> On 08/08/17 21:50, Mio Vlahović wrote:
>> On 08.08.2017 21:47, David Sommerseth wrote:
>>> On 08/08/17 21:28, Mio Vlahović wrote:
>>>> On 08.08.2017 21:13, David Sommerseth wrote:
>>>>> On 08/08/17 20:34, Leonardo Rodrigues wrote:
>>>>>>
>>>>>> You very likely created your certificates with MD5 hashing, which
>>>>>> was disabled on newer OpenSSL versions of CentOS.
>>>>>>
>>>>>> Try:
>>>>>>
>>>>>> export NSS_HASH_ALG_SUPPORT=+MD5
>>>>>> export OPENSSL_ENABLE_MD5_VERIFY=1
>>>>>>
>>>>>> before starting your OpenVPN daemon and watch if that makes clients
>>>>>> connect again ...
>>>>> DON'T DO THAT.
>>>>>
>>>>> MD5 based certificates are broken. If you still use them, upgrade them
>>>>> NOW. And this knowledge about the brokenness dates back to 2005.
>>>>>
>>>> <http://eprint.iacr.org/2005/067.pdf>
>>>> <http://eprint.iacr.org/2005/102.pdf>
>>>>
>>>> Anyone using MD5 and re-enables them in the SSL libraries will put their
>>>> VPN's security at risk.
>>>>
>>>> No worries, I don't use MD5, but disabling crl_verify as suggested did
>>>> the trick. Now I still have the issue with generating new certificates.
>>>>
>>>> I will quote myself again
>>>> "One update... I can no longer generate new certificates. It seems that
>>>> whichopensslcnf scripts can't find openssl.cnf (which is there in the
>>>> same directory...)
>>>>
>>>> [root@vpn 2.0]# pwd
>>>> /etc/openvpn/easy-rsa/2.0
>>>> [root@vpn 2.0]# ls -la
>>>> drwx------. 3 nobody nobody  4096 Aug  8 20:25 .
>>>> drwx------. 3 nobody nobody    33 Feb  6  2016 ..
>>>> -rwx------. 1 nobody nobody   119 Feb  6  2016 build-ca
>>>> -rwx------. 1 nobody nobody   352 Feb  6  2016 build-dh
>>>> -rwx------. 1 nobody nobody   188 Feb  6  2016 build-inter
>>>> -rwx------. 1 nobody nobody   163 Feb  6  2016 build-key
>>>> -rwx------. 1 nobody nobody   157 Feb  6  2016 build-key-pass
>>>> -rwx------. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
>>>> -rwx------. 1 nobody nobody   268 Feb  6  2016 build-key-server
>>>> -rwx------. 1 nobody nobody   213 Feb  6  2016 build-req
>>>> -rwx------. 1 nobody nobody   158 Feb  6  2016 build-req-pass
>>>> -rwx------. 1 nobody nobody   449 Feb  6  2016 clean-all
>>>> -rwx------. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
>>>> -rwx------. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
>>>> drwx------  2 nobody nobody 36864 Jul 26 15:07 keys
>>>> -rwx------. 1 nobody nobody   302 Feb  6  2016 list-crl
>>>> -rwx------. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
>>>> -rwx------. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
>>>> -rwx------  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
>>>> -rwx------  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
>>>> -rwx------. 1 nobody nobody 12966 Feb  6  2016 pkitool
>>>> -rwx------. 1 nobody nobody   928 Feb  6  2016 revoke-full
>>>> -rwx------. 1 nobody nobody   178 Feb  6  2016 sign-req
>>>> -rwx------  1 nobody nobody  2138 Aug  8 20:25 vars
>>>> -rwx------. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf
>>>>
>>>> root@vpn 2.0]# ./build-key xxx
>>>> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
>>>> No such file or directory
>>>> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
>>>> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
>>>> /etc/openvpn/easy-rsa/2.0
>>>> The correct version should have a comment that says: easy-rsa version 2.x"
>>>
>>> Did you remember to source the ./vars file first?
>>>
>>> $ . ./vars
>>>
>>> (yes, a single dot and then ./vars)
>>>
>>>
>>
>> Yes I did, same result... any other hints?
>>
>> Regards!
>>
May I suggest running the script with shell debug enabled (sh -x build-key xxx)?
Sometimes it helps me to find the error.

Marco

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
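The grep error quoted in the thread ("grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0: No such file or directory") shows that KEY_CONFIG held two space-separated paths, which pkitool then passed to grep as a single filename. The script below is an added example, not easy-rsa's own code: it re-creates the kind of sanity check pkitool's messages imply (one readable file carrying the "easy-rsa version 2.x" comment) and reports separately the multi-word case that produced the error above. The function name, the exact check order, and the temporary fixture directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of easy-rsa: validate a KEY_CONFIG value before
# running build-key, distinguishing "two paths in one variable" from
# "file missing" and "wrong config version". Exit codes are assumed.

check_key_config() {
    # $1 is the value of KEY_CONFIG exactly as ./vars exported it.
    cfg="$1"

    # Count whitespace-separated words. pkitool quotes "$KEY_CONFIG", so a
    # value like "/path/openssl.cnf /path" reaches grep as ONE filename that
    # contains a space, which is why grep reports "No such file or directory".
    set -- $cfg
    if [ "$#" -ne 1 ]; then
        echo "KEY_CONFIG holds $# words, expected a single path: '$cfg'" >&2
        echo "hint: check what whichopensslcnf prints and how ./vars assigns KEY_CONFIG" >&2
        return 2
    fi

    if [ ! -r "$cfg" ]; then
        echo "KEY_CONFIG does not point to a readable file: $cfg" >&2
        return 3
    fi

    # The shipped openssl-*.cnf files carry a version comment; a config
    # without it is what pkitool's "wrong version" message refers to.
    if ! grep -q 'easy-rsa version 2\.[0-9]' "$cfg"; then
        echo "KEY_CONFIG points to the wrong version of openssl.cnf: $cfg" >&2
        return 4
    fi
    return 0
}

# --- constructed demo fixture in a temp dir (removed on exit) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '# easy-rsa version 2.0\n[ ca ]\n' > "$demo_dir/openssl.cnf"
printf '[ ca ]\n' > "$demo_dir/no-comment.cnf"

check_key_config "$demo_dir/openssl.cnf" && echo "ok: single valid path"
check_key_config "$demo_dir/openssl.cnf $demo_dir" || echo "rejected: two words in KEY_CONFIG"
check_key_config "$demo_dir/no-comment.cnf" || echo "rejected: missing version comment"
```

After sourcing ./vars, `check_key_config "$KEY_CONFIG"` reproduces the same three outcomes against the real configuration; the two-word case is the one to look for first when the grep error names two paths.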