On Thu, Aug 17, 2017 at 8:33 AM, Mio Vlahović <mio.vlaho...@bcs.hr> wrote:
> On 15.08.2017 02:13, Selva wrote:
> > Hi,
> >
> > I do not use easy-rsa but the test you posted is not correct..
> >
> > # sh -x whichopensslcnf
> >
> >
> > This will fail as whichopensslcnf takes an argument (the root folder
> > name $EASY_RSA) without which it will be looking at the "root directory"
> >
> > + cnf=/openssl.cnf
> > + '[' openssl ']'
> > + openssl version
> > + grep -E '0\.9\.6[[:alnum:]]?'
> > + openssl version
> > + grep -E '0\.9\.8[[:alnum:]]?'
> > + openssl version
> > + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> > + cnf=/openssl-1.0.0.cnf
> > + echo /openssl-1.0.0.cnf
> > /openssl-1.0.0.cnf
>
> [root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
> + exit 0
>
> > Anyway, as your openssl version is 1.0.x, the script will use
> > openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.
>
> [root@vpn 2.0]# sh -x build-key test1233
> + export EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> The correct version should have a comment that says: easy-rsa version 2.x
>
> How can we generate new client certificates now? The openssl-1.0.0.cnf
> hasn't been touched, so I can't understand why it is not working anymore..

Your email of Aug 14 showed

-rwx------ 1 nobody nobody 8247 Aug 8 18:37 openssl-1.0.0.cnf

So the file has been touched as recently as Aug 8. Does openssl-1.0.0.cnf
have the comment

# For use with easy-rsa version 2.0 ....

at the top? If not, it somehow got overwritten by a wrong file?

Selva
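
Added example, not part of the original message and not easy-rsa's own code: a small diagnostic that classifies every openssl*.cnf in an easy-rsa directory by whether it still carries the "easy-rsa version 2.x" comment the pkitool error above asks for. The marker pattern, the comment-lines-only rule, and the function names are assumptions made for this sketch; the demo files are constructed.

```shell
#!/bin/sh
# Marker assumed from the pkitool message quoted in the thread
# ("should have a comment that says: easy-rsa version 2.x").
MARKER='easy-rsa version 2\.[0-9]'

# Print one of: missing | unreadable | empty | no-marker | ok
# Returns 0 only for "ok".
cnf_status() {
    cnf=$1
    [ -e "$cnf" ] || { echo missing; return 1; }
    [ -r "$cnf" ] || { echo unreadable; return 1; }
    [ -s "$cnf" ] || { echo empty; return 1; }
    # Only comment lines count: the marker is a comment, not a setting.
    if grep '^[[:space:]]*#' "$cnf" | grep -qi "$MARKER"; then
        echo ok
        return 0
    fi
    echo no-marker
    return 1
}

# List each openssl*.cnf with its status, owner, size and mtime, so a file
# that was overwritten stands out next to its intact siblings.
scan_easyrsa_dir() {
    dir=$1
    for f in "$dir"/openssl*.cnf; do
        [ -e "$f" ] || continue
        printf '%-10s %s\n' "$(cnf_status "$f")" "$(ls -l "$f")"
    done
}

# Constructed demo: one intact file, one replaced by an unrelated config.
demo() {
    d=$(mktemp -d)
    printf '# For use with easy-rsa version 2.0\n[ ca ]\n' > "$d/openssl-0.9.8.cnf"
    printf '# OpenSSL example configuration file\n[ ca ]\n' > "$d/openssl-1.0.0.cnf"
    scan_easyrsa_dir "$d"
    rm -rf "$d"
}

demo
```

On a real installation, call scan_easyrsa_dir with the directory that $EASY_RSA points to; a file reported as no-marker is one to compare against the copy shipped with the easy-rsa package.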