docs:tips_n_tricks:ipfire.html

Page revision: 09.10.2023 14:42 CEST by peter (previous revision 27.10.2018 19:09 CEST)
//This refers to the open source firewall [[http://www.ipfire.org|IPFire]]//
===== Using external CA =====
==== Setup ====
  
Using a host key and certificates from an external certificate authority is possible with the following steps and restrictions:

  * As there is no CA key on the IPFire, you cannot generate client certificates on it; you must import them. The starting point is still the "Add" button in the client list, just use the "upload" feature instead of "generate ...".
  * When creating client certificates with //TinyCA2//, make sure to unset the "add email address to CN" checkbox when signing the request (i.e. creating the certificate). IPFire obviously cannot cope with that extension: it uses the CN value as a filename, the CN then contains a slash, and the result is an internal server error.
==== Maintenance ====
=== Renew certificate ===
== OpenVPN ==

  - Replace ''/var/ipfire/ovpn/certs/servercert.pem''
  - Run ''/usr/local/bin/openvpnctrl -r''
== https ==

  - Replace ''/etc/httpd/server.crt''
  - Run ''apachectl restart''
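Both renewal procedures above come down to "swap the file, restart the service". What is easy to get wrong is swapping in a certificate that does not belong to the key the service already uses, or one that is already expired; after the restart OpenVPN or Apache then refuses to start and the box may be unreachable. The script below is an added example, not part of this page and not IPFire code: it checks the new certificate against the existing private key and its validity period before overwriting the file, keeps a timestamped backup, and only then runs the restart command. The private key paths (''/var/ipfire/ovpn/certs/serverkey.pem'', ''/etc/httpd/server.key'') and the helper names ''cert_matches_key'', ''cert_is_valid'', ''install_cert'' and ''demo'' are assumptions; the certificate paths and restart commands are the ones listed above.

```shell
#!/bin/sh
# Added example, not IPFire project code: replace a server certificate only
# after verifying that it belongs to the private key already in use and is
# inside its validity period, keep a timestamped backup, then restart the
# service. The private key paths and the helper names are assumptions; the
# certificate paths and restart commands are the ones given on this page.
set -eu

# cert_matches_key CERT KEY: 0 if CERT carries the public key of KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_is_valid CERT: 0 if CERT has not expired yet (notAfter is in the future).
cert_is_valid() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# install_cert NEW KEY DEST RESTART_CMD...: check NEW against KEY, back DEST
# up, write NEW over DEST (keeping DEST's owner and mode) and run RESTART_CMD.
install_cert() {
    new=$1; key=$2; dest=$3; shift 3
    cert_is_valid "$new" || { echo "$new has expired, not installing" >&2; return 1; }
    cert_matches_key "$new" "$key" || { echo "$new does not match $key, not installing" >&2; return 1; }
    cp -p "$dest" "$dest.$(date +%Y%m%d%H%M%S).bak"
    cat "$new" > "$dest"
    "$@"
}

# Real use on the IPFire box (run as root; the key paths are assumptions):
#   install_cert /root/servercert.new.pem /var/ipfire/ovpn/certs/serverkey.pem \
#       /var/ipfire/ovpn/certs/servercert.pem /usr/local/bin/openvpnctrl -r
#   install_cert /root/server.new.crt /etc/httpd/server.key \
#       /etc/httpd/server.crt apachectl restart

# demo: dry run with throwaway keys and certificates (constructed here, not
# real IPFire data). Returns 0 if the unrelated key is rejected and the
# matching renewed certificate is installed.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=ipfire.example.org" \
        -keyout "$d/serverkey.pem" -out "$d/servercert.pem" 2>/dev/null
    # renewed certificate for the same key, plus an unrelated key as the negative case
    openssl req -x509 -new -key "$d/serverkey.pem" -days 730 \
        -subj "/O=Example/CN=ipfire.example.org" -out "$d/servercert.new.pem" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    rc=1
    if ! cert_matches_key "$d/servercert.new.pem" "$d/other.key" \
        && install_cert "$d/servercert.new.pem" "$d/serverkey.pem" "$d/servercert.pem" \
               echo "restart command would run here" \
        && cmp -s "$d/servercert.new.pem" "$d/servercert.pem"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

# Dry run; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    demo && echo "dry run OK"
fi
```

''cat "$new" > "$dest"'' rather than ''cp'' is deliberate: it overwrites the contents while keeping the owner and permissions that OpenVPN or Apache already expect on the existing file. Run the real ''install_cert'' call from a console session, not only over the VPN or the web interface you are about to restart.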
===== Bugs =====
==== Route ... already used by another client ====
When adding a new OpenVPN client, any route configured for it - including GREEN / ORANGE - yielded the error message "//Route xyz already in use by another client//". It turned out that ''cddroute'' and ''cddroute2'' in ''/var/ipfire/ovpn'' contained somewhat empty or spurious lines (meaning strange network settings or references to non-existing client names). I removed a line in ''cddroute'' that referenced a non-existing client and the networks //10.0.0.0/255.0.0.0,192.168.0.0/255.255.0.0,172.16.0.0/255.240.0.0//. This seems to have fixed the issue.
--- //peter 09.11.2021 13:43 CET//
==== IPFire 2.17 (i586) - Core Update 98 ====
  * If a client certificate's subject consists **only** of the common name (CN), TLS verification fails because of the regular expression used in ''/usr/lib/openvpn/verify'' to extract the value of CN=...
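The TinyCA2 note in the Setup section and the CN-only bug above are both subject-DN problems, and both can be caught before the certificate is uploaded through the client list. The script below is an added example (not IPFire code and not from this page): it issues a client certificate from a throwaway external CA with OpenSSL, using a plain CN and a subject with more than one RDN, and ''check_subject'' then rejects a CN containing a slash and a subject that is the CN alone. The CA name, organisation, client name and the helpers ''check_subject'' and ''issue_client'' are assumptions.

```shell
#!/bin/sh
# Added example, not IPFire project code: issue an OpenVPN client certificate
# from an external CA and check its subject for the two pitfalls described on
# this page before uploading it through the client list:
#   1. the CN must not contain a slash (TinyCA2's "add email address to CN"
#      option puts one there, and IPFire uses the CN as a filename);
#   2. the subject must not consist of the CN alone (the regular expression
#      in /usr/lib/openvpn/verify does not match such a subject).
# CA name, organisation, client name and the helper names are assumptions.
set -eu

# check_subject SUBJECT
#   SUBJECT is the line printed by `openssl x509 -noout -subject -nameopt RFC2253`,
#   e.g. "subject=CN=client1,O=Example Org,C=DE". Returns 0 if the certificate
#   is safe to import into IPFire, 1 otherwise (reason on stderr).
check_subject() {
    subj=${1#subject=}
    # One RDN per line. Commas escaped as "\," belong to a value and are dropped
    # first so that they do not count as separators.
    rdn_lines=$(printf '%s\n' "$subj" | sed 's/\\,//g' | tr ',' '\n' | sed 's/^[[:space:]]*//')
    rdns=$(printf '%s\n' "$rdn_lines" | grep -c '.' || true)
    cn=$(printf '%s\n' "$rdn_lines" | sed -n 's/^CN=//p')
    if [ -z "$cn" ]; then
        echo "no CN in subject: $subj" >&2
        return 1
    fi
    case $cn in
        */*)
            echo "CN contains a slash, IPFire cannot use it as a filename: $cn" >&2
            return 1 ;;
    esac
    if [ "$rdns" -lt 2 ]; then
        echo "subject is the CN alone, /usr/lib/openvpn/verify would fail: $subj" >&2
        return 1
    fi
    return 0
}

# issue_client NAME DIR: create a throwaway CA in DIR (standing in for the
# external CA) and a CA-signed client certificate with a plain CN and a
# multi-RDN subject; prints the new certificate's subject in RFC2253 form.
issue_client() {
    name=$1; dir=$2
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=DE/O=Example Org/CN=Example External CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=DE/O=Example Org/CN=$name" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
    openssl x509 -in "$dir/$name.crt" -noout -subject -nameopt RFC2253
}

# Dry run with throwaway files; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    subject=$(issue_client client1 "$dir")
    echo "$subject"
    if check_subject "$subject"; then
        echo "$dir/client1.crt can be uploaded via Add -> upload in the client list"
    fi
    rm -rf "$dir"
fi
```

For a certificate issued elsewhere, run only the check: ''check_subject "$(openssl x509 -in client.crt -noout -subject -nameopt RFC2253)"''. The RFC2253 form is used because OpenSSL does not escape a slash in it, so a slash that survives into the CN is the same one IPFire would try to put into a filename.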
{{tag>IPFire}}
{{entry>IPFire}}
  