easy-rsa creates .crl files for each cert that is created, however I deleted them after all the crts and keys had been created as was the case in ovpn 2.4.

Does 2.5 use those files and if so, what is the directive that should be used in the server and client conf files?

I created the certs in the following order
df2048, CA, server cert, and then all of the client crt, then the crl.pem
I did NOT delete the csr files until ALL the certs had been created. Hence the ca.crl was there when the server and client certs were made.

The Client certs were signed with the easy-rsa build-key script

[root@narciso easy-rsa]# ./build-key DelMe
Ignoring -days without -x509; not generating a certificate
.+.......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+....+...+......+..+............+..................+...+.+......+..............+.+.....+...+....+..+.+.....+.............+.....+.+......+.....+............+............+.+..+...+.........+...+...+...+.......+...+..............+................+..+....+......+.....+.......+...+........+.........+.+.........+...+..+.......+...+..+....+..+............+.+..+....+...........+.......+.....+...+....+...+..+.........+......+.........+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.......+...+.....+............+...+......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+...+............+.....+....+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+.+..................+......+...+.....+.+......+......+...+.....+.........+.............+.........+......+........+.+...+..+....+.....+....+........+.........+.........+.+...+.....+.+............+..+...............+..........+..+..........+...+..+.+...+..+.......+.....+...+.............+..+...............+..........+.........+.....+.+.....+..........+........+....+..+.........+.......+..+.......+...+.....+.+....................+.+...+.....+............+................+..+...+...+...............+......+.+...+......+........+...+.......+...+..+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MX]:
State or Province Name (full name) [Jalisco]:
Locality Name (eg, city) [Tlaquepaque]:
Organization Name (eg, company) [Vame Vehiculos]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [DelMe]:
Name []:
Email Address [salvador.ba...@moov.com.mx]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'MX'
stateOrProvinceName   :PRINTABLE:'Jalisco'
localityName          :PRINTABLE:'Tlaquepaque'
organizationName      :PRINTABLE:'Vame Vehiculos'
commonName            :PRINTABLE:'DelMe'
emailAddress          :IA5STRING:'salvador.ba...@moov.com.mx'
Certificate is to be certified until Dec 25 21:22:22 2033 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated

[root@narciso easy-rsa]# cat keys/DelMe.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=MX, ST=Jalisco, L=Tlaquepaque, O=Vame Vehiculos, CN=narciso.moov.com.mx/emailAddress=webmas...@moov.com.mx
        Validity
            Not Before: Dec 28 21:22:22 2023 GMT
            Not After : Dec 25 21:22:22 2033 GMT
        Subject: C=MX, ST=Jalisco, L=Tlaquepaque, O=Vame Vehiculos, CN=DelMe/emailAddress=salvador.ba...@moov.com.mx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:5e:9b:d2:55:d5:93:26:24:14:ba:9f:a7:b4:
                    1a:5b:78:36:66:33:32:8c:7e:84:46:1a:24:2a:18:
                    5e:1c:38:8e:30:fa:50:4d:83:8b:aa:d2:86:34:57:
                    bf:1a:f8:a4:90:fd:25:fc:61:92:d2:da:05:a8:d4:
                    1f:44:92:f1:72:e9:2d:52:9d:dd:f9:2f:10:4d:68:
                    3b:e3:bb:08:33:60:da:f4:9c:75:6a:c4:93:b2:8e:
                    06:88:a7:ce:3e:28:0e:ef:95:11:78:e6:18:76:29:
                    1f:2b:f3:be:f2:ff:30:6f:a2:ed:0a:9b:ce:d6:9b:
                    22:91:c2:d1:df:e2:4f:d1:3d:44:65:a1:e2:59:d0:
                    33:8e:28:72:ca:b3:68:73:36:79:b2:9a:26:d4:98:
                    b7:f5:4f:e4:8b:28:c2:f3:e4:b5:5c:24:5f:81:76:
                    16:dd:a6:a8:5f:3d:28:43:0b:e8:80:d2:3e:8e:0e:
                    af:69:a1:02:f7:3c:49:ac:3d:33:e8:a7:2d:6d:8e:
                    b0:39:d1:b7:15:7d:8b:04:a5:61:48:0b:85:d8:da:
                    dc:42:df:34:a9:1d:13:59:db:77:e7:65:0f:c2:0b:
                    a3:f7:33:72:5d:60:ad:c3:b5:44:68:f7:fe:33:8c:
                    17:51:58:69:7b:88:9e:1b:e9:d5:29:ed:06:de:f5:
                    ea:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                AD:39:5A:C3:AF:F6:A1:D7:11:90:07:2A:EC:58:87:50:8A:E1:59:74
            X509v3 Authority Key Identifier:
                keyid:AC:A0:26:F0:28:3E:CE:3D:18:FA:1D:4A:83:37:F0:A1:B2:CA:75:19
                DirName:/C=MX/ST=Jalisco/L=Tlaquepaque/O=Vame Vehiculos/CN=narciso.moov.com.mx/emailAddress=webmas...@moov.com.mx
                serial:19:F3:58:A4:51:EC:D0:C4:95:97:B2:B5:34:AA:0B:F1:46:F9:3C:E3
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        78:6d:d9:92:a0:6d:2b:10:36:a3:f7:ac:f8:26:18:22:f6:31:
        93:61:93:2a:8f:d3:48:dc:99:b6:11:64:6f:67:d5:5c:91:f6:
        e9:47:cc:11:5d:0d:10:82:ab:21:3d:a2:4a:9e:3f:5b:05:b2:
        a2:e2:80:fe:23:36:04:49:3a:3a:b6:fd:aa:82:e9:4b:b3:5e:
        4c:f7:42:cc:71:71:d9:6a:ac:cf:9c:91:99:0e:83:4b:b9:2e:
        7e:a8:bd:20:7a:a3:4b:79:8c:32:53:29:b5:c0:14:c5:7a:96:
        f4:6f:a0:99:cf:e1:b6:84:65:00:42:08:78:51:2e:ef:2b:65:
        cb:fc:53:85:a5:57:8a:c1:ab:aa:23:f6:49:27:14:38:4d:e8:
        f4:79:44:90:34:e8:61:b2:fe:eb:40:4c:0f:89:4c:f5:aa:8b:
        85:38:cb:32:e6:a6:20:e9:77:bb:5d:76:11:a1:05:50:57:33:
        a2:cb:1b:da:27:c6:a3:c9:b8:2d:d3:d5:be:46:ca:04:35:47:
        f8:fa:6e:98:3d:27:ad:de:05:17:6c:45:25:5c:de:6b:dc:33:
        e9:8d:61:c6:01:88:a6:a3:19:1e:ea:cb:1b:82:81:1f:d7:c4:
        e9:cf:2a:74:c5:fc:1f:b9:36:af:f8:30:01:0b:01:bc:f1:e7:
        d1:6f:47:76
-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----



Richard


On 12/28/23 15:10, Antonio Quartulli wrote:
Hi,

On 28/12/2023 21:15, Richard Couture wrote:

the following is the actual reason for clients to not be able to connect:

2023-12-28 14:01:01 187.251.133.221:1194 VERIFY ERROR: depth=0, error=CRL signature failure: C=MX, ST=Jalisco, L=Tlaquepaque, O=Vame Vehiculos, CN=rrc, emailAddress=salvador.ba...@moov.com.mx, serial=7
2023-12-28 14:01:01 187.251.133.221:1194 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-12-28 14:01:01 187.251.133.221:1194 TLS_ERROR: BIO read tls_read_plaintext error
2023-12-28 14:01:01 187.251.133.221:1194 TLS Error: TLS object -> incoming plaintext read error
2023-12-28 14:01:01 187.251.133.221:1194 TLS Error: TLS handshake failed
2023-12-28 14:01:16 187.251.133.221:1194 VERIFY ERROR: depth=0, error=CRL signature failure: C=MX, ST=Jalisco, L=Tlaquepaque, O=Vame Vehiculos, CN=rrc, emailAddress=salvador.ba...@moov.com.mx, serial=7
2023-12-28 14:01:16 187.251.133.221:1194 OpenSSL: error:0A000086:SSL routines::certificate verify failed

Did you create a new CRL after having created the new CA?
If the verification fails, I can imagine two reasons:
1) CRL not signed with the current CA
2) CRL signed with a legacy algorithm which is not accepted by the more recent OpenSSL.


Regards,



--
LinuxCabal Asociación Civil
Ing. Richard Couture
Novell CNE, ECNE, MCNE
HP/Compaq ASE
Cel.: (+52) 333 377-7505
Web: http://www.LinuxCabal.org
E-Mail: r...@linuxcabal.org
Hosted in the cloud by Cloud Sigma - www.CloudSigma.com

CONFIDENTIALITY NOTICE: This e-mail, including any attachments, may contain confidential and/or privileged information and is sent solely and exclusively for the attention of the person and/or entity to whom it is addressed. Copying, reviewing, using, disclosing and/or distributing such confidential information without the written authorization of LinuxCabal is prohibited. If you are not the intended recipient of this e-mail, please contact the sender by replying to this e-mail and delete the original e-mail including its attachments and any copies of it. By receiving this e-mail you acknowledge and accept that, in the event of a breach of the above terms by you and/or your representatives, LinuxCabal will be entitled to the damages this causes it.
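The two causes Antonio lists for "CRL signature failure" can be reproduced and checked outside OpenVPN. The script below is an added example, not code from this thread, from easy-rsa or from OpenVPN: it builds two throwaway CAs with the same DN (the "regenerated CA" situation), issues a client cert under the new one, and runs `openssl verify -crl_check` with a CRL signed by the old key versus a freshly generated one; it then prints the digest each CRL was signed with, since sha1/md5 (the algorithm shown in the certificate dump above) is what newer OpenSSL builds may refuse. All names, DNs and file paths are constructed for the example; the only assumption is an `openssl` binary (1.1.1 or 3.x) on PATH. To check a real deployment, point `openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem` at one client cert, and `openssl crl -in crl.pem -noout -text` at the CRL.

```shell
#!/bin/sh
# Added example, not code from the thread, easy-rsa or OpenVPN: reproduce the two causes
# of "CRL signature failure" with throwaway keys in a temp directory, and show the checks
# to run on ca.crt / crl.pem before restarting the server.
# Assumes an `openssl` binary (1.1.1 or 3.x) on PATH; every name and DN below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DN="/C=MX/O=Example CA/CN=example-ca"   # constructed; reused so both CAs look identical

# make_ca NAME: self-signed CA in $WORK/NAME.key and $WORK/NAME.crt.
# Both CAs get the same DN to mimic a CA that was regenerated after the CRL was issued.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_DN" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_client CA NAME: client cert signed by CA (what easy-rsa's build-key does).
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -out "$WORK/$2.crt" 2>/dev/null
}

# make_crl CA DIGEST OUT: empty CRL signed by CA with DIGEST (what easy-rsa's gencrl does).
make_crl() {
    : > "$WORK/$1.index"                       # openssl ca needs an index file, even if empty
    cat > "$WORK/$1.cnf" <<EOF
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database = $WORK/$1.index
certificate = $WORK/$1.crt
private_key = $WORK/$1.key
default_crl_days = 30
EOF
    openssl ca -config "$WORK/$1.cnf" -gencrl -md "$2" -out "$3" 2>/dev/null
}

# crl_check CA CRL CLIENT: succeed only if CLIENT verifies against CA with CRL checking on.
# This is the same X.509 verification OpenVPN performs, so it reports the same error text.
crl_check() {
    openssl verify -crl_check -CAfile "$WORK/$1.crt" -CRLfile "$2" "$WORK/$3.crt" >/dev/null 2>&1
}

# crl_digest CRL: digest named in the CRL's signature algorithm, e.g. "sha256" or "sha1".
crl_digest() {
    openssl crl -in "$1" -noout -text |
        sed -n 's/.*Signature Algorithm: \([a-z0-9]*\)With.*/\1/p' | head -n 1
}

make_ca old                                 # the CA the CRL was issued under
make_crl old sha256 "$WORK/stale.crl"
make_ca new                                 # the CA later regenerated with the same DN
make_client new client                      # client cert issued by the new CA

echo "1) stale CRL (signed by the old CA key) checked against the new CA:"
openssl verify -crl_check -CAfile "$WORK/new.crt" -CRLfile "$WORK/stale.crl" "$WORK/client.crt" 2>&1 || true

make_crl new sha256 "$WORK/fresh.crl"       # regenerate the CRL under the current CA
echo "   fresh CRL: $(crl_check new "$WORK/fresh.crl" client && echo OK || echo FAILED)"

echo "2) digest in each CRL's signature (sha1/md5 are the legacy ones newer OpenSSL may reject):"
echo "   fresh.crl:  $(crl_digest "$WORK/fresh.crl")"
if make_crl new sha1 "$WORK/legacy.crl"; then
    echo "   legacy.crl: $(crl_digest "$WORK/legacy.crl")"
else
    rm -f "$WORK/legacy.crl"
    echo "   this OpenSSL build refuses to sign with sha1 at all"
fi
```

The first check prints the same "CRL signature failure" text as the VERIFY ERROR lines in the log, because a CRL carries no key of its own: it is trusted only if the CA certificate in `ca` (or `--crl-verify`'s issuer) can verify its signature, so a CRL must be regenerated whenever the CA key is. The second check tells the two causes apart: a CRL that verifies but is signed with sha1 or md5 should simply be reissued with the current easy-rsa defaults.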



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
