Hello listmates,
I've got this CentOS 5.5 box which I am trying to configure as an OpenVPN server. Now 2.1.4 seems to have added pkcs11 support and that stops me from creating the CA and other necessary files:
[root@gw5fl 2.0]# . ./vars
bash: /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/whichopensslcnf: Permission denied
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/keys
[root@gw5fl 2.0]# ./clean-all
[root@gw5fl 2.0]# ./build-ca
Please edit the vars script to reflect your configuration, then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
[root@gw5fl 2.0]#
Now, the tool I seem to need (from the "vars" file):
export PKCS11TOOL="pkcs11-tool"
does not seem to be there and I am not sure how to install it as I couldn't find it.
So, any perspective on what this mess is all about and how to get out of it would be much appreciated.
Thanks.
Boris.
On Thu, Jan 20, 2011 at 12:03 PM, Joseph L. Casale jcasale@activenetwerx.com wrote:
[root@gw5fl 2.0]# . ./vars
bash: /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/whichopensslcnf: Permission denied
See that error above? Make that script executable... It's a bash script `vars` is calling and not able to execute.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Joseph,
Thanks, did that though this did not fix my problem - I still get the same error message.
Boris.
On Thu, Jan 20, 2011 at 12:25 PM, Joseph L. Casale jcasale@activenetwerx.com wrote:
Thanks, did that though this did not fix my problem - I still get the same error message.
The only error I saw was a lack of ability to run whichopensslcnf. pkitool is a shell script which should be executable and in that folder as well. Is it executable?
Yes it sure is.
Boris.
Boris Epstein wrote:
On Thu, Jan 20, 2011 at 12:03 PM, Joseph L. Casale jcasale@activenetwerx.com wrote:
[root@gw5fl 2.0]# . ./vars
bash: /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/whichopensslcnf: Permission denied
See that error above? Make that script executable... It's a bash script `vars` is calling and not able to execute.
Thanks, did that though this did not fix my problem - I still get the same error message.
Two questions: first, what's the ownership of the file, and the directory, and second, is selinux enforcing?
mark
Mark,
Thanks.
The SELinux is enforcing.
The easy-rsa directory/file permissions are as follows:
[root@gw5fl ~]# find /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0 -exec ls -ld {} \;
drwxr-xr-x 3 root root 4096 Jan 20 11:22 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0
-rwxr-xr-x 1 root root 165 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-key
-rwxr-xr-x 1 root root 354 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-dh
-rw-r--r-- 1 root root 920 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/revoke-full
-rw-r--r-- 1 root root 297 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/list-crl
-rw-r--r-- 1 root root 1459 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/inherit-inter
-rw-r--r-- 1 root root 9281 Oct 21 13:37 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/README
-rw-r--r-- 1 root root 389 Oct 21 13:37 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/Makefile
-rwxr-xr-x 1 root root 430 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/clean-all
-rwxr-xr-x 1 root root 215 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-req
-rw-r--r-- 1 root root 7768 Oct 21 13:37 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/openssl-0.9.6.cnf
-rwxr-xr-x 1 root root 251 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-key-pkcs12
-rwxr-xr-x 1 root root 270 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-key-server
drwx------ 2 root root 4096 Jan 20 11:22 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/keys
-rw-r--r-- 1 root root 0 Jan 20 11:22 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/keys/index.txt
-rw-r--r-- 1 root root 3 Jan 20 11:22 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/keys/serial
-rwxr-xr-x 1 root root 121 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-ca
-rw-r--r-- 1 root root 1696 Jan 20 10:46 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/vars
-rwxr-xr-x 1 root root 190 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-inter
-rw-r--r-- 1 root root 180 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/sign-req
-rwxr-xr-x 1 root root 12504 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/pkitool
-rwxr-xr-x 1 root root 160 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-req-pass
-rwxr-xr-x 1 root root 190 Oct 21 13:37 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/whichopensslcnf
-rw-r--r-- 1 root root 8328 Oct 21 13:37 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/openssl.cnf
-rwxr-xr-x 1 root root 159 Nov 4 15:29 /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/build-key-pass
[root@gw5fl ~]#
Boris.
Boris Epstein wrote:
On Thu, Jan 20, 2011 at 12:39 PM, m.roth@5-cent.us wrote:
Boris Epstein wrote:
On Thu, Jan 20, 2011 at 12:03 PM, Joseph L. Casale jcasale@activenetwerx.com wrote:
[root@gw5fl 2.0]# . ./vars
bash: /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/whichopensslcnf: Permission denied
See that error above? Make that script executable... It's a bash script `vars` is calling and not able to execute.
Thanks, did that though this did not fix my problem - I still get the same error message.
Two questions: first, what's the ownership of the file, and the directory, and second, is selinux enforcing?
The SELinux is enforcing.
The easy-rsa directory/file permissions are as follows:
[root@gw5fl ~]# find /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0 -exec ls -ld {} \;
<snip> You missed it; first, find will cheerfully accept -ls, you don't need -exec ls... except in this case, where you need ls -alZ, to see the selinux contexts, including on the directories (which ls -l doesn't show).
mark
On 01/20/2011 01:39 PM, m.roth@5-cent.us wrote:
Boris Epstein wrote:
On Thu, Jan 20, 2011 at 12:39 PM, m.roth@5-cent.us wrote:
Boris Epstein wrote:
On Thu, Jan 20, 2011 at 12:03 PM, Joseph L. Casale jcasale@activenetwerx.com wrote:
[root@gw5fl 2.0]# . ./vars
bash: /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/whichopensslcnf: Permission denied
See that error above? Make that script executable... It's a bash script `vars` is calling and not able to execute.
Thanks, did that though this did not fix my problem - I still get the same error message.
Two questions: first, what's the ownership of the file, and the directory, and second, is selinux enforcing?
The SELinux is enforcing.
The easy-rsa directory/file permissions are as follows:
[root@gw5fl ~]# find /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0 -exec ls -ld {} \;
<snip> You missed it; first, find will cheerfully accept -ls, you don't need -exec ls... except in this case, where you need ls -alZ, to see the selinux contexts, including on the directories (which ls -l doesn't show).
mark
chcon -t bin_t -R /usr/share/doc/openvpn-2.1.4/easy-rsa
Will probably fix.
On Thu, Jan 20, 2011 at 2:31 PM, Boris Epstein borepstein@gmail.com wrote:
chcon -t bin_t -R /usr/share/doc/openvpn-2.1.4/easy-rsa
Will probably fix.
Just tried that, thanks.
Unfortunately, it did not.
Boris.
OK, I deactivated SELinux and for now looks like I am in business. Still trying to figure out what if anything went wrong and what does not agree with what.
To be continued.
Boris.
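An added example, not part of the thread or of easy-rsa: one way to walk the layers the replies above ask about (file mode and interpreter, then SELinux mode and contexts) for a script that reports "Permission denied" under root. The function names are hypothetical, and the noexec mount check is an extra layer this example assumes is worth ruling out.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Triage for "Permission denied" when root runs a script: check the file
# mode and interpreter, the mount options, and only then the SELinux layer.

# DAC: execute bit on the file, and an executable "#!" interpreter.
check_dac() {
    [ -f "$1" ] || { echo missing; return 0; }
    [ -x "$1" ] || { echo no-exec-bit; return 0; }
    interp=$(head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -n "$interp" ] && [ ! -x "$interp" ]; then
        echo bad-interpreter; return 0
    fi
    echo ok
}

# Mount layer: is the longest matching mount point mounted noexec?
# $2 is a mounts table in /proc/mounts format (default: /proc/mounts).
mount_noexec() {
    best=; opts=
    while read -r _dev mp _type o _rest; do
        case "$1/" in
            "${mp%/}"/*)
                if [ "${#mp}" -ge "${#best}" ]; then best=$mp; opts=$o; fi ;;
        esac
    done < "${2:-/proc/mounts}"
    case ",$opts," in *,noexec,*) echo yes ;; *) echo no ;; esac
}

# SELinux layer: mode plus the contexts that "ls -l" does not show.
selinux_report() {
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux: $(getenforce)"
        ls -dZ "$1" "$(dirname "$1")"
    else
        echo "selinux: tools not installed"
    fi
}

triage() {
    echo "dac: $(check_dac "$1")"
    echo "noexec: $(mount_noexec "$1")"
    selinux_report "$1"
}

# Run as: sh triage.sh /path/to/script
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

On a host running auditd, `ausearch -m avc -ts recent` lists any denials SELinux logged for the attempt, which shows the source and target contexts involved.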
Boris,
Are you using bash?
Try this: /bin/bash . ./vars
-- Peter
On 01/20/2011 08:28 AM, Boris Epstein wrote:
Hello listmates,
I've got this CentOS 5.5 box which I am trying to configure as an OpenVPN server. Now 2.1.4 seems to have added pkcs11 support and that stops me from creating the CA and other necessary files:
[root@gw5fl 2.0]# . ./vars
bash: /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/whichopensslcnf: Permission denied
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/keys
[root@gw5fl 2.0]# ./clean-all
[root@gw5fl 2.0]# ./build-ca
Please edit the vars script to reflect your configuration, then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
[root@gw5fl 2.0]#
Now, the tool I seem to need (from the "vars" file):
export PKCS11TOOL="pkcs11-tool"
does not seem to be there and I am not sure how to install it as I couldn't find it.
So, any perspective on what this mess is all about and how to get out of it would be much appreciated.
Thanks.
Boris.
On Thu, Jan 20, 2011 at 2:46 PM, Peter Blajev pblajev@ucsd.edu wrote:
Boris,
Are you using bash?
Try this: /bin/bash . ./vars
-- Peter
Peter,
Yes, I am using bash:
[root@gw5fl 2.0]# echo $SHELL
/bin/bash
[root@gw5fl 2.0]#
Boris.