hello,

I'm unable to find the key.pem or the *.key

What I don't understand is: I do have a backup.
And the setup on the original openSUSE server is still there, from different versions of OpenVPN;
I just can't find the keys.

I don't understand it.

minas:~ # locate easy-rsa
/data0/usr/share/openvpn/easy-rsa
/data0/usr/share/openvpn/easy-rsa/2.0
/data0/usr/share/openvpn/easy-rsa/2.0/build-ca
/data0/usr/share/openvpn/easy-rsa/2.0/build-dh
/data0/usr/share/openvpn/easy-rsa/2.0/build-inter
/data0/usr/share/openvpn/easy-rsa/2.0/build-key
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/data0/usr/share/openvpn/easy-rsa/2.0/build-key-server
/data0/usr/share/openvpn/easy-rsa/2.0/build-req
/data0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/data0/usr/share/openvpn/easy-rsa/2.0/clean-all
/data0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/data0/usr/share/openvpn/easy-rsa/2.0/list-crl
/data0/usr/share/openvpn/easy-rsa/2.0/Makefile
/data0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/data0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/data0/usr/share/openvpn/easy-rsa/2.0/pkitool
/data0/usr/share/openvpn/easy-rsa/2.0/README
/data0/usr/share/openvpn/easy-rsa/2.0/revoke-full
/data0/usr/share/openvpn/easy-rsa/2.0/sign-req
/data0/usr/share/openvpn/easy-rsa/2.0/vars
/data0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
/data0/usr/share/openvpn/easy-rsa/build-ca
/data0/usr/share/openvpn/easy-rsa/build-dh
/data0/usr/share/openvpn/easy-rsa/build-inter
/data0/usr/share/openvpn/easy-rsa/build-key
/data0/usr/share/openvpn/easy-rsa/build-key-pass
/data0/usr/share/openvpn/easy-rsa/build-key-pkcs12
/data0/usr/share/openvpn/easy-rsa/build-key-server
/data0/usr/share/openvpn/easy-rsa/build-req
/data0/usr/share/openvpn/easy-rsa/build-req-pass
/data0/usr/share/openvpn/easy-rsa/clean-all
/data0/usr/share/openvpn/easy-rsa/list-crl
/data0/usr/share/openvpn/easy-rsa/make-crl
/data0/usr/share/openvpn/easy-rsa/openssl.cnf
/data0/usr/share/openvpn/easy-rsa/README
/data0/usr/share/openvpn/easy-rsa/revoke-crt
/data0/usr/share/openvpn/easy-rsa/revoke-full
/data0/usr/share/openvpn/easy-rsa/sign-req
/data0/usr/share/openvpn/easy-rsa/vars
/data0/usr/share/openvpn/easy-rsa/Windows
/data0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
/data0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
/data0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
/data0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
/data0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
/data0/usr/share/openvpn/easy-rsa/Windows/README.txt
/data0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
/data0/usr/share/openvpn/easy-rsa/Windows/serial.start
/data0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
/data/md0/usr/share/openvpn/easy-rsa
/data/md0/usr/share/openvpn/easy-rsa/2.0
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-ca
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-dh
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-inter
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-server
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-req
/data/md0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/data/md0/usr/share/openvpn/easy-rsa/2.0/clean-all
/data/md0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/data/md0/usr/share/openvpn/easy-rsa/2.0/list-crl
/data/md0/usr/share/openvpn/easy-rsa/2.0/Makefile
/data/md0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/data/md0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/data/md0/usr/share/openvpn/easy-rsa/2.0/pkitool
/data/md0/usr/share/openvpn/easy-rsa/2.0/README
/data/md0/usr/share/openvpn/easy-rsa/2.0/revoke-full
/data/md0/usr/share/openvpn/easy-rsa/2.0/sign-req
/data/md0/usr/share/openvpn/easy-rsa/2.0/vars
/data/md0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
/data/md0/usr/share/openvpn/easy-rsa/build-ca
/data/md0/usr/share/openvpn/easy-rsa/build-dh
/data/md0/usr/share/openvpn/easy-rsa/build-inter
/data/md0/usr/share/openvpn/easy-rsa/build-key
/data/md0/usr/share/openvpn/easy-rsa/build-key-pass
/data/md0/usr/share/openvpn/easy-rsa/build-key-pkcs12
/data/md0/usr/share/openvpn/easy-rsa/build-key-server
/data/md0/usr/share/openvpn/easy-rsa/build-req
/data/md0/usr/share/openvpn/easy-rsa/build-req-pass
/data/md0/usr/share/openvpn/easy-rsa/clean-all
/data/md0/usr/share/openvpn/easy-rsa/list-crl
/data/md0/usr/share/openvpn/easy-rsa/make-crl
/data/md0/usr/share/openvpn/easy-rsa/openssl.cnf
/data/md0/usr/share/openvpn/easy-rsa/README
/data/md0/usr/share/openvpn/easy-rsa/revoke-crt
/data/md0/usr/share/openvpn/easy-rsa/revoke-full
/data/md0/usr/share/openvpn/easy-rsa/sign-req
/data/md0/usr/share/openvpn/easy-rsa/vars
/data/md0/usr/share/openvpn/easy-rsa/Windows
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
/data/md0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/README.txt
/data/md0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
/data/md0/usr/share/openvpn/easy-rsa/Windows/serial.start
/data/md0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
/usr/share/openvpn/easy-rsa
/usr/share/openvpn/easy-rsa/1.0
/usr/share/openvpn/easy-rsa/1.0/build-ca
/usr/share/openvpn/easy-rsa/1.0/build-dh
/usr/share/openvpn/easy-rsa/1.0/build-inter
/usr/share/openvpn/easy-rsa/1.0/build-key
/usr/share/openvpn/easy-rsa/1.0/build-key-pass
/usr/share/openvpn/easy-rsa/1.0/build-key-pkcs12
/usr/share/openvpn/easy-rsa/1.0/build-key-server
/usr/share/openvpn/easy-rsa/1.0/build-req
/usr/share/openvpn/easy-rsa/1.0/build-req-pass
/usr/share/openvpn/easy-rsa/1.0/clean-all
/usr/share/openvpn/easy-rsa/1.0/list-crl
/usr/share/openvpn/easy-rsa/1.0/make-crl
/usr/share/openvpn/easy-rsa/1.0/openssl.cnf
/usr/share/openvpn/easy-rsa/1.0/README
/usr/share/openvpn/easy-rsa/1.0/revoke-crt
/usr/share/openvpn/easy-rsa/1.0/revoke-full
/usr/share/openvpn/easy-rsa/1.0/sign-req
/usr/share/openvpn/easy-rsa/1.0/vars
/usr/share/openvpn/easy-rsa/2.0
/usr/share/openvpn/easy-rsa/2.0/build-ca
/usr/share/openvpn/easy-rsa/2.0/build-dh
/usr/share/openvpn/easy-rsa/2.0/build-inter
/usr/share/openvpn/easy-rsa/2.0/build-key
/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/usr/share/openvpn/easy-rsa/2.0/build-key-server
/usr/share/openvpn/easy-rsa/2.0/build-req
/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/usr/share/openvpn/easy-rsa/2.0/clean-all
/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/usr/share/openvpn/easy-rsa/2.0/list-crl
/usr/share/openvpn/easy-rsa/2.0/Makefile
/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
/usr/share/openvpn/easy-rsa/2.0/pkitool
/usr/share/openvpn/easy-rsa/2.0/README
/usr/share/openvpn/easy-rsa/2.0/revoke-full
/usr/share/openvpn/easy-rsa/2.0/sign-req
/usr/share/openvpn/easy-rsa/2.0/vars
/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf

op 21-01-14 13:08, Joe Patterson schreef:
openssl x509 -noout -modulus -in ca.pem

then look for a key where the output of:

openssl rsa -noout -modulus -in file.key

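matches. A certificate and its private key share the same RSA modulus, so identical output means file.key is the key that belongs to ca.pem.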

-Joe


On Tue, Jan 21, 2014 at 6:43 AM, Johan Vermeulen <jvermeu...@cawdekempen.be <mailto:jvermeu...@cawdekempen.be>> wrote:

    hello All,

    thanks again for helping me out, this is great.

    So getting a ca.pem from a backup, and a client certificate that
    was made before the trouble, I get:

    [root@caw-server1 keys]# openssl verify -CAfile ca.pem
    elien-crt.pem /etc/pki/tls/certs/servercert.pem
    elien-crt.pem: OK
    /etc/pki/tls/certs/servercert.pem: OK

    Any other combination would give me the error message:

    error 20 at 0 depth lookup:unable to get local issuer certificate

    Does this mean I have the right ca.crt ( ca.pem)?

    Can I look for the right ca.key the same way?

    greetings, J.


    op 21-01-14 11:43, Jan Just Keijser schreef:
    Hi Johan,

    Johan Vermeulen wrote:
    Dear All,

    We have had an OpenVPN server for a long time, now on CentOS 6,
    originally set up on openSUSE

    [root@caw-server1 2.0]# rpm -qa openvpn
    openvpn-2.3.1-3.el6.x86_64

    It is very reliable, and my only activity on it is generating new
    client keys.

    Not sure what happened -- a ./clean-all could have been run on
    it -- but since last week, I'm unable to generate new client keys.

    [root@caw-server1 2.0]# source ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on
    /usr/share/openvpn/easy-rsa/2.0/keys
    [root@caw-server1 2.0]# ./build-key testjohan
    pkitool: Need a readable ca.crt and ca.key in
    /usr/share/openvpn/easy-rsa/2.0/keys
    Try pkitool --initca to build a root certificate/key.

    look inside the directory
    /usr/share/openvpn/easy-rsa/2.0/keys
    and see if you can find a ca.crt and ca.key file there; you can
    post an 'ls -l' if you like.
    If they are not there then a './clean-all' was run most likely. I
    hope you have a backup somewhere :)

    The error message is straightforward enough, but I'm unsure how to proceed.

    As far as I can tell the important files are in
    /etc/pki/tls/certs/ :
    [root@caw-server1 certs]# ls
    ca-bundle.crt  ca-bundle.trust.crt  ca.pem make-dummy-cert
    Makefile  servercert.pem serverkey.pem  slapd.pem

    as is reflected in /etc/openvpn/server.conf :

    ca /etc/pki/tls/certs/ca.pem
    cert /etc/pki/tls/certs/servercert.pem
    key /etc/pki/tls/certs/serverkey.pem

    These are the keys used by OpenVPN itself; key management (generation)
    is separate from OpenVPN's use of the keys, so the ca.pem and
    servercert+serverkey are not sufficient to generate new client
    keys. You will need a ca.crt (or ca.pem) and the matching ca.key file for that.

    HTH,

    JJK

    PS The openssl version does not matter in this case, as CentOS 6
    is new enough; you could/should consider upgrading to 6.5 , however.




    



