[feisty] network-manager-openvpn doesn't work when using x509 and private key file has password

Bug #132060 reported by Basilio Kublik
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
NetworkManager-OpenVPN | Fix Released | Wishlist | |
network-manager-openvpn (Debian) | Incomplete | Undecided | Unassigned |
network-manager-openvpn (Ubuntu) | Fix Released | Low | Unassigned |

Bug Description

Binary package hint: network-manager-openvpn

network-manager-openvpn 0.3.2svn2342-0ubuntu3 (possibly others) doesn't ask for the private key's password if it has one, so it won't load the key file, causing the inability to connect to the VPN.

It should ask for the password when it's loading the files, just like when OpenVPN is started by the init.d script.

== syslog ==
Aug 12 15:36:44 ideafix NetworkManager: <information>^IWill activate VPN connection 'Job3', service 'org.freedesktop.NetworkManager.openvpn', user_name 'sourcer', vpn_data 'connection-type / x509 / dev / tun / remote / xxx.xxx.xxx.xxx / port / 1194 / proto / udp / ca / /etc/openvpn/job3/ca.crt / cert / /etc/openvpn/job3/bkublik.crt / key / /etc/openvpn/job3/bkublik.key / comp-lzo / yes / shared-key / / local-ip / / remote-ip / / username / / ta / /etc/openvpn/job3/ta.key / ta-dir / 1', route ''.
Aug 12 15:36:44 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 1 of 4 (Connection Prepare) scheduled...
Aug 12 15:36:44 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 1 of 4 (Connection Prepare) ran VPN service daemon org.freedesktop.NetworkManager.openvpn (PID 22675)
Aug 12 15:36:44 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 1 of 4 (Connection Prepare) complete.
Aug 12 15:36:44 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 2 of 4 (Connection Prepare Wait) scheduled...
Aug 12 15:36:44 ideafix NetworkManager: <information>^IVPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 1 -> 6.
Aug 12 15:36:44 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 2 of 4 (Connection Prepare Wait) waiting...
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 2 of 4 (Connection Prepare Wait) complete.
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 3 of 4 (Connect) scheduled...
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 3 of 4 (Connect) sending connect request.
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 3 of 4 (Connect) request sent, waiting for reply...
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 6 -> 3.
Aug 12 15:36:45 ideafix nm-openvpn[22678]: OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 2 2007
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 3 of 4 (Connect) reply received.
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 4 of 4 (IP Config Get) timeout scheduled...
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN Activation (Job3) Stage 3 of 4 (Connect) complete, waiting for IP configuration...
Aug 12 15:36:45 ideafix nm-openvpn[22678]: Cannot load private key file /etc/openvpn/job3/bkublik.key: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt: error:0906A065:PEM routines:PEM_do_header:bad decrypt: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Aug 12 15:36:45 ideafix nm-openvpn[22678]: Error: private key password verification failed
Aug 12 15:36:45 ideafix nm-openvpn[22678]: Exiting
Aug 12 15:36:45 ideafix NetworkManager: <WARNING>^I nm_vpn_service_process_signal (): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'ConnectFailed', with message 'The VPN login failed because the VPN program could not connect to the VPN server.'.
Aug 12 15:36:45 ideafix NetworkManager: <information>^IVPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 3 -> 6.
Aug 12 15:36:45 ideafix NetworkManager: <WARNING>^I nm_vpn_service_stop_connection (): (VPN Service org.freedesktop.NetworkManager.openvpn): could not stop connection 'Job3' because service was 6.

Philipp Kern (pkern) wrote :

It should be possible to remove the passphrase with a simple `openssl (rsa|dsa) -in private.key -out privatekey-without-passphrase.key' with RSA or DSA depending on the type of the private key used.

I agree with you, that there should be a prompt instead, though.

Changed in network-manager-openvpn:
importance: Undecided → Low
status: New → Confirmed
Xamusk (ronanpaixao) wrote :

I'm using this configuration in /etc/openvpn/client.conf:
------------------8<------------------
client
dev tun
proto udp
remote 10.0.0.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
cert client.pem
key clientkey.pem
verb 3
------------------8<--------------
Even though it works with invoke-rc.d in the command line, nm doesn't seem to support a config like that.
I've tried many different configurations, even one that does ask for a password, but they didn't work.
I even tried changing the nm openvpn GConf entries with gconf-editor, but those only caused nm-applet to break beyond repair till next reboot (logoff doesn't fix it and I haven't determined exactly where the error goes).

Tero Tilus (tero-tilus) wrote :

I had the same issue. Running Feisty, network-manager-gnome 0.6.4-6ubuntu7 and network-manager-openvpn 0.3.2svn2342-0ubuntu3. It appears that if my key is encrypted using a passphrase which contains spaces, the connection fails.

== syslog ==
Oct 1 11:44:37 tero nm-openvpn[13635]: Cannot load private key file /home/tero/openvpn/tero.key: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt: error:0906A065:PEM routines:PEM_do_header:bad decrypt: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Oct 1 11:44:37 tero nm-openvpn[13635]: Error: private key password verification failed
Oct 1 11:44:37 tero nm-openvpn[13635]: Exiting
== syslog ==

If I (don't tell mama and) decrypt the key as Philipp suggests connection works. It works also if I encrypt the key with a password which does NOT have any spaces. Looks like a pw containing spaces breaks something.

pascal (pascal-deception) wrote :

I'm having exactly the same problem, only I do not have spaces in my password.
Decrypting the private passwordfiles without password is not an option. It's not my network.

Would be nice though, using networking manager to connect. Although good old openvpncmd does it well.

syslog:
Oct 5 02:58:23 mainframe nm-openvpn[24972]: Cannot load private key file /home/deception/.openvpn/pascal.key: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt: error:0906A065:PEM routines:PEM_do_header:bad decrypt: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

tberger (thilo-berger) wrote :

Hi, I use Gutsy and have the same problem.

Tarik Jabri (tjabri) wrote :

I am using Gutsy and I would like to see this functionality present in the applet as well. I really enjoy the simplicity of NetworkManager in general and the ease of configuring an OpenVPN connection is great for my users except for this little hiccup. Thanks in advance for looking into it.

Basilio Kublik (sourcercito) wrote :

Hi guys,
As of today this is no longer an issue for me. Well, I don't really know when this was solved, but I tried it today just out of curiosity.
Could any of you who experience the same issue please confirm the fix? Obviously under Hardy Heron with the latest updates; my current version of network-manager-openvpn is 0.3.2svn2342-1ubuntu4.

Thanks in advance.

Changed in network-manager-openvpn:
status: Confirmed → Incomplete
tjahn (tjahn) wrote :

I am using Hardy Heron with network-manager-openvpn 0.3.2svn2342-1ubuntu4. Using a passphrase with blanks did not work for me. It took me a while to reach this bug report which has drawn my attention to the blanks in the passphrase. Trying without blanks solved my problem.

As far as I can see, the problem with blanks in passphrases still exists.

pascal (pascal-deception) wrote :

In reply to Basilio,

I can confirm that the problem no longer exists in Hardy Heron, that is, with a password without blanks.

I can't confirm for Debian yet. Haven't updated for a while.

For me, this bug is solved, and can be closed.

Thx, for the guy(s) who fixed this.

Harri (harald-dunkel) wrote :

AFAICS the problem is still in, if you are using KDE. Using Gnome I get the popup asking for the passphrase, and OpenVPN works. Using KDE there is no popup, and the connection fails.

David Clymer (vezult) wrote :

I filed a bug against the Debian package, along with a patch to fix the "fails if password contains spaces" bug, but the maintainer, <email address hidden>, seems to be ignoring Debian bugs filed against his package. The problem is that network-manager-openvpn passes the passphrases to openvpn unquoted. If these are quoted, it works perfectly.
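
The quoting problem described in the comment above, as an added C example that is not part of the thread and is not the Debian patch it mentions. It assumes the passphrase is sent as a `password "Private Key" ...` command over OpenVPN's line-based management interface, with `\` and `"` backslash-escaped inside double quotes; `mgmt_quote`, `mgmt_count_params` and `params_for` are hypothetical names, and the lexer is a simplified model of the receiving side.

```c
#include <stdio.h>
#include <string.h>

/* Quote one argument for a line-based management command: wrap it in double
 * quotes and backslash-escape '\' and '"'. CR/LF are refused because they
 * would end the command line early. Returns 0 on success, -1 on error. */
int mgmt_quote(const char *in, char *out, size_t outlen)
{
    size_t need = 3;                          /* two quotes + NUL */
    for (const char *p = in; *p; p++) {
        if (*p == '\n' || *p == '\r') return -1;
        need += (*p == '\\' || *p == '"') ? 2 : 1;
    }
    if (need > outlen) return -1;
    *out++ = '"';
    for (; *in; in++) {
        if (*in == '\\' || *in == '"') *out++ = '\\';
        *out++ = *in;
    }
    *out++ = '"';
    *out = '\0';
    return 0;
}

/* Simplified model of the receiving lexer (an assumption, not OpenVPN code):
 * count whitespace-separated parameters, treating "..." as one parameter and
 * '\' as an escape. Returns -1 for an unterminated quote. */
int mgmt_count_params(const char *line)
{
    int n = 0, in_tok = 0, in_quote = 0;
    for (const char *p = line; *p; p++) {
        if (!in_quote && (*p == ' ' || *p == '\t')) { in_tok = 0; continue; }
        if (!in_tok) { in_tok = 1; n++; }
        if (*p == '\\' && p[1]) p++;          /* skip the escaped character */
        else if (*p == '"') in_quote = !in_quote;
    }
    return in_quote ? -1 : n;
}

/* Build the reply to a "Private Key" password request and report how many
 * parameters the lexer model sees; 3 is what the command expects. */
int params_for(const char *passphrase, int quoted)
{
    char arg[256], line[320];
    if (quoted) {
        if (mgmt_quote(passphrase, arg, sizeof arg) != 0) return -1;
    } else {
        if (strlen(passphrase) >= sizeof arg) return -1;
        strcpy(arg, passphrase);              /* the unquoted form from the bug */
    }
    snprintf(line, sizeof line, "password \"Private Key\" %s", arg);
    return mgmt_count_params(line);
}

int main(void)
{
    const char *pw = "correct horse battery"; /* constructed sample passphrase */
    printf("unquoted: %d parameters\n", params_for(pw, 0));
    printf("quoted:   %d parameters\n", params_for(pw, 1));
    return 0;
}
```

A passphrase without blanks yields three parameters either way, which matches the reports in this thread that only passphrases containing spaces failed.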

Harri (harald-dunkel) wrote : Re: [Bug 132060] Re: [feisty] network-manager-openvpn doesn't work when using x509 and private key file has password

I would suggest to set the "patch" tag on the Debian bug report,
and eventually increase the priority. It would be important to
get your fix in for both Intrepid and the next Debian release.

Many thanx

Harri

Harri (harald-dunkel) wrote :

I rebuilt network-manager-openvpn including your patch, and tried it: Still no passphrase dialog. Knetworkmanager shows a scrollbar, but this gets stuck at 80%. After a few seconds there is a bubble saying

VPN Connect Failure
Could not start the VPN connection 'myvpn' due to a connection error.
 The VPN login failed because the VPN program could not connect to the VPN server.

/var/log/daemon.log says

ERROR: could not read Private Key username/password/ok/string from management interface.

Seems that the patch doesn't help :-(

David Clymer (vezult) wrote : Re: [Bug 132060] Re: [feisty] network-manager-openvpn doesn't work when using x509 and private key file has password

On Wed, 2008-10-01 at 07:36 +0000, Harri wrote:
> I rebuilt network-manager-openvpn including your patch, and tried it:
> Still no passphrase dialog. Knetworkmanager shows a scrollbar, but this
> gets stuck at 80%. After a few seconds there is a bubble saying
>
> VPN Connect Failure
> Could not start the VPN connection 'myvpn' due to a connection error.
> The VPN login failed because the VPN program could not connect to the VPN server.
>
> /var/log/daemon.log says
>
> ERROR: could not read Private Key username/password/ok/string from
> management interface.
>
>
> Seems that the patch doesn't help :-(

It addresses the issue that I mentioned, and that several other
commenters on this issue described. Apparently, your bug and mine are
not related :-(

-davidc

--
gpg-key: http://www.zettazebra.com/files/key.gpg

Harri (harald-dunkel) wrote :

Probably, but bug #132060 is about not getting a passphrase dialog. I would suggest to not post unrelated patches in a bug report.

David Clymer (vezult) wrote :

On Wed, 2008-10-01 at 12:18 +0000, Harri wrote:
> Probably, but bug #132060 is about not getting a passphrase dialog. I
> would suggest to not post unrelated patches in a bug report.
>

It was not completely unrelated:

https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/132060/comments/3

However, you are right that the original bug does describe a situation
where the user is not even prompted for a password, rather than the
password failing to decrypt the key.

I'll open another bug.

-davidc

--
gpg-key: http://www.zettazebra.com/files/key.gpg

tberger (thilo-berger) wrote :

Hi,

I have the same problem on KDE 3 and 4 (Hardy and Intrepid) with network-manager-kde. The OpenVPN works fine with network-manager-gnome (nm-applet) and in the terminal but didn't work with network-manager-kde.

Regards

Obelix

jerle (jerle-fun) wrote :

same issue and error message in Jaunty
issue should be renamed [feisty~jaunty]

jerle (jerle-fun) wrote :

actually, my private key with password used to work just fine with Hardy's network-manager-openvpn package
therefore, I'd like this issue flagged as a regression

jerle (jerle-fun) wrote :

shame shame shame on me, the "problem lied between keyboard and screen"
please disregard my last 2 comments, no problem in Jaunty

Rohan Garg (rohangarg) wrote :

Hi
Feisty is now EOL, can you still reproduce this bug on Lucid or Maverick?

Changed in network-manager-openvpn (Debian):
status: New → Incomplete
Bjoern Sk (sunseeker-gmx) wrote :

I still encounter the same bug using Kubuntu Lucid Lynx 10.04 on i386 architecture:

openvpn-2.1.0-1ubuntu1.1
network-manager-openvpn-0.8ubuntu3
network-manager-openvpn-kde-0.9~svn1112085-0ubuntu4

Connection with x509 and unprotected keyfile works, passphrase-protected keyfile fails.
Message in daemon.log:

ERROR: could not read Private Key username/password/ok/string from management interface

Harri (harald-dunkel) wrote :

Me too. I tried 10.04 today. Using network-manager-openvpn-gnome in the Gnome environment it works like a charm.

Looking at how long this bug report is open (>3 years!) it seems to me that KDE and OpenVPN are low priority. I can surely live without KDE, but OpenVPN support is a must-have to connect to the office.

tberger (thilo-berger) wrote :

Hi.

I tested KDE Networkmanager on many distributions. In all versions the KDE Networkmanager doesn't work with x509 and private key. Gnome Networkmanager (nm-applet) works fine.

Conclusion for my part: It's not only a Problem with Ubuntu. The question I ask myself is, who can ask?

Best regards

Obelix

Tero Tilus (tero-tilus) wrote : Re: [Bug 132060] Re: [feisty] network-manager-openvpn doesn't work when using x509 and private key file has password

Obelix, 2010-08-28 09:21:
> I tested KDE Networkmanager on many distributions. In all versions
> the KDE Networkmanager doesn't work with x509 and private key. Gnome
> Networkmanager (nm-applet) works fine.

Did you test Gnome nm-applet using private key with passphrase that
contains spaces? It used to work for me except in that particular
case. (I'm not currently using VPN and don't really care, just being
curious)

--
Tero Tilus ## 050 3635 235 ## http://tero.tilus.net/

tberger (thilo-berger) wrote :

Passphrase doesn't have spaces.

regards

Obelix

SaxonBeef (pbourguignon) wrote :

Hi,

I concur with Obelix: the problem is not specific to Ubuntu (nor Debian). Obviously an upstream fix should be sought.
In case it helps getting the status updated to "Confirmed", here is a summary:

Package: network-manager-openvpn-kde, version 0.9~svn1112085-0ubuntu4

Summary: Passphrase for the openvpn key cannot be entered. There is no field for it on the setup panel, and the user is not prompted for it when trying to connect.

Steps to reproduce:
1. Configure an openvpn connection via network-manager > Manage connections... > VPN > Add... Make sure to use a passphrase protected key (otherwise everything works fine).
2. When online, try to activate the tunnel by clicking on its icon in the kde-network-manager menu.
3. The interface will report 'Activating...', and the connection attempt will then fail silently.

Log traces (from syslog):

Sep 15 17:26:50 lap-ibm12 NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Sep 15 17:26:50 lap-ibm12 NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 9028
Sep 15 17:26:50 lap-ibm12 NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Sep 15 17:26:50 lap-ibm12 NetworkManager: <info> VPN plugin state changed: 1
Sep 15 17:26:50 lap-ibm12 NetworkManager: <info> VPN plugin state changed: 3
Sep 15 17:26:50 lap-ibm12 nm-openvpn[9031]: OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Sep 15 17:26:50 lap-ibm12 NetworkManager: <info> VPN connection 'xxx' (Connect) reply received.
Sep 15 17:26:50 lap-ibm12 nm-openvpn[9031]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 15 17:26:50 lap-ibm12 nm-openvpn[9031]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 15 17:27:31 lap-ibm12 NetworkManager: <info> VPN connection 'xxx' (IP Config Get) timeout exceeded.
Sep 15 17:27:31 lap-ibm12 nm-openvpn[9031]: ERROR: could not read Private Key username/password/ok/string from management interface
Sep 15 17:27:31 lap-ibm12 nm-openvpn[9031]: Exiting

Hope it helps !

SaxonBeef (pbourguignon) wrote :

From the logtrace above, it seems that network-manager leaves to the management interface (in my case network-manager-openvpn-kde) the duty to request the passphrase from the user (which makes sense).
The package affected is therefore definitely network-manager-openvpn-kde (and it indeed works nicely with Gnome).

Yves Glodt (yglodt) wrote :

As this looks like a missing feature, has it been reported upstream?

Yves Glodt (yglodt) wrote :
Andy Goossens (andygoossens) wrote :

I am also affected by this bug (for quite some time now actually).

I was so fed up with this situation that I decided to do something about it: I created a patch which adds support for password protected keys.

Here it is:
http://reviewboard.kde.org/r/6054/
You need to apply this patch to a "trunk" checkout from KDE's Subversion repository.

My patch is still pending review, so the fix is not yet upstream.

Yves Glodt (yglodt) wrote :

Cool, Andy!

Does it also support authentication which asks for a user *and* password upon connecting?
A customer of mine runs an OpenVpn which behaves like that.

Andy Goossens (andygoossens) wrote :

Yves: The code for connection types "Certificates" and "Certificates with password" is similar. So if your customer's issue was that he could not provide his "key password" for the "Certificates with password" type, then yes, his issue should be fixed by this patch.

Note that you will not see a dialog asking for username, password and key password upon connecting. You need to enter those values in the settings window before starting a new openvpn connection.

Andy Goossens (andygoossens) wrote :

I have committed my patch upstream (KDE's NetworkManager).

Rohan Garg (rohangarg) wrote :

Marking as fix committed, packages will soon be shipped with this patch.

Changed in network-manager-openvpn (Ubuntu):
status: Incomplete → Fix Committed
Changed in network-manager-openvpn:
status: Unknown → Fix Released
Changed in network-manager-openvpn:
importance: Unknown → Wishlist
Mathieu Trudel-Lapierre (cyphermox) wrote :

This was confirmed as fixed upstream some time ago (more than a year ago), and the packages are now in Ubuntu; marking as Fix Released.

Changed in network-manager-openvpn (Ubuntu):
status: Fix Committed → Fix Released