On 08.08.2017 23:18, Marco Lumachi wrote:
> On 08/08/17 21:50, Mio Vlahović wrote:
>> On 08.08.2017 21:47, David Sommerseth wrote:
>>> On 08/08/17 21:28, Mio Vlahović wrote:
>>>> On 08.08.2017 21:13, David Sommerseth wrote:
>>>>> On 08/08/17 20:34, Leonardo Rodrigues wrote:
>>>>>>
>>>>>> You very likely created your certificates with MD5 hashing, which
>>>>>> was disabled on newer OpenSSL versions of CentOS.
>>>>>>
>>>>>> Try:
>>>>>>
>>>>>> export NSS_HASH_ALG_SUPPORT=+MD5
>>>>>> export OPENSSL_ENABLE_MD5_VERIFY=1
>>>>>>
>>>>>> before starting your OpenVPN daemon and watch if that makes
>>>>>> clients connect again ...
>>>>> DON'T DO THAT.
>>>>>
>>>>> MD5 based certificates are broken. If you still use them, upgrade them
>>>>> NOW. And this knowledge about the brokenness dates back to 2005.
>>>>>
>>>>> <http://eprint.iacr.org/2005/067.pdf>
>>>>> <http://eprint.iacr.org/2005/102.pdf>
>>>>>
>>>>> Anyone using MD5 and re-enabling it in the SSL libraries will put their
>>>>> VPN's security at risk.
>>>>>
>>>> No worries, I don't use MD5, but disabling crl_verify as suggested did
>>>> the trick. Now I still have the issue with generating new certificates.
>>>>
>>>> I will quote myself again:
>>>> "One update... I can no longer generate new certificates. It seems that
>>>> the whichopensslcnf script can't find openssl.cnf (which is there in the
>>>> same directory...)
>>>>
>>>> [root@vpn 2.0]# pwd
>>>> /etc/openvpn/easy-rsa/2.0
>>>> [root@vpn 2.0]# ls -la
>>>> drwx------. 3 nobody nobody  4096 Aug  8 20:25 .
>>>> drwx------. 3 nobody nobody    33 Feb  6  2016 ..
>>>> -rwx------. 1 nobody nobody   119 Feb  6  2016 build-ca
>>>> -rwx------. 1 nobody nobody   352 Feb  6  2016 build-dh
>>>> -rwx------. 1 nobody nobody   188 Feb  6  2016 build-inter
>>>> -rwx------. 1 nobody nobody   163 Feb  6  2016 build-key
>>>> -rwx------. 1 nobody nobody   157 Feb  6  2016 build-key-pass
>>>> -rwx------. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
>>>> -rwx------. 1 nobody nobody   268 Feb  6  2016 build-key-server
>>>> -rwx------. 1 nobody nobody   213 Feb  6  2016 build-req
>>>> -rwx------. 1 nobody nobody   158 Feb  6  2016 build-req-pass
>>>> -rwx------. 1 nobody nobody   449 Feb  6  2016 clean-all
>>>> -rwx------. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
>>>> -rwx------. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
>>>> drwx------  2 nobody nobody 36864 Jul 26 15:07 keys
>>>> -rwx------. 1 nobody nobody   302 Feb  6  2016 list-crl
>>>> -rwx------. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
>>>> -rwx------. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
>>>> -rwx------  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
>>>> -rwx------  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
>>>> -rwx------. 1 nobody nobody 12966 Feb  6  2016 pkitool
>>>> -rwx------. 1 nobody nobody   928 Feb  6  2016 revoke-full
>>>> -rwx------. 1 nobody nobody   178 Feb  6  2016 sign-req
>>>> -rwx------  1 nobody nobody  2138 Aug  8 20:25 vars
>>>> -rwx------. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf
>>>>
>>>> [root@vpn 2.0]# ./build-key xxx
>>>> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
>>>> No such file or directory
>>>> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
>>>> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
>>>> /etc/openvpn/easy-rsa/2.0
>>>> The correct version should have a comment that says: easy-rsa version 2.x"
>>>
>>> Did you remember to source the ./vars file first?
>>>
>>> $ . ./vars
>>>
>>> (yes, a single dot and then ./vars)
>>>
>>
>> Yes I did, same result... any other hints?
>>
>> Regards!
>>
>
> May I suggest running the script with shell debug enabled (sh -x build-key
> xxx)? Sometimes it helps me to find the error.
>

Yes, here is the result...

# sh -x build-key xxxxxx
+ export EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ /etc/openvpn/easy-rsa/2.0/pkitool --interact xxxxxx
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x

and here is the whichopensslcnf output:

# sh -x whichopensslcnf
+ cnf=/openssl.cnf
+ '[' openssl ']'
+ openssl version
+ grep -E '0\.9\.6[[:alnum:]]?'
+ openssl version
+ grep -E '0\.9\.8[[:alnum:]]?'
+ openssl version
+ grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
+ cnf=/openssl-1.0.0.cnf
+ echo /openssl-1.0.0.cnf
/openssl-1.0.0.cnf
+ '[' '!' -r /openssl-1.0.0.cnf ']'
+ echo '**************************************************************'
**************************************************************
+ echo '  No /openssl-1.0.0.cnf file could be found'
  No /openssl-1.0.0.cnf file could be found
+ echo '  Further invocations will fail'
  Further invocations will fail
+ echo '**************************************************************'
**************************************************************
+ exit 0

I have even tried setting easy-rsa version to 2.x in the comment section of
the openssl.cnf, but still have the same result...

Any other pointers on where we should look? We have new clients coming in
every month, so this is a major problem for us now...

--
Mio Vlahović

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
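Added example (my own script, not easy-rsa's code and not posted by anyone in the thread): a POSIX sh replay of the two checks seen failing in the traces above, so the same inputs can be tried offline. whichopensslcnf takes the easy-rsa directory as its first argument (the trace's `cnf=/openssl.cnf` is what an empty `$1` produces), so the mapping is reproduced as a function of that directory plus a version string; the KEY_CONFIG check assumes pkitool's test is a case-insensitive grep for `easy-rsa version 2.<digit>`, under which a comment that literally reads "2.x" would not pass.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code nor anything posted in this thread.
# Replays the two checks that fail in the traces above: whichopensslcnf's
# OpenSSL-version to config-file mapping, and a KEY_CONFIG sanity check
# modelled on pkitool's marker-comment test.

# pick_openssl_cnf DIR VERSION_STRING
# Same grep chain as whichopensslcnf, but the version string is a parameter so
# the mapping can be exercised without the installed openssl binary.
pick_openssl_cnf() {
    if printf '%s\n' "$2" | grep -E '0\.9\.6[[:alnum:]]?' >/dev/null; then
        echo "$1/openssl-0.9.6.cnf"
    elif printf '%s\n' "$2" | grep -E '0\.9\.8[[:alnum:]]?' >/dev/null; then
        echo "$1/openssl-0.9.8.cnf"
    elif printf '%s\n' "$2" | grep -E '1\.0\.[[:digit:]][[:alnum:]]?' >/dev/null; then
        echo "$1/openssl-1.0.0.cnf"
    else
        echo "$1/openssl.cnf"   # anything else (1.1.x, empty string) gets the generic name
    fi
}

# check_key_config VALUE
# Returns 0 when VALUE would get past pkitool, otherwise says why on stderr and returns 1.
check_key_config() {
    set -- $1                      # word-split: a path with a directory glued on, as in
    if [ "$#" -ne 1 ]; then        # the "grep: ... No such file or directory" error, fails here
        echo "KEY_CONFIG must be one path, got $# words: $*" >&2
        return 1
    fi
    if [ ! -r "$1" ]; then
        echo "KEY_CONFIG is not a readable file: $1" >&2
        return 1
    fi
    # Assumed form of pkitool's test: case-insensitive grep for 'easy-rsa version 2.<digit>'.
    # A comment that literally says "2.x" does not satisfy it; "2.0" does.
    if ! grep -qi 'easy-rsa version 2\.[0-9]' "$1"; then
        echo "$1 has no 'easy-rsa version 2.x' marker comment" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: show what whichopensslcnf would pick on this host and whether
# that file would pass the check. EASY_RSA defaults to the path used in the thread.
EASY_RSA=${EASY_RSA:-/etc/openvpn/easy-rsa/2.0}
cnf=$(pick_openssl_cnf "$EASY_RSA" "$(openssl version 2>/dev/null)")
echo "whichopensslcnf would select: $cnf"
if check_key_config "$cnf"; then
    echo "KEY_CONFIG=$cnf would pass pkitool's check"
fi
```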