Johan Vermeulen wrote:
hello,

no, I did not set this up. I cannot contact the person who did.

Indeed, it would be better to start over from scratch.
Still, I would like to understand what went wrong.

I do see in the OpenVPN docs the advice to copy easy-rsa away from /usr/local/openvpn so as not to be
overwritten by updates.
So maybe that's what happened.


that should not happen - the files in the /usr/share/openvpn/easy-rsa/*/keys are not part of any package and hence will not be overwritten during an upgrade.

It **IS** advisable to do this, however. You might be able to find out more by checking the history of the root user (just type 'history'); that might give some clues, but most likely you will not find out exactly where and how things went wrong.

HTH,

JJK
op 21-01-14 15:02, Jan Just Keijser schreef:
Hi Johan,

Johan Vermeulen wrote:
Yes. Against better judgment, I'm trying everything that has "key" written in it, e.g.

/data0/etc/ssl/servercerts/serverkey.pem

Did you set this up originally? If not, perhaps you can ask the person who did? There is an off-chance that the original ca.key was included in the ca.pem file (which is **extremely** bad, BTW).

Also, you could consider scratching the current setup and starting fresh - your existing clients will still be able to connect (if you do this right) and you could then replace certificates with certs signed using the new CA. This might be easier & quicker than trying to hunt down the original ca.key file.

HTH,

JJK

op 21-01-14 14:23, Joe Patterson schreef:
The directory listing you sent me earlier had /usr/share/openvpn/easy-rsa/2.0/keys/ca.key and ca.key.orig.

-Joe


On Tue, Jan 21, 2014 at 8:22 AM, Johan Vermeulen <jvermeu...@cawdekempen.be> wrote:

    hello,

    I'm unable to find the key.pem or the *.key

    What I don't understand is: I do have a backup.
    And the setup on the original OpenSUSE server is still there,
    from different versions of OpenVPN.
    I just can't find the keys.

    I don't understand it.

    minas:~ # locate easy-rsa
    /data0/usr/share/openvpn/easy-rsa
    /data0/usr/share/openvpn/easy-rsa/2.0
    /data0/usr/share/openvpn/easy-rsa/2.0/build-ca
    /data0/usr/share/openvpn/easy-rsa/2.0/build-dh
    /data0/usr/share/openvpn/easy-rsa/2.0/build-inter
    /data0/usr/share/openvpn/easy-rsa/2.0/build-key
    /data0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
    /data0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
    /data0/usr/share/openvpn/easy-rsa/2.0/build-key-server
    /data0/usr/share/openvpn/easy-rsa/2.0/build-req
    /data0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
    /data0/usr/share/openvpn/easy-rsa/2.0/clean-all
    /data0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
    /data0/usr/share/openvpn/easy-rsa/2.0/list-crl
    /data0/usr/share/openvpn/easy-rsa/2.0/Makefile
    /data0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
    /data0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
    /data0/usr/share/openvpn/easy-rsa/2.0/pkitool
    /data0/usr/share/openvpn/easy-rsa/2.0/README
    /data0/usr/share/openvpn/easy-rsa/2.0/revoke-full
    /data0/usr/share/openvpn/easy-rsa/2.0/sign-req
    /data0/usr/share/openvpn/easy-rsa/2.0/vars
    /data0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
    /data0/usr/share/openvpn/easy-rsa/build-ca
    /data0/usr/share/openvpn/easy-rsa/build-dh
    /data0/usr/share/openvpn/easy-rsa/build-inter
    /data0/usr/share/openvpn/easy-rsa/build-key
    /data0/usr/share/openvpn/easy-rsa/build-key-pass
    /data0/usr/share/openvpn/easy-rsa/build-key-pkcs12
    /data0/usr/share/openvpn/easy-rsa/build-key-server
    /data0/usr/share/openvpn/easy-rsa/build-req
    /data0/usr/share/openvpn/easy-rsa/build-req-pass
    /data0/usr/share/openvpn/easy-rsa/clean-all
    /data0/usr/share/openvpn/easy-rsa/list-crl
    /data0/usr/share/openvpn/easy-rsa/make-crl
    /data0/usr/share/openvpn/easy-rsa/openssl.cnf
    /data0/usr/share/openvpn/easy-rsa/README
    /data0/usr/share/openvpn/easy-rsa/revoke-crt
    /data0/usr/share/openvpn/easy-rsa/revoke-full
    /data0/usr/share/openvpn/easy-rsa/sign-req
    /data0/usr/share/openvpn/easy-rsa/vars
    /data0/usr/share/openvpn/easy-rsa/Windows
    /data0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
    /data0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/README.txt
    /data0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
    /data0/usr/share/openvpn/easy-rsa/Windows/serial.start
    /data0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
    /data/md0/usr/share/openvpn/easy-rsa
    /data/md0/usr/share/openvpn/easy-rsa/2.0
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-ca
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-dh
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-inter
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pass
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-key-server
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-req
    /data/md0/usr/share/openvpn/easy-rsa/2.0/build-req-pass
    /data/md0/usr/share/openvpn/easy-rsa/2.0/clean-all
    /data/md0/usr/share/openvpn/easy-rsa/2.0/inherit-inter
    /data/md0/usr/share/openvpn/easy-rsa/2.0/list-crl
    /data/md0/usr/share/openvpn/easy-rsa/2.0/Makefile
    /data/md0/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
    /data/md0/usr/share/openvpn/easy-rsa/2.0/openssl.cnf
    /data/md0/usr/share/openvpn/easy-rsa/2.0/pkitool
    /data/md0/usr/share/openvpn/easy-rsa/2.0/README
    /data/md0/usr/share/openvpn/easy-rsa/2.0/revoke-full
    /data/md0/usr/share/openvpn/easy-rsa/2.0/sign-req
    /data/md0/usr/share/openvpn/easy-rsa/2.0/vars
    /data/md0/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
    /data/md0/usr/share/openvpn/easy-rsa/build-ca
    /data/md0/usr/share/openvpn/easy-rsa/build-dh
    /data/md0/usr/share/openvpn/easy-rsa/build-inter
    /data/md0/usr/share/openvpn/easy-rsa/build-key
    /data/md0/usr/share/openvpn/easy-rsa/build-key-pass
    /data/md0/usr/share/openvpn/easy-rsa/build-key-pkcs12
    /data/md0/usr/share/openvpn/easy-rsa/build-key-server
    /data/md0/usr/share/openvpn/easy-rsa/build-req
    /data/md0/usr/share/openvpn/easy-rsa/build-req-pass
    /data/md0/usr/share/openvpn/easy-rsa/clean-all
    /data/md0/usr/share/openvpn/easy-rsa/list-crl
    /data/md0/usr/share/openvpn/easy-rsa/make-crl
    /data/md0/usr/share/openvpn/easy-rsa/openssl.cnf
    /data/md0/usr/share/openvpn/easy-rsa/README
    /data/md0/usr/share/openvpn/easy-rsa/revoke-crt
    /data/md0/usr/share/openvpn/easy-rsa/revoke-full
    /data/md0/usr/share/openvpn/easy-rsa/sign-req
    /data/md0/usr/share/openvpn/easy-rsa/vars
    /data/md0/usr/share/openvpn/easy-rsa/Windows
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
    /data/md0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/README.txt
    /data/md0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
    /data/md0/usr/share/openvpn/easy-rsa/Windows/serial.start
    /data/md0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
    /usr/share/openvpn/easy-rsa
    /usr/share/openvpn/easy-rsa/1.0
    /usr/share/openvpn/easy-rsa/1.0/build-ca
    /usr/share/openvpn/easy-rsa/1.0/build-dh
    /usr/share/openvpn/easy-rsa/1.0/build-inter
    /usr/share/openvpn/easy-rsa/1.0/build-key
    /usr/share/openvpn/easy-rsa/1.0/build-key-pass
    /usr/share/openvpn/easy-rsa/1.0/build-key-pkcs12
    /usr/share/openvpn/easy-rsa/1.0/build-key-server
    /usr/share/openvpn/easy-rsa/1.0/build-req
    /usr/share/openvpn/easy-rsa/1.0/build-req-pass
    /usr/share/openvpn/easy-rsa/1.0/clean-all
    /usr/share/openvpn/easy-rsa/1.0/list-crl
    /usr/share/openvpn/easy-rsa/1.0/make-crl
    /usr/share/openvpn/easy-rsa/1.0/openssl.cnf
    /usr/share/openvpn/easy-rsa/1.0/README
    /usr/share/openvpn/easy-rsa/1.0/revoke-crt
    /usr/share/openvpn/easy-rsa/1.0/revoke-full
    /usr/share/openvpn/easy-rsa/1.0/sign-req
    /usr/share/openvpn/easy-rsa/1.0/vars
    /usr/share/openvpn/easy-rsa/2.0
    /usr/share/openvpn/easy-rsa/2.0/build-ca
    /usr/share/openvpn/easy-rsa/2.0/build-dh
    /usr/share/openvpn/easy-rsa/2.0/build-inter
    /usr/share/openvpn/easy-rsa/2.0/build-key
    /usr/share/openvpn/easy-rsa/2.0/build-key-pass
    /usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
    /usr/share/openvpn/easy-rsa/2.0/build-key-server
    /usr/share/openvpn/easy-rsa/2.0/build-req
    /usr/share/openvpn/easy-rsa/2.0/build-req-pass
    /usr/share/openvpn/easy-rsa/2.0/clean-all
    /usr/share/openvpn/easy-rsa/2.0/inherit-inter
    /usr/share/openvpn/easy-rsa/2.0/list-crl
    /usr/share/openvpn/easy-rsa/2.0/Makefile
    /usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
    /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
    /usr/share/openvpn/easy-rsa/2.0/pkitool
    /usr/share/openvpn/easy-rsa/2.0/README
    /usr/share/openvpn/easy-rsa/2.0/revoke-full
    /usr/share/openvpn/easy-rsa/2.0/sign-req
    /usr/share/openvpn/easy-rsa/2.0/vars
    /usr/share/openvpn/easy-rsa/2.0/whichopensslcnf

    op 21-01-14 13:08, Joe Patterson schreef:
    openssl x509 -noout -modulus -in ca.pem

    then look for a key where the output of:

    openssl rsa -noout -modulus -in file.key

    matches.

    -Joe


    On Tue, Jan 21, 2014 at 6:43 AM, Johan Vermeulen
    <jvermeu...@cawdekempen.be> wrote:

        hello All,

        thanks again for helping me out, this is great.

        So getting a ca.pem from a backup, and a client
        certificate that was made before the trouble, I get:

        [root@caw-server1 keys]# openssl verify -CAfile ca.pem
        elien-crt.pem /etc/pki/tls/certs/servercert.pem
        elien-crt.pem: OK
        /etc/pki/tls/certs/servercert.pem: OK

        Any other combination would give me EM:

        error 20 at 0 depth lookup:unable to get local issuer
        certificate

        Does this mean I have the right ca.crt ( ca.pem)?

        Can I look for the right ca.key the same way?

        greetings, J.


        op 21-01-14 11:43, Jan Just Keijser schreef:
        Hi Johan,

        Johan Vermeulen wrote:
        Dear All,

        for a long time we have had an OpenVPN server, now on
        CentOS 6,
        originally set up on OpenSUSE

        [root@caw-server1 2.0]# rpm -qa openvpn
        openvpn-2.3.1-3.el6.x86_64

        It is very reliable, and my only activity on it is
        generating new client keys.

        Not sure what happened -- a ./clean-all could have been
        run on it -- but since last week, I'm unable to generate
        new client keys.

        [root@caw-server1 2.0]# source ./vars
        NOTE: If you run ./clean-all, I will be doing a rm -rf
        on /usr/share/openvpn/easy-rsa/2.0/keys
        [root@caw-server1 2.0]# ./build-key testjohan
        pkitool: Need a readable ca.crt and ca.key in
        /usr/share/openvpn/easy-rsa/2.0/keys
        Try pkitool --initca to build a root certificate/key.

        look inside the directory
        /usr/share/openvpn/easy-rsa/2.0/keys
        and see if you can find a ca.crt and ca.key file there;
        you can post an 'ls -l' if you like.
        If they are not there then a './clean-all' was run most
        likely. I hope you have a backup somewhere :)

        The EM is straightforward enough, but I'm unsure on how
        to proceed.

        As far as I can tell the important files are in
        /etc/pki/tls/certs/ :
        [root@caw-server1 certs]# ls
        ca-bundle.crt ca-bundle.trust.crt ca.pem make-dummy-cert Makefile servercert.pem serverkey.pem slapd.pem

        as is reflected in /etc/openvpn/server.conf :

        ca /etc/pki/tls/certs/ca.pem
        cert /etc/pki/tls/certs/servercert.pem
        key /etc/pki/tls/certs/serverkey.pem

        These are the keys used for openvpn; key management
        (generation) is separated from key usage by OpenVPN; the
        ca.pem and servercert+serverkey are not sufficient to
        generate new client keys. You will need a ca.crt (or
        ca.pem) and ca.key file for that.

        HTH,

        JJK

        PS The openssl version does not matter in this case, as
        CentOS 6 is new enough; you could/should consider
        upgrading to 6.5, however.
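
A script, added here and not written by anyone in this thread, that automates Joe's modulus comparison over a whole directory of candidate key files and also performs the check JJK alluded to: whether a ca.pem wrongly bundles the CA's private key together with the certificate. It assumes the openssl CLI is on PATH; the certificate path and key directory are arguments, and the function names (find_matching_key etc.) are my own.

```shell
#!/bin/sh
# Find which RSA private key belongs to a given X.509 certificate by comparing
# moduli (the same test Joe described, run over every file under a directory),
# and flag a PEM file that bundles a private key next to the certificate.
# Assumption: the openssl command-line tool is installed and on PATH.

# Print the modulus of an X.509 certificate; prints nothing if unreadable.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null | sed 's/^Modulus=//'
}

# Print the modulus of an RSA private key; prints nothing if the file is not
# an RSA key. An empty -passin means a passphrase-protected key (build-key-pass)
# fails instead of prompting, so it simply will not match here.
key_modulus() {
    openssl rsa -noout -modulus -passin pass: -in "$1" 2>/dev/null | sed 's/^Modulus=//'
}

# Exit 0 if the PEM file also contains a private key block (the "extremely bad"
# case of ca.key having been pasted into ca.pem), 1 otherwise.
pem_contains_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Print the path of every regular file under directory $2 whose RSA modulus
# equals that of certificate $1. Exit 2 if the certificate cannot be read.
find_matching_key() {
    want=$(cert_modulus "$1")
    if [ -z "$want" ]; then
        echo "cannot read certificate: $1" >&2
        return 2
    fi
    find "$2" -type f | while IFS= read -r f; do
        if [ "$(key_modulus "$f")" = "$want" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: ./findkey.sh ca.pem /usr/share/openvpn/easy-rsa/2.0/keys
if [ "$#" -eq 2 ]; then
    if pem_contains_private_key "$1"; then
        echo "WARNING: $1 contains a private key block; move it out of the cert file" >&2
    fi
    find_matching_key "$1" "$2"
fi
```

Run it against each backup copy of ca.pem in turn; an empty result for every candidate directory means the CA key is simply not on that disk and JJK's advice to start a fresh CA applies.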

        _______________________________________________
        Openvpn-users mailing list
        Openvpn-users@lists.sourceforge.net
        https://lists.sourceforge.net/lists/listinfo/openvpn-users