OpenVPN OpenSSL produced an error: 256

Hello!

I removed OpenVPN X509.
I wanted to do it all over again.
When I click on Generate root/host certificates and fill in the data, it says the following errors:
“OpenSSL produced an error: 256 ovpn”
“A valid root certificate already exists. ovpn”

I have attached images and log files. How can I get OpenVPN working?





> [root@wrouter ipfire]# grep error /var/log/httpd/error_log
> 40A7E45092740000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40A7E45092740000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40A7E45092740000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 40A7E45092740000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 409760A26A7A0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 409760A26A7A0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 409760A26A7A0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 409760A26A7A0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 40B7C170C7790000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40B7C170C7790000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40B7C170C7790000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 40B7C170C7790000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 403774C659780000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 403774C659780000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 403774C659780000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 403774C659780000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 40D7914D827D0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40D7914D827D0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40D7914D827D0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 40D7914D827D0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 40E73307027A0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40E73307027A0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40E73307027A0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 40E73307027A0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 405724AC37750000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 405724AC37750000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 405724AC37750000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 405724AC37750000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 4087FDF090700000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 4087FDF090700000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 4087FDF090700000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 4087FDF090700000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 40F7B8BE357D0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40F7B8BE357D0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40F7B8BE357D0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 40F7B8BE357D0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 4037D51D64790000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 4037D51D64790000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 4037D51D64790000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 4037D51D64790000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 40D77E3985740000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40D77E3985740000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40D77E3985740000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 40D77E3985740000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 40276B776F730000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40276B776F730000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40276B776F730000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 40276B776F730000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always
> 40F7E6D7F77E0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40F7E6D7F77E0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
> 40F7E6D7F77E0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
> 40F7E6D7F77E0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always


There is a bug related to this issue which should have been fixed in CU185 but unfortunately the updated ovpn.cnf file did not get shipped with the update, although it was specified to be shipped.

It looks like the location that the file is stored in can end up not being correctly shipped even though it has been specified.

A change of location of the file is being looked at and will be implemented into CU186.

https://bugzilla.ipfire.org/show_bug.cgi?id=13595

In the meantime it is possible to implement the changes in ovpn.cnf manually as per this post

https://community.ipfire.org/t/still-openssl-produced-an-error-256-while-generating-ovpn-root-certificates/11490/7


Yes, that worked. Thanks.
But it doesn’t do this:

Diffie-Hellman parameter: Not present

After you edited the ovpn.cnf file, did you press the Remove x509 button again?

The last situation you had was with the root certificate created but no host certificate which is a half way house.

Best option is to remove the x509 again and start from fresh but now with the corrected ovpn.cnf.

When I do that then I get the following screen and yours should be similar.

Does not work. It says this no matter what I do:
Diffie-Hellman-Parameter: Not present

If I do it like this: "openssl dhparam -out ffdhe4096.pem 4096"
I will copy it to the /etc/ssl/ folder, can it work?

Can you confirm that ffdhe4096.pem is not present in the /etc/ssl/ directory?

If not then somehow it has been deleted.

Just creating any 4096 dh parameter is not the correct approach. It is not just the length that is important but also that it is audited for a secure standardised approach. Just creating a random dh parameter can be abused to give a weak result.

Bug 12632

RFC 7919, section A.3

The standardised file was implemented in Core Update 172.

If that file has been deleted then we cannot be certain that other files have also been deleted and will create other problems later on.

If I had that situation I would do a fresh install, make the modifications to ovpn.cnf and then start with the OpenVPN setup again.

If you really want to just add the proper dh file into your system and hope that nothing else goes wrong then you could copy the ffdhe4096.pem file from the IPFire git repository.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/ssl/ffdhe4096.pem;h=3cf0fcbc011fa0a04c3f55d446916e169d40f52f;hb=refs/heads/next
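
A way to check that a `ffdhe4096.pem` on disk really is the standardised RFC 7919 group rather than an arbitrary 4096-bit parameter (an added example, not part of the thread or of IPFire's code). It rebuilds the ffdhe4096 modulus from the RFC 7919 formula instead of embedding it; the constant `5736041`, the function names and the assumption that the file is a PKCS#3 `DH PARAMETERS` PEM block are the editor's, not the page's.

```python
import base64, re, sys

X_FFDHE4096 = 5736041  # ffdhe4096 constant from RFC 7919 A.3 (editor's assumption)

def e_floor(shift, guard=64):
    """floor(e * 2**shift), summing 1/k! in fixed point with guard bits."""
    term = total = 1 << (shift + guard)
    k = 1
    while term:
        term //= k
        total += term
        k += 1
    return total >> guard

def ffdhe4096_prime():
    """p = 2^4096 - 2^4032 + (floor(2^3966 * e) + X) * 2^64 - 1."""
    return (1 << 4096) - (1 << 4032) + ((e_floor(3966) + X_FFDHE4096) << 64) - 1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_params_from_pem(pem):
    """Extract (p, g) from a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    tag_p, p, pos = read_tlv(seq, 0)
    tag_g, g, _ = read_tlv(seq, pos)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("not SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def is_ffdhe4096(pem):
    """True only if the modulus is the RFC 7919 ffdhe4096 prime and g == 2."""
    p, g = dh_params_from_pem(pem)
    return p == ffdhe4096_prime() and g == 2

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/ffdhe4096.pem"
    with open(path) as fh:
        ok = is_ffdhe4096(fh.read())
    print(path, "matches ffdhe4096" if ok else "is NOT ffdhe4096")
```

A file produced by `openssl dhparam -out ffdhe4096.pem 4096` will be reported as not matching, because its modulus is freshly generated rather than the standardised one.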