Remove x509 certificate

On cu167, I removed x509 certificates, then created a new root/host combo with 2048, it complains it already exists. I thought removing x509 would wipe the /var/ipfire/ovpn/certs/ dir so I can start from scratch. Can I safely remove that dir and start again? thanks.

Can you check if this also applies to your case:

Thanks but I dont use n2n, I use roadwarrior.

I looked at /var/log/http/error_log it tells me it exists but does not tell me which file …

The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'az'
localityName          :PRINTABLE:'phoenix'
organizationName      :PRINTABLE:'ipfire'
organizationalUnitName:PRINTABLE:'it'
commonName            :PRINTABLE:'zotac.lan'
ERROR:There is already a certificate for /C=US/ST=az/O=ipfire/OU=it/CN=zotac.lan

I meant for you to analyse this post:

ok, I will … sorry I misunderstood.

Is your error:

OpenSSL produced an error: 256

obraz

yes, and I will try to paste the index.txt from the other network … hold on

[root@zotac ~]# cat /var/ipfire/ovpn/certs/index.txt
V	47600406155754Z		01	unknown	/C=US/ST=az/O=ipfire/OU=it/CN=zotac.lan
V	240510160102Z		02	unknown	/C=US/ST=az/O=ipfire/OU=it/CN=bob

Should the Common Name (CN=) be the destination ip (zotac.lan) or the user’s name (bob)?

Also, /var/ipfire/ovpn/certs/serial has 03

obraz

That is correct if you currently have two listed in index.txt as 03 is the next one to be created, irrespective of hex or decimal at this level of number.
Mine is 27 (hex) or 39 (decimal) and I have 38 (decimal) entries listed in my index.txt, most of which have been revoked.

The CN should be what you entered into the first box when you created the certificate for the connection in question.
The box is labelled
User's full name or system hostname:

Your 01 entry is for the host entry in your OpenVPN setup so 02 is the connection that you have defined where you set the “User’s full name or system hostname:” to bob. It can effectively be anything you want but will then be the Common Name for that connection from then on and cannot be changed without re-creating a new certificate.

I stop openVPN, I click remove x509 certificates. Indeed, root/host certs are gone from the WUI.

I expect /var/ipfire/ovpn/certs/index.txt to be null and serial to be 01 so that I can create a new combo root/host cert with DH, then index.txt will have the host cert and serial increment to 02.

I will zap them again and verify. Appreciate the help.

The contents of the /var/ipfire/openvpn/certs/ folder
Left before x509 removal and right after removal

I think it was about zotac.lan
When you try to add a connection with the same User's full name or system hostname: you get an error


The page in the below link may explain a lot

edit:

Below are the test results

After removing the connection, you can add another one with the same User's full name or system hostname:

2 Likes

Thank you, @tphz Tom, this is good info, I appreciate it.

BTW, midnight Commander, still good after almost 30 years :slight_smile:

1 Like

Yes, MC is in my “must have” group. :wink::smiley: From the time it was created.
If I remember correctly. :wink: