Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-18 Thread Mio Vlahović
On 08.08.2017 22:37, Joe Patterson wrote:
> This may be a stupid question but...
> 
> Do any of the openssl cnf files have a comment in them that says 
> "easy-rsa version 2.x"?
> 
> if you do 'echo $KEY_CONFIG', what does it say?
> 

We figured it out... I tried reinstalling easy-rsa with the same 
results... After that, I changed "easy-rsa version 2.x" to "easy-rsa 
version 2.2" and it works as before!

Thank You all for helping us out!

Regards!

-- 
Mio Vlahović
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Mio Vlahović
On 17.08.2017 15:49, Selva wrote:
> 
> 
> On Thu, Aug 17, 2017 at 8:33 AM, Mio Vlahović wrote:
> 
> On 15.08.2017 02:13, Selva wrote:
>  > Hi,
>  >
>  > I do not use easy-rsa but the test you posted is not correct..
>  >
>  > # sh -x whichopensslcnf
>  >
>  >
>  > This will fail as whichopensslcnf takes an argument (the root folder
>  > name $EASY_RSA) without which it will be looking at the "root
> directory"
>  >
>  > + cnf=/openssl.cnf
>  > + '[' openssl ']'
>  > + openssl version
>  > + grep -E '0\.9\.6[[:alnum:]]?'
>  > + openssl version
>  > + grep -E '0\.9\.8[[:alnum:]]?'
>  > + openssl version
>  > + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
>  > + cnf=/openssl-1.0.0.cnf
>  > + echo /openssl-1.0.0.cnf
>  > /openssl-1.0.0.cnf
> 
> [root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
> + exit 0
> 
>  > Anyway, as your openssl version is 1.0.x, the script will use
>  > openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.
> 
> [root@vpn 2.0]# sh -x build-key test1233
> + export EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> The correct version should have a comment that says: easy-rsa
> version 2.x
> 
> How can we generate new client certificates now? The openssl-1.0.0.cnf
> hasn't been touched, so I can't understand why it is not working
> anymore..
> 
> 
> Your email of Aug 14 showed
> 
>   -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
> 
> So the file has been touched as recently as Aug 8. Does 
> openssl-1.0.0.cnf have the comment
> # For use with easy-rsa version 2.0 
> at the top? If not, it somehow got overwritten by a wrong file?
> 
> Selva

Well, yes... I tried modifying the first line of that file, as the 
output of the build-key suggested... (easy-rsa version from 2.0 to 2.x)

Regards!

-- 
Mio Vlahović
Linux/Network Administrator @ BCS d.o.o.
GSM: +385 95 6308 809


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Selva
On Thu, Aug 17, 2017 at 8:33 AM, Mio Vlahović  wrote:

> On 15.08.2017 02:13, Selva wrote:
> > Hi,
> >
> > I do not use easy-rsa but the test you posted is not correct..
> >
> > # sh -x whichopensslcnf
> >
> >
> > This will fail as whichopensslcnf takes an argument (the root folder
> > name $EASY_RSA) without which it will be looking at the "root directory"
> >
> > + cnf=/openssl.cnf
> > + '[' openssl ']'
> > + openssl version
> > + grep -E '0\.9\.6[[:alnum:]]?'
> > + openssl version
> > + grep -E '0\.9\.8[[:alnum:]]?'
> > + openssl version
> > + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> > + cnf=/openssl-1.0.0.cnf
> > + echo /openssl-1.0.0.cnf
> > /openssl-1.0.0.cnf
>
> [root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
> + exit 0
>
> > Anyway, as your openssl version is 1.0.x, the script will use
> > openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.
>
> [root@vpn 2.0]# sh -x build-key test1233
> + export EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> The correct version should have a comment that says: easy-rsa version 2.x
>
> How can we generate new client certificates now? The openssl-1.0.0.cnf
> hasn't been touched, so I can't understand why it is not working anymore..


Your email of Aug 14 showed

 -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf

So the file has been touched as recently as Aug 8. Does openssl-1.0.0.cnf
have the comment
# For use with easy-rsa version 2.0 
at the top? If not, it somehow got overwritten by a wrong file?

Selva


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Mio Vlahović
On 08.08.2017 22:37, Joe Patterson wrote:
> This may be a stupid question but...
> 
> Do any of the openssl cnf files have a comment in them that says 
> "easy-rsa version 2.x"?
> 
> if you do 'echo $KEY_CONFIG', what does it say?

Yes, we did try that but with the same result...

[root@vpn 2.0]# echo $KEY_CONFIG
/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

-- 
Mio Vlahović
Linux/Network Administrator @ BCS d.o.o.
GSM: +385 95 6308 809


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Mio Vlahović
On 15.08.2017 02:13, Selva wrote:
> Hi,
> 
> I do not use easy-rsa but the test you posted is not correct..
> 
> # sh -x whichopensslcnf
> 
> 
> This will fail as whichopensslcnf takes an argument (the root folder 
> name $EASY_RSA) without which it will be looking at the "root directory"
> 
> + cnf=/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/openssl-1.0.0.cnf
> + echo /openssl-1.0.0.cnf
> /openssl-1.0.0.cnf

[root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
+ cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
+ '[' openssl ']'
+ openssl version
+ grep -E '0\.9\.6[[:alnum:]]?'
+ openssl version
+ grep -E '0\.9\.8[[:alnum:]]?'
+ openssl version
+ grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
+ cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
+ echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
+ '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
+ exit 0

> Anyway, as your openssl version is 1.0.x, the script will use 
> openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.

[root@vpn 2.0]# sh -x build-key test1233
+ export EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
The correct version should have a comment that says: easy-rsa version 2.x

How can we generate new client certificates now? The openssl-1.0.0.cnf 
hasn't been touched, so I can't understand why it is not working anymore...

Regards!

-- 
Mio Vlahović


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-14 Thread Selva
Hi,

I do not use easy-rsa but the test you posted is not correct..


> # sh -x whichopensslcnf
>

This will fail as whichopensslcnf takes an argument (the root folder name
$EASY_RSA) without which it will be looking at the "root directory"


> + cnf=/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/openssl-1.0.0.cnf
> + echo /openssl-1.0.0.cnf
> /openssl-1.0.0.cnf
>

See, it's looking for /openssl-1.0.0.cnf instead of
/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf


> + '[' '!' -r /openssl-1.0.0.cnf ']'
> + echo '**'
> **
> + echo '  No /openssl-1.0.0.cnf file could be found'
>No /openssl-1.0.0.cnf file could be found
> + echo '  Further invocations will fail'
>Further invocations will fail
> + echo '**'
> **
> + exit 0
>
>
> I have even tried setting easy-rsa version to 2.x in the comment section
> of the openssl.cnf, but still have the same result...
>

Anyway, as your openssl version is 1.0.x, the script will use
openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.

Selva
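
As an added example (not easy-rsa's own code, nor anything posted in this thread), the POSIX shell script below reproduces the two checks discussed here: the OpenSSL-version based selection that whichopensslcnf performs, using the exact grep patterns from the sh -x trace above, and a pkitool-style sanity check of $KEY_CONFIG that also catches the value holding more than one path, as in the "grep: ... No such file or directory" message earlier in the thread. It serves both Selva's explanation above and the comment fix Mio reports at the top of the thread. The function names, return codes and the `easy-rsa version 2` grep pattern are assumptions; the pattern is modelled on pkitool's error text, so compare it with the grep in your own pkitool.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code. Re-implements the two checks that
# failed in this thread so an admin can verify an easy-rsa 2.x directory
# before running build-key. Assumes the layout shown in the thread:
# openssl-0.9.6.cnf, openssl-0.9.8.cnf and openssl-1.0.0.cnf under $EASY_RSA.

# What whichopensslcnf would select for a given "openssl version" string.
# The three grep patterns are the ones visible in the sh -x trace in the
# thread. Takes the version string as an argument so it can be exercised
# without openssl installed; anything unmatched (e.g. OpenSSL 1.1.x) falls
# back to plain openssl.cnf, exactly as the original script does.
cnf_for_version() {
    easy_rsa_dir=$1
    version_string=$2
    cnf="$easy_rsa_dir/openssl.cnf"
    if printf '%s\n' "$version_string" | grep -E '0\.9\.6[[:alnum:]]?' >/dev/null; then
        cnf="$easy_rsa_dir/openssl-0.9.6.cnf"
    elif printf '%s\n' "$version_string" | grep -E '0\.9\.8[[:alnum:]]?' >/dev/null; then
        cnf="$easy_rsa_dir/openssl-0.9.8.cnf"
    elif printf '%s\n' "$version_string" | grep -E '1\.0\.[[:digit:]][[:alnum:]]?' >/dev/null; then
        cnf="$easy_rsa_dir/openssl-1.0.0.cnf"
    fi
    printf '%s\n' "$cnf"
}

# pkitool-style check of the KEY_CONFIG value. Return codes (assumed, not
# pkitool's): 0 usable, 1 empty (vars not sourced), 2 more than one
# whitespace-separated path (the mangled value behind the
# "grep: ... No such file or directory" message in the thread),
# 3 not readable, 4 no "easy-rsa version 2" comment in the file.
check_key_config() {
    key_config=$1
    [ -n "$key_config" ] || return 1
    nwords=$(printf '%s\n' "$key_config" | wc -w | tr -d ' ')
    [ "$nwords" -eq 1 ] || return 2
    [ -r "$key_config" ] || return 3
    # Assumed pattern, modelled on pkitool's error text; compare with your pkitool.
    grep 'easy-rsa version 2' "$key_config" >/dev/null || return 4
    return 0
}

# Full check of one directory, as run after ". ./vars". Uses the real
# "openssl version" output when openssl is present. Returns the
# check_key_config code and prints the diagnosis.
verify_easy_rsa_dir() {
    dir=$1
    version_string=$(openssl version 2>/dev/null || echo 'openssl not found')
    expected=$(cnf_for_version "$dir" "$version_string")
    echo "whichopensslcnf would select: $expected"
    if [ -n "$KEY_CONFIG" ] && [ "$KEY_CONFIG" != "$expected" ]; then
        echo "note: KEY_CONFIG ($KEY_CONFIG) differs from that selection" >&2
    fi
    rc=0
    check_key_config "$KEY_CONFIG" || rc=$?
    case $rc in
        0) echo "KEY_CONFIG looks usable by pkitool" ;;
        1) echo "KEY_CONFIG is empty: source vars first with '. ./vars'" >&2 ;;
        2) echo "KEY_CONFIG holds more than one path: '$KEY_CONFIG'" >&2 ;;
        3) echo "KEY_CONFIG is not readable: $KEY_CONFIG" >&2 ;;
        4) echo "no 'easy-rsa version 2' comment found in $KEY_CONFIG" >&2 ;;
    esac
    return $rc
}

# Runs the full check only when a directory is given on the command line:
#   . ./vars && sh check-easyrsa.sh "$EASY_RSA"
if [ $# -ge 1 ]; then
    verify_easy_rsa_dir "$1"
fi
```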


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-14 Thread Mio Vlahović
On 08.08.2017 23:18, Marco Lumachi wrote:
>> On 08/08/17 21:50, Mio Vlahović wrote:
>>> On 08.08.2017 21:47, David Sommerseth wrote:
 On 08/08/17 21:28, Mio Vlahović wrote:
> On 08.08.2017 21:13, David Sommerseth wrote:
>> On 08/08/17 20:34, Leonardo Rodrigues wrote:
>>>
>>> You very likely created your certificates with MD5 hashing, which
>>> was disabled on newer OpenSSL versions of CentOS.
>>>
>>>Try:

>>> export NSS_HASH_ALG_SUPPORT=+MD5
>>> export OPENSSL_ENABLE_MD5_VERIFY=1
>>>
>>> before starting your OpenVPN daemon and watch if that makes clients
>>> connect again ...
>> DON'T DO THAT.
>>
>> MD5 based certificates are broken.  If you still use them, upgrade them
>> NOW.  And this knowledge about the brokenness dates back to 2005.
>>
> 
> 
>
> Anyone using MD5 and re-enables them in the SSL libraries will put their
> VPN's security at risk.
>
> No worries, I don't use MD5, but disabling crl_verify as suggested did
> the trick. Now I still have the issue with generating new certificates.
>
> I will quote myself again
> "One update... I can no longer generate new certificates. It seems that
> whichopensslcnf scripts can't find openssl.cnf (which is there in the
> same directory...)
>
> [root@vpn 2.0]# pwd
> /etc/openvpn/easy-rsa/2.0
> [root@vpn 2.0]# ls -la
> drwx--. 3 nobody nobody  4096 Aug  8 20:25 .
> drwx--. 3 nobody nobody33 Feb  6  2016 ..
> -rwx--. 1 nobody nobody   119 Feb  6  2016 build-ca
> -rwx--. 1 nobody nobody   352 Feb  6  2016 build-dh
> -rwx--. 1 nobody nobody   188 Feb  6  2016 build-inter
> -rwx--. 1 nobody nobody   163 Feb  6  2016 build-key
> -rwx--. 1 nobody nobody   157 Feb  6  2016 build-key-pass
> -rwx--. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
> -rwx--. 1 nobody nobody   268 Feb  6  2016 build-key-server
> -rwx--. 1 nobody nobody   213 Feb  6  2016 build-req
> -rwx--. 1 nobody nobody   158 Feb  6  2016 build-req-pass
> -rwx--. 1 nobody nobody   449 Feb  6  2016 clean-all
> -rwx--. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
> -rwx--. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
> drwx--  2 nobody nobody 36864 Jul 26 15:07 keys
> -rwx--. 1 nobody nobody   302 Feb  6  2016 list-crl
> -rwx--. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
> -rwx--. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
> -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
> -rwx--  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
> -rwx--. 1 nobody nobody 12966 Feb  6  2016 pkitool
> -rwx--. 1 nobody nobody   928 Feb  6  2016 revoke-full
> -rwx--. 1 nobody nobody   178 Feb  6  2016 sign-req
> -rwx--  1 nobody nobody  2138 Aug  8 20:25 vars
> -rwx--. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf
>
> root@vpn 2.0]# ./build-key xxx
> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
> No such file or directory
> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
> /etc/openvpn/easy-rsa/2.0
> The correct version should have a comment that says: easy-rsa version 2.x"

 Did you remember to source the ./vars file first?

 $ . ./vars

 (yes, a single dot and then ./vars)


>>>
>>> Yes I did, same result... any other hints?
>>>
>>> Regards!
>>>
> 
> May I suggest running the script with shell debug enabled (sh -x build-key xxx)?
> Sometimes it helps me to find the error.
> 

Yes, here is the result...

# sh -x build-key xx
+ export EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ /etc/openvpn/easy-rsa/2.0/pkitool --interact xx
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x

and here is the whichopensslcnf output:

# sh -x whichopensslcnf
+ cnf=/openssl.cnf
+ '[' openssl ']'
+ openssl version
+ grep -E '0\.9\.6[[:alnum:]]?'
+ openssl version
+ grep -E '0\.9\.8[[:alnum:]]?'
+ openssl version
+ grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
+ cnf=/openssl-1.0.0.cnf
+ echo /openssl-1.0.0.cnf
/openssl-1.0.0.cnf
+ '[' '!' -r /openssl-1.0.0.cnf ']'
+ echo '**'
**
+ echo '  No /openssl-1.0.0.cnf file could be found'
   No /openssl-1.0.0.cnf file could be found
+ echo '  Further invocations will fail'
   Further invocations will fail
+ echo 

Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Marco Lumachi
> On 08/08/17 21:50, Mio Vlahović wrote:
>> On 08.08.2017 21:47, David Sommerseth wrote:
>>> On 08/08/17 21:28, Mio Vlahović wrote:
 On 08.08.2017 21:13, David Sommerseth wrote:
> On 08/08/17 20:34, Leonardo Rodrigues wrote:
>>
>>   You very likely created your certificates with MD5 hashing, which
>> was disabled on newer OpenSSL versions of CentOS.
>>
>>   Try:
>>>
>> export NSS_HASH_ALG_SUPPORT=+MD5
>> export OPENSSL_ENABLE_MD5_VERIFY=1
>>
>>   before starting your OpenVPN daemon and watch if that makes clients
>> connect again ...
> DON'T DO THAT.
>
> MD5 based certificates are broken.  If you still use them, upgrade them
> NOW.  And this knowledge about the brokenness dates back to 2005.
>
 
 

 Anyone using MD5 and re-enables them in the SSL libraries will put their
 VPN's security at risk.

 No worries, I don't use MD5, but disabling crl_verify as suggested did
 the trick. Now I still have the issue with generating new certificates.

 I will quote myself again
 "One update... I can no longer generate new certificates. It seems that
 whichopensslcnf scripts can't find openssl.cnf (which is there in the
 same directory...)

 [root@vpn 2.0]# pwd
 /etc/openvpn/easy-rsa/2.0
 [root@vpn 2.0]# ls -la
 drwx--. 3 nobody nobody  4096 Aug  8 20:25 .
 drwx--. 3 nobody nobody33 Feb  6  2016 ..
 -rwx--. 1 nobody nobody   119 Feb  6  2016 build-ca
 -rwx--. 1 nobody nobody   352 Feb  6  2016 build-dh
 -rwx--. 1 nobody nobody   188 Feb  6  2016 build-inter
 -rwx--. 1 nobody nobody   163 Feb  6  2016 build-key
 -rwx--. 1 nobody nobody   157 Feb  6  2016 build-key-pass
 -rwx--. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
 -rwx--. 1 nobody nobody   268 Feb  6  2016 build-key-server
 -rwx--. 1 nobody nobody   213 Feb  6  2016 build-req
 -rwx--. 1 nobody nobody   158 Feb  6  2016 build-req-pass
 -rwx--. 1 nobody nobody   449 Feb  6  2016 clean-all
 -rwx--. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
 -rwx--. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
 drwx--  2 nobody nobody 36864 Jul 26 15:07 keys
 -rwx--. 1 nobody nobody   302 Feb  6  2016 list-crl
 -rwx--. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
 -rwx--. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
 -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
 -rwx--  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
 -rwx--. 1 nobody nobody 12966 Feb  6  2016 pkitool
 -rwx--. 1 nobody nobody   928 Feb  6  2016 revoke-full
 -rwx--. 1 nobody nobody   178 Feb  6  2016 sign-req
 -rwx--  1 nobody nobody  2138 Aug  8 20:25 vars
 -rwx--. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf

 root@vpn 2.0]# ./build-key xxx
 grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
 No such file or directory
 pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
 version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
 /etc/openvpn/easy-rsa/2.0
 The correct version should have a comment that says: easy-rsa version 2.x"
>>>
>>> Did you remember to source the ./vars file first?
>>>
>>> $ . ./vars
>>>
>>> (yes, a single dot and then ./vars)
>>>
>>>
>>
>> Yes I did, same result... any other hints?
>>
>> Regards!
>>

May I suggest running the script with shell debug enabled (sh -x build-key xxx)?
Sometimes it helps me to find the error.

Marco






Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Joe Patterson
This may be a stupid question but...

Do any of the openssl cnf files have a comment in them that says "easy-rsa
version 2.x"?

if you do 'echo $KEY_CONFIG', what does it say?

Thanks,

-Joe

On Tue, Aug 8, 2017 at 4:03 PM Mio Vlahović  wrote:

> On 08.08.2017 21:47, David Sommerseth wrote:
> > On 08/08/17 21:28, Mio Vlahović wrote:
> >> On 08.08.2017 21:13, David Sommerseth wrote:
> >>> On 08/08/17 20:34, Leonardo Rodrigues wrote:
> 
>    You very likely created your certificates with MD5 hashing,
> which
>  was disabled on newer OpenSSL versions of CentOS.
> 
>    Try:
> 
>  export NSS_HASH_ALG_SUPPORT=+MD5
>  export OPENSSL_ENABLE_MD5_VERIFY=1
> 
>    before starting your OpenVPN daemon and watch if that makes
> clients
>  connect again ...
> >>> DON'T DO THAT.
> >>>
> >>> MD5 based certificates are broken.  If you still use them, upgrade them
> >>> NOW.  And this knowledge about the brokenness dates back to 2005.
> >>>
> >>> 
> >>> 
> >>>
> >>> Anyone using MD5 and re-enables them in the SSL libraries will put
> their
> >>> VPN's security at risk.
> >>
> >> No worries, I don't use MD5, but disabling crl_verify as suggested did
> >> the trick. Now I still have the issue with generating new certificates.
> >>
> >> I will quote myself again
> >> "One update... I can no longer generate new certificates. It seems that
> >> whichopensslcnf scripts can't find openssl.cnf (which is there in the
> >> same directory...)
> >>
> >> [root@vpn 2.0]# pwd
> >> /etc/openvpn/easy-rsa/2.0
> >> [root@vpn 2.0]# ls -la
> >> drwx--. 3 nobody nobody  4096 Aug  8 20:25 .
> >> drwx--. 3 nobody nobody33 Feb  6  2016 ..
> >> -rwx--. 1 nobody nobody   119 Feb  6  2016 build-ca
> >> -rwx--. 1 nobody nobody   352 Feb  6  2016 build-dh
> >> -rwx--. 1 nobody nobody   188 Feb  6  2016 build-inter
> >> -rwx--. 1 nobody nobody   163 Feb  6  2016 build-key
> >> -rwx--. 1 nobody nobody   157 Feb  6  2016 build-key-pass
> >> -rwx--. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
> >> -rwx--. 1 nobody nobody   268 Feb  6  2016 build-key-server
> >> -rwx--. 1 nobody nobody   213 Feb  6  2016 build-req
> >> -rwx--. 1 nobody nobody   158 Feb  6  2016 build-req-pass
> >> -rwx--. 1 nobody nobody   449 Feb  6  2016 clean-all
> >> -rwx--. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
> >> -rwx--. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
> >> drwx--  2 nobody nobody 36864 Jul 26 15:07 keys
> >> -rwx--. 1 nobody nobody   302 Feb  6  2016 list-crl
> >> -rwx--. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
> >> -rwx--. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
> >> -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
> >> -rwx--  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
> >> -rwx--. 1 nobody nobody 12966 Feb  6  2016 pkitool
> >> -rwx--. 1 nobody nobody   928 Feb  6  2016 revoke-full
> >> -rwx--. 1 nobody nobody   178 Feb  6  2016 sign-req
> >> -rwx--  1 nobody nobody  2138 Aug  8 20:25 vars
> >> -rwx--. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf
> >>
> >> root@vpn 2.0]# ./build-key xxx
> >> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
> >> No such file or directory
> >> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> >> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
> >> /etc/openvpn/easy-rsa/2.0
> >> The correct version should have a comment that says: easy-rsa version
> 2.x"
> >
> > Did you remember to source the ./vars file first?
> >
> > $ . ./vars
> >
> > (yes, a single dot and then ./vars)
> >
> >
>
> Yes I did, same result... any other hints?
>
> Regards!
>
>
> --
> Mio Vlahović
>


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Xen

Mio Vlahović wrote on 08-08-2017 22:02:

On 08.08.2017 21:47, David Sommerseth wrote:

On 08/08/17 21:28, Mio Vlahović wrote:

On 08.08.2017 21:13, David Sommerseth wrote:

On 08/08/17 20:34, Leonardo Rodrigues wrote:


  You very likely created your certificates with MD5 hashing, 
which

was disabled on newer OpenSSL versions of CentOS.

  Try:

export NSS_HASH_ALG_SUPPORT=+MD5
export OPENSSL_ENABLE_MD5_VERIFY=1

  before starting your OpenVPN daemon and watch if that makes 
clients

connect again ...

DON'T DO THAT.

MD5 based certificates are broken.  If you still use them, upgrade 
them

NOW.  And this knowledge about the brokenness dates back to 2005.




Anyone using MD5 and re-enables them in the SSL libraries will put 
their

VPN's security at risk.


No worries, I don't use MD5, but disabling crl_verify as suggested 
did
the trick. Now I still have the issue with generating new 
certificates.


I will quote myself again
"One update... I can no longer generate new certificates. It seems 
that

whichopensslcnf scripts can't find openssl.cnf (which is there in the
same directory...)

[root@vpn 2.0]# pwd
/etc/openvpn/easy-rsa/2.0
[root@vpn 2.0]# ls -la
drwx--. 3 nobody nobody  4096 Aug  8 20:25 .
drwx--. 3 nobody nobody33 Feb  6  2016 ..
-rwx--. 1 nobody nobody   119 Feb  6  2016 build-ca
-rwx--. 1 nobody nobody   352 Feb  6  2016 build-dh
-rwx--. 1 nobody nobody   188 Feb  6  2016 build-inter
-rwx--. 1 nobody nobody   163 Feb  6  2016 build-key
-rwx--. 1 nobody nobody   157 Feb  6  2016 build-key-pass
-rwx--. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
-rwx--. 1 nobody nobody   268 Feb  6  2016 build-key-server
-rwx--. 1 nobody nobody   213 Feb  6  2016 build-req
-rwx--. 1 nobody nobody   158 Feb  6  2016 build-req-pass
-rwx--. 1 nobody nobody   449 Feb  6  2016 clean-all
-rwx--. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
-rwx--. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
drwx--  2 nobody nobody 36864 Jul 26 15:07 keys
-rwx--. 1 nobody nobody   302 Feb  6  2016 list-crl
-rwx--. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
-rwx--. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
-rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
-rwx--  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
-rwx--. 1 nobody nobody 12966 Feb  6  2016 pkitool
-rwx--. 1 nobody nobody   928 Feb  6  2016 revoke-full
-rwx--. 1 nobody nobody   178 Feb  6  2016 sign-req
-rwx--  1 nobody nobody  2138 Aug  8 20:25 vars
-rwx--. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf

root@vpn 2.0]# ./build-key xxx
grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf 
/etc/openvpn/easy-rsa/2.0:

No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the 
wrong

version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
/etc/openvpn/easy-rsa/2.0
The correct version should have a comment that says: easy-rsa version 
2.x"


Did you remember to source the ./vars file first?

$ . ./vars

(yes, a single dot and then ./vars)




Yes I did, same result... any other hints?


Add the comment it says it needs to have.



Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Mio Vlahović
On 08.08.2017 21:47, David Sommerseth wrote:
> On 08/08/17 21:28, Mio Vlahović wrote:
>> On 08.08.2017 21:13, David Sommerseth wrote:
>>> On 08/08/17 20:34, Leonardo Rodrigues wrote:

   You very likely created your certificates with MD5 hashing, which
 was disabled on newer OpenSSL versions of CentOS.

   Try:

 export NSS_HASH_ALG_SUPPORT=+MD5
 export OPENSSL_ENABLE_MD5_VERIFY=1

   before starting your OpenVPN daemon and watch if that makes clients
 connect again ...
>>> DON'T DO THAT.
>>>
>>> MD5 based certificates are broken.  If you still use them, upgrade them
>>> NOW.  And this knowledge about the brokenness dates back to 2005.
>>>
>>> 
>>> 
>>>
>>> Anyone using MD5 and re-enables them in the SSL libraries will put their
>>> VPN's security at risk.
>>
>> No worries, I don't use MD5, but disabling crl_verify as suggested did
>> the trick. Now I still have the issue with generating new certificates.
>>
>> I will quote myself again
>> "One update... I can no longer generate new certificates. It seems that
>> whichopensslcnf scripts can't find openssl.cnf (which is there in the
>> same directory...)
>>
>> [root@vpn 2.0]# pwd
>> /etc/openvpn/easy-rsa/2.0
>> [root@vpn 2.0]# ls -la
>> drwx--. 3 nobody nobody  4096 Aug  8 20:25 .
>> drwx--. 3 nobody nobody33 Feb  6  2016 ..
>> -rwx--. 1 nobody nobody   119 Feb  6  2016 build-ca
>> -rwx--. 1 nobody nobody   352 Feb  6  2016 build-dh
>> -rwx--. 1 nobody nobody   188 Feb  6  2016 build-inter
>> -rwx--. 1 nobody nobody   163 Feb  6  2016 build-key
>> -rwx--. 1 nobody nobody   157 Feb  6  2016 build-key-pass
>> -rwx--. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
>> -rwx--. 1 nobody nobody   268 Feb  6  2016 build-key-server
>> -rwx--. 1 nobody nobody   213 Feb  6  2016 build-req
>> -rwx--. 1 nobody nobody   158 Feb  6  2016 build-req-pass
>> -rwx--. 1 nobody nobody   449 Feb  6  2016 clean-all
>> -rwx--. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
>> -rwx--. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
>> drwx--  2 nobody nobody 36864 Jul 26 15:07 keys
>> -rwx--. 1 nobody nobody   302 Feb  6  2016 list-crl
>> -rwx--. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
>> -rwx--. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
>> -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
>> -rwx--  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
>> -rwx--. 1 nobody nobody 12966 Feb  6  2016 pkitool
>> -rwx--. 1 nobody nobody   928 Feb  6  2016 revoke-full
>> -rwx--. 1 nobody nobody   178 Feb  6  2016 sign-req
>> -rwx--  1 nobody nobody  2138 Aug  8 20:25 vars
>> -rwx--. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf
>>
>> root@vpn 2.0]# ./build-key xxx
>> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
>> No such file or directory
>> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
>> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
>> /etc/openvpn/easy-rsa/2.0
>> The correct version should have a comment that says: easy-rsa version 2.x"
> 
> Did you remember to source the ./vars file first?
> 
> $ . ./vars
> 
> (yes, a single dot and then ./vars)
> 
> 

Yes I did, same result... any other hints?

Regards!


-- 
Mio Vlahović


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread David Sommerseth
On 08/08/17 21:28, Mio Vlahović wrote:
> On 08.08.2017 21:13, David Sommerseth wrote:
>> On 08/08/17 20:34, Leonardo Rodrigues wrote:
>>>
>>>  You very likely created your certificates with MD5 hashing, which
>>> was disabled on newer OpenSSL versions of CentOS.
>>>
>>>  Try:
>>>
>>> export NSS_HASH_ALG_SUPPORT=+MD5
>>> export OPENSSL_ENABLE_MD5_VERIFY=1
>>>
>>>  before starting your OpenVPN daemon and watch if that makes clients
>>> connect again ...
>> DON'T DO THAT.
>>
>> MD5 based certificates are broken.  If you still use them, upgrade them
>> NOW.  And this knowledge about the brokenness dates back to 2005.
>>
>> 
>> 
>>
>> Anyone using MD5 and re-enables them in the SSL libraries will put their
>> VPN's security at risk.
> 
> No worries, I don't use MD5, but disabling crl_verify as suggested did 
> the trick. Now I still have the issue with generating new certificates.
> 
> I will quote myself again
> "One update... I can no longer generate new certificates. It seems that
> whichopensslcnf scripts can't find openssl.cnf (which is there in the
> same directory...)
> 
> [root@vpn 2.0]# pwd
> /etc/openvpn/easy-rsa/2.0
> [root@vpn 2.0]# ls -la
> drwx------. 3 nobody nobody  4096 Aug  8 20:25 .
> drwx------. 3 nobody nobody    33 Feb  6  2016 ..
> -rwx------. 1 nobody nobody   119 Feb  6  2016 build-ca
> -rwx------. 1 nobody nobody   352 Feb  6  2016 build-dh
> -rwx------. 1 nobody nobody   188 Feb  6  2016 build-inter
> -rwx------. 1 nobody nobody   163 Feb  6  2016 build-key
> -rwx------. 1 nobody nobody   157 Feb  6  2016 build-key-pass
> -rwx------. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
> -rwx------. 1 nobody nobody   268 Feb  6  2016 build-key-server
> -rwx------. 1 nobody nobody   213 Feb  6  2016 build-req
> -rwx------. 1 nobody nobody   158 Feb  6  2016 build-req-pass
> -rwx------. 1 nobody nobody   449 Feb  6  2016 clean-all
> -rwx------. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
> -rwx------. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
> drwx------  2 nobody nobody 36864 Jul 26 15:07 keys
> -rwx------. 1 nobody nobody   302 Feb  6  2016 list-crl
> -rwx------. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
> -rwx------. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
> -rwx------  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
> -rwx------  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
> -rwx------. 1 nobody nobody 12966 Feb  6  2016 pkitool
> -rwx------. 1 nobody nobody   928 Feb  6  2016 revoke-full
> -rwx------. 1 nobody nobody   178 Feb  6  2016 sign-req
> -rwx------  1 nobody nobody  2138 Aug  8 20:25 vars
> -rwx------. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf
> 
> [root@vpn 2.0]# ./build-key xxx
> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
> No such file or directory
> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
> /etc/openvpn/easy-rsa/2.0
> The correct version should have a comment that says: easy-rsa version 2.x"

Did you remember to source the ./vars file first?

$ . ./vars

(yes, a single dot and then ./vars)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc





Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Mio Vlahović
On 08.08.2017 21:13, David Sommerseth wrote:
> On 08/08/17 20:34, Leonardo Rodrigues wrote:
>>
> >>  You very likely created your certificates with MD5 hashing, which
>> was disabled on newer OpenSSL versions of CentOS.
>>
>>  Try:
>>
>> export NSS_HASH_ALG_SUPPORT=+MD5
>> export OPENSSL_ENABLE_MD5_VERIFY=1
>>
> >>  before starting your OpenVPN daemon and watch if that makes clients
>> connect again ...
> DON'T DO THAT.
> 
> MD5 based certificates are broken.  If you still use them, upgrade them
> NOW.  And this knowledge about the brokenness dates back to 2005.
> 
> 
> 
> 
> > Anyone using MD5 and re-enabling it in the SSL libraries will put their
> VPN's security at risk.

No worries, I don't use MD5, but disabling crl_verify as suggested did 
the trick. Now I still have the issue with generating new certificates.

I will quote myself again
"One update... I can no longer generate new certificates. It seems that
the whichopensslcnf script can't find openssl.cnf (which is there in the
same directory...)

[root@vpn 2.0]# pwd
/etc/openvpn/easy-rsa/2.0
[root@vpn 2.0]# ls -la
drwx------. 3 nobody nobody  4096 Aug  8 20:25 .
drwx------. 3 nobody nobody    33 Feb  6  2016 ..
-rwx------. 1 nobody nobody   119 Feb  6  2016 build-ca
-rwx------. 1 nobody nobody   352 Feb  6  2016 build-dh
-rwx------. 1 nobody nobody   188 Feb  6  2016 build-inter
-rwx------. 1 nobody nobody   163 Feb  6  2016 build-key
-rwx------. 1 nobody nobody   157 Feb  6  2016 build-key-pass
-rwx------. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
-rwx------. 1 nobody nobody   268 Feb  6  2016 build-key-server
-rwx------. 1 nobody nobody   213 Feb  6  2016 build-req
-rwx------. 1 nobody nobody   158 Feb  6  2016 build-req-pass
-rwx------. 1 nobody nobody   449 Feb  6  2016 clean-all
-rwx------. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
-rwx------. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
drwx------  2 nobody nobody 36864 Jul 26 15:07 keys
-rwx------. 1 nobody nobody   302 Feb  6  2016 list-crl
-rwx------. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
-rwx------. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
-rwx------  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
-rwx------  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
-rwx------. 1 nobody nobody 12966 Feb  6  2016 pkitool
-rwx------. 1 nobody nobody   928 Feb  6  2016 revoke-full
-rwx------. 1 nobody nobody   178 Feb  6  2016 sign-req
-rwx------  1 nobody nobody  2138 Aug  8 20:25 vars
-rwx------. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf

[root@vpn 2.0]# ./build-key xxx
grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
/etc/openvpn/easy-rsa/2.0
The correct version should have a comment that says: easy-rsa version 2.x"


-- 
Mio Vlahović
Linux/Network Administrator @ BCS d.o.o.
GSM: +385 95 6308 809


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread David Sommerseth
On 08/08/17 20:34, Leonardo Rodrigues wrote:
> 
> You very likely created your certificates with MD5 hashing, which
> was disabled on newer OpenSSL versions of CentOS.
> 
> Try:
> 
> export NSS_HASH_ALG_SUPPORT=+MD5
> export OPENSSL_ENABLE_MD5_VERIFY=1
> 
> before starting your OpenVPN daemon and watch if that makes clients
> connect again ...
DON'T DO THAT.

MD5 based certificates are broken.  If you still use them, upgrade them
NOW.  And this knowledge about the brokenness dates back to 2005.




Anyone using MD5 and re-enabling it in the SSL libraries will put their
VPN's security at risk.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Steffan Karger

On 08-08-17 20:34, Leonardo Rodrigues wrote:
> 
> You very likely created your certificates with MD5 hashing, which
> was disabled on newer OpenSSL versions of CentOS.
> 
> Try:
> 
> export NSS_HASH_ALG_SUPPORT=+MD5
> export OPENSSL_ENABLE_MD5_VERIFY=1
> 
> before starting your OpenVPN daemon and watch if that makes clients
> connect again ...

That's great for debugging the issue, but if this works it's time to
redo your certificates with SHA2 instead.  Nobody should be using MD5
certificates anymore.

-Steffan



Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Steffan Karger


On 08-08-17 20:34, Xen wrote:
> Mio Vlahović wrote on 08-08-2017 19:59:
> 
>> Can anyone assist us on this one? I have googled and found something
>> about a "CRL has expired" error. Is it related to the upgrade of the
>> openvpn package? We use the one from the epel repository.
> 
> You know a CRL is a certificate revocation list right.
> 
> Being a layman for the rest of it, it means that your configuration uses
> a CRL to begin with. A CRL is supposed to be regularly issued and
> containing a list of certificates that are no longer deemed trustworthy;
> ie. client certificates that have been compromised.
> 
> So you can do two things: renew your CRL, or remove it from the
> configuration.
> 
> I will let someone answer now who actually has something useful to say ;-).

That was quite useful, and accurate too.  Of course, regularly
refreshing the CRL is more elegant than just removing it from the config.

Some context:  as of openvpn 2.4, the CRL checking logic of the crypto
library is used, instead of our own implementation.  That logic is more
strict than openvpn 2.3 was, and now rejects CRLs that have a nextUpdate
value that lies in the past.  So this is indeed related to upgrading
from openvpn 2.3.x to 2.4.x.

-Steffan



Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Leonardo Rodrigues


You very likely created your certificates with MD5 hashing, which 
was disabled on newer OpenSSL versions of CentOS.


Try:

export NSS_HASH_ALG_SUPPORT=+MD5
export OPENSSL_ENABLE_MD5_VERIFY=1

before starting your OpenVPN daemon and watch if that makes clients 
connect again ...




On 08/08/17 14:59, Mio Vlahović wrote:
> Hi all,
> 
> We have a problem with the clients after the server reboot.




--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it:
gertru...@solutti.com.br






Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Gert Doering
Hi,

On Tue, Aug 08, 2017 at 08:34:25PM +0200, Xen wrote:
> So you can do two things: renew your CRL, or remove it from the 
> configuration.
> 
> I will let someone answer now who actually has something useful to say 
> ;-).

Well, that's about the message :-) - a CRL has a lifetime, which can
be arbitrarily high (like, 10 years), but if the CRL is rolled with a
short lifetime, it needs to be refreshed regularly.

OpenVPN 2.3 did not respect the lifetime of the CRL, while 2.4 does - so
a setup that worked "just fine" with a long-expired CRL will break
after upgrading to 2.4.  Sorry for the annoyance, but this is the correct
way to handle CRLs.

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
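Both pieces of advice in this thread can be turned into a check that runs before the daemon is restarted: Steffan and Gert explain that OpenVPN 2.4 rejects a CRL whose nextUpdate lies in the past, and David and Steffan insist that MD5-signed certificates be replaced. What follows is an added example, not code from this thread, from OpenVPN or from easy-rsa. It uses only the Python standard library: a minimal DER walker pulls thisUpdate, nextUpdate and the signatureAlgorithm OID out of a CRL (the OID reader also works on a certificate, since Certificate and CertificateList share the same outer SEQUENCE layout), and a small encoder builds a constructed, unsigned test CRL so the script runs without a real PKI. The issuer name "Test CA", the fixed 2017-08-08 "now" and the file path mentioned in the usage note are assumptions made for the demonstration.

```python
"""Pre-flight checks for an OpenVPN PKI, added as an example for this thread (not
OpenVPN or easy-rsa code): is the CRL still current, and is the CRL or a certificate
still signed with MD5?  Stdlib only; a constructed UNSIGNED test CRL makes it run offline."""
import base64
import re
from datetime import datetime, timedelta, timezone

SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C
UTC_TIME, GENERALIZED_TIME = 0x17, 0x18
MD5_WITH_RSA = "1.2.840.113549.1.1.4"  # md5WithRSAEncryption

def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """All (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out

def decode_oid(value):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_time(tag, value):
    """RFC 5280 Time: UTCTime YYMMDDHHMMSSZ (50-99 -> 19xx) or GeneralizedTime YYYYMMDDHHMMSSZ."""
    text = value.decode("ascii")
    if tag == UTC_TIME:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm; Certificate and CertificateList share this layout."""
    _, outer, _ = read_tlv(der)
    return decode_oid(children(children(outer)[1][1])[0][1])

def crl_updates(der):
    """(thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, outer, _ = read_tlv(der)
    tbs_tag, tbs, _ = read_tlv(outer)
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertList is not a SEQUENCE")
    fields = children(tbs)
    # After the optional version and the signature/issuer SEQUENCEs the first Time is
    # thisUpdate; a Time directly after it is the optional nextUpdate.
    for i, (tag, value) in enumerate(fields):
        if tag in (UTC_TIME, GENERALIZED_TIME):
            nxt = fields[i + 1] if i + 1 < len(fields) else (None, None)
            has_next = nxt[0] in (UTC_TIME, GENERALIZED_TIME)
            return decode_time(tag, value), (decode_time(*nxt) if has_next else None)
    raise ValueError("CRL has no thisUpdate")

def crl_is_current(der, now=None):
    """The strict rule OpenVPN 2.4 inherits from its crypto library: expired once nextUpdate is past."""
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_updates(der)
    return this_update <= now and (next_update is None or next_update >= now)

def _tlv(tag, body):
    """DER TLV encoder, short or long length form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _alg(oid_hex):
    return _tlv(SEQUENCE, _tlv(OID, bytes.fromhex(oid_hex)) + _tlv(NULL, b""))

def build_test_crl(this_update, next_update, alg_hex="2a864886f70d01010b"):
    """Constructed, UNSIGNED test CRL: dummy signature bytes, no revoked entries, UTCTime dates.
    alg_hex is the DER content of the signature OID; the default is sha256WithRSAEncryption."""
    utc = lambda dt: _tlv(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    issuer = _tlv(SEQUENCE, _tlv(SET, _tlv(SEQUENCE,
        _tlv(OID, bytes.fromhex("550403")) + _tlv(UTF8STRING, b"Test CA"))))  # CN=Test CA (assumed)
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + _alg(alg_hex) + issuer
               + utc(this_update) + utc(next_update))
    return _tlv(SEQUENCE, tbs + _alg(alg_hex) + _tlv(BIT_STRING, b"\x00" * 33))

def demo(now=datetime(2017, 8, 8, 18, 0, tzinfo=timezone.utc)):
    """Judge a stale, a fresh and an MD5-signed constructed CRL at a fixed, assumed 'now'."""
    stale = build_test_crl(now - timedelta(days=60), now - timedelta(days=30))
    fresh = build_test_crl(now - timedelta(days=1), now + timedelta(days=30))
    md5 = build_test_crl(now - timedelta(days=1), now + timedelta(days=30), "2a864886f70d010104")
    return {
        "stale_current": crl_is_current(stale, now),
        "fresh_current": crl_is_current(fresh, now),
        "stale_next_update": crl_updates(stale)[1].isoformat(),
        "fresh_is_md5": signature_algorithm(fresh) == MD5_WITH_RSA,
        "md5_is_md5": signature_algorithm(md5) == MD5_WITH_RSA,
    }
```

On a real server, `crl_is_current(pem_to_der(open(path).read()))` against the file named by `crl-verify` in the server config (a path such as /etc/openvpn/keys/crl.pem is an assumption) tells you whether 2.4 will accept it; if it returns False, regenerate the CRL (easy-rsa 2.x does this in revoke-full, via `openssl ca -gencrl`) before restarting rather than dropping crl-verify. Run `signature_algorithm` over the CA, server and client certificates as well: anything reporting 1.2.840.113549.1.1.4 is MD5-signed and needs reissuing. The checker does not verify the CRL signature; that remains the crypto library's job, and the dummy signature in the constructed test CRL would fail it.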




Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Xen

Mio Vlahović wrote on 08-08-2017 19:59:

> Can anyone assist us on this one? I have googled and found something
> about a "CRL has expired" error. Is it related to the upgrade of the
> openvpn package? We use the one from the epel repository.


You know a CRL is a certificate revocation list right.

Being a layman for the rest of it, it means that your configuration uses 
a CRL to begin with. A CRL is supposed to be regularly issued and 
containing a list of certificates that are no longer deemed trustworthy; 
ie. client certificates that have been compromised.


So you can do two things: renew your CRL, or remove it from the 
configuration.


I will let someone answer now who actually has something useful to say 
;-).


Regards.



Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Mio Vlahović
On 08.08.2017 19:59, Mio Vlahović wrote:
> Hi all,
> 
> We have a problem with the clients after the server reboot.
> 
> [CUT]

One update... I can no longer generate new certificates. It seems that 
the whichopensslcnf script can't find openssl.cnf (which is there in the 
same directory...)

[root@vpn 2.0]# pwd
/etc/openvpn/easy-rsa/2.0
[root@vpn 2.0]# ls -la
drwx------. 3 nobody nobody  4096 Aug  8 20:25 .
drwx------. 3 nobody nobody    33 Feb  6  2016 ..
-rwx------. 1 nobody nobody   119 Feb  6  2016 build-ca
-rwx------. 1 nobody nobody   352 Feb  6  2016 build-dh
-rwx------. 1 nobody nobody   188 Feb  6  2016 build-inter
-rwx------. 1 nobody nobody   163 Feb  6  2016 build-key
-rwx------. 1 nobody nobody   157 Feb  6  2016 build-key-pass
-rwx------. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
-rwx------. 1 nobody nobody   268 Feb  6  2016 build-key-server
-rwx------. 1 nobody nobody   213 Feb  6  2016 build-req
-rwx------. 1 nobody nobody   158 Feb  6  2016 build-req-pass
-rwx------. 1 nobody nobody   449 Feb  6  2016 clean-all
-rwx------. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
-rwx------. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
drwx------  2 nobody nobody 36864 Jul 26 15:07 keys
-rwx------. 1 nobody nobody   302 Feb  6  2016 list-crl
-rwx------. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
-rwx------. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
-rwx------  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
-rwx------  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
-rwx------. 1 nobody nobody 12966 Feb  6  2016 pkitool
-rwx------. 1 nobody nobody   928 Feb  6  2016 revoke-full
-rwx------. 1 nobody nobody   178 Feb  6  2016 sign-req
-rwx------  1 nobody nobody  2138 Aug  8 20:25 vars
-rwx------. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf

[root@vpn 2.0]# ./build-key xxx
grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0: 
No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf 
/etc/openvpn/easy-rsa/2.0
The correct version should have a comment that says: easy-rsa version 2.x

Regards!


-- 
Mio Vlahović