[Top posting, to follow convention]
The "new" EasyRSA 3.x code/tool doesn't appear to have the problem you're
talking about. [I've recently tested with it, and revoking certs works fine -
at least with the options I'm using - there are obviously other code paths, and
perhaps they would produce the same errors.]
So, it might be worth downloading the most recent EasyRSA tool and seeing if
that fixes it.
On that note, however, there are substantial problems, IMO, with the EasyRSA
tools in how they produce and encrypt private keys.
EasyRSA uses the old PBKDF1 [vs PBKDF2] format, and 3DES instead of much
stronger options (read AES256). While 3DES may be good enough, at least for
right this second, the PBKDF1 format dramatically weakens even 3DES encrypted
keys, from what I've been told on the OpenSSL mailing list.
I've submitted some code suggestions to fix some of these issues, but I haven't
heard any feedback from the maintainer. However, these aren't
super-straightforward fixes, since the old code and my new proposed code call
the OpenSSL tools differently, and will require more re-coding and testing
time. [And I feel unskilled/ill-equipped in producing the entire patch myself,
along with quite limited time.]
-Greg
BB> The mail below was written A LOOONG time ago, that is how often I
BB> have to revoke a VPN certificate. ;-)
BB> Today I had to do it again and once again ran into that error 23
BB> line which got me confused whether I did something wrong or right?
BB> Is there any way to get rid of that error msg and report success
BB> instead of an error when indeed it has successfully revoked the certificate?
BB> Kind regards,
BB> Bonno Bloksma
BB> senior system administrator
BB> tio
BB> university of applied sciences
BB> begijnenhof 8-12 / 5611 el eindhoven
BB> t +31 (0)40-296 28 28
BB> b.blok...@tio.nl / www.tio.nl
BB> Follow us on Twitter / Facebook / LinkedIn / YouTube
BB> -----Original Message-----
BB> From: Bonno Bloksma [mailto:b.blok...@tio.nl]
BB> Sent: Friday 22 April 2011 9:02
BB> To: openvpn-users@lists.sourceforge.net
BB> Subject: Re: [Openvpn-users] revoke-full gives error
BB> Hi Yevgeny,
>>Bonno Bloksma wrote:
>>> Did it revoke the certificate? If I look at the crl.pem file it seems
>>> it did.
>>> What is that "error 23 at 0 depth lookup:certificate revoked"?
>>Yes it did. Error 23 refers to revocation test and means it was really
>>revoked.
BB> That's funny, to report success on a test as an error.
BB> Or is that just a message string that never got properly inserted in the
BB> (error) message database?
BB> Bonno
BB>
BB> _______________________________________________
BB> Openvpn-users mailing list
BB> Openvpn-users@lists.sourceforge.net
BB> https://lists.sourceforge.net/lists/listinfo/openvpn-users
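
[Added example, not part of the thread and not EasyRSA code: a Python check that reports which encryption envelope a PEM private key uses, for auditing the key-encryption concern raised in the top message. It separates the traditional OpenSSL PEM format (DEK-Info header, single-round MD5 key derivation) from PKCS#8 with PBES2 (PBKDF2). The function name, result labels and sample keys are assumptions made for this illustration.]

```python
import base64
import re

# DER-encoded object identifiers searched for in a PKCS#8 header.
OID_PBES2 = bytes.fromhex("06092a864886f70d01050d")       # 1.2.840.113549.1.5.13
OID_AES256_CBC = bytes.fromhex("060960864801650304012a")  # 2.16.840.1.101.3.4.1.42

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def classify_key(pem_text):
    """Return (envelope, detail) for the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text.replace("\r\n", "\n"))
    if not m or not m.group(1).endswith("PRIVATE KEY"):
        return ("not-a-key", "")
    label, body = m.group(1), m.group(2)
    # Traditional OpenSSL PEM encryption: cipher named in DEK-Info, key
    # derived from the passphrase with one round of MD5 (EVP_BytesToKey).
    if "Proc-Type: 4,ENCRYPTED" in body:
        dek = re.search(r"DEK-Info: ([A-Za-z0-9-]+),", body)
        return ("legacy-pem", dek.group(1) if dek else "unknown")
    if label != "ENCRYPTED PRIVATE KEY":
        return ("unencrypted", "")
    # PKCS#8: the scheme OIDs sit in the first bytes of the DER structure.
    # Byte search is a heuristic, not a full ASN.1 parse.
    head = base64.b64decode("".join(body.split()))[:256]
    if OID_PBES2 not in head:
        return ("pkcs8-not-pbes2", "")
    cipher = "aes-256-cbc" if OID_AES256_CBC in head else "other"
    return ("pkcs8-pbes2", cipher)


# Constructed samples: headers are realistic, key material is filler.
LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUFBQUFBQUFBQUFBQUFBQQ==
-----END RSA PRIVATE KEY-----
"""
_hdr = b"\x30\x40" + OID_PBES2 + OID_AES256_CBC + b"\x00" * 16
MODERN = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
          + base64.b64encode(_hdr).decode()
          + "\n-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, classify_key(pem))
```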