Is it a bug that the OpenVPN server allowed two identical certificates to exist at the same time?
Now, when I tried to revoke a certificate, the revocation succeeded but the certificate could still connect. Then I found the problem: there are two identical certificates in my OpenVPN server, so I could only revoke the later one, but an identical certificate still exists.
I don't know whether it is a bug in OpenVPN. I want to know how to revoke all these certificates and how to avoid this problem happening again. Thanks!
Is it a bug that OpenVPN allows two identical certificates to exist?
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 04, 2011 9:46 am
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Is it a bug that OpenVPN allows two identical certificates to exist
What is "the same certificate"? A certificate is identified by a Distinguished Name (DN) and serial number; if you revoke a certificate, only the combination of DN+serial is revoked; all other certificates with the exact same DN can still connect.
Check the 'keys' directory, there should be an 'index.txt' file there; make sure the same DN is not listed twice. If it is and you need to revoke both, edit that file and change the first column from 'V' to 'R'. Then rerun

    openssl ca -gencrl -out crl.pem

Also make sure that you've added

    crl-verify crl.pem

to the openvpn server config.
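As an added example (not part of the thread, and not janjust's or easy-rsa's code): a POSIX sh check over an easy-rsa/OpenSSL index.txt that lists every DN still carrying more than one valid ('V') entry, plus a helper that does the manual edit described above for one serial, flipping 'V' to 'R' and filling the revocation-date column that 'openssl ca -gencrl' reads. The index.txt content embedded here is constructed sample data.

```shell
#!/bin/sh
# index.txt is tab-separated: status, expiry, revocation date, serial,
# filename, DN. The revocation-date column is empty while status is 'V'.

# Constructed sample index.txt (not from the original post): the DN for
# "alice" was issued twice, "bob" is already revoked, "carol" is unique.
SAMPLE_INDEX="$(printf '%s\n' \
  'V	210501000000Z		01	unknown	/C=US/O=Example/CN=alice' \
  'V	210501000000Z		02	unknown	/C=US/O=Example/CN=alice' \
  'R	210501000000Z	110505120000Z	03	unknown	/C=US/O=Example/CN=bob' \
  'V	210501000000Z		04	unknown	/C=US/O=Example/CN=carol')"

# duplicate_valid_dns FILE: print "DN: serial serial..." for every DN that
# still has more than one 'V' row. Revoked ('R') rows are ignored, which is
# exactly why revoking one serial leaves the duplicate able to connect.
duplicate_valid_dns() {
    awk -F'\t' '
        $1 == "V" { count[$6]++; serials[$6] = serials[$6] " " $4 }
        END { for (dn in count) if (count[dn] > 1) print dn ":" serials[dn] }
    ' "$1"
}

# revoke_serial FILE SERIAL REVDATE: mark the 'V' row with SERIAL as 'R'
# and record REVDATE (UTCTime, e.g. 110505120000Z) in column 3, so the
# entry carries a revocation date when the CRL is regenerated.
# The file is rewritten in place via a temporary copy.
revoke_serial() {
    file=$1; serial=$2; revdate=$3
    awk -F'\t' -v OFS='\t' -v s="$serial" -v d="$revdate" '
        $4 == s && $1 == "V" { $1 = "R"; $3 = d }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Stand-alone run: write the sample, report duplicates, revoke both copies.
if [ "${0##*/}" != "sh" ] && [ -z "${SKIP_DEMO:-}" ]; then
    idx=$(mktemp)
    printf '%s\n' "$SAMPLE_INDEX" > "$idx"
    echo "Duplicate valid DNs before:"; duplicate_valid_dns "$idx"
    revoke_serial "$idx" 01 110505120000Z
    revoke_serial "$idx" 02 110505120000Z
    echo "Duplicate valid DNs after:"; duplicate_valid_dns "$idx"
    rm -f "$idx"
fi
```

After the edit, regenerate the CRL as described in the post so the server actually picks up both 'R' entries.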
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 04, 2011 9:46 am
Re: Is it a bug that OpenVPN allows two identical certificates to exist
When I tried to run the command you gave, there was an error:
[root@vpnsrv ~]# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
31303:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
31303:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
And I cannot find the cakey.pem. Please help me solve the problem, thanks a lot!
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Is it a bug that OpenVPN allows two identical certificates to exist
Ah, forgot about the special config. Run

    . ./vars
    openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 04, 2011 9:46 am
Re: Is it a bug that OpenVPN allows two identical certificates to exist
I tried to run the command, but it still failed. The error is as follows.
[root@vpnsrv 2.0]# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@vpnsrv 2.0]# openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
Using configuration from
error loading the config file ''
26253:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('','rb')
26253:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
26253:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
It seems some config files can't be found when running the command.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Is it a bug that OpenVPN allows two identical certificates to exist
What does

    echo $KEY_CONFIG

give before running the 'openssl ca' command? Does it point to an existing openssl.cnf file?