FS#53445 - [openvpn] openvpn-client systemd service stops asking for a client certificate password

Attached to Project: Arch Linux
Opened by Dolf Andringa (dolfandringa) - Saturday, 25 March 2017, 05:18 GMT
Last edited by Christian Hesse (eworm) - Sunday, 23 April 2017, 20:19 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Christian Hesse (eworm)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
Since the recent upgrade to openvpn 2.4.1, the openvpn-client systemd service stops asking for a password for the encrypted client certificate. This is caused by a change that makes the --askpass directive necessary instead of optional. This causes systemctl to report the startup as successful without asking for a password. As a consequence the openvpn connection is actually never started.

I got it working by adding the --askpass option to the ExecStart line in /usr/lib/systemd/system/openvpn-client@.service.

Additional info:
* openvpn 2.4.1
* any openvpn config with the option "pkcs12 <path-to-your-encrypted-pkcs12-client.crt>".


Steps to reproduce:
* Create an openvpn client config with an encrypted client certificate
* systemctl start openvpn-client@<myconfig>
* Systemd reports startup as successful without asking for a password. The openvpn connection is not actually started.

Closed by Christian Hesse (eworm)
Sunday, 23 April 2017, 20:19 GMT
Reason for closing: Not a bug
Additional comments about closing: This is expected behaviour. Please discuss upstream if you disagree.
Comment by Christian Hesse (eworm) - Sunday, 23 April 2017, 20:18 GMT
From man openvpn about the --daemon option:

> Note: as soon as OpenVPN has daemonized, it can not ask for usernames,
> passwords, or key pass phrases anymore. This has certain consequences,
> namely that using a password-protected private key will fail unless
> the --askpass option is used to tell OpenVPN to ask for the pass phrase
> (this requirement is new in 2.3.7, and is a consequence of calling
> daemon() before initializing the crypto layer).

So I think this is the expected behaviour now... No need to alter the unit file, though. You should be fine to add 'askpass' to your config file.
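As an added example (not part of this report, of the Arch package, or of OpenVPN itself), the following POSIX shell check flags an OpenVPN client config that references a password-protected private key but has no 'askpass' directive, which is exactly the condition under which the systemd unit reports a successful start while the tunnel never comes up. It assumes that a pkcs12 bundle is password-protected and inspects PEM keys (file or inline <key> block) only for the ENCRYPTED marker; quoted paths and paths with spaces are not handled.

```shell
#!/bin/sh
# Constructed check, not from the bug report or OpenVPN: does an OpenVPN client
# config reference a password-protected key without an 'askpass' directive?
# Once daemonized, OpenVPN cannot prompt, so such a config "starts" and never connects.
# check_askpass exit codes: 0 = askpass present, 1 = askpass missing,
#                           2 = no password-protected key referenced.

# First argument of a directive, ignoring '#'/';' comments ($1 = config, $2 = directive).
ovpn_directive() {
    sed -n -e 's/[;#].*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Does the config contain the directive, with or without an argument?
ovpn_has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Is the configured key password-protected?  pkcs12 bundles are assumed to be
# (assumption matching the report); PEM keys are checked for the ENCRYPTED marker.
key_is_encrypted() {
    cfg=$1
    if ovpn_has_directive "$cfg" pkcs12; then return 0; fi
    keyfile=$(ovpn_directive "$cfg" key)
    if [ -n "$keyfile" ]; then
        # Relative key paths are resolved against the config's directory.
        case $keyfile in /*) ;; *) keyfile=$(dirname "$cfg")/$keyfile ;; esac
        if [ -f "$keyfile" ] && grep -q ENCRYPTED "$keyfile"; then return 0; fi
        return 1
    fi
    # Inline <key>...</key> block
    sed -n '/^<key>/,/^<\/key>/p' "$cfg" | grep -q ENCRYPTED
}

# Report the combination that makes the systemd unit start without ever connecting.
check_askpass() {
    cfg=$1
    if ! key_is_encrypted "$cfg"; then
        echo "$cfg: no password-protected key referenced"; return 2
    fi
    if ovpn_has_directive "$cfg" askpass; then
        echo "$cfg: askpass present"; return 0
    fi
    echo "$cfg: password-protected key but no 'askpass' directive" >&2
    return 1
}
```

Call check_askpass with the path of the config the unit would load (for openvpn-client@foo, that is foo.conf in /etc/openvpn/client).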
