hello,
no, I did not set this up. I cannot contact the person who did.
Indeed, it would be better to start over from scratch.
Still, I would like to understand what went wrong.
I do see in the OpenVPN docs the advice to copy easy-rsa away from
/usr/local/openvpn so as not to be
overwritten by updates.
So maybe that's what happened.
Greetings, J.
On 21-01-14 15:02, Jan Just Keijser wrote:
Hi Johan,
Johan Vermeulen wrote:
yes. against better judgment, I'm trying everything that has "key"
written in it, e.g.
/data0/etc/ssl/servercerts/serverkey.pem
did you set this up originally? if not, perhaps you can ask the person
who did? there is an off-chance that the original ca.key was included
in the ca.pem file (which is **extremely** bad, BTW).
Also, you could consider scratching the current setup and starting
fresh - your existing clients will still be able to connect (if you do
this right) and you could then replace certificates with certs signed
using the new CA. This might be easier & quicker than trying to hunt
down the original ca.key file.
HTH,
JJK
On 21-01-14 14:23, Joe Patterson wrote:
The directory listing you sent me earlier had
/usr/share/openvpn/easy-rsa/2.0/keys/ca.key and ca.key.orig.
-Joe
On Tue, Jan 21, 2014 at 8:22 AM, Johan Vermeulen
<jvermeu...@cawdekempen.be> wrote:
hello,
I'm unable to find the key.pem or the *.key
What I don't understand is: I do have a backup.
And the setup on the original Opensuse-server is still there,
from different versions of Openvpn
I just can't find the keys.
I don't understand it.
minas:~ # locate easy-rsa
/data0/usr/share/openvpn/easy-rsa
/data0/usr/share/openvpn/easy-rsa/2.0
/data0/usr/share/openvpn/easy-rsa/2.0/build-ca
/data0/usr/share/openvpn/easy-rsa/2.0/build-dh
/data0/usr/share/openvpn/easy-rsa/2.0/build-inter
/data0/usr/share/openvpn/easy-rsa/2.0/build-key
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-server
/data0/usr/share/openvpn/easy-rsa/2.0/build-req
/data0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/data0/usr/share/openvpn/easy-rsa/2.0/clean-all
/data0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/data0/usr/share/openvpn/easy-rsa/2.0/list-crl
/data0/usr/share/openvpn/easy-rsa/2.0/Makefile
/data0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/data0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/data0/usr/share/openvpn/easy-rsa/2.0/pkitool
/data0/usr/share/openvpn/easy-rsa/2.0/README
/data0/usr/share/openvpn/easy-rsa/2.0/revoke-full
/data0/usr/share/openvpn/easy-rsa/2.0/sign-req
/data0/usr/share/openvpn/easy-rsa/2.0/vars
/data0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
/data0/usr/share/openvpn/easy-rsa/build-ca
/data0/usr/share/openvpn/easy-rsa/build-dh
/data0/usr/share/openvpn/easy-rsa/build-inter
/data0/usr/share/openvpn/easy-rsa/build-key
/data0/usr/share/openvpn/easy-rsa/build-key-pass
/data0/usr/share/openvpn/easy-rsa/build-key-pkcs12
/data0/usr/share/openvpn/easy-rsa/build-key-server
/data0/usr/share/openvpn/easy-rsa/build-req
/data0/usr/share/openvpn/easy-rsa/build-req-pass
/data0/usr/share/openvpn/easy-rsa/clean-all
/data0/usr/share/openvpn/easy-rsa/list-crl
/data0/usr/share/openvpn/easy-rsa/make-crl
/data0/usr/share/openvpn/easy-rsa/openssl.cnf
/data0/usr/share/openvpn/easy-rsa/README
/data0/usr/share/openvpn/easy-rsa/revoke-crt
/data0/usr/share/openvpn/easy-rsa/revoke-full
/data0/usr/share/openvpn/easy-rsa/sign-req
/data0/usr/share/openvpn/easy-rsa/vars
/data0/usr/share/openvpn/easy-rsa/Windows
/data0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
/data0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
/data0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
/data0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
/data0/usr/share/openvpn/easy-rsa/Windows/README.txt
/data0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
/data0/usr/share/openvpn/easy-rsa/Windows/serial.start
/data0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
/data/md0/usr/share/openvpn/easy-rsa
/data/md0/usr/share/openvpn/easy-rsa/2.0
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-ca
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-dh
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-inter
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-server
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-req
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/data/md0/usr/share/openvpn/easy-rsa/2.0/clean-all
/data/md0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/data/md0/usr/share/openvpn/easy-rsa/2.0/list-crl
/data/md0/usr/share/openvpn/easy-rsa/2.0/Makefile
/data/md0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/data/md0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/data/md0/usr/share/openvpn/easy-rsa/2.0/pkitool
/data/md0/usr/share/openvpn/easy-rsa/2.0/README
/data/md0/usr/share/openvpn/easy-rsa/2.0/revoke-full
/data/md0/usr/share/openvpn/easy-rsa/2.0/sign-req
/data/md0/usr/share/openvpn/easy-rsa/2.0/vars
/data/md0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
/data/md0/usr/share/openvpn/easy-rsa/build-ca
/data/md0/usr/share/openvpn/easy-rsa/build-dh
/data/md0/usr/share/openvpn/easy-rsa/build-inter
/data/md0/usr/share/openvpn/easy-rsa/build-key
/data/md0/usr/share/openvpn/easy-rsa/build-key-pass
/data/md0/usr/share/openvpn/easy-rsa/build-key-pkcs12
/data/md0/usr/share/openvpn/easy-rsa/build-key-server
/data/md0/usr/share/openvpn/easy-rsa/build-req
/data/md0/usr/share/openvpn/easy-rsa/build-req-pass
/data/md0/usr/share/openvpn/easy-rsa/clean-all
/data/md0/usr/share/openvpn/easy-rsa/list-crl
/data/md0/usr/share/openvpn/easy-rsa/make-crl
/data/md0/usr/share/openvpn/easy-rsa/openssl.cnf
/data/md0/usr/share/openvpn/easy-rsa/README
/data/md0/usr/share/openvpn/easy-rsa/revoke-crt
/data/md0/usr/share/openvpn/easy-rsa/revoke-full
/data/md0/usr/share/openvpn/easy-rsa/sign-req
/data/md0/usr/share/openvpn/easy-rsa/vars
/data/md0/usr/share/openvpn/easy-rsa/Windows
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
/data/md0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/README.txt
/data/md0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/serial.start
/data/md0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
/usr/share/openvpn/easy-rsa
/usr/share/openvpn/easy-rsa/1.0
/usr/share/openvpn/easy-rsa/1.0/build-ca
/usr/share/openvpn/easy-rsa/1.0/build-dh
/usr/share/openvpn/easy-rsa/1.0/build-inter
/usr/share/openvpn/easy-rsa/1.0/build-key
/usr/share/openvpn/easy-rsa/1.0/build-key-pass
/usr/share/openvpn/easy-rsa/1.0/build-key-pkcs12
/usr/share/openvpn/easy-rsa/1.0/build-key-server
/usr/share/openvpn/easy-rsa/1.0/build-req
/usr/share/openvpn/easy-rsa/1.0/build-req-pass
/usr/share/openvpn/easy-rsa/1.0/clean-all
/usr/share/openvpn/easy-rsa/1.0/list-crl
/usr/share/openvpn/easy-rsa/1.0/make-crl
/usr/share/openvpn/easy-rsa/1.0/openssl.cnf
/usr/share/openvpn/easy-rsa/1.0/README
/usr/share/openvpn/easy-rsa/1.0/revoke-crt
/usr/share/openvpn/easy-rsa/1.0/revoke-full
/usr/share/openvpn/easy-rsa/1.0/sign-req
/usr/share/openvpn/easy-rsa/1.0/vars
/usr/share/openvpn/easy-rsa/2.0
/usr/share/openvpn/easy-rsa/2.0/build-ca
/usr/share/openvpn/easy-rsa/2.0/build-dh
/usr/share/openvpn/easy-rsa/2.0/build-inter
/usr/share/openvpn/easy-rsa/2.0/build-key
/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/usr/share/openvpn/easy-rsa/2.0/build-key-server
/usr/share/openvpn/easy-rsa/2.0/build-req
/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/usr/share/openvpn/easy-rsa/2.0/clean-all
/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/usr/share/openvpn/easy-rsa/2.0/list-crl
/usr/share/openvpn/easy-rsa/2.0/Makefile
/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/usr/share/openvpn/easy-rsa/2.0/pkitool
/usr/share/openvpn/easy-rsa/2.0/README
/usr/share/openvpn/easy-rsa/2.0/revoke-full
/usr/share/openvpn/easy-rsa/2.0/sign-req
/usr/share/openvpn/easy-rsa/2.0/vars
/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
On 21-01-14 13:08, Joe Patterson wrote:
openssl x509 -noout -modulus -in ca.pem
then look for a key where the output of:
openssl rsa -noout -modulus -in file.key
matches.
-Joe
On Tue, Jan 21, 2014 at 6:43 AM, Johan Vermeulen
<jvermeu...@cawdekempen.be> wrote:
hello All,
thanks again for helping me out, this is great.
So getting a ca.pem from a backup, and a client certificate
that was made before the trouble, I get:
[root@caw-server1 keys]# openssl verify -CAfile ca.pem
elien-crt.pem /etc/pki/tls/certs/servercert.pem
elien-crt.pem: OK
/etc/pki/tls/certs/servercert.pem: OK
Any other combination would give me EM:
error 20 at 0 depth lookup:unable to get local issuer
certificate
Does this mean I have the right ca.crt ( ca.pem)?
Can I look for the right ca.key the same way?
greetings, J.
On 21-01-14 11:43, Jan Just Keijser wrote:
Hi Johan,
Johan Vermeulen wrote:
Dear All,
since a long time we have an Openvpn-server, now on
Centos6,
originally set up on OpenSuse
[root@caw-server1 2.0]# rpm -qa openvpn
openvpn-2.3.1-3.el6.x86_64
It is very reliable, and my only activity on it is
generating new client keys.
Not sure what happened -- a ./clean-all could have been
run on it -- but since last week, I'm unable to generate
new client keys.
[root@caw-server1 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on
/usr/share/openvpn/easy-rsa/2.0/keys
[root@caw-server1 2.0]# ./build-key testjohan
pkitool: Need a readable ca.crt and ca.key in
/usr/share/openvpn/easy-rsa/2.0/keys
Try pkitool --initca to build a root certificate/key.
look inside the directory
/usr/share/openvpn/easy-rsa/2.0/keys
and see if you can find a ca.crt and ca.key file there;
you can post an 'ls -l' if you like.
If they are not there then a './clean-all' was run most
likely. I hope you have a backup somewhere :)
The EM is straightforward enough, but I'm unsure on how
to proceed.
As far as I can tell the important files are in
/etc/pki/tls/certs/ :
[root@caw-server1 certs]# ls
ca-bundle.crt ca-bundle.trust.crt ca.pem make-dummy-cert
Makefile servercert.pem serverkey.pem slapd.pem
as is reflected in /etc/openvpn/server.conf :
ca /etc/pki/tls/certs/ca.pem
cert /etc/pki/tls/certs/servercert.pem
key /etc/pki/tls/certs/serverkey.pem
These are the keys used for openvpn ; key management
(generation) is separated from key usage by OpenVPN; the
ca.pem and servercert+serverkey are not sufficient to
generate new client keys. You will need a ca.crt (or
ca.pem) and ca.key file for that.
HTH,
JJK
PS The openssl version does not matter in this case, as
CentOS 6 is new enough; you could/should consider
upgrading to 6.5, however.
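The steps suggested in this thread (compare the modulus of the CA certificate against every candidate key file, verify that an existing client certificate really was issued by that CA, and check whether a ca.pem accidentally bundles the private key) can be scripted. The following POSIX shell script is an added example and is not code from this thread or from the OpenVPN / easy-rsa project. It builds a throwaway CA, one client certificate and one unrelated key in a temporary directory (all constructed sample data, not the files discussed above), so it runs offline; it assumes an `openssl` binary on PATH and RSA keys, which is what easy-rsa 2.0 generates. The function names, the temporary-directory layout and the subject names are my own choices.

```shell
#!/bin/sh
# Constructed sample PKI in a scratch directory (not the thread's real files).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA key and self-signed CA certificate (this is what build-ca produces).
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 \
    -subj "/CN=example-ca" 2>/dev/null
# An unrelated key, standing in for a serverkey.pem that does NOT belong to the CA.
openssl genrsa -out "$WORK/serverkey.pem" 2048 2>/dev/null
# A client certificate issued by the CA (what build-key produces).
openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
openssl req -new -key "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=client1" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/client.pem" -days 1 2>/dev/null

# Modulus of the RSA public key inside a certificate ("Modulus=..." line).
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }

# Modulus of an RSA private key. A deliberately wrong passphrase is supplied so
# an encrypted key (build-key-pass) fails fast instead of prompting; it is
# simply skipped. Non-key files (certs, CSRs, serial files) also fail and are skipped.
key_modulus() { openssl rsa -noout -modulus -in "$1" -passin pass:not-the-passphrase 2>/dev/null; }

# Print every regular file under $2 whose private key matches the CA cert $1.
# Returns 2 when the cert cannot be read or is not an RSA certificate.
find_matching_keys() {
    ca_cert=$1; dir=$2
    want=$(cert_modulus "$ca_cert") || return 2
    case $want in Modulus=*) ;; *) return 2 ;; esac
    find "$dir" -type f | while read -r f; do
        got=$(key_modulus "$f") || continue
        if [ "$got" = "$want" ]; then printf '%s\n' "$f"; fi
    done
}

# True when a PEM file carries a private key block (a CA cert handed to clients
# must never contain one).
pem_has_private_key() { grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# True when certificate $2 chains to CA certificate $1 (openssl verify -CAfile).
verify_issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Demonstration run.
printf 'Candidate CA key files matching ca.pem:\n'
find_matching_keys "$WORK/ca.pem" "$WORK"
if pem_has_private_key "$WORK/ca.pem"; then
    echo "WARNING: ca.pem bundles a private key; do not distribute it to clients"
fi
if verify_issued_by "$WORK/ca.pem" "$WORK/client.pem"; then
    echo "client.pem was issued by ca.pem"
fi
```

Point `find_matching_keys` at a real backup tree (for example the `keys/` directory under an easy-rsa copy) and it reports only the files whose modulus equals the CA certificate's; an empty result means the CA key is not among them. `verify_issued_by` answers the earlier question in the thread: a client certificate that verifies against a candidate ca.pem confirms that ca.pem is the right CA certificate, but it says nothing about where the CA key is, which is why the modulus comparison is the separate step.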
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything
In Between.
Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users