On 17.08.2017 15:49, Selva wrote:
>
>
> On Thu, Aug 17, 2017 at 8:33 AM, Mio Vlahović <mio.vlaho...@bcs.hr> wrote:
>
> On 15.08.2017 02:13, Selva wrote:
> > Hi,
> >
> > I do not use easy-rsa but the test you posted is not correct..
> >
> > # sh -x whichopensslcnf
> >
> >
> > This will fail as whichopensslcnf takes an argument (the root folder
> > name $EASY_RSA) without which it will be looking at the "root directory"
> >
> > + cnf=/openssl.cnf
> > + '[' openssl ']'
> > + openssl version
> > + grep -E '0\.9\.6[[:alnum:]]?'
> > + openssl version
> > + grep -E '0\.9\.8[[:alnum:]]?'
> > + openssl version
> > + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> > + cnf=/openssl-1.0.0.cnf
> > + echo /openssl-1.0.0.cnf
> > /openssl-1.0.0.cnf
> >
> [root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
> + exit 0
>
> > Anyway, as your openssl version is 1.0.x, the script will use
> > openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.
>
> [root@vpn 2.0]# sh -x build-key test1233
> + export EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> The correct version should have a comment that says: easy-rsa version 2.x
>
> How can we generate new client certificates now? The openssl-1.0.0.cnf
> hasn't been touched, so I can't understand why it is not working
> anymore..
>
>
> Your email of Aug 14 showed
>
> -rwx------ 1 nobody nobody 8247 Aug 8 18:37 openssl-1.0.0.cnf
>
> So the file has been touched as recently as Aug 8. Does
> openssl-1.0.0.cnf have the comment
> # For use with easy-rsa version 2.0 ....
> at the top? If not, it somehow got overwritten by a wrong file?
>
> Selva

Well, yes... I tried modifying the first line of that file, as the output of
the build-key suggested... (easy-rsa version from 2.0 to 2.x)

Regards!

-- 
Mio Vlahović
Linux/Network Administrator @ BCS d.o.o.
GSM: +385 95 6308 809
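
An added example, not part of the original thread and not easy-rsa's own code: a standalone check for the marker comment discussed above, run on constructed sample files (one with the header quoted in the thread, one with the header edited to 2.x). The pattern in MARKER_RE is an assumption about what pkitool greps for, and the function names are hypothetical; compare the pattern with the grep line in your own pkitool copy.

```shell
#!/bin/sh
# Added example, not part of easy-rsa. MARKER_RE is an assumption about the
# pattern pkitool searches for in $KEY_CONFIG; verify it against your copy.
MARKER_RE='easy-rsa version 2\.[0-9]'

# check_key_config FILE
# returns 0 = marker present, 1 = marker missing, 2 = file not readable
check_key_config() {
    [ -r "$1" ] || return 2
    grep -i -q "$MARKER_RE" "$1" || return 1
    return 0
}

# describe_key_config FILE: print a one-line diagnosis, return the same code
describe_key_config() {
    rc=0
    check_key_config "$1" || rc=$?
    case $rc in
        0) echo "ok: $1" ;;
        1) echo "marker missing: $1 (first line: $(head -n 1 "$1"))" ;;
        2) echo "unreadable: $1" ;;
    esac
    return $rc
}

# Constructed sample files: header as quoted in the thread vs. edited to "2.x".
demo() {
    d=$(mktemp -d) || return 1
    printf '# For use with easy-rsa version 2.0\nHOME = .\n' > "$d/shipped.cnf"
    printf '# For use with easy-rsa version 2.x\nHOME = .\n' > "$d/edited.cnf"
    describe_key_config "$d/shipped.cnf"
    describe_key_config "$d/edited.cnf"
    describe_key_config "$d/absent.cnf"
    rm -rf "$d"
}
demo || true
```

Under the assumed pattern, a header that literally reads "2.x" does not match, because the pattern requires a digit after "2.".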