Björn Voigt changed bug 985798
What Removed Added
CC   bjoernv@arcor.de

Comment # 5 on bug 985798 from
This patch has disadvantages.

Setups where OpenVPN is started as a daemon on boot with the management
interface enabled and without a private key password are broken now.

OpenVPN waits indefinitely for someone to supply a password via the management
interface. Without the added --askpass option these setups boot fine.

From "man openvpn":
--askpass [file]
       Get certificate password from console or file before we daemonize.

       For the extremely security conscious, it is possible to protect
       your private key with a password.  Of course this means that
       every time the OpenVPN daemon is started you must be there to
       type the password.  The --askpass option allows you to start
       OpenVPN from the command line.  It will query you for a password
       before it daemonizes.  To protect a private key with a password
       you should omit the -nodes option when you use the openssl
       command line tool to manage certificates and private keys.

       If file is specified, read the password from the first line of
       file.  Keep in mind that storing your password in a file to a
       certain extent invalidates the extra security provided by using
       an encrypted key.

$ journalctl -b -u openvpn@client-mybox
Feb 15 15:41:25 mybox systemd[1]: Starting OpenVPN tunneling daemon instance using /etc/openvpn/client/mybox.conf...
Feb 15 15:41:25 mybox openvpn[7553]: OpenVPN 2.4.4 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] b
Feb 15 15:41:25 mybox openvpn[7553]: library versions: OpenSSL 1.1.0g-fips  2 Nov 2017, LZO 2.10
Feb 15 15:41:25 mybox systemd[1]: Started OpenVPN tunneling daemon instance using /etc/openvpn/client/mybox.conf.
Feb 15 15:42:59 mybox openvpn[7554]: ERROR: could not read Private Key username/password/ok/string from management interface
Feb 15 15:42:59 mybox openvpn[7554]: Exiting due to fatal error
Feb 15 15:42:59 mybox systemd[1]: openvpn@client-mybox.service: Main process exited, code=exited, status=1/FAILURE
Feb 15 15:42:59 mybox systemd[1]: openvpn@client-mybox.service: Unit entered failed state.
Feb 15 15:42:59 mybox systemd[1]: openvpn@client-mybox.service: Failed with result 'exit-code'.