FS#47481 - [openvpn] 2.3.8 no longer prompts for certificate private key password

Attached to Project: Arch Linux
Opened by sgt_b2002 (sgt_b2002) - Monday, 21 December 2015, 23:15 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 28 December 2015, 17:28 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Thomas Bächler (brain0)
Sébastien Luttringer (seblu)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
After upgrading to OpenVPN 2.3.8 from 2.3.5, attempts to start an OpenVPN connection via systemd do not include a prompt for the certificate private key password. Instead, only the username and password prompts appear. Executing OpenVPN outside of systemd via the command line works correctly, and prompts for username, password, and certificate private key password are provided.

There are no errors that I can see.

Removing --daemon from the unit file results in the prompt for the private key password appearing, but this is not ideal.
Adding --askpass to the unit file does not appear to have any effect.

Additional info:
openvpn 2.3.8-2
May be related to https://bugs.archlinux.org/task/46422

Steps to reproduce:
Launch openvpn via systemd with a private key requiring a password.

Closed by  Sébastien Luttringer (seblu)
Monday, 28 December 2015, 17:28 GMT
Reason for closing:  Fixed
Comment by Doug Newgard (Scimmia) - Wednesday, 23 December 2015, 00:27 GMT
In a Qt environment? May have to do with pinentry-qt4 no longer existing.
Comment by sgt_b2002 (sgt_b2002) - Wednesday, 23 December 2015, 02:02 GMT
Previously the password prompt would show up in the console, not a pop-up. GPG password prompt is a pinentry and works fine.
If there's something specific you need me to provide just let me know.
Comment by Sébastien Luttringer (seblu) - Saturday, 26 December 2015, 11:43 GMT
Test with 2.3.9; there is a new fix for systemd askpass.
Comment by sgt_b2002 (sgt_b2002) - Saturday, 26 December 2015, 15:29 GMT
Running 2.3.9 now. OpenVPN 2.3.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2015
Still not being prompted for my certificate private key password.
If there's anything you'd like me to do just let me know.
Comment by Sébastien Luttringer (seblu) - Monday, 28 December 2015, 12:56 GMT
Yes, report this issue upstream. There are at least 2 bug reports about this kind of trouble closed as fixed in the last version.

For reference:
https://community.openvpn.net/openvpn/ticket/630
https://community.openvpn.net/openvpn/ticket/618
https://github.com/OpenVPN/openvpn/commit/015fe7177181fb4944ddf33debcfcd20c62ba55a
Comment by sgt_b2002 (sgt_b2002) - Monday, 28 December 2015, 15:53 GMT
Comment by sgt_b2002 (sgt_b2002) - Monday, 28 December 2015, 16:56 GMT
As advised in OpenVPN ticket 641 (https://community.openvpn.net/openvpn/ticket/641#no1), adding --askpass to the unit file after upgrading to 2.3.9 is required in order to receive a prompt for the certificate private key password.
Modifying /lib/systemd/system/openvpn@.service as follows resolved the issue for me.

[Unit]
Description=OpenVPN connection to %i

[Service]
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --askpass --daemon openvpn@%i --writepid /run/openvpn@%i.pid
PIDFile=/run/openvpn@%i.pid

[Install]
WantedBy=multi-user.target
Comment by Sébastien Luttringer (seblu) - Monday, 28 December 2015, 17:28 GMT
No need to change the unit. Put askpass in your ovpn config.
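
A check for the situation resolved in this ticket, as an added example that is not part of the original thread or of the OpenVPN or Arch packaging: it classifies a config by whether its key file is passphrase-protected and whether askpass is set. The function names, status strings and sample files are constructed for illustration; it assumes the key is a separate PEM file referenced by an unquoted path, not an inline key block.

```shell
#!/bin/sh
# Added example, not from the ticket: classify an OpenVPN config by whether
# its private key needs a passphrase and whether "askpass" is set.

# Succeeds if directive $1 appears in config $2. Comment lines start with
# "#" or ";", so their first field never equals the directive name.
has_directive() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$2"
}

# Prints one of: no-key, unreadable-key, plain-key, askpass-set, askpass-missing.
# $1 = config file, $2 = directory given to --cd (relative paths start there).
askpass_status() {
    conf=$1
    base=${2:-/etc/openvpn}
    # Assumption: the key path is unquoted and contains no spaces.
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -z "$key" ]; then echo no-key; return; fi
    case $key in /*) ;; *) key=$base/$key ;; esac
    if [ ! -r "$key" ]; then echo unreadable-key; return; fi
    # Both PEM forms of a protected key contain the word ENCRYPTED:
    # "Proc-Type: 4,ENCRYPTED" (traditional) and
    # "-----BEGIN ENCRYPTED PRIVATE KEY-----" (PKCS#8).
    if ! grep -q ENCRYPTED "$key"; then echo plain-key; return; fi
    if has_directive askpass "$conf"; then
        echo askpass-set
    else
        echo askpass-missing
    fi
}

# Constructed sample data: two configs sharing one fake encrypted key.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/client.key"
    printf '%s\n' 'client' 'auth-user-pass' 'key client.key' > "$d/before.conf"
    printf '%s\n' 'client' 'auth-user-pass' 'key client.key' 'askpass' > "$d/after.conf"
    for c in before after; do
        echo "$c.conf: $(askpass_status "$d/$c.conf" "$d")"
    done
    rm -rf "$d"
}
demo
```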