[Bug 985798] New: OpenVPN Key-Password
http://bugzilla.opensuse.org/show_bug.cgi?id=985798

Bug ID: 985798
Summary: OpenVPN Key-Password
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: SUSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: gwerner@ventfair.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Build Identifier:

Hi there,

since OpenVPN was switched to systemd I had the problem that systemd eats the stdin and I can't enter the key password (it was fixed for the normal user/password, which does not happen at the startup of openvpn). Now, after I didn't use systemd for starting openvpn for some months, I did google and found https://community.openvpn.net/openvpn/ticket/437

So I tried to add --askpass into the StartExec and it works fine. Would be cool if you could put that as default. I tried whether it blocks system boot if you "enable" it, but it asks for the password before login and fails when login comes up.

Reproducible: Always

-- 
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=985798

Bernhard Wiedemann <bwiedemann@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |idonmez@suse.com, mt@suse.com, nirmoy.das@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=985798
http://bugzilla.opensuse.org/show_bug.cgi?id=985798#c5

Björn Voigt <bjoernv@arcor.de> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |bjoernv@arcor.de

--- Comment #5 from Björn Voigt <bjoernv@arcor.de> ---

This patch has disadvantages. Setups where OpenVPN is started as a daemon on boot with the management interface enabled and without a private key password are broken now. OpenVPN waits forever for someone to supply a password via the management interface. Without the added --askpass option these setups boot fine.

From "man openvpn":

    --askpass [file]
        Get certificate password from console or file before we daemonize.

        For the extremely security conscious, it is possible to protect your private key with a password. Of course this means that every time the OpenVPN daemon is started you must be there to type the password. The --askpass option allows you to start OpenVPN from the command line. It will query you for a password before it daemonizes. To protect a private key with a password you should omit the -nodes option when you use the openssl command line tool to manage certificates and private keys.

        If file is specified, read the password from the first line of file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using an encrypted key.

$ journalctl -b -u openvpn@client-mybox
Feb 15 15:41:25 mybox systemd[1]: Starting OpenVPN tunneling daemon instance using /etc/openvpn/client/mybox.conf...
Feb 15 15:41:25 mybox openvpn[7553]: OpenVPN 2.4.4 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] b
Feb 15 15:41:25 mybox openvpn[7553]: library versions: OpenSSL 1.1.0g-fips 2 Nov 2017, LZO 2.10
Feb 15 15:41:25 mybox systemd[1]: Started OpenVPN tunneling daemon instance using /etc/openvpn/client/mybox.conf.
Feb 15 15:42:59 mybox openvpn[7554]: ERROR: could not read Private Key username/password/ok/string from management interface
Feb 15 15:42:59 mybox openvpn[7554]: Exiting due to fatal error
Feb 15 15:42:59 mybox systemd[1]: openvpn@client-mybox.service: Main process exited, code=exited, status=1/FAILURE
Feb 15 15:42:59 mybox systemd[1]: openvpn@client-mybox.service: Unit entered failed state.
Feb 15 15:42:59 mybox systemd[1]: openvpn@client-mybox.service: Failed with result 'exit-code'.
http://bugzilla.opensuse.org/show_bug.cgi?id=985798
http://bugzilla.opensuse.org/show_bug.cgi?id=985798#c6

--- Comment #6 from Reinhard Max <max@suse.com> ---

Hmm - I was somehow assuming that --askpass only asks for a password if one is actually needed by the configuration and key at hand. :(

But then, if openvpn can decide whether or not to ask for credentials based on the configuration+key, there is no need for having --askpass in the first place, except for the cases when the option is called with a file argument.

I'll have a look at the code and see what I can do.
http://bugzilla.opensuse.org/show_bug.cgi?id=985798
http://bugzilla.opensuse.org/show_bug.cgi?id=985798#c7

--- Comment #7 from Reinhard Max <max@suse.com> ---

OK, here is at least a workaround: --askpass does not have to be put on the command line. Like most other openvpn options it can be used in a config file as well. So, until we find a better solution, configurations requiring a password should add a line that says "askpass" to their .conf file.
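The check comment #6 wishes openvpn would make (does this config actually need a password?) and the per-config workaround from comment #7, as an added shell example. This is not code from OpenVPN or from the openSUSE package; it only looks at the standard OpenSSL PEM markers ("Proc-Type: 4,ENCRYPTED" in a legacy key, "BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8), handles only the "key <path>" directive and inline <key> blocks, and the sample configs and key files it writes are constructed, not real keys. Setups using pkcs11, cryptoapicert or a management-interface-supplied key report no key and are left untouched, which is exactly the case the --askpass-in-the-unit-file change broke.

```shell
#!/bin/sh
# Added example, not OpenVPN's or the openSUSE package's own code: decide
# whether an OpenVPN config references a passphrase-protected private key
# and, if so, append the "askpass" directive (comment #7's workaround).
# Assumptions: standard OpenSSL PEM markers; config uses "key <path>" or
# an inline <key> block; other key sources are reported as "no key".

# Return 0 if the PEM text on stdin is a passphrase-protected private key.
pem_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----'
}

# Print the key material referenced by config $1: the inline <key> block,
# or the file named by "key <path>" (relative paths resolved against the
# config's directory, as the systemd instance does via --cd). Return 1 if
# the config names no readable key file.
config_key_pem() {
    cfg=$1
    if grep -q '^<key>' "$cfg"; then
        sed -n '/^<key>/,/^<\/key>/p' "$cfg"
        return 0
    fi
    path=$(sed -n 's/^key[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$cfg" | head -n 1)
    [ -n "$path" ] || return 1
    case $path in
        /*) ;;
        *)  path="$(dirname "$cfg")/$path" ;;
    esac
    [ -r "$path" ] || return 1
    cat "$path"
}

# Return 0 if config $1 references an encrypted key and therefore cannot
# start under systemd without askpass (stdin is not a terminal there).
config_needs_askpass() {
    pem=$(config_key_pem "$1") || return 1
    printf '%s\n' "$pem" | pem_is_encrypted
}

# Apply the comment #7 workaround: append "askpass" to config $1 only when
# its key is encrypted and the directive is not already present. Idempotent.
ensure_askpass() {
    cfg=$1
    if grep -q '^askpass' "$cfg"; then
        echo "$cfg: askpass already present"
    elif config_needs_askpass "$cfg"; then
        printf 'askpass\n' >> "$cfg"
        echo "$cfg: encrypted key, added askpass"
    else
        echo "$cfg: no encrypted key, left unchanged"
    fi
}

# --- constructed sample configs (not real keys) ---------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Legacy PEM key carrying the OpenSSL encryption header; ciphertext omitted.
cat > "$demo_dir/enc.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

(ciphertext omitted: constructed sample, not a real key)
-----END RSA PRIVATE KEY-----
EOF
printf 'client\nremote vpn.example.net 1194\nkey enc.key\n' > "$demo_dir/enc.conf"

# Unencrypted PKCS#8 key inline in a management-interface config: the setup
# from comment #5 that must NOT be made to ask for a password.
cat > "$demo_dir/plain.conf" <<'EOF'
client
remote vpn.example.net 1194
management 127.0.0.1 7505
<key>
-----BEGIN PRIVATE KEY-----
(base64 omitted: constructed sample, not a real key)
-----END PRIVATE KEY-----
</key>
EOF

ensure_askpass "$demo_dir/enc.conf"     # appends "askpass"
ensure_askpass "$demo_dir/enc.conf"     # second run: already present
ensure_askpass "$demo_dir/plain.conf"   # left unchanged
```

Run it once over /etc/openvpn/client/*.conf (or the server directory) after moving the --askpass out of the unit file: configs with an encrypted key get the directive and keep prompting at start, configs without one keep booting unattended.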
http://bugzilla.opensuse.org/show_bug.cgi?id=985798
http://bugzilla.opensuse.org/show_bug.cgi?id=985798#c8

Reinhard Max <max@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |jejbniq@hansenpartnership.com

--- Comment #8 from Reinhard Max <max@suse.com> ---

*** Bug 1081193 has been marked as a duplicate of this bug. ***
http://bugzilla.opensuse.org/show_bug.cgi?id=985798

Sebastian Wagner <sebix+novell.com@sebix.at> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |sebix+novell.com@sebix.at
http://bugzilla.opensuse.org/show_bug.cgi?id=985798
http://bugzilla.opensuse.org/show_bug.cgi?id=985798#c9

Fabien Crespel <fabien@crespel.net> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |fabien@crespel.net

--- Comment #9 from Fabien Crespel <fabien@crespel.net> ---

Same issue as Björn Voigt here: I have OpenVPN enabled at startup, without a private key password, but since this change was applied my system hangs at startup waiting for a passphrase. It took me a while to even understand it was OpenVPN doing this...

Since there seems to be a better option by adding askpass to the config file, could you please revert the systemd service change?
http://bugzilla.opensuse.org/show_bug.cgi?id=985798

Mischa Salle <mischa.salle@gmail.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |mischa.salle@gmail.com