FS#47481 - [openvpn] 2.3.8 no longer prompts for certificate private key password

Attached to Project: Arch Linux
Opened by sgt_b2002 (sgt_b2002) - Monday, 21 December 2015, 23:15 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 28 December 2015, 17:28 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Thomas Bächler (brain0)
Sébastien Luttringer (seblu)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


After upgrading from OpenVPN 2.3.8 from 2.3.5 attempts to start an OpenVPN connection via systemd do not include a prompt for certificate private key password. Instead, only the username and password prompts appear. Executing OpenVPN outside of systemd via command line works correctly and prompts for username, password, and certificate private key password are provided.

There are no errors that I can see.

Removing --daemon from the unit file results in the prompt for the private key password appearing, but this is not ideal.
Adding --askpass to the unit file does not appear to have any effect.

Additional info:
openvpn 2.3.8-2
May be related to https://bugs.archlinux.org/task/46422

Steps to reproduce:
Launch openvpn via systemd with a private key requiring a password.
This task depends upon

Closed by  Sébastien Luttringer (seblu)
Monday, 28 December 2015, 17:28 GMT
Reason for closing:  Fixed
Comment by Doug Newgard (Scimmia) - Wednesday, 23 December 2015, 00:27 GMT
In a Qt environment? May have to do with pinentry-qt4 no longer existing.
Comment by sgt_b2002 (sgt_b2002) - Wednesday, 23 December 2015, 02:02 GMT
Previously the password prompt would show up in the console, not a pop-up. GPG password prompt is a pinentry and works fine.
If there's something specific you need me to provide just let me know.
Comment by Sébastien Luttringer (seblu) - Saturday, 26 December 2015, 11:43 GMT
Test with 2.3.9, there is new fix about systemd askpass.
Comment by sgt_b2002 (sgt_b2002) - Saturday, 26 December 2015, 15:29 GMT
Running 2.3.9 now. OpenVPN 2.3.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2015
Still not being prompted for my certificate private key password.
If there's anything you'd like me to do just let me know.
Comment by Sébastien Luttringer (seblu) - Monday, 28 December 2015, 12:56 GMT
Yes, report this issue upstream. There is at least 2 bug reports about this kind of trouble closed as fixed in last version.

For reference:
Comment by sgt_b2002 (sgt_b2002) - Monday, 28 December 2015, 15:53 GMT Comment by sgt_b2002 (sgt_b2002) - Monday, 28 December 2015, 16:56 GMT
As advised in OpenVPN ticket 641 (https://community.openvpn.net/openvpn/ticket/641#no1), adding --askpass to the unit file after upgrading to 2.3.9 is required in order to receive a prompt for the certificate private key password.
Modifying /lib/systemd/system/openvpn@.service as follows resolved the issue for me.

Description=OpenVPN connection to %i

ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --askpass --daemon openvpn@%i --writepid /run/openvpn@%i.pid

Comment by Sébastien Luttringer (seblu) - Monday, 28 December 2015, 17:28 GMT
No need to change the unit. Put askpass in your ovpn config.