Support forum for Easy-RSA certificate management suite.
Moderators: TinCanTech
-
penguinpupil
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Mar 13, 2018 7:30 pm
Post
by penguinpupil » Tue Mar 13, 2018 8:09 pm
Hello,
I am having trouble revoking certificates. I followed the instructions here:
https://openvpn.net/index.php/open-sour ... tml#revoke
Openvpn version: 2.3.10-1ubuntu2.1
Server OS: Ubuntu 16.04.4 LTS
Unfortunately output of
looks like this
Code:
Using configuration from /etc/openvpn/easy-rsa2/openssl-1.0.0.cnf
unable to load certificate
139926510765720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
Using configuration from /etc/openvpn/easy-rsa2/openssl-1.0.0.cnf
unable to load certificate
139667813103256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
I performed the command in the "easy-rsa" directory and did start with
All certificates were in the specified place.
I checked forums and internet and could not find a solution. Can anybody give me a hint how to solve the issue?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Wed Mar 14, 2018 2:02 pm
penguinpupil wrote: ↑Tue Mar 13, 2018 8:09 pm
Openvpn version: 2.3.10-1ubuntu2.1
You should consider upgrading:
https://community.openvpn.net/openvpn/w ... twareRepos
You are using Easyrsa2 and should consider upgrading that too:
https://github.com/OpenVPN/easy-rsa/releases
penguinpupil wrote: ↑Tue Mar 13, 2018 8:09 pm
unable to load certificate 139926510765720:error:0906D06C:PEM routines:PEM_read_bio:
no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
Looks like something wrong with your certificate ..
Check it against this:
Code:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fb:18:65:7e:39:31:e3:b4:aa:9b:f2:42:e9:21:25:2a
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=CORE-CA
        Validity
            Not Before: Mar 3 18:39:07 2018 GMT
            Not After : Feb 29 18:39:07 2028 GMT
        Subject: CN=core-cli-a-03
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:49:1e:b9:e5:d4:d0:55:c5:80:5f:ed:87:11:ed:
                    28:0e:66:0b:82:bb:aa:bc:1d:01:a5:58:fb:eb:ed:
                    a2:07:57:d5:6b:ad:ff:8f:0c:f8:01:b0:f1:9f:7c:
                    fe:1d:0d:bd:17:f6:f2:56:ba:98:03:bb:e1:39:8e:
                    66:e1:61:d6:0c:74:06:70:fb:23:7e:6d:1f:fa:a5:
                    9e:c8:27:7b:b9:6e:c3:1d:8a:b6:53:4e:4e:86:e8:
                    71:30:dc:38:e6:eb:d3
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                0D:26:5D:A0:09:BB:57:F3:A9:7B:DF:F6:F2:3E:22:C7:EF:E2:71:1B
            X509v3 Authority Key Identifier:
                keyid:88:BF:66:17:18:A5:7A:8F:C8:90:31:7C:60:CD:6B:ED:77:D7:A6:21
                DirName:/CN=CORE-CA
                serial:81:DE:BB:31:E8:52:BD:1F
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: ecdsa-with-SHA256
         30:66:02:31:00:b9:4f:6d:c9:4e:a1:50:18:50:3e:47:1e:1e:
         59:30:e1:58:70:90:5c:4f:7b:c1:e2:23:ba:aa:68:9b:71:5a:
         a1:fb:b7:82:50:2e:c8:b3:93:93:e1:b8:01:70:f8:46:88:02:
         31:00:a4:86:90:ce:1f:4d:d9:17:a4:92:cf:3f:e5:d3:48:3d:
         4f:64:72:d7:6a:33:9d:4e:d7:b9:c0:43:a9:5a:e7:6d:00:ce:
         7f:f9:fc:fc:7c:f7:0b:dd:4a:a5:ac:f6:11:7b
-----BEGIN CERTIFICATE-----
< snipped certificate data >
-----END CERTIFICATE-----
-
penguinpupil
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Mar 13, 2018 7:30 pm
Post
by penguinpupil » Wed Mar 14, 2018 8:40 pm
Thanks TinCanTech, you have had the right idea. The client1.crt was totally empty. I have honestly no idea why. But anyhow, I could revoke the certificate as described by copying my backup certificate back. I will consider your update recommendations, as it is probably a good idea to start once again from the green field with the lessons I have learned.
Problem is solved. How do I change the status of this topic?
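Editor's added example (not part of the thread and not Easy-RSA's own code): a pre-flight check that would have caught the empty client1.crt behind the "no start line" error before attempting revocation. The function names and the directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify certificate files before running a revoke.
# Status values printed by check_cert:
#   missing    - file does not exist
#   empty      - zero-byte file (the cause found in this thread)
#   no-pem     - no "-----BEGIN ... CERTIFICATE-----" line, which OpenSSL
#                reports as "PEM_read_bio:no start line"
#   unparsable - PEM start line present but openssl cannot decode the file
#   ok         - passed every check that could be run
check_cert() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    [ -s "$f" ] || { echo empty; return 1; }
    # Accept both plain and "TRUSTED CERTIFICATE" PEM headers.
    grep -Eq '^-----BEGIN (TRUSTED )?CERTIFICATE-----' "$f" ||
        { echo no-pem; return 1; }
    # Full decode only when the openssl binary is installed.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$f" -noout >/dev/null 2>&1 ||
            { echo unparsable; return 1; }
    fi
    echo ok
}

# Check every .crt in a directory (hypothetical helper; pass the directory
# that holds your issued certificates). Returns non-zero if any file fails.
check_keys_dir() {
    dir=$1
    bad=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue
        status=$(check_cert "$crt") || bad=$((bad + 1))
        printf '%-12s %s\n' "$status" "$crt"
    done
    [ "$bad" -eq 0 ]
}
```

Source the file and run `check_keys_dir` on the directory holding the issued .crt files; any line not marked `ok` should be restored from backup before revoking.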