Regenerate Certificates without using MD5

Official client software for OpenVPN Access Server and OpenVPN Cloud.
chribonn
OpenVpn Newbie
Posts: 13
Joined: Thu Jan 04, 2018 7:30 am

Regenerate Certificates without using MD5

Post by chribonn » Thu Jan 04, 2018 7:40 am

Hi,

Is there a guide I can follow to either upgrade or completely regenerate my OpenVPN certificates so that I can address the warning related to MD5?

Thanks

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Regenerate Certificates without using MD5

Post by ordex » Thu Jan 04, 2018 9:23 am

If you recreate your PKI using the latest easyrsa on a recent system, it will automatically use sha1 or sha256.

chribonn
OpenVpn Newbie
Posts: 13
Joined: Thu Jan 04, 2018 7:30 am

Re: Regenerate Certificates without using MD5

Post by chribonn » Thu Jan 04, 2018 2:06 pm

Thanks.

I'll update OpenVPN to the latest version then.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Regenerate Certificates without using MD5

Post by ordex » Thu Jan 04, 2018 3:25 pm

chribonn wrote:
Thu Jan 04, 2018 2:06 pm
I'll update OpenVPN to the latest version then.
That is surely important; however, EasyRSA is the tool people normally use to create a PKI for OpenVPN (I guess you also used it in the past?). Its latest release is available on GitHub and it is independent of OpenVPN itself.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Regenerate Certificates without using MD5

Post by TinCanTech » Thu Jan 04, 2018 3:37 pm

See:
https://github.com/OpenVPN/easy-rsa/releases

chribonn
OpenVpn Newbie
Posts: 13
Joined: Thu Jan 04, 2018 7:30 am

Re: Regenerate Certificates without using MD5

Post by chribonn » Thu Jan 04, 2018 3:44 pm

TinCanTech wrote:
Thu Jan 04, 2018 3:37 pm
See:
https://github.com/OpenVPN/easy-rsa/releases
Thanks for the link.

chribonn
OpenVpn Newbie
Posts: 13
Joined: Thu Jan 04, 2018 7:30 am

Re: Regenerate Certificates without using MD5

Post by chribonn » Fri Jan 05, 2018 8:28 pm

Hello,

I (think) I followed the instructions in easyrsa and created the server and client certificates. I also generated a 2048-bit Diffie-Hellman file. The only "code" I did not replace from the original ovpn files is the <tls-auth> block (-----BEGIN OpenVPN Static key V1-----).

My original ovpn file had the various certificates embedded within them. I retained this. I changed no other setting.

Below is the log on the client when I try to connect.

Fri Jan 05 21:10:05 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Jan 05 21:10:05 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Jan 05 21:10:05 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Fri Jan 05 21:10:05 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Jan 05 21:10:05 2018 Need hold release from management interface, waiting...
Fri Jan 05 21:10:05 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'state on'
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'log all on'
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'echo all on'
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'hold off'
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'hold release'
Fri Jan 05 21:10:10 2018 MANAGEMENT: CMD 'password [...]'
Fri Jan 05 21:10:10 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jan 05 21:10:10 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 05 21:10:10 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 05 21:10:10 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]21x.xxx.xxx.x80:1175
Fri Jan 05 21:10:10 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jan 05 21:10:10 2018 UDP link local: (not bound)
Fri Jan 05 21:10:10 2018 UDP link remote: [AF_INET]21x.xxx.xxx.x80:1175
Fri Jan 05 21:10:10 2018 MANAGEMENT: >STATE:1515183010,WAIT,,,,,,

Fri Jan 05 21:11:11 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 05 21:11:11 2018 TLS Error: TLS handshake failed

Fri Jan 05 21:11:11 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 05 21:11:11 2018 MANAGEMENT: >STATE:1515183071,RECONNECTING,tls-error,,,,,
Fri Jan 05 21:11:11 2018 Restart pause, 5 second(s)
Fri Jan 05 21:11:16 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]21x.xxx.xxx.x80:1175
Fri Jan 05 21:11:16 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jan 05 21:11:16 2018 UDP link local: (not bound)
Fri Jan 05 21:11:16 2018 UDP link remote: [AF_INET]21x.xxx.xxx.x80:1175
Fri Jan 05 21:11:16 2018 MANAGEMENT: >STATE:1515183076,WAIT,,,,,,
Fri Jan 05 21:11:18 2018 SIGTERM[hard,] received, process exiting
Fri Jan 05 21:11:18 2018 MANAGEMENT: >STATE:1515183078,EXITING,SIGTERM,,,,,

Thanks for any help in sorting out the problem.

Regards,
Al

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Regenerate Certificates without using MD5

Post by ordex » Fri Jan 05, 2018 9:33 pm

Did you also update the server configuration file with the new server certificate and with the new CA?

However, the server log with verb 4 should give you a better understanding about what is failing.

chribonn
OpenVpn Newbie
Posts: 13
Joined: Thu Jan 04, 2018 7:30 am

Re: Regenerate Certificates without using MD5

Post by chribonn » Sat Jan 06, 2018 7:56 pm

Hello,

Attached is the content of the server log. I can't help noticing that the last entry is a request for a password. I was prompted for a password on the client which I entered.

The server certificate has a password. The certificates I generated with the downloaded version of OpenVPN did not ask for a password. It would not be a problem to remove the client/server password if this solves the issue.

Thanks

Sat Jan 06 19:44:41 2018 us=6119 Current Parameter Settings:
Sat Jan 06 19:44:41 2018 us=6119   config = 'C:\Program Files\OpenVPN\config\server\server.ovpn'
Sat Jan 06 19:44:41 2018 us=6119   mode = 1
Sat Jan 06 19:44:41 2018 us=6119   show_ciphers = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   show_digests = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   show_engines = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   genkey = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   key_pass_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   show_tls_ciphers = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   connect_retry_max = 0
Sat Jan 06 19:44:41 2018 us=6119 Connection profiles [0]:
Sat Jan 06 19:44:41 2018 us=6119   proto = udp
Sat Jan 06 19:44:41 2018 us=6119   local = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   local_port = '1175'
Sat Jan 06 19:44:41 2018 us=6119   remote = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   remote_port = '1175'
Sat Jan 06 19:44:41 2018 us=6119   remote_float = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   bind_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   bind_local = ENABLED
Sat Jan 06 19:44:41 2018 us=6119   bind_ipv6_only = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   connect_retry_seconds = 5
Sat Jan 06 19:44:41 2018 us=6119   connect_timeout = 120
Sat Jan 06 19:44:41 2018 us=6119   socks_proxy_server = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   socks_proxy_port = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   tun_mtu = 1500
Sat Jan 06 19:44:41 2018 us=6119   tun_mtu_defined = ENABLED
Sat Jan 06 19:44:41 2018 us=6119   link_mtu = 1500
Sat Jan 06 19:44:41 2018 us=6119   link_mtu_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   tun_mtu_extra = 0
Sat Jan 06 19:44:41 2018 us=6119   tun_mtu_extra_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   mtu_discover_type = -1
Sat Jan 06 19:44:41 2018 us=6119   fragment = 0
Sat Jan 06 19:44:41 2018 us=6119   mssfix = 1450
Sat Jan 06 19:44:41 2018 us=6119   explicit_exit_notification = 1
Sat Jan 06 19:44:41 2018 us=6119 Connection profiles END
Sat Jan 06 19:44:41 2018 us=6119   remote_random = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   ipchange = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   dev = 'tun'
Sat Jan 06 19:44:41 2018 us=6119   dev_type = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   dev_node = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   lladdr = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   topology = 1
Sat Jan 06 19:44:41 2018 us=6119   ifconfig_local = '10.8.0.1'
Sat Jan 06 19:44:41 2018 us=6119   ifconfig_remote_netmask = '10.8.0.2'
Sat Jan 06 19:44:41 2018 us=6119   ifconfig_noexec = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   ifconfig_nowarn = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   ifconfig_ipv6_local = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   ifconfig_ipv6_netbits = 0
Sat Jan 06 19:44:41 2018 us=6119   ifconfig_ipv6_remote = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119   shaper = 0
Sat Jan 06 19:44:41 2018 us=6119   mtu_test = 0
Sat Jan 06 19:44:41 2018 us=6119   mlock = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   keepalive_ping = 10
Sat Jan 06 19:44:41 2018 us=6119   keepalive_timeout = 120
Sat Jan 06 19:44:41 2018 us=6119   inactivity_timeout = 0
Sat Jan 06 19:44:41 2018 us=6119   ping_send_timeout = 10
Sat Jan 06 19:44:41 2018 us=6119   ping_rec_timeout = 240
Sat Jan 06 19:44:41 2018 us=6119   ping_rec_timeout_action = 2
Sat Jan 06 19:44:41 2018 us=6119   ping_timer_remote = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   remap_sigusr1 = 0
Sat Jan 06 19:44:41 2018 us=6119   persist_tun = ENABLED
Sat Jan 06 19:44:41 2018 us=6119   persist_local_ip = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   persist_remote_ip = DISABLED
Sat Jan 06 19:44:41 2018 us=6119   persist_key = ENABLED
Sat Jan 06 19:44:41 2018 us=6119   passtos = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   resolve_retry_seconds = 1000000000
Sat Jan 06 19:44:41 2018 us=8119   resolve_in_advance = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   username = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   groupname = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   chroot_dir = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   cd_dir = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   writepid = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   up_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   down_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   down_pre = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   up_restart = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   up_delay = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   daemon = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   inetd = 0
Sat Jan 06 19:44:41 2018 us=8119   log = ENABLED
Sat Jan 06 19:44:41 2018 us=8119   suppress_timestamps = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   machine_readable_output = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   nice = 0
Sat Jan 06 19:44:41 2018 us=8119   verbosity = 4
Sat Jan 06 19:44:41 2018 us=8119   mute = 0
Sat Jan 06 19:44:41 2018 us=8119   gremlin = 0
Sat Jan 06 19:44:41 2018 us=8119   status_file = 'openvpn-status.log'
Sat Jan 06 19:44:41 2018 us=8119   status_file_version = 1
Sat Jan 06 19:44:41 2018 us=8119   status_file_update_freq = 60
Sat Jan 06 19:44:41 2018 us=8119   occ = ENABLED
Sat Jan 06 19:44:41 2018 us=8119   rcvbuf = 0
Sat Jan 06 19:44:41 2018 us=8119   sndbuf = 0
Sat Jan 06 19:44:41 2018 us=8119   sockflags = 0
Sat Jan 06 19:44:41 2018 us=8119   fast_io = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   comp.alg = 0
Sat Jan 06 19:44:41 2018 us=8119   comp.flags = 0
Sat Jan 06 19:44:41 2018 us=8119   route_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   route_default_gateway = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   route_default_metric = 0
Sat Jan 06 19:44:41 2018 us=8119   route_noexec = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   route_delay = 0
Sat Jan 06 19:44:41 2018 us=8119   route_delay_window = 30
Sat Jan 06 19:44:41 2018 us=8119   route_delay_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   route_nopull = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   route_gateway_via_dhcp = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   allow_pull_fqdn = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   route 10.8.0.0/255.255.255.0/default (not set)/default (not set)
Sat Jan 06 19:44:41 2018 us=8119   management_addr = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   management_port = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   management_user_pass = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   management_log_history_cache = 250
Sat Jan 06 19:44:41 2018 us=8119   management_echo_buffer_size = 100
Sat Jan 06 19:44:41 2018 us=8119   management_write_peer_info_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   management_client_user = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   management_client_group = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   management_flags = 0
Sat Jan 06 19:44:41 2018 us=8119   shared_secret_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   key_direction = 1
Sat Jan 06 19:44:41 2018 us=8119   ciphername = 'AES-256-CBC'
Sat Jan 06 19:44:41 2018 us=8119   ncp_enabled = ENABLED
Sat Jan 06 19:44:41 2018 us=8119   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sat Jan 06 19:44:41 2018 us=8119   authname = 'SHA1'
Sat Jan 06 19:44:41 2018 us=8119   prng_hash = 'SHA1'
Sat Jan 06 19:44:41 2018 us=8119   prng_nonce_secret_len = 16
Sat Jan 06 19:44:41 2018 us=8119   keysize = 0
Sat Jan 06 19:44:41 2018 us=8119   engine = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   replay = ENABLED
Sat Jan 06 19:44:41 2018 us=8119   mute_replay_warnings = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   replay_window = 64
Sat Jan 06 19:44:41 2018 us=8119   replay_time = 15
Sat Jan 06 19:44:41 2018 us=8119   packet_id_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   use_iv = ENABLED
Sat Jan 06 19:44:41 2018 us=8119   test_crypto = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   tls_server = ENABLED
Sat Jan 06 19:44:41 2018 us=8119   tls_client = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   key_method = 2
Sat Jan 06 19:44:41 2018 us=8119   ca_file = '[[INLINE]]'
Sat Jan 06 19:44:41 2018 us=8119   ca_path = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   dh_file = 'C:\Program Files\OpenVPN\config\dh.pem'
Sat Jan 06 19:44:41 2018 us=8119   cert_file = '[[INLINE]]'
Sat Jan 06 19:44:41 2018 us=8119   extra_certs_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   priv_key_file = '[[INLINE]]'
Sat Jan 06 19:44:41 2018 us=8119   pkcs12_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   cryptoapi_cert = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   cipher_list = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   tls_verify = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   tls_export_cert = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   verify_x509_type = 0
Sat Jan 06 19:44:41 2018 us=8119   verify_x509_name = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   crl_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   ns_cert_type = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119   remote_cert_eku = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   ssl_flags = 0
Sat Jan 06 19:44:41 2018 us=8119   tls_timeout = 2
Sat Jan 06 19:44:41 2018 us=8119   renegotiate_bytes = -1
Sat Jan 06 19:44:41 2018 us=8119   renegotiate_packets = 0
Sat Jan 06 19:44:41 2018 us=8119   renegotiate_seconds = 3600
Sat Jan 06 19:44:41 2018 us=8119   handshake_window = 60
Sat Jan 06 19:44:41 2018 us=8119   transition_window = 3600
Sat Jan 06 19:44:41 2018 us=8119   single_session = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   push_peer_info = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   tls_exit = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   tls_auth_file = '[[INLINE]]'
Sat Jan 06 19:44:41 2018 us=8119   tls_crypt_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119   pkcs11_pin_cache_period = -1
Sat Jan 06 19:44:41 2018 us=10120   pkcs11_id = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   pkcs11_id_management = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   server_network = 10.8.0.0
Sat Jan 06 19:44:41 2018 us=10120   server_netmask = 255.255.255.0
Sat Jan 06 19:44:41 2018 us=10120   server_network_ipv6 = ::
Sat Jan 06 19:44:41 2018 us=10120   server_netbits_ipv6 = 0
Sat Jan 06 19:44:41 2018 us=10120   server_bridge_ip = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120   server_bridge_netmask = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120   server_bridge_pool_start = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120   server_bridge_pool_end = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120   push_entry = 'route 10.8.0.1'
Sat Jan 06 19:44:41 2018 us=10120   push_entry = 'topology net30'
Sat Jan 06 19:44:41 2018 us=10120   push_entry = 'ping 10'
Sat Jan 06 19:44:41 2018 us=10120   push_entry = 'ping-restart 120'
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_pool_defined = ENABLED
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_pool_start = 10.8.0.4
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_pool_end = 10.8.0.251
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_pool_netmask = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_pool_persist_filename = 'ipp.txt'
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_pool_persist_refresh_freq = 600
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_ipv6_pool_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_ipv6_pool_base = ::
Sat Jan 06 19:44:41 2018 us=10120   ifconfig_ipv6_pool_netbits = 0
Sat Jan 06 19:44:41 2018 us=10120   n_bcast_buf = 256
Sat Jan 06 19:44:41 2018 us=10120   tcp_queue_limit = 64
Sat Jan 06 19:44:41 2018 us=10120   real_hash_size = 256
Sat Jan 06 19:44:41 2018 us=10120   virtual_hash_size = 256
Sat Jan 06 19:44:41 2018 us=10120   client_connect_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   learn_address_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   client_disconnect_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   client_config_dir = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   ccd_exclusive = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   tmp_dir = 'C:\Windows\TEMP\'
Sat Jan 06 19:44:41 2018 us=10120   push_ifconfig_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   push_ifconfig_local = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120   push_ifconfig_remote_netmask = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120   push_ifconfig_ipv6_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   push_ifconfig_ipv6_local = ::/0
Sat Jan 06 19:44:41 2018 us=10120   push_ifconfig_ipv6_remote = ::
Sat Jan 06 19:44:41 2018 us=10120   enable_c2c = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   duplicate_cn = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   cf_max = 0
Sat Jan 06 19:44:41 2018 us=10120   cf_per = 0
Sat Jan 06 19:44:41 2018 us=10120   max_clients = 1024
Sat Jan 06 19:44:41 2018 us=10120   max_routes_per_client = 256
Sat Jan 06 19:44:41 2018 us=10120   auth_user_pass_verify_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   auth_user_pass_verify_script_via_file = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   auth_token_generate = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   auth_token_lifetime = 0
Sat Jan 06 19:44:41 2018 us=10120   client = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   pull = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   auth_user_pass_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   show_net_up = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   route_method = 0
Sat Jan 06 19:44:41 2018 us=10120   block_outside_dns = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   ip_win32_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   ip_win32_type = 3
Sat Jan 06 19:44:41 2018 us=10120   dhcp_masq_offset = 0
Sat Jan 06 19:44:41 2018 us=10120   dhcp_lease_time = 31536000
Sat Jan 06 19:44:41 2018 us=10120   tap_sleep = 10
Sat Jan 06 19:44:41 2018 us=10120   dhcp_options = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   dhcp_renew = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   dhcp_pre_release = DISABLED
Sat Jan 06 19:44:41 2018 us=10120   domain = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   netbios_scope = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120   netbios_node_type = 0
Sat Jan 06 19:44:41 2018 us=10120   disable_nbt = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Sat Jan 06 19:44:41 2018 us=10120 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Jan 06 19:44:41 2018 us=10120 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sat Jan 06 19:44:41 2018 us=28130 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Jan 06 19:44:41 2018 us=164171 Diffie-Hellman initialized with 2048 bit key
Enter Private Key Password:

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Regenerate Certificates without using MD5

Post by ordex » Sun Jan 07, 2018 8:11 am

If it's asking for a password, then it means you generated encrypted private keys that require a password to be decrypted and used.

Not sure why you keep on mentioning OpenVPN. OpenVPN does *not* generate keys/certificates. You do that with OpenSSL + EasyRSA (the latter is just a set of scripts/wrappers around OpenSSL).

If you check the EasyRSA help text, you will see there is a parameter to not encrypt private keys. It should be "nopass" to be used when creating the server/client key/cert pair.

But again, this is purely an EasyRSA usage problem and it's unrelated to OpenVPN Connect for Android (the section where you are posting).

Cheers,
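
Both problems in this thread (the MD5 warning from the first posts and the "Enter Private Key Password:" stall ordex explains just above) come down to what is actually embedded in the .ovpn profile. The following is an added example, not code from the original thread, from EasyRSA or from OpenVPN: a stand-alone Python audit that pulls the inline <ca>, <cert> and <key> blocks out of a profile, reads the signatureAlgorithm OID straight from each certificate's DER (so it needs no OpenSSL on the box) and flags MD5-signed certificates and passphrase-encrypted keys. The profile at the bottom is constructed: its certificates are unsigned DER skeletons that exist only to exercise the parser, and the key body is a placeholder. The script name `audit_ovpn.py` is an assumption.

```python
"""Audit an OpenVPN profile's inline <ca>/<cert>/<key> blocks for MD5-signed certificates
and passphrase-encrypted private keys (the cause of "Enter Private Key Password:")."""
import base64, re, sys

SIG_ALGS = {  # signature-algorithm OIDs OpenSSL commonly emits (RFC 3279, RFC 4055)
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
INLINE_RE = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)

def der_tlv(der, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm, 2nd element of the outer SEQUENCE (RFC 5280 s4.1)."""
    tag, start, _ = der_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = der_tlv(der, start)        # skip tbsCertificate entirely
    _, alg_start, _ = der_tlv(der, tbs_end)    # enter the signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = der_tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(der[oid_start:oid_end])

def pem_blocks(text):
    """Yield (label, header_lines, der_bytes) for every PEM object in text."""
    for m in PEM_RE.finditer(text):
        lines = m.group(2).splitlines()
        headers = [ln for ln in lines if ":" in ln]  # e.g. "Proc-Type: 4,ENCRYPTED"
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        yield m.group(1), headers, base64.b64decode(b64)

def audit_profile(ovpn_text):
    """Return [(inline_tag, finding)] for the <ca>, <cert> and <key> blocks of a profile."""
    findings = []
    for m in INLINE_RE.finditer(ovpn_text):
        tag, body = m.group(1), m.group(2)
        for label, headers, der in pem_blocks(body):
            if label == "CERTIFICATE":
                oid = cert_signature_algorithm(der)
                name = SIG_ALGS.get(oid, f"unrecognised OID {oid}")
                findings.append((tag, ("WEAK signature digest: " if "md5" in name.lower() else "ok: ") + name))
            elif label.endswith("PRIVATE KEY"):
                # Encrypted PKCS#8 keys change the PEM label; legacy keys carry a Proc-Type header.
                encrypted = label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers)
                findings.append((tag, "encrypted private key (OpenVPN will prompt for a passphrase)" if encrypted else "ok: unencrypted private key"))
    return findings

# CONSTRUCTED fixture: an unsigned, untrusted DER skeleton with a chosen signatureAlgorithm,
# built only so the audit can run offline (a real tbsCertificate carries many more fields).
tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths suffice here

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def fake_cert_pem(sig_oid):
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    cert = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + alg) + alg + tlv(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(cert).decode()

SAMPLE_OVPN = f"""<ca>
{fake_cert_pem("1.2.840.113549.1.1.4")}
</ca>
<cert>
{fake_cert_pem("1.2.840.113549.1.1.11")}
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

QUJDRA==
-----END RSA PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":  # usage: python audit_ovpn.py [profile.ovpn]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVPN
    for tag, finding in audit_profile(text):
        print(f"<{tag}>  {finding}")
```

The digest that matters is the one in each certificate's own signatureAlgorithm, so audit the CA as well as the server and client certificates: a freshly issued leaf under an old MD5-signed CA still ships an MD5 signature in the chain. With stock tooling the same two checks are `openssl x509 -in ca.crt -noout -text | grep 'Signature Algorithm'` for the digest and the presence of `Proc-Type: 4,ENCRYPTED` (or a `BEGIN ENCRYPTED PRIVATE KEY` label) for the key; both first need the PEM extracted from the profile, which is what the script automates.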

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Regenerate Certificates without using MD5

Post by TinCanTech » Sun Jan 07, 2018 1:45 pm

ordex wrote:
Sun Jan 07, 2018 8:11 am
this is purely an EasyRSA usage problem and it's unrelated to OpenVPN Connect for Android (the section where you are posting).
@ chribonn Please see: HOWTO: Request Help ! {2}

I recommend you start a new thread here and provide the requested documentation for further assistance.

chribonn
OpenVpn Newbie
Posts: 13
Joined: Thu Jan 04, 2018 7:30 am

Re: Regenerate Certificates without using MD5

Post by chribonn » Sun Jan 07, 2018 1:49 pm

TinCanTech wrote:
Sun Jan 07, 2018 1:45 pm
ordex wrote:
Sun Jan 07, 2018 8:11 am
this is purely an EasyRSA usage problem and it's unrelated to OpenVPN Connect for Android (the section where you are posting).
@ chribonn Please see: HOWTO: Request Help ! {2}

I recommend you start a new thread here and provide the requested documentation for further assistance.
Thanks everyone. I will look up the --nopass option and update the forum you mentioned.

Thank you again.

chribonn
OpenVpn Newbie
Posts: 13
Joined: Thu Jan 04, 2018 7:30 am

Re: Regenerate Certificates without using MD5

Post by chribonn » Sun Jan 07, 2018 6:21 pm

Hello,

I apologise if I'm posting in the wrong thread and would appreciate if an admin could move it to the appropriate thread. The reason for posting here is that I found a solution that has worked for me and feel that it could help others.

In summary I followed the instructions at http://securitronlinux.com/bejiitaswrath/how-to-create-keys-with-easy-rsa-without-a-password-prompt/. I skipped the final step:

./easyrsa set-rsa-pass john-server

Hope this helps others.

chribonn
OpenVpn Newbie
Posts: 13
Joined: Thu Jan 04, 2018 7:30 am

Re: Regenerate Certificates without using MD5

Post by chribonn » Fri Jan 26, 2018 10:25 pm

Hello,

I decided to write a HOWTO on how to generate server and client certificates using EasyRSA. It is at http://www.alanbonnici.com/2018/01/howt ... lient.html.

Hope this helps
