Bug when changing certificate in PKI with openconnect

When I try to change a certificate in the PKI section using the commands below while the cert is associated with an openvpn ssl setting vyos throws the error below.

set pki certificate openconnect certificate "<cert redacted for security>"
set pki certificate openconnect private key "<cert redacted for security>"
pki: Updating config: vpn openconnect ssl certificate openconnect
[ pki ]
pki: Updating config: vpn openconnect ssl certificate openconnect
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
- Make sure you are running the latest version of VyOS available at:
- Consult the community forum to see how to handle this issue:
- Join us on Slack where our users exchange help and advice:

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report time:      2023-02-17 15:41:17
Image version:    VyOS 1.4-rolling-202302150317
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Wed 15 Feb 2023 03:17 UTC
Build UUID:       e62b2d4d-c09c-4dd6-a722-884b782e4d13
Build commit ID:  5207b6f510d677

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 22 c5 7d de 7c 5e 7c-3e 50 a9 b4 af 9c 98 97
Hardware UUID:    7dc52242-7cde-7c5e-3e50-a9b4af9c9897

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/pki.py", line 305, in <module>
  File "/usr/libexec/vyos/conf_mode/pki.py", line 296, in apply
  File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 95, in call_dependents
  File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 78, in func_impl
    run_config_mode_script(script, config)
  File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 65, in run_config_mode_script
    c = mod.get_config(config)
TypeError: get_config() takes 0 positional arguments but 1 was given

[[pki]] failed
Commit failed

The same happens if I do the change in config.boot and run:


A workaround is to assign the cert to a new name, switch the cert for openconnect to the new cert and then remove the old cert:

set pki certificate openconnect2 certificate <cert>
set pki certificate openconnect2 private key <cert>
set vpn openconnect ssl certificate openconnect2
delete pki certificate openconnect

This is a bit inconvinent since it would be good to be able to automate this when renewing let’s encrypt certificates.

Right now I am using a script that I run from cron to switch certs…

source /opt/vyatta/etc/functions/script-template
# TEMP=`tail -n +2 /etc/ssl/certs/GTS_Root_R3.pem | head -n -1 | tr -d '\n'`
# set pki ca R3 certificate $TEMP

# ----------------------------------------------------------------------------------------
# Get name of current certificate
# ----------------------------------------------------------------------------------------
CURRENTNAME=`show vpn openconnect ssl certificate | awk {'print $2'}`
# ----------------------------------------------------------------------------------------
# Switch between openconnect2 and openconnect as name for certs
# ----------------------------------------------------------------------------------------

TEMP=`sudo tail -n +2 /etc/letsencrypt/live/openconnect.MYDOMAIN.com/cert.pem | head -n -1 | tr -d '\n'`
set pki certificate $NEW certificate $TEMP
TEMP=`sudo tail -n +2 /etc/letsencrypt/live/openconnect.MYDOMAIN.com/privkey.pem |head -n -1 | tr -d '\n'`
set pki certificate $NEW private key $TEMP
set vpn openconnect ssl certificate $NEW
delete pki certificate $CURRENTNAME

A bug report was submitted: ⚓ T5023 PKI commit fails to update dependents

Can you please test in the latest rolling release.

I have tested in VyOS 1.4-rolling-202303030317 and the problem seems to be resolved now.
Thanks and keep up the good work :slight_smile: