
Not possible to add existing ca?
Closed, Invalid | Public | BUG

Description

Hello,

I don't understand how to add an existing CA or cert in 1.4. Is it not possible?
This doesn't work:

vyos@hostname# set pki ca test certificate "-----BEGIN CERTIFICATE-----
> cert1 data
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> cert2 data
> -----END CERTIFICATE-----"

  Cannot use the newline character in a value string
  Value validation failed
  Set failed

[edit]

I also tried to remove all newlines, but that didn't work either.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Viacheslav changed the subtype of this task from "Task" to "Bug". Sep 7 2021, 6:26 AM
Viacheslav added a project: VyOS 1.4 Sagitta.

You don't need the "BEGIN|END" lines.
For example

set pki ca openvpn_vtun10 certificate 'MIIDSzCCAjOgAwIBAgIUEtkjCVKmZCwUeYLenoznpkxMeZswQ=='

Hello, sorry, but I tried this and I get "Invalid certificate on CA certificate "test"":

# cat /config/auth/my_working_ca  | head -n -1 | tr -d '\n'
MII....
# set pki ca test certificate MII...
# set interfaces openvpn vtun0 tls ca-certificate test
(I removed the -----BEGIN and END----- lines)
[edit]
# commit

Invalid certificate on CA certificate "test"

[[]] failed

Must specify OpenVPN operation mode

[[interfaces openvpn vtun0]] failed
Commit failed

Also, I don't understand how to add a CA certificate chain with both the CA and an intermediate.

I don't have control over the OpenVPN server, so I can't change anything over there; it worked in the June snapshot before PKI was introduced.

Edit: I saw another error when I fixed the "OpenVPN operation mode":
Missing "tls certificate" on openvpn interface vtun0

I don't have a TLS certificate, only a CA and user/pass auth.

Can you share your CA's public cert for testing?

Missing "tls certificate" on openvpn interface vtun0

This error was fixed in today's rolling release while fixing T3805.

I use:

[email protected]:~$ show configuration commands | match "vtun|VyOS_OpenVPN" | strip-private
set interfaces openvpn vtun10 authentication password xxxxxx
set interfaces openvpn vtun10 authentication username 'vyos'
set interfaces openvpn vtun10 disable
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 remote-host 'xxx.xxx.151.254'
set interfaces openvpn vtun10 tls ca-certificate 'VyOS_OpenVPN'
set interfaces openvpn vtun10 use-lzo-compression
set pki ca VyOS_OpenVPN certificate 'MIIDeDCCAuGgAwIBAgIJAK1IW9pa2Z3ZMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAeFw0xMzA4MTkwODI1NTJaFw0yMzA4MTcwODI1NTJaMIGFMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzcqEvHetUIRZ3gAkn0+cj6PobVQ17FZfTJCOXXq5yCVsyuQYtkjXQ+ZkLAS2p235KlmRUB14YVKy5MthW82ItJuyVFF8LrO5krKsFQDwgR3JnmpwMt2jA0ydnUdvSutaWowL5vqgekoiNgAdEst0b/gRKujPks5JhIAzGAmjTlUCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUmcbBtMQu6jyDeINoJypPPD9F280wgboGA1UdIwSBsjCBr4AUmcbBtMQu6jyDeINoJypPPD9F282hgYukgYgwgYUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xGDAWBgNVBAMTD0ZvcnQtRnVuc3RvbiBDQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluggkArUhb2lrZndkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCx8RNilfXN2p+o+CeuKPfwv9mxlNpHLUzezM97ZzCw8TevBRBJS25mOOMMgos01KsUx12NBM5m2q5hfZ2MnsCMAzyMot0aCF1Cd3kjFDbpk1SfAUyxfzdN2h0mCUzwaD1xQGjFQL2WoUueBpf3gZJsdwOCCONfeM5EJ/NKh4WphA=='

Your problem is that this is not a CA certificate, it's the server's certificate.

[email protected]:~$ openssl x509 -in foo.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            93:14:e4:75:eb:64:31:88:eb:95:eb:83:d4:bf:36:a2
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN = Loopia
        Validity
            Not Before: Oct 19 07:20:59 2020 GMT
            Not After : Jan 22 07:20:59 2023 GMT
        Subject: CN = openvpn.loopia.se
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:c7:52:5d:54:54:eb:34:c2:e7:89:56:6f:c9:2f:
                    e5:ab:38:cf:89:df:5a:e4:a2:bf:b1:b5:b6:25:bc:
                    69:d1:2b:82:25:65:ee:c4:a1:35:58:28:ff:23:a8:
                    c9:e1:65:9f:58:e6:89:72:df:c5:45:d3:9e:84:47:
                    97:78:a0:d9:87:62:88:ab:97:30:39:7a:29:b7:36:
                    0f:7d:33:e7:81:ff:4b:91:fd:f6:80:21:0e:ab:9c:
                    66:07:ac:1f:c3:e5:14
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                0B:30:8C:DE:62:38:01:ED:17:EA:DC:EE:08:6A:66:FB:62:84:CC:E7
            X509v3 Authority Key Identifier:
                keyid:3F:89:F1:82:97:DE:0A:C5:C9:B5:17:00:66:BA:45:1B:A1:D1:0E:26
                DirName:/CN=Loopia
                serial:29:F0:A2:0E:EE:98:C2:29:45:42:51:85:A8:2E:FE:2F:E4:82:04:9F

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:openvpn.loopia.se
    Signature Algorithm: ecdsa-with-SHA512
         30:65:02:31:00:e9:54:b6:d5:72:6c:af:3b:ef:51:a9:69:c3:
         8d:5e:89:0f:76:44:da:92:4c:1c:fc:4d:24:ed:c3:2c:e6:ad:
         e0:da:43:74:ca:83:c8:5f:bc:e9:42:4d:b5:cf:15:27:ea:02:
         30:2d:33:bd:36:53:a5:d5:e4:db:89:6c:00:dd:53:8e:86:6a:
         4d:63:4f:81:ca:18:b3:7f:58:44:9d:f6:39:41:01:35:3f:a5:
         77:44:99:25:d9:9c:3c:79:7f:45:29:9d:dc
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

So the error is correct.

You must import it as a certificate:

[email protected]# set pki certificate t3809 certificate ...
[email protected]# commit

Thanks, I got it working now.
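Two things tripped the reporter up in this thread: the CLI wants the certificate as one line of base64 without the `-----BEGIN/END-----` armour, and a leaf (server) certificate is rejected under `pki ca` because it carries `CA:FALSE` in Basic Constraints. The script below is an added example (my code, not VyOS's and not posted by anyone in the thread) that makes both checks mechanical: it splits a PEM bundle into certificates, strips armour and newlines into the single-line form, reads Basic Constraints directly from the DER with a small parser (no third-party library), and emits `set pki ca` for CA certificates and `set pki certificate` for leaf certificates. A bundle with several certificates produces one numbered entry per certificate, so a root and an intermediate become separate `pki ca` entries. The sample input is the Fort-Funston CA certificate posted earlier in the thread, re-wrapped into PEM; the function names and the `name_0`, `name_1` labelling are my own choices.

```python
"""Prepare certificates for VyOS 1.4 'set pki ...' commands.

Added example, not VyOS code: splits a PEM bundle into certificates, strips
the armour and newlines into the single-line base64 the CLI accepts, reads
Basic Constraints straight from the DER, and picks 'pki ca' vs 'pki
certificate' accordingly so a leaf cert is never imported as a CA.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints 2.5.29.19
OID_COMMON_NAME = bytes.fromhex("550403")        # id-at-commonName 2.5.4.3

# Sample input: the Fort-Funston CA certificate posted earlier in this thread
# (the OpenVPN sample CA), re-wrapped into PEM form here to exercise the parser.
SAMPLE_CA_B64 = "MIIDeDCCAuGgAwIBAgIJAK1IW9pa2Z3ZMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAeFw0xMzA4MTkwODI1NTJaFw0yMzA4MTcwODI1NTJaMIGFMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzcqEvHetUIRZ3gAkn0+cj6PobVQ17FZfTJCOXXq5yCVsyuQYtkjXQ+ZkLAS2p235KlmRUB14YVKy5MthW82ItJuyVFF8LrO5krKsFQDwgR3JnmpwMt2jA0ydnUdvSutaWowL5vqgekoiNgAdEst0b/gRKujPks5JhIAzGAmjTlUCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUmcbBtMQu6jyDeINoJypPPD9F280wgboGA1UdIwSBsjCBr4AUmcbBtMQu6jyDeINoJypPPD9F282hgYukgYgwgYUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xGDAWBgNVBAMTD0ZvcnQtRnVuc3RvbiBDQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluggkArUhb2lrZndkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCx8RNilfXN2p+o+CeuKPfwv9mxlNpHLUzezM97ZzCw8TevBRBJS25mOOMMgos01KsUx12NBM5m2q5hfZ2MnsCMAzyMot0aCF1Cd3kjFDbpk1SfAUyxfzdN2h0mCUzwaD1xQGjFQL2WoUueBpf3gZJsdwOCCONfeM5EJ/NKh4WphA=="
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\n"
                 + "\n".join(SAMPLE_CA_B64[i:i + 64]
                             for i in range(0, len(SAMPLE_CA_B64), 64))
                 + "\n-----END CERTIFICATE-----\n")


def split_pem_bundle(text):
    """One-line base64 body for every certificate in a PEM bundle, in order."""
    return [re.sub(r"\s+", "", m.group(1)) for m in PEM_RE.finditer(text)]


def _read_tlv(buf, pos):
    """Decode the DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """(tag, value) pairs for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _tbs_fields(der):
    """Top-level fields of tbsCertificate with the optional [0] version removed."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    tbs = next(v for _, v in _children(cert))
    fields = list(_children(tbs))
    return fields[1:] if fields[0][0] == 0xA0 else fields


def subject_cn(der):
    """commonName from the subject Name, or None if absent."""
    subject = _tbs_fields(der)[4][1]        # serial, sigAlg, issuer, validity, subject
    for _, rdn in _children(subject):       # RDNSequence -> SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8", "replace")
    return None


def is_ca_certificate(der):
    """True only if Basic Constraints is present with cA=TRUE (DEFAULT FALSE otherwise)."""
    for tag, value in _tbs_fields(der):
        if tag != 0xA3:                     # [3] EXPLICIT Extensions
            continue
        _, ext_list, _ = _read_tlv(value, 0)
        for _, ext in _children(ext_list):  # Extension ::= SEQUENCE {extnID, critical?, extnValue}
            parts = list(_children(ext))
            if parts[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc, _ = _read_tlv(parts[-1][1], 0)   # extnValue OCTET STRING wraps a SEQUENCE
            return any(t == 0x01 and v != b"\x00" for t, v in _children(bc))
    return False


def describe_bundle(pem_text):
    """[(subject CN, is_ca)] for each certificate in the bundle."""
    out = []
    for b64 in split_pem_bundle(pem_text):
        der = base64.b64decode(b64, validate=True)
        out.append((subject_cn(der), is_ca_certificate(der)))
    return out


def vyos_pki_commands(pem_text, name):
    """'set pki ...' lines: CA certs under 'pki ca', leaf certs under 'pki certificate'.
    Several certificates get numbered names (name_0, name_1, ...), one entry each."""
    bodies = split_pem_bundle(pem_text)
    cmds = []
    for i, b64 in enumerate(bodies):
        der = base64.b64decode(b64, validate=True)
        tree = "ca" if is_ca_certificate(der) else "certificate"
        label = name if len(bodies) == 1 else f"{name}_{i}"
        cmds.append(f"set pki {tree} {label} certificate '{b64}'")
    return cmds


if __name__ == "__main__":
    for cn, ca in describe_bundle(SAMPLE_BUNDLE):
        print(f"{cn}: {'CA certificate' if ca else 'leaf certificate, use pki certificate'}")
    for cmd in vyos_pki_commands(SAMPLE_BUNDLE, "VyOS_OpenVPN"):
        print(cmd[:70] + "...")
```

Run it against the bundle your VPN provider gave you and paste the emitted lines into configure mode. It only answers the question the commit error asks (is this a CA or a leaf?) and does not verify signatures, expiry or that the chain actually links up; `openssl x509 -text` as shown above remains the tool for that. If a file yields only `pki certificate` lines, you were given the server certificate rather than the CA, exactly the situation c-po diagnosed above.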