Chrome OS doesn’t load new certificate used by OpenVPN when certificate is replaced. |
||||||||
Issue descriptionChromeOS version: Chrome 67, 68.0.3440.118 and 69.0.3497.95 ChromeOS device model: Google_Eve.9584.160.0 Case#: 17108393 Description: Chrome OS doesn’t load new certificate which used by openvpn when certificate is replaced. Steps to reproduce: 1) Replace TPM-backed certificate on ChromeOS device using OpenVPN. 2) Disconnect VPN 3) Upon attempting to reconnect VPN, it will eventually time out and surface the OpenVPN config page. 4) Further connection attempts will not work (because shill is attempting to load the old certificate). The customer has reported that rebooting resolves this issue. Current Behavior / Reproduction: Error message “Cannot load certificate “XXX” using PKCS#11 interface appears when certificate is replaced. Investigation notes. -When replacing a users TPN-back certificate, shill does not properly load the new certificate when reconnecting the VPN (openvpn) and fails while attempting to load the load (replaced) certificate. - Affected username(s) and/or device serial numbers: anyone who's certificate is replaced. Sample User info: -It is reproduced in Chrome 67, 68 and 69 (Customer was initially using chrome 68, Asked to update to version 69 where issue is reproduced as well. ) -The customer has reported that it didn’t reproduce in Chrome 64. -One device was updated to Beta. The same error occurs but pressing the "Connect" button when it errors seems to resolve the issue (so this seems to only fail once?). Drive link to logs: -Shill logs collected with v68: https://drive.google.com/open?id=1egBpptwcdzKQH56cuB0zhYkSfgoAv5LI -Shill logs collected with v69 https://drive.google.com/open?id=1-OU1nJ6k-pr6KwHtjroBK_5-HXemEYQi -Json policies :https://drive.google.com/open?id=1Okdm1YkQiPwsUZFKA93EtYqhvr8RsxYF -Device debug logs with V68 :https://drive.google.com/open?id=1OHHInMsctKiyQAM4youHcppn_1sHdi23 -device Debug logs with v69 https://drive.google.com/open?id=1KgjbKyW4ARRQuWSkMa4jFeNU48uLWET3 2018-10-03T17:03:47.962789-07:00 NOTICE openvpn[4659]: MANAGEMENT: >STATE:1538611427,RECONNECTING,private-key-password-failure,,,,, 2018-10-03T17:03:47.995064-07:00 INFO shill[1365]: [INFO:openvpn_management_server.cc(391)] OpenVPN state: RECONNECTING -> RECONNECTING (private-key-password-failure) 2018-10-03T17:03:47.995094-07:00 INFO shill[1365]: [INFO:openvpn_driver.cc(1008)] OnReconnecting(0) 2018-10-03T17:03:47.995185-07:00 INFO shill[1365]: [INFO:openvpn_management_server.cc(426)] Client waiting for hold release. 2018-10-03T17:03:47.995200-07:00 INFO shill[1365]: [INFO:openvpn_management_server.cc(155)] Releasing hold. 2018-10-03T17:03:47.995315-07:00 NOTICE openvpn[4659]: MANAGEMENT: CMD 'hold release' 2018-10-03T17:03:47.995421-07:00 WARNING openvpn[4659]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2018-10-03T17:03:47.995459-07:00 INFO shill[1365]: [INFO:openvpn_management_server.cc(438)] SUCCESS: hold release succeeded 2018-10-03T17:03:48.000452-07:00 WARNING openvpn[4659]: Cannot load certificate "18D4979D5FB26C8D17613055933F31B09DB32739" using PKCS#11 interface 2018-10-03T17:03:48.000547-07:00 NOTICE openvpn[4659]: SIGUSR1[soft,private-key-password-failure] received, process restarting
,
Oct 9
@aseda, @shchen, Can you take a look at this issue?
,
Jan 11
Hello! This bug is receiving this notice because there has been no acknowledgment of its existence in quite a bit of time. - If you are currently working on this bug, please provide an update. - If you are currently affected by this bug, please update with your current symptoms and relevant logs. If there has been no updates provided by EOD Thursday, 01/17/19 (5pm EST), this bug will be archived and can be re-opened at any time deemed necessary. Thank you!
,
Jan 11
How were shchen@ and I chosen for this bug? I don't know anything about shill or OpenVPN...
,
Jan 11
Thanks for the update. @bigo - is there someone else that could potentially look into this issue?
,
Jan 11
,
Jan 11
This issue has an owner, a component and a priority, but is still listed as untriaged or unconfirmed. By definition, this bug is triaged. Changing status to "assigned". Please reach out to me if you disagree with how I've done this.
,
Jan 11
Apologies for the mis-assignement. As it has been a while since this issue was reported, Is this still an issue in current versions of Chrome 71+? The customer case was closed, but they should be still receiving updates as they have starred the bug.
,
Jan 11
,
Jan 15
,
Jan 17
(5 days ago)
Due to lack of action this bug has been Archived. If work is still being done on this issue or you are still experiencing this issue please feel free to re-open with the appropriate information. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by ryutas@chromium.org
, Oct 5