When I try to change a certificate in the PKI section using the commands below while the cert is associated with an openvpn ssl setting, VyOS throws the error below.

```
set pki certificate openconnect certificate "<cert redacted for security>"
set pki certificate openconnect private key "<cert redacted for security>"
commit
```
```text
pki: Updating config: vpn openconnect ssl certificate openconnect
[ pki ]
pki: Updating config: vpn openconnect ssl certificate openconnect
VyOS had an issue completing a command.
We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
https://vyos.slack.com
When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
business policy requires it)
- and include all the information presented below
Report time: 2023-02-17 15:41:17
Image version: VyOS 1.4-rolling-202302150317
Release train: current
Built by: [email protected]
Built on: Wed 15 Feb 2023 03:17 UTC
Build UUID: e62b2d4d-c09c-4dd6-a722-884b782e4d13
Build commit ID: 5207b6f510d677
Architecture: x86_64
Boot via: installed image
System type: VMware guest
Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: VMware-42 22 c5 7d de 7c 5e 7c-3e 50 a9 b4 af 9c 98 97
Hardware UUID: 7dc52242-7cde-7c5e-3e50-a9b4af9c9897
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/pki.py", line 305, in <module>
apply(c)
File "/usr/libexec/vyos/conf_mode/pki.py", line 296, in apply
call_dependents()
File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 95, in call_dependents
f()
File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 78, in func_impl
run_config_mode_script(script, config)
File "/usr/lib/python3/dist-packages/vyos/configdep.py", line 65, in run_config_mode_script
c = mod.get_config(config)
TypeError: get_config() takes 0 positional arguments but 1 was given
[[pki]] failed
Commit failed
```
The same happens if I do the change in config.boot and run:
```
configure
load
commit
```
A workaround is to assign the cert to a new name, switch the cert for openconnect to the new cert and then remove the old cert:
```
set pki certificate openconnect2 certificate <cert>
set pki certificate openconnect2 private key <cert>
commit
set vpn openconnect ssl certificate openconnect2
commit
delete pki certificate openconnect
commit
```
This is a bit inconvenient since it would be good to be able to automate this when renewing Let's Encrypt certificates.
Right now I am using a script that I run from cron to switch certs…
```bash
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure

# TEMP=$(tail -n +2 /etc/ssl/certs/GTS_Root_R3.pem | head -n -1 | tr -d '\n')
# set pki ca R3 certificate $TEMP

# ----------------------------------------------------------------------------------------
# Get name of current certificate
# ----------------------------------------------------------------------------------------
CURRENTNAME=$(show vpn openconnect ssl certificate | awk '{print $2}')

# ----------------------------------------------------------------------------------------
# Switch between openconnect2 and openconnect as name for certs
# ----------------------------------------------------------------------------------------
case "$CURRENTNAME" in
    "openconnect")
        NEW="openconnect2"
        ;;
    "openconnect2")
        NEW="openconnect"
        ;;
    *)
        # Unknown or empty name: stop here rather than running the commands below with an empty $NEW
        echo "Unexpected certificate name '$CURRENTNAME', aborting" >&2
        exit 1
        ;;
esac

# Strip the BEGIN/END lines and join the base64 body into a single line, which is what "set pki" expects
TEMP=$(sudo tail -n +2 /etc/letsencrypt/live/openconnect.MYDOMAIN.com/cert.pem | head -n -1 | tr -d '\n')
set pki certificate "$NEW" certificate "$TEMP"
TEMP=$(sudo tail -n +2 /etc/letsencrypt/live/openconnect.MYDOMAIN.com/privkey.pem | head -n -1 | tr -d '\n')
set pki certificate "$NEW" private key "$TEMP"
commit

# Point openconnect at the new certificate, then remove the old one
set vpn openconnect ssl certificate "$NEW"
commit
delete pki certificate "$CURRENTNAME"
commit
save
exit
```
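The two fragile pieces of the workaround above are the PEM extraction (`tail -n +2 | head -n -1` breaks on a file without a trailing newline, on CRLF line endings, or on a `fullchain.pem` with more than one block) and the name toggle (an unexpected name leaves `$NEW` empty). The following is an added example, not the poster's script or VyOS code: it provides both steps as plain `sh` functions that can be tested outside a router, and a dry-run function that emits the same `set`/`commit`/`delete` sequence as the workaround instead of executing it. The `openconnect`/`openconnect2` names are the ones from the post; the file paths and the PEM contents are constructed placeholders, not real certificates or keys.

```sh
#!/bin/sh
# Added example (not from the original post): defensive versions of the two
# building blocks the cron script relies on. Paths and PEM data are placeholders.

# Print the base64 body of the FIRST PEM block in a file as one line, the form
# 'set pki certificate <name> certificate <body>' takes. Unlike
# 'tail -n +2 | head -n -1' this tolerates leading/trailing blank lines, CRLF,
# a missing final newline and any further blocks (e.g. the chain in fullchain.pem).
pem_body() {
    awk '
        /^-----BEGIN /  { inblock = 1; next }
        /^-----END /    { exit }
        inblock         { sub(/\r$/, ""); printf "%s", $0 }
    ' "$1"
}

# Given the PKI name currently bound to openconnect, print the name to load the
# renewed certificate under; fail (status 1) for anything unexpected so the
# caller never runs 'set pki certificate "" ...'.
next_name() {
    case "$1" in
        openconnect)  echo openconnect2 ;;
        openconnect2) echo openconnect ;;
        *)            echo "unexpected certificate name: '$1'" >&2; return 1 ;;
    esac
}

# Emit the VyOS configuration commands for one rotation without executing them,
# so the sequence can be reviewed (or fed to a vbash wrapper) before any commit.
# $1 current name, $2 path to cert.pem, $3 path to privkey.pem
rotation_commands() {
    new=$(next_name "$1") || return 1
    cert=$(pem_body "$2")
    key=$(pem_body "$3")
    [ -n "$cert" ] && [ -n "$key" ] || { echo "empty PEM body" >&2; return 1; }
    printf 'set pki certificate %s certificate %s\n' "$new" "$cert"
    printf 'set pki certificate %s private key %s\n' "$new" "$key"
    printf 'commit\n'
    printf 'set vpn openconnect ssl certificate %s\n' "$new"
    printf 'commit\n'
    printf 'delete pki certificate %s\n' "$1"
    printf 'commit\n'
}

# Constructed sample input: a fake two-block "fullchain" with CRLF and no trailing
# newline, and a fake key with a leading blank line. NOT real certificates or keys.
SAMPLE_DIR=$(mktemp -d)
printf '%b' '-----BEGIN CERTIFICATE-----\r\nAAAA\r\nBBBB\r\n-----END CERTIFICATE-----\r\n-----BEGIN CERTIFICATE-----\r\nCCCC\r\n-----END CERTIFICATE-----' > "$SAMPLE_DIR/fullchain.pem"
printf '%b' '\n-----BEGIN PRIVATE KEY-----\nDDDD\nEEEE\n-----END PRIVATE KEY-----\n' > "$SAMPLE_DIR/privkey.pem"

# Dry run: show what would be sent to VyOS for a rotation away from "openconnect".
rotation_commands openconnect "$SAMPLE_DIR/fullchain.pem" "$SAMPLE_DIR/privkey.pem"
```

On a router, the output of `rotation_commands` is exactly the command list from the workaround, so it can be inspected in a log before a cron job runs it; the `next_name` failure path is what keeps a mis-detected current name from deleting a certificate that is still in use.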