Non-executable easy-rsa files cause module to fail
Closed this issue · 3 comments
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 4.8.2
- Ruby: 2.3.3p222
- Distribution: Raspbian
- Module version: 7.4.0
How to reproduce (e.g Puppet code you use)
Add a simple server instance.
openvpn::server { 'winterthur':
  country      => 'CH',
  province     => 'ZH',
  city         => 'Winterthur',
  organization => 'example.org',
  email        => 'root@example.org',
  server       => '10.200.200.0 255.255.255.0',
}
What are you seeing
I am getting errors such as the following:
Error: . ./vars && ./clean-all && ./build-dh returned 126 instead of one of [0]
Error: /Stage[main]/Vpn/Openvpn::Server[winterthur]/Openvpn::Ca[winterthur]/Exec[generate dh param winterthur]/returns: change from notrun to 0 failed: . ./vars && ./clean-all && ./build-dh returned 126 instead of one of [0]
What behaviour did you expect instead
I would expect the server to be configured without an error.
Any additional information you'd like to impart
The files in the easy-rsa directory are not executable.
-rw-r--r-- 1 root root 119 Dec 1 23:42 build-ca
-rw-r--r-- 1 root root 352 Dec 1 23:42 build-dh
-rw-r--r-- 1 root root 188 Dec 1 23:42 build-inter
-rw-r--r-- 1 root root 163 Dec 1 23:42 build-key
-rw-r--r-- 1 root root 157 Dec 1 23:42 build-key-pass
-rw-r--r-- 1 root root 249 Dec 1 23:42 build-key-pkcs12
-rw-r--r-- 1 root root 268 Dec 1 23:42 build-key-server
-rw-r--r-- 1 root root 213 Dec 1 23:42 build-req
-rw-r--r-- 1 root root 158 Dec 1 23:42 build-req-pass
-rw-r--r-- 1 root root 449 Dec 1 23:42 clean-all
-rw-r--r-- 1 root root 1471 Dec 1 23:42 inherit-inter
drwx------ 2 root root 4096 Dec 2 00:12 keys
-rw-r--r-- 1 root root 302 Dec 1 23:42 list-crl
-rw-r--r-- 1 root root 7859 Dec 1 23:42 openssl-0.9.6.cnf
-rw-r--r-- 1 root root 8416 Dec 1 23:42 openssl-0.9.8.cnf
-rw-r--r-- 1 root root 8313 Dec 1 23:42 openssl-1.0.0.cnf
lrwxrwxrwx 1 root nogroup 45 Dec 1 23:42 openssl.cnf -> /etc/openvpn/winterthur/easy-rsa/openssl-1.0.0.cnf
-rw-r--r-- 1 root root 13192 Dec 1 23:42 pkitool
drwxr-x--- 2 root nogroup 4096 Dec 1 23:42 revoked
-rw-r--r-- 1 root root 1035 Dec 1 23:42 revoke-full
-rw-r--r-- 1 root root 178 Dec 1 23:42 sign-req
-r-xr-x--- 1 root nogroup 1704 Dec 2 00:05 vars
-rw-r--r-- 1 root root 740 Dec 1 23:42 whichopensslcnf
I am working on a PR that fixes the problem.
Hi @dspinellis.
It is strange because if the files were not executable, the CI would fail. And the CI does not fail.
I tested locally and I am getting this with the CI executed locally:
$ docker exec -it 1e1d6307c3a7 /bin/bash
root@vpnserver:/# ls -l /etc/openvpn/
keys/ test_openvpn_server/ test_openvpn_server.conf update-resolv-conf
root@vpnserver:/# ls -l /etc/openvpn/test_openvpn_server/easy-rsa/
total 120
-rwxr-xr-x 1 root root 119 Dec 2 12:37 build-ca
-rwxr-xr-x 1 root root 352 Dec 2 12:37 build-dh
-rwxr-xr-x 1 root root 188 Dec 2 12:37 build-inter
-rwxr-xr-x 1 root root 163 Dec 2 12:37 build-key
-rwxr-xr-x 1 root root 157 Dec 2 12:37 build-key-pass
-rwxr-xr-x 1 root root 249 Dec 2 12:37 build-key-pkcs12
-rwxr-xr-x 1 root root 268 Dec 2 12:37 build-key-server
-rwxr-xr-x 1 root root 213 Dec 2 12:37 build-req
-rwxr-xr-x 1 root root 158 Dec 2 12:37 build-req-pass
-rwxr-xr-x 1 root root 449 Dec 2 12:37 clean-all
-rwxr-xr-x 1 root root 1471 Dec 2 12:37 inherit-inter
drwx------ 2 root root 4096 Dec 2 12:38 keys
-rwxr-xr-x 1 root root 302 Dec 2 12:37 list-crl
-rw-r--r-- 1 root root 7859 Dec 2 12:37 openssl-0.9.6.cnf
-rw-r--r-- 1 root root 8416 Dec 2 12:37 openssl-0.9.8.cnf
-rw-r--r-- 1 root root 8313 Dec 2 12:37 openssl-1.0.0.cnf
lrwxrwxrwx 1 root nogroup 59 Dec 2 12:38 openssl.cnf -> /etc/openvpn/test_openvpn_server/easy-rsa/openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13192 Dec 2 12:37 pkitool
-rwxr-xr-x 1 root root 1035 Dec 2 12:37 revoke-full
drwxr-x--- 2 root nogroup 4096 Dec 2 12:37 revoked
-rwxr-xr-x 1 root root 178 Dec 2 12:37 sign-req
-r-xr-x--- 1 root nogroup 1692 Dec 2 12:37 vars
-rwxr-xr-x 1 root root 740 Dec 2 12:37 whichopensslcnf
Can you give more information about what you are using as operating system?
Thank you for the feedback, @Dan33l! I think I've narrowed down the problem, and I'm currently waiting for Puppet to finish in order to verify my hunch. A global File declaration was forcing permissions to become 0644 rather than inherit the easy-rsa mode and be 0755. Once I verify this I'll close the issue and the pull request.
Indeed a global File declaration was forcing permissions to become 0644 rather than inherit the easy-rsa mode and be 0755.
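An added example, not part of this thread or of the module's code: a POSIX shell audit for the condition diagnosed above, easy-rsa scripts that have lost their execute bit, which is what makes ./clean-all end with exit status 126. The function names and the sample directory built by make_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an easy-rsa directory for scripts without +x.

# Print the basename of every regular file in directory $1 that begins with
# "#!" but has no usable execute bit. These are the files whose direct
# invocation (./clean-all, ./build-dh) ends with exit status 126.
find_nonexec_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue   # skip keys/, revoked/, symlinks
        first=
        IFS= read -r first < "$f" || true          # first line; empty file is fine
        case $first in
            '#!'*) [ -x "$f" ] || basename "$f" ;; # script without +x
        esac                                       # *.cnf and other data: ignored
    done
}

# Run ./$2 from inside directory $1, the way the failing Exec invokes the
# scripts, and return its status (126 = found but not executable).
run_status() {
    ( cd "$1" && "./$2" ) >/dev/null 2>&1
}

# Build a constructed sample directory: two scripts at 0644 (as in the
# failing listing), one config file, and a keys/ directory at 0700.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$d/clean-all"
    printf '#!/bin/sh\nexit 0\n' > "$d/build-dh"
    printf '# constructed config\n' > "$d/openssl-1.0.0.cnf"
    mkdir -m 0700 "$d/keys"
    chmod 0644 "$d/clean-all" "$d/build-dh" "$d/openssl-1.0.0.cnf"
    printf '%s\n' "$d"
}

# Audit a real directory when one is given on the command line.
if [ "$#" -gt 0 ]; then find_nonexec_scripts "$1"; fi
```

Because it reports only files that start with a shebang, the .cnf files and the keys directory are left out of any follow-up fix and keep their tighter modes, which a blanket recursive chmod to 0755 would not preserve.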