Bug 1611812 - NM OVPN Error opening file p12
Summary: NM OVPN Error opening file p12
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Version: 28
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-08-02 19:08 UTC by matvrix
Modified: 2018-08-04 00:54 UTC

Last Closed: 2018-08-04 00:54:34 UTC
Type: Bug
Attachments
sample OVPN that works in TunnelBlick (255 bytes, text/plain)
2018-08-02 19:08 UTC, matvrix
VPN Config with p12 (603.59 KB, image/png)
2018-08-02 19:17 UTC, matvrix

Description matvrix 2018-08-02 19:08:52 UTC
Created attachment 1472811
sample OVPN that works in TunnelBlick

Description of problem:
NM can't load certificate-based OVPN. NM logs state that the p12 can't be loaded.

Version-Release number of selected component (if applicable):
Fedora 28, openvpn 2.4.6, openssl 1.1

How reproducible:
Open WiFi icon, click VPN off> VPN Settings, Click (+), Add VPN > Import from file..> Choose the ovpn file and click open

Steps to Reproduce:
1. Click VPN Off > Connect
2.
3.

Actual results:
Activation of network connection failed

Expected results:
Connect to the VPN server

Additional info:
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: library versions: OpenSSL 1.1.0h-fips  27 Mar 2018, LZO 2.08
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Error opening file /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Exiting due to fatal error

Comment 1 matvrix 2018-08-02 19:17:50 UTC
Created attachment 1472813
VPN Config with p12

Comment 2 Thomas Haller 2018-08-02 20:31:47 UTC
> WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible

You must make sure that openvpn can read the file.

That means, for example, that the file permissions (rwx) allow for that, including the parent directories of the file.

It also means that the SELinux label must be correct. What gives

$ ls -laZ /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

?

Comment 3 matvrix 2018-08-02 20:39:24 UTC
Here's the permission setting:
[works@works-mobi ~]$ ls -laZ /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
-rw-r--r--. 1 works works unconfined_u:object_r:user_home_t:s0 3957 Aug  1 15:42 /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

user works:works has the necessary permission to read.

Comment 4 Thomas Haller 2018-08-03 05:43:00 UTC
The SELinux label isn't right. The journal should also be full of SELinux denials trying to access the file.

It seems the file needs a label like "unconfined_u:object_r:home_cert_t:s0".

You'd get that automatically by placing the file into ~/.certs instead.

Does `chcon -t home_cert_t $FILE` help?

Comment 5 matvrix 2018-08-04 00:54:34 UTC
Yes, that did the trick! Cheers.
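
An added example, not part of the original thread or of NetworkManager-openvpn: a POSIX shell function that reads one `ls -laZ` line and reports the two conditions discussed above, the group/others-accessible mode that OpenVPN warned about and the SELinux type. It assumes the `ls -laZ` column layout shown in comment 3 and takes `home_cert_t` from comment 4 as the expected type; `audit_cert_listing`, the `acl_*` variables and the second sample line are made up for illustration.

```shell
#!/bin/sh
# Sample input: the first line is the listing from comment 3, the second is a
# constructed "fixed" state (owner-only mode, home_cert_t, hypothetical path).
SAMPLE_BAD='-rw-r--r--. 1 works works unconfined_u:object_r:user_home_t:s0 3957 Aug  1 15:42 /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12'
SAMPLE_GOOD='-rw-------. 1 works works unconfined_u:object_r:home_cert_t:s0 3957 Aug  1 15:42 /home/works/.certs/client.p12'

# audit_cert_listing LINE
# Prints one finding per problem. Returns 0 when the mode is owner-only and
# the SELinux type is home_cert_t, 1 otherwise.
audit_cert_listing() {
    set -f            # no globbing while the line is word-split
    set -- $1         # $1 = mode string, $5 = SELinux context
    set +f
    acl_mode=$1 acl_ctx=$5 acl_rc=0
    # A context is user:role:type:level; the type is the third field.
    acl_type=$(printf '%s\n' "$acl_ctx" | cut -d: -f3)
    # Characters 5-10 of the mode string are the group and others bits.
    acl_go=$(printf '%s\n' "$acl_mode" | cut -c5-10)
    if [ "$acl_go" != "------" ]; then
        echo "mode $acl_mode: group or others accessible (OpenVPN warns; chmod 600 clears it)"
        acl_rc=1
    fi
    if [ "$acl_type" != "home_cert_t" ]; then
        echo "SELinux type $acl_type: expected home_cert_t (chcon -t home_cert_t FILE, or keep the file in ~/.certs)"
        acl_rc=1
    fi
    return $acl_rc
}

# Demonstration on the embedded samples; on a real system pass
# "$(ls -laZ "$FILE")" instead.
for acl_line in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    audit_cert_listing "$acl_line" && echo "ok: owner-only mode and home_cert_t"
done
```

The listing from comment 3 produces both findings, which matches the thread: ordinary read permission for the owner was present, but the `user_home_t` type was what stopped the confined OpenVPN process from opening the file.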

