The included easy-rsa scripts provide a convenient way of running your own CA for authentication to the OpenVPN server. Some updates to the default config and scripts are incompatible with the former package versions 2.0.7-r2 / 2.0.6 and cause the revoke-full script to fail. Since this is highly nontransparent for users, leaving easy-rsa in the install path, which is not config-protected (/usr/share/openvpn/easy-rsa) and is silently overwritten by the new package, I recommend reverting the changes to a working default config; see the attached patch for details. It's up to the judgement of the maintainer to improve the situation by moving the easy-rsa path, issuing a big fat warning on package update or whatever...

Reproducible: Always

Steps to Reproduce:
1. generate a CA and client cert via easy-rsa in default location
2. revoke client cert via revoke-full script
3. watch script fail

Actual Results: non working default config

Expected Results: working default config

--- easy-rsa-209/openssl.cnf 2009-06-08 16:06:48.000000000 +0200 +++ easy-rsa-209.new/openssl.cnf 2009-06-10 17:39:46.000000000 +0200 @@ -276,10 +276,10 @@ # #pkcs11 = pkcs11_section -[ pkcs11_section ] -engine_id = pkcs11 -dynamic_path = /usr/lib/engines/engine_pkcs11.so -MODULE_PATH = $ENV::PKCS11_MODULE_PATH -PIN = $ENV::PKCS11_PIN -init = 0 +#[ pkcs11_section ] +#engine_id = pkcs11 +#dynamic_path = /usr/lib/engines/engine_pkcs11.so +#MODULE_PATH = $ENV::PKCS11_MODULE_PATH +#PIN = $ENV::PKCS11_PIN +#init = 0 --- easy-rsa-209/vars 2009-06-08 16:06:48.000000000 +0200 +++ easy-rsa-209.new/vars 2009-06-10 17:39:13.000000000 +0200 @@ -26,7 +26,7 @@ # This variable should point to # the openssl.cnf file included # with easy-rsa. -export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` +export KEY_CONFIG="$EASY_RSA/openssl.cnf" # Edit this variable to point to # your soon-to-be-created key
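Review bot: The openssl.cnf hunk (the '[ pkcs11_section ]' block) removes the symptom rather than its cause: the section only fails because 'MODULE_PATH = $ENV::PKCS11_MODULE_PATH' and 'PIN = $ENV::PKCS11_PIN' are expanded at config-parse time and OpenSSL refuses a '$ENV::' reference whose variable is not set, so the file breaks for every user who has not exported those two variables even though '#pkcs11 = pkcs11_section' is already disabled. A fix that keeps token support usable would export safe defaults for PKCS11_MODULE_PATH and PKCS11_PIN from 'vars' (or the script that sources it) instead of commenting the section out.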
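Review bot: The vars hunk, 'export KEY_CONFIG="$EASY_RSA/openssl.cnf"', silently drops the version selection that 'whichopensslcnf' performs between openssl.cnf and openssl-0.9.6.cnf, so users on the older OpenSSL would be pointed at a config their binary cannot parse. If the selection script is simply absent from the installed directory, installing it is the fix; bypassing it with a hard-coded path should not be the shipped default, and the original backtick form should be kept.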
The real problem in this case is that the ebuild "forgets" to copy one file in the easy-rsa directory. The file in question is easy-rsa/whichopensslcnf which is used to select the openssl configuration between current and openssl-0.9.6. Another (small) mistake in the ebuild is that openssl-0.9.6.cnf is made executable by the 'doexe *-* pkitool' command in the src_install section of the ebuild. The attached patch should (hopefully) fix both issues, please apply, check and report your findings.
Created attachment 195073: Patch to fix the easy-rsa directory
Applied in CVS. Thanks
Sorry for the late reply/testing...

(In reply to comment #1)
> The real problem in this case is that the ebuild "forgets" to copy one file in
> the easy-rsa directory. The file in question is easy-rsa/whichopensslcnf which
> is used to select the openssl configuration between current and openssl-0.9.6.

I must admit I haven't looked into the ebuilds...

> Another (small) mistake in the ebuild is that openssl-0.9.6.cnf is made
> executable by the 'doexe *-* pkitool' command in the src_install section of the
> ebuild.
>
> The attached patch should (hopefully) fix both issues, please apply, check and
> report your findings.

Still not fixed, the revoke script still fails because of the pkcs11 section in the active conf:

# ./revoke-full client2 -->
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/usr/share/openvpn/easy-rsa/openssl.cnf'
26484:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/usr/share/openvpn/easy-rsa/openssl.cnf'
26485:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
cat: crl.pem: Datei oder Verzeichnis nicht gefunden
Error opening certificate file client2.crt
26487:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('client2.crt','r')
26487:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load certificate

Whoever utilizes pkcs11 cryptographic tokens needs to modify his setup beyond this simple preconfiguration, so I see no reason for having this section uncommented...

Last one, would it not make much more sense to also increase the default_crl_days to 3650 days?

My proposed patch:

--- openssl.cnf.orig 2009-06-22 00:35:27.000000000 +0200 +++ openssl.cnf 2009-06-22 00:58:25.000000000 +0200
@@ -58,7 +58,7 @@ # crl_extensions = crl_ext default_days = 3650 # how long to certify for -default_crl_days= 30 # how long before next CRL +default_crl_days= 3650 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering @@ -277,9 +277,9 @@ #pkcs11 = pkcs11_section [ pkcs11_section ] -engine_id = pkcs11 -dynamic_path = /usr/lib/engines/engine_pkcs11.so -MODULE_PATH = $ENV::PKCS11_MODULE_PATH -PIN = $ENV::PKCS11_PIN -init = 0 +#engine_id = pkcs11 +#dynamic_path = /usr/lib/engines/engine_pkcs11.so +#MODULE_PATH = $ENV::PKCS11_MODULE_PATH +#PIN = $ENV::PKCS11_PIN +#init = 0
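Review bot: In the first hunk, raising 'default_crl_days' from 30 to 3650 puts every CRL's nextUpdate ten years ahead, so a crl.pem that was generated before a later revocation and never redistributed is still accepted as current by every verifier for a decade; the short default is what forces operators to regenerate and redistribute the CRL on a schedule. If the aim is only to stop the CRL expiring between revocations, a value in weeks or months plus a note that revoke-full regenerates crl.pem would be the safer change. Also visible in this hunk's context: 'default_md = md5' signs certificates and CRLs with MD5, which is collision-prone; sha1 or stronger should be the shipped default.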
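Review bot: In the second hunk, keeping the '[ pkcs11_section ]' header while commenting out its five keys leaves an empty section, which OpenSSL accepts, so this is harmless and is a better shape than the earlier attachment: a user enabling tokens only uncomments the body and the '#pkcs11 = pkcs11_section' line. One caveat worth a comment next to 'PIN = $ENV::PKCS11_PIN': the token PIN is read from the environment, which other processes of the same user can read, so it should be exported only for the revocation command and not left in a login shell.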
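A pre-flight check for the failure shown in the two posts above, written as an added example for this thread, not easy-rsa's own whichopensslcnf script: it picks openssl.cnf or openssl-0.9.6.cnf from a version string and reports every $ENV:: reference in the chosen file whose variable is unset, which is exactly what makes openssl abort with "variable has no value" on line 282. The config fragment it runs on is constructed here; pick_openssl_cnf, missing_env_vars and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not easy-rsa's own whichopensslcnf: choose the openssl
# config for a given OpenSSL version string and pre-check every $ENV::
# reference in it, so an unset variable is reported up front instead of
# 'openssl ca' aborting with "variable has no value" mid-revocation.

# pick_openssl_cnf DIR VERSION_STRING -> prints the config path to use.
# Assumption: DIR holds openssl.cnf and openssl-0.9.6.cnf, and only the
# 0.9.6 series needs the legacy file.
pick_openssl_cnf() {
    case "$2" in
        "OpenSSL 0.9.6"*) echo "$1/openssl-0.9.6.cnf" ;;
        *)                echo "$1/openssl.cnf" ;;
    esac
}

# missing_env_vars CNF -> prints each $ENV::NAME in CNF (comments ignored)
# whose variable is not set in the environment; returns 1 if any is missing.
missing_env_vars() {
    rc=0
    for name in $(sed 's/#.*//' "$1" \
                  | grep -o '\$ENV::[A-Za-z_][A-Za-z0-9_]*' \
                  | sed 's/^\$ENV:://' | sort -u); do
        # eval is safe: name was restricted to [A-Za-z_][A-Za-z0-9_]* above
        eval "isset=\${$name+set}"
        if [ -z "$isset" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed fragment mirroring the pkcs11_section that fails on
# line 282 in the bug report (sample file, not the real openssl.cnf).
demo_dir=$(mktemp -d)
printf '[ pkcs11_section ]\nengine_id = pkcs11\nMODULE_PATH = $ENV::PKCS11_MODULE_PATH\nPIN = $ENV::PKCS11_PIN\n#old = $ENV::IGNORED\n' \
    > "$demo_dir/openssl.cnf"
: > "$demo_dir/openssl-0.9.6.cnf"
# Fall back to a constructed version string if openssl is not installed.
cnf=$(pick_openssl_cnf "$demo_dir" "$(openssl version 2>/dev/null || echo 'OpenSSL 0.9.8k')")
missing_env_vars "$cnf" \
    || echo "unset \$ENV:: variables listed above: export them or comment the section out"
rm -rf "$demo_dir"
```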
Fix in openvpn-2.1_rc20