revoke-full fails

Bug #231199 reported by KM
This bug affects 3 people

Affects: openvpn (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: openvpn

# lsb_release -rd
Description: Ubuntu 8.04
Release: 8.04
# apt-cache policy openvpn
openvpn:
  Installed: 2.1~rc7-1ubuntu3.2
  Candidate: 2.1~rc7-1ubuntu3.2
  Version table:
 *** 2.1~rc7-1ubuntu3.2 0
        500 http://us.archive.ubuntu.com hardy-updates/main Packages
        500 http://security.ubuntu.com hardy-security/main Packages
        100 /var/lib/dpkg/status
     2.1~rc7-1ubuntu3 0
        500 http://us.archive.ubuntu.com hardy/main Packages

This might arise from #218569

I ran the revoke-full script, which I expected to revoke the given certificate. Instead (slightly edited),

# ./revoke-full somename
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
23924:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282

where /etc/openvpn/easy-rsa had been copied from /usr/share/doc/openvpn/examples/easy-rsa/2.0.

I removed the entire '[ pkcs11_section ]' at the end of openssl.cnf. Another attempt at revoke-full then succeeded.

Dieter Verlaeckt (dieter-verlaeckt-gmail) wrote :

I can confirm this bug. I had the same problem; commenting out the '[pkcs11_section]' section fixed it.

Thierry Carrez (ttx) wrote :

We are not using PKCS#11, and the "pkcs11 = pkcs11_section" line in openssl.cnf is properly commented out. The problem is that openssl doesn't just ignore the [ pkcs11_section ]: it still parses its configuration lines, and MODULE_PATH = $ENV::PKCS11_MODULE_PATH results in an undefined variable:

----------------
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
----------------------

The solution is to comment those lines or implement PKCS#11 support in openvpn and fix those lines accordingly.

Changed in openvpn:
importance: Undecided → Low
status: New → Confirmed
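
The condition described in the comment above (openssl expands $ENV:: references in every section it parses, referenced or not) can be checked before running revoke-full. This is an added example, not part of the original report or of easy-rsa: the function names and the sample config are constructed for illustration, and treating every '#' as the start of a comment is a simplification.

```shell
#!/bin/sh
# Added example (not easy-rsa code): find $ENV::NAME references in an
# openssl.cnf that would abort parsing with "variable has no value".

# Print "LINE:NAME" for each $ENV::NAME or ${ENV::NAME} on a non-comment
# line of file $1 whose NAME is absent from the environment.
unset_env_refs() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)            # commented-out text is never expanded
        while (match(line, /\$[{]?ENV::[A-Za-z0-9_]+/)) {
            name = substr(line, RSTART, RLENGTH)
            sub(/^.*ENV::/, "", name)   # keep only the variable name
            if (!(name in ENVIRON)) print NR ":" name
            line = substr(line, RSTART + RLENGTH)
        }
    }' "$1"
}

# Constructed sample config; the last section mirrors the snippet quoted above.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ENV::KEY_DIR
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
EOF
}

# Demo: KEY_DIR is set, PKCS11_MODULE_PATH is not, so only line 9 is reported.
demo() {
    tmp=$(mktemp) || return 1
    write_sample_cnf "$tmp"
    ( unset PKCS11_MODULE_PATH; KEY_DIR=/etc/openvpn/easy-rsa/keys
      export KEY_DIR; unset_env_refs "$tmp" )
    rm -f "$tmp"
}
demo
```

An empty result means every referenced variable is present; any output names the line openssl will stop on, even when that section is not referenced anywhere.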
Frédéric Sheedy (fsheedy) wrote :

Confirming this bug.

Thierry Carrez (ttx) wrote :

This should be fixed in Intrepid as PKCS#11 support is enabled there.
Could one of you please confirm?

KM (ubuntubug-acrasis) wrote :

No change here, except that the error message appears twice.

# ./revoke-full nick2
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
21626:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
21627:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
nick2.crt: OK
# echo $?
0

Another attempt to revoke succeeds after removing the '[ pkcs11_section ]' section from openssl.cnf. My "Intrepid" installation:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.10
Release: 8.10
Codename: intrepid
# apt-cache policy openvpn
openvpn:
  Installed: 2.1~rc11-1ubuntu2
  Candidate: 2.1~rc11-1ubuntu2
  Version table:
 *** 2.1~rc11-1ubuntu2 0
        500 http://us.archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

Thierry Carrez (ttx) wrote :

Main issue here is that easy-rsa isn't properly supported, but just shipped as a documentation example. I filed bug 392013 to track proper packaging of easy-rsa and fixing this bug would be part of it, so I'm marking this one as a duplicate.
