Regenerate Certificates without using MD5
-
- OpenVpn Newbie
- Posts: 13
- Joined: Thu Jan 04, 2018 7:30 am
Regenerate Certificates without using MD5
Hi,
Is there a guide I can follow to either upgrade or completely regenerate my OpenVPN certificates so that I address the warning related to MD5?
Thanks
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Regenerate Certificates without using MD5
if you recreate your PKI using the latest easyrsa on a recent system it will automatically use sha1 or sha256.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Thu Jan 04, 2018 7:30 am
Re: Regenerate Certificates without using MD5
Thanks.
I'll update OpenVPN to the latest version then.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Regenerate Certificates without using MD5
that is surely important, however EasyRSA is the tool people normally use to create a PKI for OpenVPN (I guessed you also used it in the past?). Its last release is available on GitHub and it is independent from OpenVPN itself.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 13
- Joined: Thu Jan 04, 2018 7:30 am
Re: Regenerate Certificates without using MD5
Thanks for the link.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Thu Jan 04, 2018 7:30 am
Re: Regenerate Certificates without using MD5
Hello,
I (think) I followed the instructions in easyrsa and created the server and client certificates. I also generated a 2048 bit Diffie-Hellman file. The only "code" I did not replace from the original ovpn files is the <tls-auth> (-----BEGIN OpenVPN Static key V1-----) files.
My original ovpn file had the various certificates embedded within them. I retained this. I changed no other setting.
Below is the log on the client when I try to connect.
Thanks for any help to sort out the problem.
Fri Jan 05 21:10:05 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Jan 05 21:10:05 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Jan 05 21:10:05 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Fri Jan 05 21:10:05 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Jan 05 21:10:05 2018 Need hold release from management interface, waiting...
Fri Jan 05 21:10:05 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'state on'
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'log all on'
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'echo all on'
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'hold off'
Fri Jan 05 21:10:05 2018 MANAGEMENT: CMD 'hold release'
Fri Jan 05 21:10:10 2018 MANAGEMENT: CMD 'password [...]'
Fri Jan 05 21:10:10 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jan 05 21:10:10 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 05 21:10:10 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 05 21:10:10 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]21x.xxx.xxx.x80:1175
Fri Jan 05 21:10:10 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jan 05 21:10:10 2018 UDP link local: (not bound)
Fri Jan 05 21:10:10 2018 UDP link remote: [AF_INET]21x.xxx.xxx.x80:1175
Fri Jan 05 21:10:10 2018 MANAGEMENT: >STATE:1515183010,WAIT,,,,,,
Fri Jan 05 21:11:11 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 05 21:11:11 2018 TLS Error: TLS handshake failed
Fri Jan 05 21:11:11 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 05 21:11:11 2018 MANAGEMENT: >STATE:1515183071,RECONNECTING,tls-error,,,,,
Fri Jan 05 21:11:11 2018 Restart pause, 5 second(s)
Fri Jan 05 21:11:16 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]21x.xxx.xxx.x80:1175
Fri Jan 05 21:11:16 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jan 05 21:11:16 2018 UDP link local: (not bound)
Fri Jan 05 21:11:16 2018 UDP link remote: [AF_INET]21x.xxx.xxx.x80:1175
Fri Jan 05 21:11:16 2018 MANAGEMENT: >STATE:1515183076,WAIT,,,,,,
Fri Jan 05 21:11:18 2018 SIGTERM[hard,] received, process exiting
Fri Jan 05 21:11:18 2018 MANAGEMENT: >STATE:1515183078,EXITING,SIGTERM,,,,,
Regards,
Al
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Regenerate Certificates without using MD5
Did you also update the server configuration file with the new server certificate and with the new CA?
However, the server log with verb 4 should give you a better understanding about what is failing.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Thu Jan 04, 2018 7:30 am
Re: Regenerate Certificates without using MD5
Hello,
Attached is the content of the server log. I can't help noticing that the last entry is a request for a password. I was prompted for a password on the client which I entered.
The server certificate has a password. The certificates I generated with the downloaded version of OpenVPN did not ask for a password. It would not be a problem to remove the client / server password if this solves the issue.
Thanks
Sat Jan 06 19:44:41 2018 us=6119 Current Parameter Settings:
Sat Jan 06 19:44:41 2018 us=6119 config = 'C:\Program Files\OpenVPN\config\server\server.ovpn'
Sat Jan 06 19:44:41 2018 us=6119 mode = 1
Sat Jan 06 19:44:41 2018 us=6119 show_ciphers = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 show_digests = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 show_engines = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 genkey = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 key_pass_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 show_tls_ciphers = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 connect_retry_max = 0
Sat Jan 06 19:44:41 2018 us=6119 Connection profiles [0]:
Sat Jan 06 19:44:41 2018 us=6119 proto = udp
Sat Jan 06 19:44:41 2018 us=6119 local = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 local_port = '1175'
Sat Jan 06 19:44:41 2018 us=6119 remote = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 remote_port = '1175'
Sat Jan 06 19:44:41 2018 us=6119 remote_float = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 bind_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 bind_local = ENABLED
Sat Jan 06 19:44:41 2018 us=6119 bind_ipv6_only = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 connect_retry_seconds = 5
Sat Jan 06 19:44:41 2018 us=6119 connect_timeout = 120
Sat Jan 06 19:44:41 2018 us=6119 socks_proxy_server = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 socks_proxy_port = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 tun_mtu = 1500
Sat Jan 06 19:44:41 2018 us=6119 tun_mtu_defined = ENABLED
Sat Jan 06 19:44:41 2018 us=6119 link_mtu = 1500
Sat Jan 06 19:44:41 2018 us=6119 link_mtu_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 tun_mtu_extra = 0
Sat Jan 06 19:44:41 2018 us=6119 tun_mtu_extra_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 mtu_discover_type = -1
Sat Jan 06 19:44:41 2018 us=6119 fragment = 0
Sat Jan 06 19:44:41 2018 us=6119 mssfix = 1450
Sat Jan 06 19:44:41 2018 us=6119 explicit_exit_notification = 1
Sat Jan 06 19:44:41 2018 us=6119 Connection profiles END
Sat Jan 06 19:44:41 2018 us=6119 remote_random = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 ipchange = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 dev = 'tun'
Sat Jan 06 19:44:41 2018 us=6119 dev_type = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 dev_node = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 lladdr = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 topology = 1
Sat Jan 06 19:44:41 2018 us=6119 ifconfig_local = '10.8.0.1'
Sat Jan 06 19:44:41 2018 us=6119 ifconfig_remote_netmask = '10.8.0.2'
Sat Jan 06 19:44:41 2018 us=6119 ifconfig_noexec = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 ifconfig_nowarn = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 ifconfig_ipv6_local = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 ifconfig_ipv6_netbits = 0
Sat Jan 06 19:44:41 2018 us=6119 ifconfig_ipv6_remote = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=6119 shaper = 0
Sat Jan 06 19:44:41 2018 us=6119 mtu_test = 0
Sat Jan 06 19:44:41 2018 us=6119 mlock = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 keepalive_ping = 10
Sat Jan 06 19:44:41 2018 us=6119 keepalive_timeout = 120
Sat Jan 06 19:44:41 2018 us=6119 inactivity_timeout = 0
Sat Jan 06 19:44:41 2018 us=6119 ping_send_timeout = 10
Sat Jan 06 19:44:41 2018 us=6119 ping_rec_timeout = 240
Sat Jan 06 19:44:41 2018 us=6119 ping_rec_timeout_action = 2
Sat Jan 06 19:44:41 2018 us=6119 ping_timer_remote = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 remap_sigusr1 = 0
Sat Jan 06 19:44:41 2018 us=6119 persist_tun = ENABLED
Sat Jan 06 19:44:41 2018 us=6119 persist_local_ip = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 persist_remote_ip = DISABLED
Sat Jan 06 19:44:41 2018 us=6119 persist_key = ENABLED
Sat Jan 06 19:44:41 2018 us=6119 passtos = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 resolve_retry_seconds = 1000000000
Sat Jan 06 19:44:41 2018 us=8119 resolve_in_advance = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 username = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 groupname = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 chroot_dir = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 cd_dir = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 writepid = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 up_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 down_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 down_pre = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 up_restart = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 up_delay = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 daemon = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 inetd = 0
Sat Jan 06 19:44:41 2018 us=8119 log = ENABLED
Sat Jan 06 19:44:41 2018 us=8119 suppress_timestamps = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 machine_readable_output = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 nice = 0
Sat Jan 06 19:44:41 2018 us=8119 verbosity = 4
Sat Jan 06 19:44:41 2018 us=8119 mute = 0
Sat Jan 06 19:44:41 2018 us=8119 gremlin = 0
Sat Jan 06 19:44:41 2018 us=8119 status_file = 'openvpn-status.log'
Sat Jan 06 19:44:41 2018 us=8119 status_file_version = 1
Sat Jan 06 19:44:41 2018 us=8119 status_file_update_freq = 60
Sat Jan 06 19:44:41 2018 us=8119 occ = ENABLED
Sat Jan 06 19:44:41 2018 us=8119 rcvbuf = 0
Sat Jan 06 19:44:41 2018 us=8119 sndbuf = 0
Sat Jan 06 19:44:41 2018 us=8119 sockflags = 0
Sat Jan 06 19:44:41 2018 us=8119 fast_io = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 comp.alg = 0
Sat Jan 06 19:44:41 2018 us=8119 comp.flags = 0
Sat Jan 06 19:44:41 2018 us=8119 route_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 route_default_gateway = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 route_default_metric = 0
Sat Jan 06 19:44:41 2018 us=8119 route_noexec = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 route_delay = 0
Sat Jan 06 19:44:41 2018 us=8119 route_delay_window = 30
Sat Jan 06 19:44:41 2018 us=8119 route_delay_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 route_nopull = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 route_gateway_via_dhcp = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 allow_pull_fqdn = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 route 10.8.0.0/255.255.255.0/default (not set)/default (not set)
Sat Jan 06 19:44:41 2018 us=8119 management_addr = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 management_port = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 management_user_pass = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 management_log_history_cache = 250
Sat Jan 06 19:44:41 2018 us=8119 management_echo_buffer_size = 100
Sat Jan 06 19:44:41 2018 us=8119 management_write_peer_info_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 management_client_user = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 management_client_group = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 management_flags = 0
Sat Jan 06 19:44:41 2018 us=8119 shared_secret_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 key_direction = 1
Sat Jan 06 19:44:41 2018 us=8119 ciphername = 'AES-256-CBC'
Sat Jan 06 19:44:41 2018 us=8119 ncp_enabled = ENABLED
Sat Jan 06 19:44:41 2018 us=8119 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sat Jan 06 19:44:41 2018 us=8119 authname = 'SHA1'
Sat Jan 06 19:44:41 2018 us=8119 prng_hash = 'SHA1'
Sat Jan 06 19:44:41 2018 us=8119 prng_nonce_secret_len = 16
Sat Jan 06 19:44:41 2018 us=8119 keysize = 0
Sat Jan 06 19:44:41 2018 us=8119 engine = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 replay = ENABLED
Sat Jan 06 19:44:41 2018 us=8119 mute_replay_warnings = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 replay_window = 64
Sat Jan 06 19:44:41 2018 us=8119 replay_time = 15
Sat Jan 06 19:44:41 2018 us=8119 packet_id_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 use_iv = ENABLED
Sat Jan 06 19:44:41 2018 us=8119 test_crypto = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 tls_server = ENABLED
Sat Jan 06 19:44:41 2018 us=8119 tls_client = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 key_method = 2
Sat Jan 06 19:44:41 2018 us=8119 ca_file = '[[INLINE]]'
Sat Jan 06 19:44:41 2018 us=8119 ca_path = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 dh_file = 'C:\Program Files\OpenVPN\config\dh.pem'
Sat Jan 06 19:44:41 2018 us=8119 cert_file = '[[INLINE]]'
Sat Jan 06 19:44:41 2018 us=8119 extra_certs_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 priv_key_file = '[[INLINE]]'
Sat Jan 06 19:44:41 2018 us=8119 pkcs12_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 cryptoapi_cert = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 cipher_list = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 tls_verify = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 tls_export_cert = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 verify_x509_type = 0
Sat Jan 06 19:44:41 2018 us=8119 verify_x509_name = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 crl_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 ns_cert_type = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_ku[i] = 0
Sat Jan 06 19:44:41 2018 us=8119 remote_cert_eku = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 ssl_flags = 0
Sat Jan 06 19:44:41 2018 us=8119 tls_timeout = 2
Sat Jan 06 19:44:41 2018 us=8119 renegotiate_bytes = -1
Sat Jan 06 19:44:41 2018 us=8119 renegotiate_packets = 0
Sat Jan 06 19:44:41 2018 us=8119 renegotiate_seconds = 3600
Sat Jan 06 19:44:41 2018 us=8119 handshake_window = 60
Sat Jan 06 19:44:41 2018 us=8119 transition_window = 3600
Sat Jan 06 19:44:41 2018 us=8119 single_session = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 push_peer_info = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 tls_exit = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 tls_auth_file = '[[INLINE]]'
Sat Jan 06 19:44:41 2018 us=8119 tls_crypt_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_protected_authentication = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_private_mode = 00000000
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_cert_private = DISABLED
Sat Jan 06 19:44:41 2018 us=8119 pkcs11_pin_cache_period = -1
Sat Jan 06 19:44:41 2018 us=10120 pkcs11_id = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 pkcs11_id_management = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 server_network = 10.8.0.0
Sat Jan 06 19:44:41 2018 us=10120 server_netmask = 255.255.255.0
Sat Jan 06 19:44:41 2018 us=10120 server_network_ipv6 = ::
Sat Jan 06 19:44:41 2018 us=10120 server_netbits_ipv6 = 0
Sat Jan 06 19:44:41 2018 us=10120 server_bridge_ip = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120 server_bridge_netmask = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120 server_bridge_pool_start = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120 server_bridge_pool_end = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120 push_entry = 'route 10.8.0.1'
Sat Jan 06 19:44:41 2018 us=10120 push_entry = 'topology net30'
Sat Jan 06 19:44:41 2018 us=10120 push_entry = 'ping 10'
Sat Jan 06 19:44:41 2018 us=10120 push_entry = 'ping-restart 120'
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_pool_defined = ENABLED
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_pool_start = 10.8.0.4
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_pool_end = 10.8.0.251
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_pool_netmask = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_pool_persist_filename = 'ipp.txt'
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_pool_persist_refresh_freq = 600
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_ipv6_pool_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_ipv6_pool_base = ::
Sat Jan 06 19:44:41 2018 us=10120 ifconfig_ipv6_pool_netbits = 0
Sat Jan 06 19:44:41 2018 us=10120 n_bcast_buf = 256
Sat Jan 06 19:44:41 2018 us=10120 tcp_queue_limit = 64
Sat Jan 06 19:44:41 2018 us=10120 real_hash_size = 256
Sat Jan 06 19:44:41 2018 us=10120 virtual_hash_size = 256
Sat Jan 06 19:44:41 2018 us=10120 client_connect_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 learn_address_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 client_disconnect_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 client_config_dir = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 ccd_exclusive = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 tmp_dir = 'C:\Windows\TEMP\'
Sat Jan 06 19:44:41 2018 us=10120 push_ifconfig_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 push_ifconfig_local = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120 push_ifconfig_remote_netmask = 0.0.0.0
Sat Jan 06 19:44:41 2018 us=10120 push_ifconfig_ipv6_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 push_ifconfig_ipv6_local = ::/0
Sat Jan 06 19:44:41 2018 us=10120 push_ifconfig_ipv6_remote = ::
Sat Jan 06 19:44:41 2018 us=10120 enable_c2c = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 duplicate_cn = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 cf_max = 0
Sat Jan 06 19:44:41 2018 us=10120 cf_per = 0
Sat Jan 06 19:44:41 2018 us=10120 max_clients = 1024
Sat Jan 06 19:44:41 2018 us=10120 max_routes_per_client = 256
Sat Jan 06 19:44:41 2018 us=10120 auth_user_pass_verify_script = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 auth_user_pass_verify_script_via_file = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 auth_token_generate = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 auth_token_lifetime = 0
Sat Jan 06 19:44:41 2018 us=10120 client = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 pull = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 auth_user_pass_file = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 show_net_up = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 route_method = 0
Sat Jan 06 19:44:41 2018 us=10120 block_outside_dns = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 ip_win32_defined = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 ip_win32_type = 3
Sat Jan 06 19:44:41 2018 us=10120 dhcp_masq_offset = 0
Sat Jan 06 19:44:41 2018 us=10120 dhcp_lease_time = 31536000
Sat Jan 06 19:44:41 2018 us=10120 tap_sleep = 10
Sat Jan 06 19:44:41 2018 us=10120 dhcp_options = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 dhcp_renew = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 dhcp_pre_release = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 domain = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 netbios_scope = '[UNDEF]'
Sat Jan 06 19:44:41 2018 us=10120 netbios_node_type = 0
Sat Jan 06 19:44:41 2018 us=10120 disable_nbt = DISABLED
Sat Jan 06 19:44:41 2018 us=10120 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Sat Jan 06 19:44:41 2018 us=10120 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Jan 06 19:44:41 2018 us=10120 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Sat Jan 06 19:44:41 2018 us=28130 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Jan 06 19:44:41 2018 us=164171 Diffie-Hellman initialized with 2048 bit key
Enter Private Key Password:
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Regenerate Certificates without using MD5
if it's asking for a password, then it means you generated encrypted private keys that require a password to be decrypted and used.
Not sure why you keep on mentioning OpenVPN. OpenVPN does *not* generate keys/certificates. You do that with OpenSSL + EasyRSA (the latter is just a set of scripts/wrappers around OpenSSL).
If you check the EasyRSA help text, you will see there is a parameter to not encrypt private keys. It should be "nopass" to be used when creating the server/client key/cert pair.
But again, this is purely an EasyRSA usage problem and it's unrelated to OpenVPN Connect for Android (the section where you are posting).
Cheers,
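Added example, not part of any post in this thread: a Python check for the two problems discussed so far, run over an .ovpn profile with inline blocks. It reports the signature algorithm of each embedded certificate (flagging MD5) and whether the inline private key is passphrase-protected. The function names, the sample profile, the host name and the certificate skeletons are constructed for illustration.

```python
import base64
import re

# DER-encoded signature-algorithm OIDs; only the MD5 one triggers the warning in this thread.
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_sig_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)            # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected structure")
    oid = der[oid_start:oid_end]
    return SIG_OIDS.get(oid, "unknown-oid-" + oid.hex())

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def audit_ovpn(text):
    """Inspect the inline <ca>, <cert> and <key> blocks of an .ovpn profile."""
    report = {"ca": [], "cert": [], "key_encrypted": False, "problems": []}
    for name, body in re.findall(r"<(ca|cert|key)>(.*?)</\1>", text, re.S):
        if name == "key":
            # PKCS#8 encrypted keys and legacy "Proc-Type" PEM keys both need a passphrase
            if "ENCRYPTED PRIVATE KEY" in body or "Proc-Type: 4,ENCRYPTED" in body:
                report["key_encrypted"] = True
                report["problems"].append("<key> is passphrase-protected")
            continue
        for b64 in PEM_CERT.findall(body):
            alg = cert_sig_algorithm(base64.b64decode(b64))
            report[name].append(alg)
            if alg.startswith("md5"):
                report["problems"].append(f"<{name}> certificate signed with {alg}")
    return report

# --- constructed sample: DER skeletons with the right outer layout, not real certificates ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def fake_cert_pem(oid_hex):
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex(oid_hex)) + der_tlv(0x05, b""))
    der = der_tlv(0x30, der_tlv(0x30, b"\x00" * 200) + alg + der_tlv(0x03, b"\x00" * 17))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

SAMPLE_OVPN = (
    "client\nremote vpn.example.net 1175 udp\n"
    + "<ca>\n" + fake_cert_pem("2a864886f70d01010b") + "</ca>\n"
    + "<cert>\n" + fake_cert_pem("2a864886f70d010104") + "</cert>\n"
    + "<key>\n-----BEGIN ENCRYPTED PRIVATE KEY-----\n(placeholder)\n"
    + "-----END ENCRYPTED PRIVATE KEY-----\n</key>\n"
)

if __name__ == "__main__":
    for line in audit_ovpn(SAMPLE_OVPN)["problems"]:
        print(line)
```

Running it against both the server and client profiles before restarting the service shows whether any old MD5-signed certificate is still embedded and whether a key will stop at "Enter Private Key Password:".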
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Regenerate Certificates without using MD5
@ chribonn Please see: HOWTO: Request Help ! {2}
I recommend you start a new thread here and provide the requested documentation for further assistance.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Thu Jan 04, 2018 7:30 am
Re: Regenerate Certificates without using MD5
Thanks everyone. I will look up the --nopass option and update the forum you mentioned.
> TinCanTech wrote: Sun Jan 07, 2018 1:45 pm
> @ chribonn Please see: HOWTO: Request Help ! {2}
> I recommend you start a new thread here and provide the requested documentation for further assistance.
Thank you again.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Thu Jan 04, 2018 7:30 am
Re: Regenerate Certificates without using MD5
Hello,
I apologise if I'm posting in the wrong thread and would appreciate if an admin could move it to the appropriate thread. The reason for posting here is that I found a solution that has worked for me and feel that it could help others.
In summary I followed the instructions at http://securitronlinux.com/bejiitaswrath/how-to-create-keys-with-easy-rsa-without-a-password-prompt/. I skipped the final step:
./easyrsa set-rsa-pass john-server
Hope this helps others.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Thu Jan 04, 2018 7:30 am
Re: Regenerate Certificates without using MD5
Hello,
I decided to write a HOWTO on how to generate server and client certificates using EasyRSA. It is at http://www.alanbonnici.com/2018/01/howt ... lient.html.
Hope this helps