This may be a stupid question but...
Do any of the openssl cnf files have a comment in them that says "easy-rsa
version 2.x"?
If you do 'echo $KEY_CONFIG', what does it say?
Thanks,
-Joe
On Tue, Aug 8, 2017 at 4:03 PM Mio Vlahović <mio.vlaho...@bcs.hr> wrote:
> On 08.08.2017 21:47, David Sommerseth wrote:
> > On 08/08/17 21:28, Mio Vlahović wrote:
> >> On 08.08.2017 21:13, David Sommerseth wrote:
> >>> On 08/08/17 20:34, Leonardo Rodrigues wrote:
> >>>>
> >>>> You very likely created your certificates with MD5 hashing, which
> >>>> was disabled on newer OpenSSL versions of CentOS.
> >>>>
> >>>> Try:
> >>>>
> >>>> export NSS_HASH_ALG_SUPPORT=+MD5
> >>>> export OPENSSL_ENABLE_MD5_VERIFY=1
> >>>>
> >>>> before starting your OpenVPN daemon and watch if that makes
> >>>> clients connect again ...
> >>> DON'T DO THAT.
> >>>
> >>> MD5 based certificates are broken. If you still use them, upgrade them
> >>> NOW. And this knowledge about the brokenness dates back to 2005.
> >>>
> >>> <http://eprint.iacr.org/2005/067.pdf>
> >>> <http://eprint.iacr.org/2005/102.pdf>
> >>>
> >>> Anyone using MD5 and re-enabling it in the SSL libraries will put
> >>> their VPN's security at risk.
> >>
> >> No worries, I don't use MD5, but disabling crl_verify as suggested did
> >> the trick. Now I still have the issue with generating new certificates.
> >>
> >> I will quote myself again
> >> "One update... I can no longer generate new certificates. It seems that
> >> the whichopensslcnf script can't find openssl.cnf (which is there in the
> >> same directory...)
> >>
> >> [root@vpn 2.0]# pwd
> >> /etc/openvpn/easy-rsa/2.0
> >> [root@vpn 2.0]# ls -la
> >> drwx------. 3 nobody nobody 4096 Aug 8 20:25 .
> >> drwx------. 3 nobody nobody 33 Feb 6 2016 ..
> >> -rwx------. 1 nobody nobody 119 Feb 6 2016 build-ca
> >> -rwx------. 1 nobody nobody 352 Feb 6 2016 build-dh
> >> -rwx------. 1 nobody nobody 188 Feb 6 2016 build-inter
> >> -rwx------. 1 nobody nobody 163 Feb 6 2016 build-key
> >> -rwx------. 1 nobody nobody 157 Feb 6 2016 build-key-pass
> >> -rwx------. 1 nobody nobody 249 Feb 6 2016 build-key-pkcs12
> >> -rwx------. 1 nobody nobody 268 Feb 6 2016 build-key-server
> >> -rwx------. 1 nobody nobody 213 Feb 6 2016 build-req
> >> -rwx------. 1 nobody nobody 158 Feb 6 2016 build-req-pass
> >> -rwx------. 1 nobody nobody 449 Feb 6 2016 clean-all
> >> -rwx------. 1 nobody nobody 424 Feb 6 2016 dh2048.pem
> >> -rwx------. 1 nobody nobody 1471 Feb 6 2016 inherit-inter
> >> drwx------ 2 nobody nobody 36864 Jul 26 15:07 keys
> >> -rwx------. 1 nobody nobody 302 Feb 6 2016 list-crl
> >> -rwx------. 1 nobody nobody 7791 Feb 6 2016 openssl-0.9.6.cnf
> >> -rwx------. 1 nobody nobody 8348 Feb 6 2016 openssl-0.9.8.cnf
> >> -rwx------ 1 nobody nobody 8247 Aug 8 18:37 openssl-1.0.0.cnf
> >> -rwx------ 1 nobody nobody 8247 Aug 8 19:14 openssl.cnf
> >> -rwx------. 1 nobody nobody 12966 Feb 6 2016 pkitool
> >> -rwx------. 1 nobody nobody 928 Feb 6 2016 revoke-full
> >> -rwx------. 1 nobody nobody 178 Feb 6 2016 sign-req
> >> -rwx------ 1 nobody nobody 2138 Aug 8 20:25 vars
> >> -rwx------. 1 nobody nobody 740 Feb 6 2016 whichopensslcnf
> >>
> >> [root@vpn 2.0]# ./build-key xxx
> >> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
> >> No such file or directory
> >> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> >> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
> >> /etc/openvpn/easy-rsa/2.0
> >> The correct version should have a comment that says: easy-rsa version 2.x"
> >
> > Did you remember to source the ./vars file first?
> >
> > $ . ./vars
> >
> > (yes, a single dot and then ./vars)
> >
> >
>
> Yes I did, same result... any other hints?
>
> Regards!
>
>
> --
> Mio Vlahović
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
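Two offline checks for the problems discussed in this thread, added here as an example; this is not code from the thread, from easy-rsa or from OpenVPN. The first reproduces the sanity check pkitool runs on KEY_CONFIG (the version-comment grep whose failure text is quoted above) and explains each way it can fail, including a value that expands to two words, which is exactly what the quoted "grep: <path> <path>: No such file or directory" line shows. The second classifies a certificate's signature algorithm and scans an easy-rsa keys/ directory for MD5 (and SHA-1) signed certificates, the alternative to re-enabling MD5 in the library. The directory, file names and file contents in the demo are constructed; the grep pattern and the "For use with easy-rsa version 2.0" header follow what easy-rsa 2.x ships, and the scan needs the openssl binary (it skips itself if that is missing).

```shell
#!/bin/sh
# Added example, not code from this thread or from easy-rsa/OpenVPN.
#   1. check_key_config: the sanity check easy-rsa 2.x's pkitool runs on
#      KEY_CONFIG before signing anything, with a clearer diagnosis.
#   2. weak_sig_alg / scan_keys_dir: find certificates in an easy-rsa keys/
#      directory signed with MD5 (or SHA-1), instead of re-enabling MD5.
# Paths, file names and file contents in the demo are constructed.

# check_key_config VALUE
# VALUE is examined as one string, exactly as pkitool's quoted "$KEY_CONFIG"
# is. Returns 0 if it names a usable easy-rsa 2.x openssl.cnf, 1 otherwise.
check_key_config() {
    kc=$1
    if [ -z "$kc" ]; then
        echo "KEY_CONFIG is empty: run '. ./vars' in the easy-rsa directory first"
        return 1
    fi
    case $kc in
        *" "*)
            # Produces "grep: <path> <path>: No such file or directory":
            # the value is two words, so grep is handed one bogus file name.
            echo "KEY_CONFIG holds more than one word: '$kc'"
            echo "  fix the KEY_CONFIG line in ./vars so it expands to a single path"
            return 1 ;;
    esac
    if [ ! -f "$kc" ]; then
        echo "KEY_CONFIG points to a missing file: $kc"
        return 1
    fi
    # pkitool looks for the version comment with this pattern.
    if ! grep -qi 'easy-rsa version 2\.[0-9]' "$kc"; then
        echo "$kc has no 'easy-rsa version 2.x' comment; wrong openssl.cnf"
        return 1
    fi
    echo "KEY_CONFIG looks usable: $kc"
}

# weak_sig_alg ALG
# ALG as printed by 'openssl x509 -noout -text' (e.g. md5WithRSAEncryption).
# Returns 0 for MD5 (the broken case in the thread) and for SHA-1, which is
# likewise no longer acceptable for certificate signatures.
weak_sig_alg() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        md5*|md4*|md2*|sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_sig_alg CERT.pem: print the certificate's signature algorithm name.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sed 1q
}

# scan_keys_dir DIR: report every *.crt under DIR; returns 1 if any is weak.
scan_keys_dir() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping scan"; return 2; }
    rc=0
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        alg=$(cert_sig_alg "$crt")
        if weak_sig_alg "$alg"; then
            echo "WEAK  $crt ($alg): reissue from a SHA-256 CA, do not re-enable MD5"
            rc=1
        else
            echo "ok    $crt ($alg)"
        fi
    done
    return $rc
}

# Demo on constructed files. The header line is modelled on the comment
# easy-rsa 2.0 ships at the top of its openssl-1.0.0.cnf.
demo=$(mktemp -d)
printf '# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*\n[ ca ]\n' > "$demo/openssl-1.0.0.cnf"
printf '[ ca ]\ndefault_ca = CA_default\n' > "$demo/openssl-stock.cnf"
for value in "" "$demo/openssl-1.0.0.cnf $demo" "$demo/openssl-stock.cnf" "$demo/openssl-1.0.0.cnf"; do
    check_key_config "$value" || :
done
mkdir "$demo/keys"
scan_keys_dir "$demo/keys" || :    # empty here; point it at your own keys/
rm -rf "$demo"
```

To use it against a real installation, source ./vars, then run check_key_config "$KEY_CONFIG" and scan_keys_dir "$KEY_DIR" from the easy-rsa directory; any WEAK line means the CA or that certificate has to be reissued, not the hash re-enabled.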