> On 08/08/17 21:50, Mio Vlahović wrote:
>> On 08.08.2017 21:47, David Sommerseth wrote:
>>> On 08/08/17 21:28, Mio Vlahović wrote:
>>>> On 08.08.2017 21:13, David Sommerseth wrote:
>>>>> On 08/08/17 20:34, Leonardo Rodrigues wrote:
>>>>>>
>>>>>>       You very likely created your certificated with MD5 hashing, which
>>>>>> was disabled on newer OpenSSL versions of CentOS.
>>>>>>
>>>>>>       Try:
>>>>>>
>>>>>> export NSS_HASH_ALG_SUPPORT=+MD5
>>>>>> export OPENSSL_ENABLE_MD5_VERIFY=1
>>>>>>
>>>>>>       before starting your OpenVPN daemon and watch if that makes clients
>>>>>> connect again ...
>>>>> DON'T DO THAT.
>>>>>
>>>>> MD5 based certificates are broken.  If you still use them, upgrade them
>>>>> NOW.  And this knowledge about the brokenness dates back to 2005.
>>>>>
>>>> <http://eprint.iacr.org/2005/067.pdf>
>>>> <http://eprint.iacr.org/2005/102.pdf>
>>>>
>>>> Anyone using MD5 and re-enables them in the SSL libraries will put their
>>>> VPN's security at risk.
>>>>
>>>> No worries, I don't use MD5, but disabling crl_verify as suggested did
>>>> the trick. Now I still have the issue with generating new certificates.
>>>>
>>>> I will quote myself again
>>>> "One update... I can no longer generate new certificates. It seems that
>>>> the whichopensslcnf script can't find openssl.cnf (which is there in the
>>>> same directory...)
>>>>
>>>> [root@vpn 2.0]# pwd
>>>> /etc/openvpn/easy-rsa/2.0
>>>> [root@vpn 2.0]# ls -la
>>>> drwx------. 3 nobody nobody  4096 Aug  8 20:25 .
>>>> drwx------. 3 nobody nobody    33 Feb  6  2016 ..
>>>> -rwx------. 1 nobody nobody   119 Feb  6  2016 build-ca
>>>> -rwx------. 1 nobody nobody   352 Feb  6  2016 build-dh
>>>> -rwx------. 1 nobody nobody   188 Feb  6  2016 build-inter
>>>> -rwx------. 1 nobody nobody   163 Feb  6  2016 build-key
>>>> -rwx------. 1 nobody nobody   157 Feb  6  2016 build-key-pass
>>>> -rwx------. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
>>>> -rwx------. 1 nobody nobody   268 Feb  6  2016 build-key-server
>>>> -rwx------. 1 nobody nobody   213 Feb  6  2016 build-req
>>>> -rwx------. 1 nobody nobody   158 Feb  6  2016 build-req-pass
>>>> -rwx------. 1 nobody nobody   449 Feb  6  2016 clean-all
>>>> -rwx------. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
>>>> -rwx------. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
>>>> drwx------  2 nobody nobody 36864 Jul 26 15:07 keys
>>>> -rwx------. 1 nobody nobody   302 Feb  6  2016 list-crl
>>>> -rwx------. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
>>>> -rwx------. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
>>>> -rwx------  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
>>>> -rwx------  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
>>>> -rwx------. 1 nobody nobody 12966 Feb  6  2016 pkitool
>>>> -rwx------. 1 nobody nobody   928 Feb  6  2016 revoke-full
>>>> -rwx------. 1 nobody nobody   178 Feb  6  2016 sign-req
>>>> -rwx------  1 nobody nobody  2138 Aug  8 20:25 vars
>>>> -rwx------. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf
>>>>
>>>> [root@vpn 2.0]# ./build-key xxx
>>>> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
>>>> No such file or directory
>>>> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
>>>> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
>>>> /etc/openvpn/easy-rsa/2.0
>>>> The correct version should have a comment that says: easy-rsa version 2.x"
>>>
>>> Did you remember to source the ./vars file first?
>>>
>>> $ . ./vars
>>>
>>> (yes, a single dot and then ./vars)
>>>
>>>
>>
>> Yes I did, same result... any other hints?
>>
>> Regards!
>>

May I suggest running the script with shell debug enabled (sh -x build-key xxx)?
Sometimes it helps me to find the error.

Marco



PRIVILEGED AND CONFIDENTIAL *******************************

This message contains confidential information and is intended only for the 
individual(s) addressed in the message. Please refer to 
DISCLAIMER<http://www.atscom.it/maildisclaimer> for important disclaimers and 
the firm's regulatory position.


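The two things this thread turns on, as an added example that is not part of the thread and not code from easy-rsa or OpenVPN: the KEY_CONFIG sanity check that pkitool runs before issuing anything (the marker string "easy-rsa version 2.x" and the grep are taken from the error text quoted above; the exact pkitool line is an assumption, not a copy), and a check of a certificate's signature algorithm so that the fix for a broken build-key is not followed by re-issuing MD5-signed certificates. The script reports the same failure the `sh -x` trace would expose, including the case where KEY_CONFIG expanded to two words, which is what "grep: <file> <dir>: No such file or directory" means (grep saw one name with a space in it). The configuration files used by demo() are constructed for this example; the weak-algorithm check also flags SHA-1, which goes beyond the MD5 case in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from easy-rsa. Diagnoses a KEY_CONFIG
# value the way pkitool's own check would, and classifies a certificate's
# signature algorithm so MD5-signed certificates are re-issued, not re-enabled.

# check_key_config PATH
#   0  PATH is one readable file carrying the "easy-rsa version 2.x" marker
#   1  PATH contains whitespace: KEY_CONFIG expanded to more than one word
#      (the "grep: <file> <dir>: No such file or directory" symptom above)
#   2  PATH does not exist or is not readable
#   3  PATH exists but lacks the marker comment (e.g. a stock openssl.cnf)
check_key_config() {
    cfg=$1
    case "$cfg" in
        *[[:space:]]*)
            echo "KEY_CONFIG is not a single path: '$cfg'" >&2
            echo "  check the KEY_CONFIG line in ./vars and the output of ./whichopensslcnf" >&2
            return 1 ;;
    esac
    if [ ! -r "$cfg" ]; then
        echo "KEY_CONFIG points at a missing or unreadable file: $cfg" >&2
        return 2
    fi
    # The marker pattern is assumed from pkitool's error text ("easy-rsa version 2.x").
    if ! grep -q 'easy-rsa version 2\.[0-9]' "$cfg"; then
        echo "KEY_CONFIG lacks the 'easy-rsa version 2.x' marker: $cfg" >&2
        return 3
    fi
    echo "KEY_CONFIG looks usable: $cfg"
}

# cert_signature_algorithm CERT.pem
#   Prints the signature algorithm OpenSSL reports for the certificate
#   (first "Signature Algorithm:" line of `openssl x509 -text`).
cert_signature_algorithm() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# weak_signature_algorithm ALG
#   0 when ALG is an MD5- or SHA-1-based signature, 1 otherwise.
#   Setting NSS_HASH_ALG_SUPPORT / OPENSSL_ENABLE_MD5_VERIFY is not a fix;
#   a certificate matched here should be re-issued with a SHA-256 signature.
weak_signature_algorithm() {
    case "$1" in
        *md5*|*MD5*|*sha1*|*SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

# demo: run check_key_config against constructed files and print the four
# result codes on one line (good, two-word value, missing, no marker).
demo() {
    tmp=$(mktemp -d) || return 99
    printf '# easy-rsa version 2.0\n[ ca ]\ndefault_ca = CA_default\n' > "$tmp/openssl.cnf"
    printf '[ ca ]\ndefault_ca = CA_default\n' > "$tmp/openssl-stock.cnf"
    check_key_config "$tmp/openssl.cnf"       >/dev/null && a=0 || a=$?
    check_key_config "$tmp/openssl.cnf $tmp"  >/dev/null && b=0 || b=$?
    check_key_config "$tmp/missing.cnf"       >/dev/null && c=0 || c=$?
    check_key_config "$tmp/openssl-stock.cnf" >/dev/null && d=0 || d=$?
    rm -rf "$tmp"
    echo "$a $b $c $d"
}

# Usage:
#   . ./vars && check_key_config "$KEY_CONFIG"
#   alg=$(cert_signature_algorithm keys/server.crt)
#   weak_signature_algorithm "$alg" && echo "re-issue this certificate: $alg"
#   sh this-script.sh --self-test      # prints "0 1 2 3" on constructed files
if [ "${1:-}" = "--self-test" ]; then
    demo
fi
```

After sourcing ./vars, a two-word KEY_CONFIG shows up immediately as return code 1 rather than as a confusing grep error, and the same grep used by the check is the one worth watching for in the `sh -x` trace Marco suggests. The signature-algorithm check is the step to run on every certificate under keys/ after build-key works again, so that nothing MD5-signed is left in service.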
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
