User Details
- User Since
- Nov 11 2017, 8:13 PM (335 w, 6 d)
Sat, Apr 13
Thanks for the quick fix! I intentionally messed with the file ownership and can confirm that VyOS 1.5-rolling-202404130016 will correct them to the proper values.
Sat, Mar 23
Jan 20 2024
Tested https://github.com/vyos/vyos-1x/pull/2857 and confirmed that it works properly now. Thanks for the quick fix!
Jan 17 2024
Sure. I did some further testing and it looks like this is triggered if the client sends DHCP option 81 (FQDN). To reproduce:
Jan 16 2024
Jan 8 2024
The issue with the missing domain name in /etc/hosts with hostfile-update, as mentioned above, seems to trigger another problem. The hostname requested by the client seems to be added to /etc/hosts verbatim and some clients (e.g. some Windows machines and printers) request a fully qualified name with a trailing dot. Since pdns-recursor unconditionally appends a dot, there are now two trailing dots, causing pdns-recursor to crash if it restarts.
Apr 10 2023
I found the issue. This was caused by bumping the Debian packaging scripts from debian/2%2.10-10 to debian/2%2.10-12, which includes https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c. This is not compatible with VyOS because VyOS uses a config path in /run.
Thanks, I ran the ethernet smoke tests, but not the wireless ones. I'll investigate right away.
Closing as resolved because the PRs were merged (thanks for the quick review!)
Apr 9 2023
For eapol specifically, if your use case involves only a single chain (1 root CA + 1 or more intermediate CAs), then my fix from T4245 should do the trick. You can add each root/intermediate CA to the PKI and then set eapol to the leaf intermediate CA. When the wpa_supplicant configuration is generated, VyOS will add the intermediate CA and all of its parents to the .crt file.
Submitted PRs:
Sep 2 2022
In case anyone comes across this bug report, I submitted a couple PRs to fix this earlier this year: https://phabricator.vyos.net/T4245
I've submitted a PR to reintroduce the patch: https://github.com/vyos/vyos-build/pull/259
Sep 1 2022
Feb 20 2022
Closing this as resolved since both PRs have been merged.
Feb 18 2022
PR for documentation: https://github.com/vyos/vyos-documentation/pull/719
I've submitted a PR here: https://github.com/vyos/vyos-1x/pull/1227
Feb 17 2022
After further testing, it looks like it's not necessary to have <iface>_ca.pem contain both the server and client chains of trust.
I started working on implementing my "alternative" idea. It's a little bit more complicated than I first thought because we have to consider both the server and client chain of trust.
Feb 14 2022
Alternatively, since the pki code seems to already recognize parents/issuers:
I've submitted a PR to fix this here: https://github.com/vyos/vyos-1x/pull/1220