Content tagged sysadmin

As it turns out, openvpn on RHEL6 cannot run just any shell script as an event command despite the script-security 3 option being present in the config file. The event script needs to have the openvpn_etc_t type context set as well if SELinux policies are enforced.

]==> ls -lZ /etc/openvpn/up.sh
-rwxr-xr-x. root root unconfined_u:object_r:openvpn_etc_t:s0 /etc/openvpn/up.sh

This can be done by running the following command.

]==> chcon -v --type=openvpn_etc_t /etc/openvpn/up.sh
changing security context of `/etc/openvpn/up.sh'

There are some recipies on the web but none of them seems to work. OpenSSL either complains about missing distinguised_name or generates a key that is too short.

You need a config file like this:

]==> cat openssl.cfg
[req]
req_extensions = v3_req
distinguished_name = req_dn

[req_dn]
CN=hostname1.yourdomain.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = hostname2.yourdomain.com
DNS.2 = hostname2.yourdomain.com
DNS.3 = hostname4.yourdomain.com

And then run:

openssl req -new -subj /CN=hostname1.yourdomain.com -out newcsr.csr \
-nodes -config openssl.cfg -keyout privkey.pem -newkey rsa:2048