Hi Johan,
Johan Vermeulen wrote:
hello All,
thanks again for helping me out, this is great.
So getting a ca.pem from a backup, and a client certificate that was
made before the trouble, I get:
[root@caw-server1 keys]# openssl verify -CAfile ca.pem elien-crt.pem
/etc/pki/tls/certs/servercert.pem
elien-crt.pem: OK
/etc/pki/tls/certs/servercert.pem: OK
Any other combination would give me EM:
error 20 at 0 depth lookup:unable to get local issuer certificate
Does this mean I have the right ca.crt ( ca.pem)?
usually no, but it's not uncommon for this to happen. It depends on your
setup
Can I look for the right ca.key the same way?
again, it depends. I'm a little worried about the way your PKI (Private
Key Infrastructure) is set up. Can you post (or directly email me) the
output of
openssl x509 -subject -issuer -noout -in ca.pem
openssl x509 -subject -issuer -noout -in elien-crt.pem
and
openssl x509 -subject -issuer -noout -in non-working-cert.pem
HTH,
JJK
On 21-01-14 11:43, Jan Just Keijser wrote:
Hi Johan,
Johan Vermeulen wrote:
Dear All,
for a long time we have had an OpenVPN server, now on CentOS 6,
originally set up on OpenSuse
[root@caw-server1 2.0]# rpm -qa openvpn
openvpn-2.3.1-3.el6.x86_64
It is very reliable, and my only activity on it, is generate new
client keys.
Not sure what happened -- a ./clean-all could have been run on it --
but since last week, I'm unable to generate new client keys.
[root@caw-server1 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on
/usr/share/openvpn/easy-rsa/2.0/keys
[root@caw-server1 2.0]# ./build-key testjohan
pkitool: Need a readable ca.crt and ca.key in
/usr/share/openvpn/easy-rsa/2.0/keys
Try pkitool --initca to build a root certificate/key.
look inside the directory
/usr/share/openvpn/easy-rsa/2.0/keys
and see if you can find a ca.crt and ca.key file there; you can post
an 'ls -l' if you like.
If they are not there then a './clean-all' was run most likely. I
hope you have a backup somewhere :)
The EM is straightforward enough, but I'm unsure on how to proceed.
As far as I can tell the important files are in /etc/pki/tls/certs/ :
[root@caw-server1 certs]# ls
ca-bundle.crt ca-bundle.trust.crt ca.pem make-dummy-cert
Makefile servercert.pem serverkey.pem slapd.pem
as is reflected in /etc/openvpn/server.conf :
ca /etc/pki/tls/certs/ca.pem
cert /etc/pki/tls/certs/servercert.pem
key /etc/pki/tls/certs/serverkey.pem
These are the keys used for openvpn; key management (generation) is
separated from key usage by OpenVPN; the ca.pem and
servercert+serverkey are not sufficient to generate new client keys.
You will need a ca.crt (or ca.pem) and ca.key file for that.
HTH,
JJK
PS The openssl version does not matter in this case, as CentOS 6 is
new enough; you could/should consider upgrading to 6.5 , however.
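As an added example (not code from this thread or from OpenVPN/easy-rsa): a small POSIX shell script that answers both of the questions above with plain openssl commands, i.e. "does this ca.pem chain the known-good client cert?" and "does this candidate ca.key belong to that ca.pem?". It builds two throwaway CAs and one client certificate in a temp directory so it runs offline; all file names, the lab CAs and the client name are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: check a candidate ca.pem against
# a known-good client certificate, and a candidate ca.key against ca.pem.
# Everything under the temp directory is constructed for the demo.
set -eu

# Does CERT chain to the CA in CAFILE?  A non-zero exit from openssl verify
# (e.g. "error 20 ... unable to get local issuer certificate") means: no.
cert_issued_by() {            # usage: cert_issued_by ca.pem cert.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key in KEYFILE belong to CERTFILE?  Compare the public
# half of the key with the public key embedded in the certificate.
key_matches_cert() {          # usage: key_matches_cert ca.key ca.pem
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Distinguished names with the "subject=" / "issuer=" prefix stripped, so a
# client's issuer can be compared directly with a CA's subject.
subject_of() { openssl x509 -subject -noout -in "$1" | sed 's/^[a-z]*= *//'; }
issuer_of()  { openssl x509 -issuer  -noout -in "$1" | sed 's/^[a-z]*= *//'; }

# Build a throwaway lab: CA "A" and CA "B", plus one client certificate
# signed by A.  Prints the directory name.  A private config file is used
# so the demo does not depend on the system openssl.cnf.
make_lab() {
    dir=$(mktemp -d)
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden by -subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for ca in A B; do
        openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/ca$ca.key" -out "$dir/ca$ca.pem" \
            -subj "/CN=Lab CA $ca" -days 1 >/dev/null 2>&1
    done
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=elien" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/caA.pem" \
        -CAkey "$dir/caA.key" -CAcreateserial -out "$dir/client.pem" \
        -days 1 >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: try the right and the wrong candidate for each question.
LAB=$(make_lab)
for ca in caA caB; do
    if cert_issued_by "$LAB/$ca.pem" "$LAB/client.pem"; then
        echo "$ca.pem: signed client.pem"
    else
        echo "$ca.pem: did NOT sign client.pem"
    fi
    if key_matches_cert "$LAB/$ca.key" "$LAB/caA.pem"; then
        echo "$ca.key: matches caA.pem"
    else
        echo "$ca.key: does NOT match caA.pem"
    fi
done
echo "client issuer: $(issuer_of "$LAB/client.pem")"
echo "caA subject:   $(subject_of "$LAB/caA.pem")"
rm -rf "$LAB"
```

On a real box, replace the lab paths with the backup ca.pem, the working client cert (elien-crt.pem in the thread) and each candidate ca.key; a key that passes key_matches_cert against the ca.pem that verifies the old client certs is the one easy-rsa needs in keys/ alongside ca.crt. Note that this only identifies the correct files, it does not recover a key that clean-all actually deleted.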
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users