Hi,

please remember to copy the mailing list.

Comment below.

------- Original Message -------
On Sunday, March 5th, 2023 at 09:53, Bo Berglund <bo.bergl...@gmail.com> wrote:

> Hi,
> I tried to figure out why the CA check failed by reading what easyrsa does
> when it issues the error message...
> It looks like it tries to verify the content of ca.crt against the vars file
> using the easyrsa_openssl() function.
>
> # Match the current CA elements to the vars file settings
> CA_vars_match=1
> [ "$CA_countryName" = "$KEY_COUNTRY" ] || CA_vars_match=0
> [ "$CA_stateOrProvinceName" = "$KEY_PROVINCE" ] || CA_vars_match=0
> [ "$CA_localityName" = "$KEY_CITY" ] || CA_vars_match=0
> [ "$CA_organizationName" = "$KEY_ORG" ] || CA_vars_match=0
> [ "$CA_organizationalUnitName" = "$KEY_OU" ] || CA_vars_match=0
> [ "$CA_emailAddress" = "$KEY_EMAIL" ] || CA_vars_match=0
>
> if [ "$CA_vars_match" -eq 1 ]
> then
>     CURRENT_CA_IS_VERIFIED="partially"
> else
>     up23_fail_upgrade "CA certificate does not match vars file settings"
> fi
>
> So I issued the extraction command on the command line as follows to check
> what is actually in ca.crt:
>
> ~/openvpn/EasyRSA-3.1.2/keys$ openssl x509 -subject -nameopt utf8,sep_multiline,space_eq,lname,align -noout -in ca.crt
> subject=
> countryName = SE
> stateOrProvinceName = Stockholm
> localityName = Stockholm
> organizationName = Private
> organizationalUnitName = Dev
> commonName = BosseOVPN
> name = server
> emailAddress = bo.bergl...@telia.com
>
> My vars file has this:
>
> # These are the default values for fields
> # which will be placed in the certificate.
> # Don't leave any of these fields blank.
> export KEY_COUNTRY="SE"
> export KEY_PROVINCE="--" # <= Notice difference
> export KEY_CITY="Stockholm"
> export KEY_ORG="Private"
> export KEY_EMAIL="bo.bergl...@telia.com"
> export KEY_OU="Dev"
>
> # X509 Subject Field
> export KEY_NAME="server"
>
> Since easyrsa is checking the 6 items I modified the KEY_PROVINCE var to also
> contain Stockholm and reran the command.
> But I got the exact same output this time too.
>
> Since the commonName is also there but not checked by easyrsa at that point I
> left that in place...
>
> At wit's end...
>
> /Bo B
>

Sorry, I cannot see why there is a mismatch.

However, we can omit that check. Find this code below the code you
copied above:

if [ "$CA_vars_match" -eq 1 ]
then
    CURRENT_CA_IS_VERIFIED="partially"
else
    up23_fail_upgrade "CA certificate does not match vars file settings"
fi

Change 'up23_fail_upgrade' to 'warn', this will warn but not fail.

See how that goes. Sorry for all these difficulties, it always worked for me.

R

> -----Original Message-----
> From: Bo Berglund bo.bergl...@gmail.com
> Sent: Sunday, 5 March 2023 07:27
> To: 'tincantech' tincant...@protonmail.com
> Subject: RE: [Openvpn-users] Easy-rsa 3 config questions
>
> Hi, new day more testing...
>
> Things changed a bit and I got a new output after using the easyrsa file from
> git trunk in place of the 3.1.2 release version.
>
> Attached is what I got now, where the temp issue is gone and it really starts
> looking around.
>
> The error line now is:
> ERROR: CA certificate does not match vars file settings
>
> And I don't know what this means...
>
> If needed I can send some files from the keys dir, if there is a problem with
> one of these...
>
> Best Regards,
>
> Bo Berglund
> email: bo.bergl...@gmail.com
>
>
> -----Original Message-----
> From: tincantech tincant...@protonmail.com
> Sent: Saturday, 4 March 2023 21:48
> To: bo.bergl...@gmail.com; openvpn users list
> (openvpn-users@lists.sourceforge.net) openvpn-users@lists.sourceforge.net
> Subject: RE: [Openvpn-users] Easy-rsa 3 config questions
>
> Hi,
>
> FTR: Simply downloading git/master/easyrsa is enough,
> using say, Firefox.
>
> And yes, you only need the files that you have downloaded.
> I can only hope that they are in the correct place..
>
> With fingers-crossed, I look forward to our next chapter!
>
> Regards
> Richard
>
> Sent with Proton Mail secure email.
>
>
> ------- Original Message -------
> On Saturday, March 4th, 2023 at 17:41, tincantech tincant...@protonmail.com
> wrote:
>
> >
> > Updating openvpn-users list.
> >
> > If you do not use a browser for your internet then I do not support
> > whatever method that you do use.
> >
> > Regards
> >
> > ------- Original Message -------
> > On Saturday, March 4th, 2023 at 16:53, Bo Berglund bo.bergl...@gmail.com
> > wrote:
> >
> > > OK,
> > > I have limited knowledge of git and I don't want to check out a complete
> > > repository with all historical data etc.
> > > I tried using svn like this:
> > >
> > > svn export https://github.com/OpenVPN/easy-rsa/trunk/easyrsa3
> > >
> > > And it seemed to have worked, so I will go ahead tomorrow morning with
> > > this version of easyrsa.
> > > This export actually got me fewer files too:
> > > easyrsa
> > > openssl-easyrsa.cnf
> > > vars.example
> > > x509-types (a directory)
> > >
> > > Are these enough for now?
> > >
> > > /Bo B
> > >
> > > -----Original Message-----
> > > From: tincantech tincant...@protonmail.com
> > > Sent: Saturday, 4 March 2023 16:20
> > > To: bo.bergl...@gmail.com; openvpn users list
> > > (openvpn-users@lists.sourceforge.net) openvpn-users@lists.sourceforge.net
> > > Subject: RE: [Openvpn-users] Easy-rsa 3 config questions
> > >
> > > Hi,
> > >
> > > EASYRSA_TEMP_DIR is a temporary directory, which MUST exist
> > > and you MUST have write access to it. It can be anywhere.
> > >
> > > Also, env-vars can be specified on the command line.
> > > eg: $ EASYRSA_TEMP_DIR="/tmp/easyrsa" easyrsa upgrade pki
> > > Without ';' termination, is valid.
> > >
> > > Finally:
> > > There is a bug in EasyRSA 3.1.2 which has been fixed in git/master.
> > >
> > > Please try git/master from:
> > > https://github.com/OpenVPN/easy-rsa/tree/master/easyrsa3
> > >
> > > The bug-fix verifies that you have a working openssl before creating
> > > a temporary session and file.
> > >
> > > Regards
> > > Richard
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
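
An added example, not part of the thread and not Easy-RSA code: the upgrade check quoted above fails without naming which of the six fields differs, so this script compares them one by one using the `openssl x509 -subject -nameopt ...` output format posted in the thread. The function names, the sample subject and the `user@example.com` address are constructed for illustration.

```shell
# subject_field NAME: read sep_multiline subject text on stdin and print NAME's
# value. The match is anchored, so "name" does not also select "commonName".
subject_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# ca_vars_mismatches SUBJECT_TEXT: compare the six fields the upgrade check uses
# against the KEY_* variables. Prints one line per difference, returns 1 if any.
ca_vars_mismatches() {
    subject=$1
    rc=0
    for pair in countryName:KEY_COUNTRY stateOrProvinceName:KEY_PROVINCE \
        localityName:KEY_CITY organizationName:KEY_ORG \
        organizationalUnitName:KEY_OU emailAddress:KEY_EMAIL
    do
        field=${pair%%:*}
        var=${pair##*:}
        cert_val=$(printf '%s\n' "$subject" | subject_field "$field")
        eval "vars_val=\${$var-}"   # var comes only from the fixed list above
        if [ "$cert_val" != "$vars_val" ]; then
            printf '%s: ca.crt="%s" %s="%s"\n' "$field" "$cert_val" "$var" "$vars_val"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample in the shape of the output posted in the thread
# (the e-mail address is a placeholder).
sample_subject() {
    cat <<'EOF'
subject=
    countryName               = SE
    stateOrProvinceName       = Stockholm
    localityName              = Stockholm
    organizationName          = Private
    organizationalUnitName    = Dev
    commonName                = BosseOVPN
    name                      = server
    emailAddress              = user@example.com
EOF
}

# Real use, with the KEY_* variables already set in the shell: ./script ca.crt
if [ -n "${1-}" ]; then
    ca_vars_mismatches "$(openssl x509 -subject -nameopt \
        utf8,sep_multiline,space_eq,lname,align -noout -in "$1")"
fi
```

A line that shows an empty `KEY_*` value means that variable is not set in the shell running the comparison.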