I am running openvpn on an Ubuntu 14.04 box. The setup was fine until an OpenSSL upgrade, then when I try to create new client cert with easy-rsa, I got this message:
root@:easy-rsa# ./pkitool onokun
Using Common Name: onokun
Generating a 2048 bit RSA private key
.+++
........+++
writing new private key to 'onokun.key'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Error Loading extension section usr_cert
3074119356:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn
3074119356:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:537:
3074119356:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=onokun
This problem is different from a reported bug that the which opensslcnf
script can not find an matching version of openssl.cnf
to use (above message shows openssl-1.0.0.cnf
). I performed a Google search but did not find an answer.
Here are some environment information:
## openvpn
OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Originally developed by James Yonan
## openssl
OpenSSL 1.0.1f 6 Jan 2014
## dpkg --get-selections | grep ssl
libgnutls-openssl27:i386 install
libio-socket-ssl-perl install
libnet-smtp-ssl-perl install
libnet-ssleay-perl install
libssl-dev:i386 install
libssl-doc install
libssl0.9.8:i386 install
libssl1.0.0:i386 install
openssl install
ssl-cert install
What should I look at to solve this? Thanks,
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Error Loading extension section usr_cert
I don't have a /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
, so take this with a grain of salt...
opensslconf.h
from OpenSSL's distribution does include that section:
openssl-1.0.1h$ grep -R usr_cert *
apps/openssl-vms.cnf:x509_extensions = usr_cert # The extensions to add to the cert
apps/openssl-vms.cnf:[ usr_cert ]
apps/openssl.cnf:x509_extensions = usr_cert # The extensions to add to the cert
apps/openssl.cnf:[ usr_cert ]
Can you restore an old version of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
?
Here's the section from apps/openssl.cnf
. You might consider adding it to Easy RSA's configuration file if its missing. First, try an empty section. Then try adding the original code back.
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping