I can make simple mistakes, configuring Linux services.

One of the things which I do, is to operate an ‘OpenVPN’ server, the sole intention of which it is, to give myself access to resources on my LAN, while I am someplace else, let us say with my tablet as a client. This OpenVPN server uses encryption to secure access to my LAN, including a private and a public RSA key-set. And one of the abilities which I would like to have, is to revoke a client public key, in case one of my tablets was ever to get stolen or otherwise compromised.

The way this works with OpenVPN is that the file which stores the CRL (Certificate Revocation List) needs to be identified to the server at start-up. After that, any public keys added to that file are effective immediately, because OpenVPN checks this file every time a client logs in, provided that the file was recognized once, when the server was started.

And so I added the following specification to my VPN config file some time ago, to prepare my CRL for eventual use:

crl-verfiy /usr/share/easy-rsa/(...)

I was disappointed to find, that once, as a part of my log-rotations, my OpenVPN server was restarted on April 1, it simply refused to restart. The reason had something to do with this specification. And so I actually searched high and low to find an external reason.

One reason some users give for this not working, is the fact that on their systems, OpenVPN runs as a user different from ‘root’, and that on those systems, the file ‘crl.pem’ needs to be made readable by the username which OpenVPN runs under. But the way my distribution is set up, OpenVPN simply runs as root. And so this frequent recital of a reason on the Web, for which this specification might not work, actually slowed down how long it took me, to find the reason, which applies to my system.

It took me more than an hour, to see that I had mistyped something, in that I had entered an ‘f’ and an ‘i’ in the wrong order. So once I corrected this typo, the server restarted fine.

But the world of Linux is still such a place, in which such a typo on the part of the user can stubbornly prevent something from working, until the source of the error is uncovered. This does not change core ideas I have about how the world works. It simply reminds me, that I should not make careless mistakes such as this one.

And it reminds me, that in theory things might seem easier to do, than they sometimes are in practice.
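A transposed directive name like the one above can be caught before the next restart by checking the config against a list of known directive names. The sketch below is an added example, not part of the original post and not an OpenVPN tool; the function name `lint_openvpn_config`, the partial directive list and the sample config are assumptions made for illustration.

```python
import difflib

# Partial list of real OpenVPN 2.x directives (assumption: not exhaustive;
# extend it to cover the options your own configuration uses).
KNOWN_DIRECTIVES = sorted({
    "port", "proto", "dev", "ca", "cert", "key", "dh", "server", "topology",
    "push", "keepalive", "cipher", "auth", "user", "group", "persist-key",
    "persist-tun", "status", "log", "log-append", "verb", "crl-verify",
    "tls-auth", "tls-crypt", "ifconfig-pool-persist", "client-to-client",
    "max-clients", "explicit-exit-notify",
})

def lint_openvpn_config(text, cutoff=0.8):
    """Return (line_no, directive, suggestion_or_None) for unknown directives."""
    findings = []
    inline_block = None  # name of an open <ca>...</ca>-style inline block
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline_block:  # skip embedded key/cert material
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_block = line[1:-1]
            continue
        directive = line.split()[0]
        if directive in KNOWN_DIRECTIVES:
            continue
        # Nearest known name, so a transposition is reported with its fix.
        close = difflib.get_close_matches(directive, KNOWN_DIRECTIVES, n=1, cutoff=cutoff)
        findings.append((line_no, directive, close[0] if close else None))
    return findings

# Constructed sample config; the crl line is quoted from the post, path left elided.
SAMPLE_CONFIG = """\
# constructed sample server config
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
crl-verfiy /usr/share/easy-rsa/(...)
verb 3
"""

if __name__ == "__main__":
    for line_no, directive, hint in lint_openvpn_config(SAMPLE_CONFIG):
        print(f"line {line_no}: unknown directive {directive!r}"
              + (f", did you mean {hint!r}?" if hint else ""))
```

Running such a check after every config edit surfaces the mistake at edit time, rather than weeks later when log rotation restarts the service.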


