Is it a bug that OpenVPN allows two identical certificates to exist?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
zzwindtree
OpenVpn Newbie
Posts: 6
Joined: Wed May 04, 2011 9:46 am

Is it a bug that OpenVPN allows two identical certificates to exist?

Post by zzwindtree » Mon May 09, 2011 2:36 am

Is it a bug that the OpenVPN server allowed two identical certificates to exist at the same time?
When I tried to revoke a certificate, although I revoked it successfully, the certificate can still connect. Then I found the problem: there are two identical certificates in my OpenVPN server, so I could only revoke the later one, but an identical certificate still exists.

I don't know whether it is a bug in OpenVPN. I want to know how to revoke all these certificates and how to avoid this problem happening again. Thanks!

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Is it a bug that OpenVPN allows two identical certificates to exist

Post by janjust » Mon May 09, 2011 6:11 am

What is "the same certificate"? A certificate is identified by a Distinguished Name (DN) and serial number; if you revoke a certificate, only the combination of DN+serial is revoked; all other certificates with the exact same DN can still connect.

Check the 'keys' directory; there should be an 'index.txt' file there. Make sure the same DN is not listed twice. If it is and you need to revoke both, edit that file and change the first column from 'V' to 'R'. Then rerun

openssl ca -gencrl -out crl.pem

Also make sure that you've added

crl-verify crl.pem

to the openvpn server config.
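As an added illustration of the index.txt check described above (this is not code from the thread, from OpenVPN or from easy-rsa), the following Python audits an OpenSSL `ca` database for subjects that were issued more than once and flips the copies that are still valid from 'V' to 'R'. It assumes the six-column, tab-separated index.txt layout that `openssl ca` writes (status, expiry, revocation date, serial, file name, subject DN); the sample database embedded below is constructed for the example.

```python
"""Audit an OpenSSL `ca` index.txt (easy-rsa keys/index.txt) for duplicate subjects.

Added example, not code from the forum thread or from OpenVPN/easy-rsa.
Assumed layout: one entry per line with six tab-separated columns:
status (V/R/E), expiry, revocation date, serial, file name, subject DN.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample database: CN=client1 was issued twice (serials 02 and 03)
# and only serial 03 was revoked, so client1 can still connect with serial 02.
SAMPLE_INDEX = (
    "V\t210508020000Z\t\t01\tunknown\t/C=US/O=Example/CN=server\n"
    "V\t210508020000Z\t\t02\tunknown\t/C=US/O=Example/CN=client1\n"
    "R\t210508020000Z\t110509023600Z\t03\tunknown\t/C=US/O=Example/CN=client1\n"
    "V\t210508020000Z\t\t04\tunknown\t/C=US/O=Example/CN=client2\n"
)

FIELDS = ("status", "expiry", "revoked", "serial", "filename", "subject")


def parse_index(text):
    """Parse index.txt into a list of dicts, one per certificate entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"index.txt line {lineno}: expected 6 columns, got {len(cols)}")
        entries.append(dict(zip(FIELDS, cols)))
    return entries


def duplicate_subjects(entries):
    """Map subject DN -> list of serials for every DN that appears more than once."""
    by_subject = defaultdict(list)
    for e in entries:
        by_subject[e["subject"]].append(e["serial"])
    return {dn: serials for dn, serials in by_subject.items() if len(serials) > 1}


def valid_serials(entries, subject):
    """Serials for this subject still marked 'V', i.e. not on the CRL yet."""
    return [e["serial"] for e in entries if e["subject"] == subject and e["status"] == "V"]


def utc_stamp(when):
    """Format a datetime the way the index stores dates: YYMMDDHHMMSSZ (UTC)."""
    return when.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")


def revoke_subject(entries, subject, stamp):
    """Flip every valid entry for `subject` from V to R and fill the revocation-date
    column (as `openssl ca -revoke` does). Returns the serials that were changed."""
    changed = []
    for e in entries:
        if e["subject"] == subject and e["status"] == "V":
            e["status"] = "R"
            e["revoked"] = stamp
            changed.append(e["serial"])
    return changed


def render_index(entries):
    """Serialise entries back into index.txt form (tab-separated, one per line)."""
    return "".join("\t".join(e[f] for f in FIELDS) + "\n" for e in entries)


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for dn, serials in duplicate_subjects(db).items():
        print(f"{dn}: serials {serials}, still valid: {valid_serials(db, dn)}")
    # Revoke every remaining copy of client1; afterwards regenerate the CRL with
    # `openssl ca -gencrl` and make sure the server loads it via crl-verify.
    revoke_subject(db, "/C=US/O=Example/CN=client1",
                   utc_stamp(datetime(2011, 5, 9, 6, 11, tzinfo=timezone.utc)))
    print(render_index(db), end="")
```

Run it against the real keys/index.txt by replacing SAMPLE_INDEX with the file's contents, write the rendered result back, and then run the `openssl ca -gencrl` command above so the CRL actually lists every serial you flipped. To stop the situation from recurring, check the `unique_subject` setting for the database (in index.txt.attr or the CA section of openssl.cnf): with `unique_subject = yes`, `openssl ca` refuses to sign a second certificate whose subject matches a still-valid entry.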

zzwindtree
OpenVpn Newbie
Posts: 6
Joined: Wed May 04, 2011 9:46 am

Re: Is it a bug that OpenVPN allows two identical certificates to exist

Post by zzwindtree » Thu May 12, 2011 9:53 am

When I tried to run the command you gave, there was an error:

[root@vpnsrv ~]# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
31303:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
31303:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key

And I cannot find the cakey.pem. Please help me solve the problem, thanks a lot!

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Is it a bug that OpenVPN allows two identical certificates to exist

Post by janjust » Thu May 12, 2011 9:58 am

Ah, forgot about the special config. Run

. ./vars
openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"

zzwindtree
OpenVpn Newbie
Posts: 6
Joined: Wed May 04, 2011 9:46 am

Re: Is it a bug that OpenVPN allows two identical certificates to exist

Post by zzwindtree » Tue May 17, 2011 12:51 am

I tried to run the command, but it still failed. The error is as follows.
[root@vpnsrv 2.0]# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@vpnsrv 2.0]# openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
Using configuration from
error loading the config file ''
26253:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('','rb')
26253:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
26253:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:

It seems some config files can't be found when running the command.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Is it a bug that OpenVPN allows two identical certificates to exist

Post by janjust » Tue May 17, 2011 10:33 am

What does

echo $KEY_CONFIG

give before running the 'openssl ca' command? Does it point to an existing openssl.cnf file?
