Created attachment 1472811
sample OVPN that works in TunnelBlick

Description of problem:
NM can't load certificate based OVPN. NM logs state that the p12 can't be loaded.

Version-Release number of selected component (if applicable):
Fedora 28, openvpn 2.4.6, openssl 1.1

How reproducible:
Open WiFi icon, click VPN off > VPN Settings, Click (+), Add VPN > Import from file.. > Choose the ovpn file and click open

Steps to Reproduce:
1. Click VPN Off > Connect
2.
3.

Actual results:
Activation of network connection failed

Expected results:
Connect to the VPN server

Additional info:
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: library versions: OpenSSL 1.1.0h-fips 27 Mar 2018, LZO 2.08
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Error opening file /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Exiting due to fatal error
Created attachment 1472813
VPN Config with p12
> WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible

You must make sure that openvpn can read the file. That means, for example, that the file permissions (rwx) allow for that, including the parent directories of the file. It also means that the SELinux label must be correct.

What gives
$ ls -laZ /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
?
Here's the permission setting:

[works@works-mobi ~]$ ls -laZ /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
-rw-r--r--. 1 works works unconfined_u:object_r:user_home_t:s0 3957 Aug 1 15:42 /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

User works:works has the necessary permission to read.
The SELinux label isn't right. The journal should also be full of SELinux denials trying to access the file. It seems the file needs a label like "unconfined_u:object_r:home_cert_t:s0". You'd get that automatically by placing the file into ~/.certs instead. Does `chcon -t home_cert_t $FILE` help?
Yes, that did the trick! Cheers.
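
The two checks discussed in this thread (file mode and SELinux type), as an added example that is not part of the original bug report or of NetworkManager. The function names and the WARN/FAIL/OK output format are hypothetical, and `home_cert_t` as the expected type is taken from the comment above and assumed to match the local policy.

```shell
#!/bin/sh
# Added example: triage a client certificate that a confined VPN service cannot open.
WANT_TYPE=home_cert_t   # type suggested in the thread; assumed correct for the local policy

# Print the type field of an SELinux context (user:role:type:level); empty if none.
selinux_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# audit_cert MODE CONTEXT
# MODE is the octal permission string (stat -c %a), CONTEXT the SELinux context
# (stat -c %C). Prints one line per finding, or OK. Always returns 0.
audit_cert() {
    clean=1
    # Any group/other bit set triggers OpenVPN's "group or others accessible" warning.
    if [ $(( 0$1 & 077 )) -ne 0 ]; then
        echo "WARN mode=$1 group/others have access; fix: chmod go-rwx FILE"
        clean=0
    fi
    ctype=$(selinux_type "$2")
    if [ -z "$ctype" ]; then
        echo "INFO no SELinux context reported"
    elif [ "$ctype" != "$WANT_TYPE" ]; then
        # DAC bits can allow the read while the SELinux type still blocks it.
        echo "FAIL type=$ctype want=$WANT_TYPE; fix: chcon -t $WANT_TYPE FILE"
        clean=0
    fi
    [ "$clean" -eq 1 ] && echo "OK"
    return 0
}

if [ "$#" -ge 1 ]; then
    # Audit a real file (GNU stat; %C prints the SELinux context).
    audit_cert "$(stat -c %a "$1")" "$(stat -c %C "$1" 2>/dev/null)"
else
    # Values reported in the thread for the .p12 file, before the relabel.
    audit_cert 644 unconfined_u:object_r:user_home_t:s0
fi
```

With the thread's values this reports both the mode warning and the label failure; only the relabel was needed to get the connection working in this report.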