jirka Klimes 2012-07-17 10:03:41 UTC
Pierre, is that still an issue?
Is 03.pem file in place and valid? It should contain something like this
-----BEGIN RSA PRIVATE KEY-----
(base64 encoded data)
-----END RSA PRIVATE KEY-----

Comment 4 Dan Winship 2012-07-23 16:58:16 UTC
I'm thinking we should change the dialogs to let you select any file with the correct extension, but then pop up an error after the user selects the file if the contents are not in the expected format. That would make it clearer to users what's going on.

(It would also be good if we documented somewhere what formats were allowed...)
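
The content check suggested in comments 3 and 4, sketched as an added example (not nm-openvpn code and not part of any comment above): it reads the PEM armor labels of the file chosen as the private key and flags a certificate in the key slot, the mix-up described in comment 2. The function names, messages and sample strings are assumptions made for illustration.

```python
import re

# PEM armor lines look like -----BEGIN <LABEL>----- / -----END <LABEL>-----
ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}

# Constructed samples; the body is a placeholder, only the armor is inspected.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\n(base64 encoded data)\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n(base64 encoded data)\n-----END CERTIFICATE-----\n"


def pem_blocks(text):
    """Return [(label, encrypted)] for every well-formed PEM block in text."""
    blocks, open_label, encrypted = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = ARMOR.match(line)
        if m and m.group(1) == "BEGIN":
            open_label, encrypted = m.group(2), False
        elif m:  # END line: count the block only if it closes the open label
            if open_label == m.group(2):
                enc = encrypted or open_label.startswith("ENCRYPTED")
                blocks.append((open_label, enc))
            open_label = None
        elif open_label and line.startswith("Proc-Type:") and "ENCRYPTED" in line:
            encrypted = True  # legacy OpenSSL header of a password-protected key
    return blocks


def check_key_file(text):
    """Classify the content of the file selected for the private key field."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    if not labels:
        return "error: no PEM start line (empty, truncated or non-PEM file)"
    if not any(label in KEY_LABELS for label in labels):
        if any(label in CERT_LABELS for label in labels):
            return "error: file holds a certificate, not a private key (cert/key swapped?)"
        return "error: unexpected PEM type: " + ", ".join(labels)
    if any(enc for label, enc in blocks if label in KEY_LABELS):
        return "ok: encrypted private key (password required)"
    return "ok: private key"


if __name__ == "__main__":
    for name, content in (("key", SAMPLE_KEY), ("cert", SAMPLE_CERT), ("empty", "")):
        print(name, "->", check_key_file(content))
```
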

Comment 5 Fedora End Of Life 2013-01-16 13:07:42 UTC
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Fedora End Of Life 2013-02-13 13:47:50 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.