On 15.08.2017 02:13, Selva wrote:
> Hi,
> 
> I do not use easy-rsa but the test you posted is not correct.
> 
>     # sh -x whichopensslcnf
> 
> 
> This will fail as whichopensslcnf takes an argument (the root folder 
> name $EASY_RSA) without which it will be looking at the "root directory".
> 
>     + cnf=/openssl.cnf
>     + '[' openssl ']'
>     + openssl version
>     + grep -E '0\.9\.6[[:alnum:]]?'
>     + openssl version
>     + grep -E '0\.9\.8[[:alnum:]]?'
>     + openssl version
>     + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
>     + cnf=/openssl-1.0.0.cnf
>     + echo /openssl-1.0.0.cnf
>     /openssl-1.0.0.cnf

[root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
+ cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
+ '[' openssl ']'
+ openssl version
+ grep -E '0\.9\.6[[:alnum:]]?'
+ openssl version
+ grep -E '0\.9\.8[[:alnum:]]?'
+ openssl version
+ grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
+ cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
+ echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
+ '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
+ exit 0

> Anyway, as your openssl version is 1.0.x, the script will use 
> openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.

[root@vpn 2.0]# sh -x build-key test1233
+ export EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
The correct version should have a comment that says: easy-rsa version 2.x

How can we generate new client certificates now? The openssl-1.0.0.cnf 
hasn't been touched, so I can't understand why it is not working anymore...

Regards!

-- 
Mio Vlahović
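
The pkitool error above says the file named by KEY_CONFIG must carry a comment reading "easy-rsa version 2.x". The following diagnostic is an added example, not part of the original message or of easy-rsa: it assumes the check amounts to a case-insensitive search for that comment text, and the function names `check_key_config` and `list_marked_configs` are hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not easy-rsa code.
# Assumption: the marker is the comment named in the pkitool error message,
# i.e. "easy-rsa version 2." followed by a minor version.
MARKER='easy-rsa version 2\.'

# check_key_config FILE
#   returns 0 if FILE carries the marker comment,
#           1 if FILE is readable but the marker is absent,
#           2 if FILE is missing or unreadable.
check_key_config() {
    [ -r "$1" ] || return 2
    grep -i -q -e "$MARKER" "$1" && return 0
    return 1
}

# list_marked_configs DIR
#   prints every openssl*.cnf in DIR that carries the marker, one per line,
#   so the output shows which candidate KEY_CONFIG values would be accepted.
list_marked_configs() {
    for f in "$1"/openssl*.cnf; do
        [ -f "$f" ] || continue
        check_key_config "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Stand-alone use: pass a file, or rely on KEY_CONFIG as exported by ./vars.
cfg=${1:-${KEY_CONFIG:-}}
if [ -n "$cfg" ]; then
    rc=0
    check_key_config "$cfg" || rc=$?
    case $rc in
        0) echo "OK: marker comment found in $cfg" ;;
        1) echo "marker comment missing in $cfg; marked files in the same directory:"
           list_marked_configs "$(dirname "$cfg")" ;;
        2) echo "cannot read $cfg" ;;
    esac
else
    echo "usage: $0 /path/to/openssl.cnf (or export KEY_CONFIG first)" >&2
fi
```

A result of 0 for a file that pkitool still rejects means the file content is not the cause, and the environment pkitool runs in is the next thing to compare.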
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users