I can make simple mistakes, configuring Linux services.

One of the things which I do, is to operate an ‘OpenVPN’ server, the sole intention of which it is, to give myself access to resources on my LAN, while I am someplace else, let us say with my tablet as a client. This OpenVPN server uses encryption to secure access to my LAN, including a private and a public RSA key-set. And one of the abilities which I would like to have, is to revoke a client public key, in case one of my tablets was ever to get stolen or otherwise compromised.

The way this works with OpenVPN, is that the file which stores the CRL needs to be identified to the server at start-up, but after that, any public keys added to that file are effective immediately, because OpenVPN will check this file, every time a client logs in, assuming again, that this file was recognized once, when the server was started.

And so I added the following specification to my VPN config file some time ago, to prepare my CRL for eventual use:


crl-verfiy /usr/share/easy-rsa/(...)

I was disappointed to find, that once, as a part of my log-rotations, my OpenVPN server was restarted on April 1, it simply refused to restart. The reason had something to do with this specification. And so I actually searched high and low to find an external reason.

One reason some users give for this not working, is the fact that on their systems, OpenVPN runs as a user different from ‘root‘, and that on those systems, the file ‘crl.pem‘ needs to be made readable by the username which OpenVPN runs under. But the way my distribution is set up, OpenVPN simply runs as root. And so this frequent recital of a reason on the Web, for which this specification might not work, actually slowed down how long it took me, to find the reason, which applies to my system.

It took me more than an hour, to see that I had mistyped something, in that I had entered an ‘f’ and and ‘i’ in the wrong order. So once I corrected this typo, the server restarted fine.

But the world of Linux is still such a place, in which such a typo on the part of the user can stubbornly prevent something from working, until the source of the error is uncovered. This does not change core ideas I have about how the world works. It simply reminds me, that I should not make careless mistakes such as this one.

And it reminds me, that in theory things might seem easier to do, than they sometimes are in practice.

Dirk

 

How I typically Solve my Kleopatra Start-Up Delay Problem

Both under Linux and under Windows, I use “Kleopatra”, which is a GUI for the ‘GnuPG’ system – the “GNU Privacy Guard”. In case the reader does not know, GnuPG or ‘GPG’ is one software alternative for providing ‘Public Key Cryptography’, which can be used in practice to sign and/or encrypt emails, as well as to validate digital signatures made by other people’s computers.

Using GPG does not strictly require that we use Kleopatra, because there exists the capability which some power-users have, to use GPG from the command-line, and Kleopatra is a distinctly KDE-based front-end, even though there exist Windows ports of it.

One problem which I eventually run in to, and which has been reported elsewhere on the Internet, is that at first after installation, Kleopatra seems to run fine, but that after some point in time we encounter a strange delay, when we start up this program, which can last for several minutes or even longer, during which the program does not respond properly to user commands. Our GPG installation does not seem to be compromised.

In my case, this seems to take place entirely, because Kleopatra has been instructed to check the revocation status of some certificates, but no ‘OCSP Server’ has been specified in its settings. According to some other reports on the Web, this is a problem specific to “CACert” certificates, and in my case also, the problem seems to set in, after I’ve added a CACert certificate to my key-ring. Yet, AFAIK, this problem could just as easily occur after we’ve added other certificates.

The way I eventually solve this problem – on every computer I own – is to open Kleopatra somehow, and then to go into Settings -> Configure Kleopatra -> S/MIME Validation , and then to look at the field which says “OCSP responder URL”. By default, this field will be blank.

Since in my case the problem starts after I’ve added my CACert certificate, I actually add the OCSP Server which is provided by CACert there, which is currently “http://ocsp.cacert.org/”. After that, I find that when I open Kleopatra, a narrow and subtle progress-bar in the lower right of the application window, sweeps to completion within one second, and the program opens fine.

I need to explain why this solution works for me, so that anybody who may be having the same problem, but not with a CACert certificate, can also solve this problem.

Certificates which are not self-signed, are signed by a ‘Certificate Authority’, such as CACert. When Kleopatra starts, one of the functions which it automatically performs is to check its certificates against a ‘Revocation List’, in case the Certificate Authority has decided to revoke it.

The actual certificate which I received from CACert, has the detail encoded into its plain-text data, that its revocation status must always be checked. But what I’ve found happens with Kleopatra specifically, is that if no OCSP Server has been specified, instead of somehow recognizing the fact that it cannot check the revocation status, this program goes into some type of infinite loop, never actually connecting to any server, but also never seeming to exit this state.

I choose to put this OCSP, because in my case, I know that it is the CACert certificate which has this need set with a high priority. It should be possible to put some other OCSP Server into the same field, because ultimately they should all be synchronized. But finally, the OCSP Server provided by the same Certificate Authority, also provides the fastest response time, for validating its own certificates.

As I see it, there was a problem in priorities somewhere, in programming this application. There was the bureaucratic priority, which states that the status of this certificate must always be checked. but then there was also the programming priority, which states that an attempt to connect to a server, without any specification of which server, will lead to some sort of malfunction eventually. And between these two, the bureaucratic priority won out.

There are some people on the Web who choose to solve this problem, by simply deactivating the feature, of online revocation checking. This can be done within the same settings tab, by unchecking the first check-box in that tab. This check-box is located directly before the setting, to “Check certificate validity every Hour” (on my setup, with a drop-down window set to “hour”). I prefer to let my software do everything it’s supposed to do, including to check the revocation status of my certificates. And the way to do the latter is to specify an OCSP Server. The fact that this problem can apparently be solved both ways, affirms the quality of the programming.

Dirk