Is it a bug that openvpn allows two identical certificates to exist?
Posted: Mon May 09, 2011 2:36 am
by zzwindtree
Is it a bug that the openvpn server allowed two identical certificates to exist at the same time?
Now when I tried to revoke a certificate, though I revoked the certificate successfully, the certificate can still connect. Then I found out the problem: there are two identical certificates in my openvpn server, so I could only revoke the later one, but an identical certificate still exists.
I don't know whether it is a bug in openvpn. And I want to know how to revoke all these certificates and how to avoid this problem happening again. Thanks!
Re: Is it a bug that openvpn allows two identical certificates to exist
Posted: Mon May 09, 2011 6:11 am
by janjust
What is "the same certificate"? A certificate is identified by a Distinguished Name (DN) and serial number; if you revoke a certificate, only the combination of DN+serial is revoked; all other certificates with the exact same DN can still connect.
Check the 'keys' directory; there should be an 'index.txt' file there. Make sure the same DN is not listed twice. If it is and you need to revoke both, edit that file and change the first column from 'V' to 'R'. Then rerun
Also make sure that you've added
to the openvpn server config.
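A small checker for the index.txt audit described above, added here as an example (it is not code from the thread or from easy-rsa); the sample index.txt content is constructed. It flags any DN that has more than one 'V' entry and shows the V-to-R edit, with a revocation date, that openssl ca would write; the CRL still has to be regenerated afterwards.

```python
"""Audit an OpenSSL CA database (easy-rsa's keys/index.txt) for duplicate
valid certificates that share one DN, and mark all of them revoked."""
from collections import defaultdict

# Constructed sample index.txt. Fields are tab-separated: status (V/R/E),
# expiry, revocation date (empty unless R), serial, filename, DN.
# Serial 01 is already revoked; 02 and 03 are both still valid for 'alice',
# so revoking only one of them leaves a certificate that can still connect.
SAMPLE_INDEX = (
    "R\t210101000000Z\t110509000000Z\t01\tunknown\t/C=US/O=Example/CN=alice\n"
    "V\t210101000000Z\t\t02\tunknown\t/C=US/O=Example/CN=alice\n"
    "V\t210101000000Z\t\t03\tunknown\t/C=US/O=Example/CN=alice\n"
    "V\t210101000000Z\t\t04\tunknown\t/C=US/O=Example/CN=bob\n"
)

def parse_index(text):
    """Yield one dict per index.txt line; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, fname, dn = fields
        yield {"status": status, "expiry": expiry, "revoked": revoked,
               "serial": serial, "file": fname, "dn": dn}

def duplicate_valid_dns(text):
    """Map DN -> serials for every DN that still has more than one 'V' entry."""
    by_dn = defaultdict(list)
    for entry in parse_index(text):
        if entry["status"] == "V":
            by_dn[entry["dn"]].append(entry["serial"])
    return {dn: serials for dn, serials in by_dn.items() if len(serials) > 1}

def revoke_dn(text, dn, revocation_date):
    """Return index.txt text with every 'V' entry for `dn` flipped to 'R' and
    the revocation date filled in. Re-run 'openssl ca -gencrl' afterwards."""
    out = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 6 and fields[0] == "V" and fields[5] == dn:
            fields[0], fields[2] = "R", revocation_date
        out.append("\t".join(fields))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for dn, serials in duplicate_valid_dns(SAMPLE_INDEX).items():
        print("DN %s has %d valid certs: serials %s" % (dn, len(serials), ", ".join(serials)))
    fixed = revoke_dn(SAMPLE_INDEX, "/C=US/O=Example/CN=alice", "110517000000Z")
    print("duplicates after revoking:", duplicate_valid_dns(fixed))
```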
Re: Is it a bug that openvpn allows two identical certificates to exist
Posted: Thu May 12, 2011 9:53 am
by zzwindtree
When I tried to run the command you gave, there is an error:
[root@vpnsrv ~]# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
31303:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
31303:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
And I cannot find the cakey.pem. Please help me solve the problem, thanks a lot!
Re: Is it a bug that openvpn allows two identical certificates to exist
Posted: Thu May 12, 2011 9:58 am
by janjust
Ah, forgot about the special config. Run
. ./vars
openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
Re: Is it a bug that openvpn allows two identical certificates to exist
Posted: Tue May 17, 2011 12:51 am
by zzwindtree
I tried to run the command, but it still failed. The error is as follows.
[root@vpnsrv 2.0]# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@vpnsrv 2.0]# openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
Using configuration from
error loading the config file ''
26253:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('','rb')
26253:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
26253:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
It seems some config files can't be found when running the command.
Re: Is it a bug that openvpn allows two identical certificates to exist
Posted: Tue May 17, 2011 10:33 am
by janjust
what does
give before running the 'openssl ca' command? Does it point to an existing openssl.cnf file?