
Failure on delete CA key step #1391

Closed
ejheil opened this issue Apr 9, 2019 · 5 comments · Fixed by #1393

ejheil commented Apr 9, 2019

Describe the bug

Tried to create a DO droplet with Algo, all defaults except that I selected ad blocking. I was on another DO droplet while doing this.

Got the following error:

TASK [Delete the CA key] *******************************************************
fatal: [157.230.91.66]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ipsec_pki_path' is undefined\n\nThe error appears to have been in '/home/ed/src/algo/server.yml': line 40, column 11, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n - block:\n - name: Delete the CA key\n ^ here\n"}

To Reproduce

Do the same thing again; it happens the same way.

Expected behavior

I get a beautiful new VPN droplet.

Additional context

This is my `uname -a` from the droplet I'm running the scripts on:

(env) ➜ algo git:(master) uname -a
Linux gdangus 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Full log

(env) ➜ algo git:(master) ./algo

PLAY [Ask user for the input] *********************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************
ok: [localhost]

TASK [pause] **************************************************************************************************************
[pause]
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Vultr
5. Microsoft Azure
6. Google Compute Engine
7. Scaleway
8. OpenStack (DreamCompute optimised)
9. Install to existing Ubuntu 18.04 server (Advanced)

Enter the number of your desired provider
:
1
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************
ok: [localhost]

TASK [pause] **************************************************************************************************************
[pause]
Name the vpn server
[algo]
:

ok: [localhost]

TASK [pause] **************************************************************************************************************
[pause]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

ok: [localhost]

TASK [pause] **************************************************************************************************************
[pause]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

ok: [localhost]

TASK [pause] **************************************************************************************************************

TASK [pause] **************************************************************************************************************
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:

ok: [localhost]

TASK [pause] **************************************************************************************************************
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:

ok: [localhost]

TASK [pause] **************************************************************************************************************
[pause]
Do you want to install an ad blocking DNS resolver on this VPN server?
[y/N]
:
y
ok: [localhost]

TASK [pause] **************************************************************************************************************
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************
ok: [localhost]

PLAY [Provision the server] ***********************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************
ok: [localhost]

TASK [Display the invocation environment] *********************************************************************************

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 16.04.5 LTS (Virtualized: kvm)
Created from git clone. Last commit: c4ea880 Refactoring to support roles inclusion (#1365)
Python 2.7.12
Runtime variables:
algo_provider "digitalocean"
algo_ondemand_cellular "False"
algo_ondemand_wifi "False"
algo_ondemand_wifi_exclude "X251bGw="
algo_local_dns "True"
algo_ssh_tunneling "False"
algo_windows "False"
wireguard_enabled "True"
dns_encryption "True"
changed: [localhost -> localhost]

TASK [Install the requirements] *******************************************************************************************
ok: [localhost -> localhost]

TASK [Generate the SSH private key] ***************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] ****************************************************************************************
ok: [localhost]

TASK [Include a provisioning role] ****************************************************************************************

TASK [cloud-digitalocean : Clean up the environment] **********************************************************************

TASK [cloud-digitalocean : Install requirements] **************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : pause] *****************************************************************************************
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
(output is hidden):
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ***********************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ***********************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set facts about thre regions] ******************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set default region] ****************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : pause] *****************************************************************************************
[cloud-digitalocean : pause]
What region should the server be located in?
1. ams3 Amsterdam 3
2. blr1 Bangalore 1
3. fra1 Frankfurt 1
4. lon1 London 1
5. nyc1 New York 1
6. nyc3 New York 3
7. sfo2 San Francisco 2
8. sgp1 Singapore 1
9. tor1 Toronto 1

Enter the number of your desired region
[6]
:
5
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] **************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] *************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] ****************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] *************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] **************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] *******************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Delete the new Algo SSH key] *******************************************************************
FAILED - RETRYING: Delete the new Algo SSH key (10 retries left).
ok: [localhost]

TASK [Set subjectAltName as afact] ****************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] *******************************************************************************
changed: [localhost]

TASK [Additional variables for the server] ********************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] ************************************************************************************
ok: [localhost]

TASK [debug] **************************************************************************************************************
ok: [localhost] => {
"IP_subject_alt_name": "157.230.178.183"
}

TASK [A short pause, in order to be sure the instance is ready] ***********************************************************
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [localhost]

PLAY [Configure the server and install required software] *****************************************************************

TASK [common : Check the system] ******************************************************************************************
changed: [157.230.178.183]

TASK [common : include_tasks] *********************************************************************************************
included: /home/ed/src/algo/roles/common/tasks/ubuntu.yml for 157.230.178.183

TASK [common : Gather facts] **********************************************************************************************
ok: [157.230.178.183]

TASK [common : Install software updates] **********************************************************************************
changed: [157.230.178.183]

TASK [common : Check if reboot is required] *******************************************************************************
changed: [157.230.178.183]

TASK [common : Reboot] ****************************************************************************************************
changed: [157.230.178.183]

TASK [common : Wait until SSH becomes ready...] ***************************************************************************
ok: [157.230.178.183 -> localhost]

TASK [common : Install unattended-upgrades] *******************************************************************************
ok: [157.230.178.183]

TASK [common : Configure unattended-upgrades] *****************************************************************************
changed: [157.230.178.183]

TASK [common : Periodic upgrades configured] ******************************************************************************
changed: [157.230.178.183]

TASK [common : Unattended reboots configured] *****************************************************************************
changed: [157.230.178.183]

TASK [common : Disable MOTD on login and SSHD] ****************************************************************************
changed: [157.230.178.183] => (item={u'regexp': u'^session.*optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [157.230.178.183] => (item={u'regexp': u'^session.*optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] **************************************************************************
changed: [157.230.178.183]

TASK [common : systemd services enabled and started] **********************************************************************
ok: [157.230.178.183] => (item=systemd-networkd)
ok: [157.230.178.183] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] ***********************************************************************
changed: [157.230.178.183]

TASK [common : Check apparmor support] ************************************************************************************
changed: [157.230.178.183]

TASK [common : set_fact] **************************************************************************************************
ok: [157.230.178.183]

TASK [common : Generate password for the CA key] **************************************************************************
changed: [157.230.178.183 -> localhost]

TASK [common : Generate p12 export password] ******************************************************************************
changed: [157.230.178.183 -> localhost]

TASK [common : Define facts] **********************************************************************************************
ok: [157.230.178.183]

TASK [common : set_fact] **************************************************************************************************
ok: [157.230.178.183]

TASK [common : Set IPv6 support as a fact] ********************************************************************************
ok: [157.230.178.183]

TASK [common : Check size of MTU] *****************************************************************************************
ok: [157.230.178.183]

TASK [common : set_fact] **************************************************************************************************
ok: [157.230.178.183]

TASK [common : Install tools] *********************************************************************************************
changed: [157.230.178.183]

TASK [common : Install headers] *******************************************************************************************
ok: [157.230.178.183]

TASK [common : include_tasks] *********************************************************************************************
included: /home/ed/src/algo/roles/common/tasks/iptables.yml for 157.230.178.183

TASK [common : Iptables configured] ***************************************************************************************
changed: [157.230.178.183] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [common : Iptables configured] ***************************************************************************************
changed: [157.230.178.183] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [common : include_tasks] *********************************************************************************************

TASK [common : Sysctl tuning] *********************************************************************************************
changed: [157.230.178.183] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [157.230.178.183] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [157.230.178.183] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

RUNNING HANDLER [common : restart iptables] *******************************************************************************
changed: [157.230.178.183]

TASK [dns_encryption : Include tasks for Ubuntu] **************************************************************************
included: /home/ed/src/algo/roles/dns_encryption/tasks/ubuntu.yml for 157.230.178.183

TASK [dns_encryption : Add the repository] ********************************************************************************
changed: [157.230.178.183]

TASK [dns_encryption : Install dnscrypt-proxy] ****************************************************************************
changed: [157.230.178.183]

TASK [dns_encryption : Configure unattended-upgrades] *********************************************************************
changed: [157.230.178.183]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] **************************************************
changed: [157.230.178.183]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ***********************************************
ok: [157.230.178.183]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***********************************
changed: [157.230.178.183]

TASK [dns_encryption : Ubuntu | Add custom requirements to successfully start the unit] ***********************************
changed: [157.230.178.183]

TASK [dns_encryption : Include tasks for FreeBSD] *************************************************************************

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] ************************************************************
changed: [157.230.178.183]

TASK [dns_encryption : dnscrypt-proxy configured] *************************************************************************
changed: [157.230.178.183]

TASK [dns_encryption : dnscrypt-proxy enabled and started] ****************************************************************
ok: [157.230.178.183]

RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] *****************************************************************
changed: [157.230.178.183]

TASK [dns_adblocking : Dnsmasq installed] *********************************************************************************
changed: [157.230.178.183]

TASK [dns_adblocking : The dnsmasq directory created] *********************************************************************
changed: [157.230.178.183]

TASK [dns_adblocking : include_tasks] *************************************************************************************
included: /home/ed/src/algo/roles/dns_adblocking/tasks/ubuntu.yml for 157.230.178.183

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] **************************************************
changed: [157.230.178.183]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ******************************************************
changed: [157.230.178.183]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ******************************************
changed: [157.230.178.183]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ****************************************
changed: [157.230.178.183]

TASK [dns_adblocking : include_tasks] *************************************************************************************

TASK [dns_adblocking : Dnsmasq configured] ********************************************************************************
changed: [157.230.178.183]

TASK [dns_adblocking : Adblock script created] ****************************************************************************
changed: [157.230.178.183]

TASK [dns_adblocking : Adblock script added to cron] **********************************************************************
changed: [157.230.178.183]

TASK [dns_adblocking : Update adblock hosts] ******************************************************************************
changed: [157.230.178.183]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] ************************************************************************
changed: [157.230.178.183]

RUNNING HANDLER [dns_adblocking : daemon-reload] **************************************************************************
ok: [157.230.178.183]

TASK [dns_adblocking : Dnsmasq enabled and started] ***********************************************************************
ok: [157.230.178.183]

TASK [wireguard : Ensure the required directories exist] ******************************************************************
changed: [157.230.178.183 -> localhost] => (item=private)
changed: [157.230.178.183 -> localhost] => (item=public)

TASK [wireguard : Include tasks for Ubuntu] *******************************************************************************
included: /home/ed/src/algo/roles/wireguard/tasks/ubuntu.yml for 157.230.178.183

TASK [wireguard : WireGuard repository configured] ************************************************************************
changed: [157.230.178.183]

TASK [wireguard : WireGuard installed] ************************************************************************************
changed: [157.230.178.183]

TASK [wireguard : WireGuard reload-module-on-update] **********************************************************************
changed: [157.230.178.183]

TASK [wireguard : Configure unattended-upgrades] **************************************************************************
changed: [157.230.178.183]

TASK [wireguard : set_fact] ***********************************************************************************************
ok: [157.230.178.183]

TASK [wireguard : Include tasks for FreeBSD] ******************************************************************************

TASK [wireguard : Delete the lock files] **********************************************************************************

TASK [wireguard : Generate private keys] **********************************************************************************
changed: [157.230.178.183] => (item=phone)
changed: [157.230.178.183] => (item=laptop)
changed: [157.230.178.183] => (item=desktop)
changed: [157.230.178.183] => (item=157.230.178.183)

TASK [wireguard : Save private keys] **************************************************************************************
changed: [157.230.178.183] => (item=None)
changed: [157.230.178.183] => (item=None)
changed: [157.230.178.183] => (item=None)
changed: [157.230.178.183] => (item=None)

TASK [wireguard : Touch the lock file] ************************************************************************************
changed: [157.230.178.183] => (item=phone)
changed: [157.230.178.183] => (item=laptop)
changed: [157.230.178.183] => (item=desktop)
changed: [157.230.178.183] => (item=157.230.178.183)

TASK [wireguard : Generate public keys] ***********************************************************************************
ok: [157.230.178.183] => (item=phone)
ok: [157.230.178.183] => (item=laptop)
ok: [157.230.178.183] => (item=desktop)
ok: [157.230.178.183] => (item=157.230.178.183)

TASK [wireguard : Save public keys] ***************************************************************************************
changed: [157.230.178.183] => (item=None)
changed: [157.230.178.183] => (item=None)
changed: [157.230.178.183] => (item=None)
changed: [157.230.178.183] => (item=None)

TASK [wireguard : WireGuard user list updated] ****************************************************************************
changed: [157.230.178.183 -> localhost] => (item=phone)
changed: [157.230.178.183 -> localhost] => (item=laptop)
changed: [157.230.178.183 -> localhost] => (item=desktop)

TASK [wireguard : set_fact] ***********************************************************************************************
ok: [157.230.178.183 -> localhost]

TASK [wireguard : WireGuard users config generated] ***********************************************************************
changed: [157.230.178.183 -> localhost] => (item=(0, u'phone'))
changed: [157.230.178.183 -> localhost] => (item=(1, u'laptop'))
changed: [157.230.178.183 -> localhost] => (item=(2, u'desktop'))

TASK [wireguard : Generate QR codes] **************************************************************************************
ok: [157.230.178.183 -> localhost] => (item=(0, u'phone'))
ok: [157.230.178.183 -> localhost] => (item=(1, u'laptop'))
ok: [157.230.178.183 -> localhost] => (item=(2, u'desktop'))

TASK [wireguard : WireGuard configured] ***********************************************************************************
changed: [157.230.178.183]

TASK [wireguard : WireGuard enabled and started] **************************************************************************
changed: [157.230.178.183]

RUNNING HANDLER [wireguard : restart wireguard] ***************************************************************************
changed: [157.230.178.183]

TASK [strongswan : include_tasks] *****************************************************************************************
included: /home/ed/src/algo/roles/strongswan/tasks/ubuntu.yml for 157.230.178.183

TASK [strongswan : set_fact] **********************************************************************************************
ok: [157.230.178.183]

TASK [strongswan : Ubuntu | Install strongSwan] ***************************************************************************
changed: [157.230.178.183]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] ****************************************************************
changed: [157.230.178.183] => (item=/usr/lib/ipsec/charon)
changed: [157.230.178.183] => (item=/usr/lib/ipsec/lookip)
changed: [157.230.178.183] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] ******************************************************************************
ok: [157.230.178.183] => (item=apparmor)
ok: [157.230.178.183] => (item=strongswan)
ok: [157.230.178.183] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exist] *******************************************
changed: [157.230.178.183]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********************************************
changed: [157.230.178.183]

TASK [strongswan : Ensure that the strongswan user exist] *****************************************************************
ok: [157.230.178.183]

TASK [strongswan : Install strongSwan] ************************************************************************************
ok: [157.230.178.183]

TASK [strongswan : Setup the config files from our templates] *************************************************************
changed: [157.230.178.183] => (item={u'dest': u'strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [157.230.178.183] => (item={u'dest': u'ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [157.230.178.183] => (item={u'dest': u'ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [strongswan : Get loaded plugins] ************************************************************************************
changed: [157.230.178.183]

TASK [strongswan : Disable unneeded plugins] ******************************************************************************
changed: [157.230.178.183] => (item=bypass-lan)
changed: [157.230.178.183] => (item=gmp)
changed: [157.230.178.183] => (item=md5)
changed: [157.230.178.183] => (item=updown)
changed: [157.230.178.183] => (item=connmark)
changed: [157.230.178.183] => (item=xauth-generic)
changed: [157.230.178.183] => (item=constraints)
changed: [157.230.178.183] => (item=mgf1)
changed: [157.230.178.183] => (item=sshkey)
changed: [157.230.178.183] => (item=attr)
changed: [157.230.178.183] => (item=pkcs1)
changed: [157.230.178.183] => (item=resolve)
changed: [157.230.178.183] => (item=counters)
changed: [157.230.178.183] => (item=md4)
changed: [157.230.178.183] => (item=fips-prf)
changed: [157.230.178.183] => (item=dnskey)
changed: [157.230.178.183] => (item=aesni)
changed: [157.230.178.183] => (item=xcbc)
changed: [157.230.178.183] => (item=rc2)
changed: [157.230.178.183] => (item=agent)
changed: [157.230.178.183] => (item=sha1)
changed: [157.230.178.183] => (item=eap-mschapv2)

TASK [strongswan : Ensure that required plugins are enabled] **************************************************************
changed: [157.230.178.183] => (item=pubkey)
changed: [157.230.178.183] => (item=stroke)
changed: [157.230.178.183] => (item=pem)
changed: [157.230.178.183] => (item=nonce)
changed: [157.230.178.183] => (item=openssl)
changed: [157.230.178.183] => (item=kernel-netlink)
changed: [157.230.178.183] => (item=aes)
changed: [157.230.178.183] => (item=random)
changed: [157.230.178.183] => (item=pkcs7)
changed: [157.230.178.183] => (item=pkcs12)
changed: [157.230.178.183] => (item=pkcs8)
changed: [157.230.178.183] => (item=socket-default)
changed: [157.230.178.183] => (item=hmac)
changed: [157.230.178.183] => (item=x509)
changed: [157.230.178.183] => (item=revocation)
changed: [157.230.178.183] => (item=sha2)
changed: [157.230.178.183] => (item=pgp)
changed: [157.230.178.183] => (item=gcm)

TASK [strongswan : Set subjectAltName as a fact] **************************************************************************
ok: [157.230.178.183 -> localhost]

TASK [strongswan : Ensure the pki directory does not exist] ***************************************************************

TASK [strongswan : Ensure the pki directories exist] **********************************************************************
changed: [157.230.178.183 -> localhost] => (item=ecparams)
changed: [157.230.178.183 -> localhost] => (item=certs)
changed: [157.230.178.183 -> localhost] => (item=crl)
changed: [157.230.178.183 -> localhost] => (item=newcerts)
changed: [157.230.178.183 -> localhost] => (item=private)
changed: [157.230.178.183 -> localhost] => (item=public)
changed: [157.230.178.183 -> localhost] => (item=reqs)

TASK [strongswan : Ensure the config directories exist] *******************************************************************
changed: [157.230.178.183 -> localhost] => (item=apple)
changed: [157.230.178.183 -> localhost] => (item=windows)
changed: [157.230.178.183 -> localhost] => (item=manual)

TASK [strongswan : Ensure the files exist] ********************************************************************************
changed: [157.230.178.183 -> localhost] => (item=.rnd)
changed: [157.230.178.183 -> localhost] => (item=private/.rnd)
changed: [157.230.178.183 -> localhost] => (item=index.txt)
changed: [157.230.178.183 -> localhost] => (item=index.txt.attr)
changed: [157.230.178.183 -> localhost] => (item=serial)

TASK [strongswan : Generate the openssl server configs] *******************************************************************
changed: [157.230.178.183 -> localhost]

TASK [strongswan : Build the CA pair] *************************************************************************************
changed: [157.230.178.183 -> localhost]

TASK [strongswan : Copy the CA certificate] *******************************************************************************
changed: [157.230.178.183 -> localhost]

TASK [strongswan : Generate the serial number] ****************************************************************************
changed: [157.230.178.183 -> localhost]

TASK [strongswan : Build the server pair] *********************************************************************************
changed: [157.230.178.183 -> localhost]

TASK [strongswan : Build the client's pair] *******************************************************************************
changed: [157.230.178.183 -> localhost] => (item=phone)
changed: [157.230.178.183 -> localhost] => (item=laptop)
changed: [157.230.178.183 -> localhost] => (item=desktop)

TASK [strongswan : Build openssh public keys] *****************************************************************************
changed: [157.230.178.183 -> localhost] => (item=phone)
changed: [157.230.178.183 -> localhost] => (item=laptop)
changed: [157.230.178.183 -> localhost] => (item=desktop)

TASK [strongswan : Build the client's p12] ********************************************************************************
changed: [157.230.178.183 -> localhost] => (item=phone)
changed: [157.230.178.183 -> localhost] => (item=laptop)
changed: [157.230.178.183 -> localhost] => (item=desktop)

TASK [strongswan : Copy the p12 certificates] *****************************************************************************
changed: [157.230.178.183 -> localhost] => (item=phone)
changed: [157.230.178.183 -> localhost] => (item=laptop)
changed: [157.230.178.183 -> localhost] => (item=desktop)

TASK [strongswan : Get active users] **************************************************************************************
changed: [157.230.178.183 -> localhost]

TASK [strongswan : Revoke non-existing users] *****************************************************************************

TASK [strongswan : Genereate new CRL file] ********************************************************************************

TASK [strongswan : Copy the CRL to the vpn server] ************************************************************************

TASK [strongswan : Copy the keys to the strongswan directory] *************************************************************
changed: [157.230.178.183] => (item={u'dest': u'cacerts/ca.crt', u'src': u'cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [157.230.178.183] => (item={u'dest': u'certs/157.230.178.183.crt', u'src': u'certs/157.230.178.183.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [157.230.178.183] => (item={u'dest': u'private/157.230.178.183.key', u'src': u'private/157.230.178.183.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [strongswan : Register p12 PayloadContent] ***************************************************************************
changed: [157.230.178.183 -> localhost] => (item=phone)
changed: [157.230.178.183 -> localhost] => (item=laptop)
changed: [157.230.178.183 -> localhost] => (item=desktop)

TASK [strongswan : Set facts for mobileconfigs] ***************************************************************************
ok: [157.230.178.183 -> localhost]

TASK [strongswan : Build the mobileconfigs] *******************************************************************************
changed: [157.230.178.183] => (item=None)
changed: [157.230.178.183] => (item=None)
changed: [157.230.178.183] => (item=None)

TASK [strongswan : Build the client ipsec config file] ********************************************************************
changed: [157.230.178.183 -> localhost] => (item=phone)
changed: [157.230.178.183 -> localhost] => (item=laptop)
changed: [157.230.178.183 -> localhost] => (item=desktop)

TASK [strongswan : Build the client ipsec secret file] ********************************************************************
changed: [157.230.178.183 -> localhost] => (item=phone)
changed: [157.230.178.183 -> localhost] => (item=laptop)
changed: [157.230.178.183 -> localhost] => (item=desktop)

TASK [strongswan : Build the windows client powershell script] ************************************************************

TASK [strongswan : Restrict permissions for the local private directories] ************************************************
ok: [157.230.178.183 -> localhost]

TASK [strongswan : strongSwan started] ************************************************************************************
ok: [157.230.178.183]

RUNNING HANDLER [dns_adblocking : restart apparmor] ***********************************************************************
changed: [157.230.178.183]

RUNNING HANDLER [dns_adblocking : daemon-reload] **************************************************************************
ok: [157.230.178.183]

RUNNING HANDLER [strongswan : restart strongswan] *************************************************************************
changed: [157.230.178.183]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ***********************************************

TASK [ssh_tunneling : Ensure that the algo group exist] *******************************************************************

TASK [ssh_tunneling : Ensure that the jail directory exist] ***************************************************************

TASK [ssh_tunneling : Ensure that the SSH users exist] ********************************************************************

TASK [ssh_tunneling : Clean up the ssh-tunnel directory] ******************************************************************

TASK [ssh_tunneling : Ensure the config directories exist] ****************************************************************

TASK [ssh_tunneling : Check if the private keys exist] ********************************************************************

TASK [ssh_tunneling : Build ssh private keys] *****************************************************************************

TASK [ssh_tunneling : Build ssh public keys] ******************************************************************************

TASK [ssh_tunneling : Build the client ssh config] ************************************************************************

TASK [ssh_tunneling : The authorized keys file created] *******************************************************************

TASK [ssh_tunneling : Get active users] ***********************************************************************************

TASK [ssh_tunneling : Delete non-existing users] **************************************************************************

TASK [Delete the CA key] **************************************************************************************************
fatal: [157.230.178.183]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ipsec_pki_path' is undefined\n\nThe error appears to have been in '/home/ed/src/algo/server.yml': line 40, column 11, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n - block:\n - name: Delete the CA key\n ^ here\n"}

TASK [include_tasks] ******************************************************************************************************
included: /home/ed/src/algo/playbooks/rescue.yml for 157.230.178.183

TASK [debug] **************************************************************************************************************
ok: [157.230.178.183] => {
"fail_hint": [
"Sorry, but something went wrong!",
"Please check the troubleshooting guide.",
"https://trailofbits.github.io/algo/troubleshooting.html"
]
}

TASK [fail] ***************************************************************************************************************
fatal: [157.230.178.183]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP ****************************************************************************************************************
157.230.178.183 : ok=116 changed=80 unreachable=0 failed=2
localhost : ok=36 changed=6 unreachable=0 failed=0

(env) ➜ algo git:(master)

@ejheil

ejheil commented Apr 9, 2019

FWIW, it works fine if you don't delete the key

@anschoewe

I encountered this same error today installing on Azure

@jackivanov jackivanov self-assigned this Apr 9, 2019
@jackivanov jackivanov added the bug label Apr 9, 2019
@brindu

brindu commented Apr 10, 2019

I encountered the same issue today deploying on my own Ubuntu 18.04 server.

@nealevans

Quick fix: change line 43 in server.yml to the following:

path: "configs/{{ IP_subject_alt_name }}/pki/private/cakey.pem"
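The quick fix above hardcodes the CA key path so the "Delete the CA key" task can actually run. The following is an added post-run check, not algo project code, that verifies what that task is meant to achieve: the CA private key is gone from the local `configs/<ip>/pki` tree while the CA certificate, the server pair and the 0600 mode on the server key remain. The directory layout is assumed from the log and the quick-fix path; the server address and file contents are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added post-run check, not algo project code. Assumed local PKI layout,
# taken from the log above and the quick-fix path:
#   configs/<ip>/pki/cacert.pem, pki/certs/<ip>.crt, pki/private/<ip>.key
#   configs/<ip>/pki/private/cakey.pem  <- must be gone after the run
# Removing cakey.pem is what stops a later compromise of the local machine
# from minting further client certificates trusted by the VPN server.

def check_pki_after_run(configs_dir, server_ip):
    """Return (ok, findings) for the deployed server's local PKI tree."""
    pki = Path(configs_dir) / server_ip / "pki"
    findings = []
    ca_key = pki / "private" / "cakey.pem"
    if ca_key.exists():
        findings.append(f"CA private key still present: {ca_key}")
    server_key = pki / "private" / f"{server_ip}.key"
    for path in (pki / "cacert.pem", pki / "certs" / f"{server_ip}.crt", server_key):
        if not path.exists():
            findings.append(f"missing: {path}")
    if server_key.exists():
        # Mirrors the 0600 mode the playbook applies when copying the keys.
        mode = stat.S_IMODE(os.stat(server_key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{server_key} is group/world accessible ({mode:o})")
    return (not findings), findings

def demo(delete_ca_key):
    """Build a constructed PKI tree in a temp dir and run the check on it."""
    server_ip = "203.0.113.10"  # constructed documentation address
    with tempfile.TemporaryDirectory() as tmp:
        pki = Path(tmp) / server_ip / "pki"
        for sub in ("certs", "private"):
            (pki / sub).mkdir(parents=True)
        (pki / "cacert.pem").write_text("constructed CA cert\n")
        (pki / "certs" / f"{server_ip}.crt").write_text("constructed server cert\n")
        key = pki / "private" / f"{server_ip}.key"
        key.write_text("constructed server key\n")
        key.chmod(0o600)
        if not delete_ca_key:
            (pki / "private" / "cakey.pem").write_text("constructed CA key\n")
        return check_pki_after_run(tmp, server_ip)
```

`demo(True)` models a run where the delete step succeeded and returns `(True, [])`; `demo(False)` models this issue, where the key was left behind, and reports it.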

@rampageservices

+1 same error on ec2, with delete key option selected

6 participants