Cannot create client with a previously deleted username #1

Open
wnkz opened this issue Aug 10, 2015 · 1 comment · May be fixed by #2
wnkz commented Aug 10, 2015

After default setup on DCOS I cannot create a client with the same name as a previously deleted client, steps to reproduce:

1/

curl -X POST --data "name=wnkz" 'http://dcos/service/openvpn/client'

2/

curl -X DELETE 'http://dcos/service/openvpn/client/wnkz'
{"msg": "success", "type": "status"}

3/

curl -X POST --data "name=wnkz" 'http://dcos/service/openvpn/client'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request.  Either the server is overloaded or there is an error in the application.</p>

On step 3, the following logs are produced on the container:

Easy-RSA error:

Request file already exists. Aborting build to avoid overwriting this file.
If you wish to continue, please use a different name or remove the file.
Matching file found at:  /etc/openvpn/pki/reqs/wnkz.req
2015-08-10 14:54:10,411 - dcos_openvpn.web - ERROR - Exception on /client [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/lib/python2.7/dist-packages/webargs-0.13.0-py2.7.egg/webargs/core.py", line 462, in wrapper
    return func(parsed_args, *args, **kwargs)
  File "dcos_openvpn/web.py", line 33, in create_client
    cert.generate(args.get("name"))
  File "dcos_openvpn/cert.py", line 16, in generate
    name), shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '/dcos/bin/easyrsa build-client-full wnkz nopass' returned non-zero exit status 1
2015-08-10 14:54:10,412 - werkzeug - INFO - 10.0.6.220 - - [10/Aug/2015 14:54:10] "POST /client HTTP/1.0" 500 -

It turns out those files are never removed:

/etc/openvpn/pki/reqs/wnkz.req
/etc/openvpn/pki/issued/wnkz.crt
/etc/openvpn/pki/private/wnkz.key

The client reference is also present in those files (XX being a number, e.g. 04):

/etc/openvpn/pki/certs_by_serial/XX.pem
/etc/openvpn/pki/index.txt

After removing the first four files and the line in /etc/openvpn/pki/index.txt I was able to create the user again from the API.

wnkz commented Aug 10, 2015

My first guess is that you should use revoke-full in the delete process; this way the certificate would be properly removed and added to the certificate revocation list.

@wnkz wnkz linked a pull request Aug 10, 2015 that will close this issue
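The residue described in the report and the revoke-based cleanup proposed above, as an added example that is not part of this issue or of the dcos_openvpn project: it parses easyrsa's index.txt, lists what still references a client name, and reports whether build-client-full could run again. The PKI tree it inspects is constructed in a temporary directory; the row layout of index.txt is the standard OpenSSL CA database format.

```python
import os
import shutil
import tempfile
# Per-client files the issue found left behind after DELETE, relative to the PKI root.
CLIENT_FILES = ("reqs/{name}.req", "issued/{name}.crt", "private/{name}.key")

def parse_index(index_text):
    """Parse easyrsa's pki/index.txt (OpenSSL CA database): tab-separated status
    (V=valid, R=revoked, E=expired), expiry, revocation date, serial, filename, subject DN."""
    rows = []
    for line in index_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt row: %r" % line)
        status, _expiry, revoked, serial, _fname, subject = fields
        cn = subject.rsplit("/CN=", 1)[1] if "/CN=" in subject else None
        rows.append({"status": status, "serial": serial, "cn": cn, "revoked_at": revoked or None})
    return rows

def residue_report(pki_dir, name):
    """Unrevoked index rows for `name`, their certs_by_serial copies and leftover client files."""
    index_path = os.path.join(pki_dir, "index.txt")
    rows = parse_index(open(index_path).read()) if os.path.exists(index_path) else []
    live = [r["serial"] for r in rows if r["cn"] == name and r["status"] == "V"]
    candidates = [t.format(name=name) for t in CLIENT_FILES] + ["certs_by_serial/%s.pem" % s for s in live]
    files = [p for p in (os.path.join(pki_dir, c) for c in candidates) if os.path.exists(p)]
    # build-client-full only succeeds when nothing is left; a V row means the old cert is still trusted.
    return {"live_serials": live, "files": files, "reusable": not live and not files}

def demo():
    """Constructed PKI tree (not a real DCOS volume): 'wnkz' as the issue found it after DELETE,
    then after a revoke-style delete that marks the index row R and removes the leftover files."""
    pki = tempfile.mkdtemp()
    try:
        for sub in ("reqs", "issued", "private", "certs_by_serial"):
            os.makedirs(os.path.join(pki, sub))
        for rel in ("reqs/wnkz.req", "issued/wnkz.crt", "private/wnkz.key", "certs_by_serial/04.pem"):
            open(os.path.join(pki, rel), "w").close()
        with open(os.path.join(pki, "index.txt"), "w") as f:
            f.write("V\t250810145410Z\t\t04\tunknown\t/CN=wnkz\n")
        before = residue_report(pki, "wnkz")
        with open(os.path.join(pki, "index.txt"), "w") as f:
            f.write("R\t250810145410Z\t150810145410Z\t04\tunknown\t/CN=wnkz\n")
        for path in before["files"]:
            os.remove(path)
        return before, residue_report(pki, "wnkz")
    finally:
        shutil.rmtree(pki)
```

Running `residue_report` against the real `/etc/openvpn/pki` after a DELETE is a quick way to confirm the handler actually revoked and cleaned up rather than only answering `{"msg": "success"}`.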