Still OpenSSL produced an error: 256 while generating OVPN root certificates

Dear all

I am running with the newest core 185
Was this bug here not fixed with the latest update?

Just for reference httpd log

Country Name (2 letter code) [GB]:State or Province Name (full name) :Locality Name (eg, city) :Organization Name (eg, company) [My Company Ltd]:Organizational Unit Name (eg, section) :Common>
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password :An optional company name :Error adding request extensions from section server
4047AD44D7740000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
4047AD44D7740000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:426:
4047AD44D7740000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
4047AD44D7740000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server, name=authorityKeyIdentifier, value=keyid,issuer:always

Thanks for any hint and help.

Kind regards, Beat

A fix was merged and I tested it with CU185 Testing and the root/host certificate set was created without any issues.

I have just updated my vm systems to CU185 so I will create a clone and test out clearing the x509 certificates and creating a new set and let you know what I find.

I have the same problem as you found.

Checking the ovpn.cnf file it does not have the changes.

However the changes are in the ovpn.cnf file in the IPFire repo for CU185.

Also the shipment of ovpn.cnf was also listed in the update so it should have been changed and as I say, when I tested it with the CU185 Testing, on a clone of the same vm the update occurred without any issues.

I will have to look further into this to understand what is happening.

Many thanks for your info. Very helpful! As I am somehow new to IpFire I did not know if the error is on my side. Just let me know once you know how I can fix the issue.

Kind regards, Beat

Having checked the exclude file it looks like all modifications to /var/ipfire/ovpn are excluded from being carried out during an update. Checking the CU185 upgrade log file confirmed that ovpn.cnf was not modified during the upgrade.

However that does not explain why the change worked for me when I tested it out in CU185 Testing.

If you are willing to edit files from the console command line I can give you instructions on which two lines need to be removed from the ovpn.cnf file.

Sure… not issue with that… Pls advise. Much appreciated!

Okay, here are the steps.

  1. Run the command cp /var/ipfire/ovpn/openssl/ovpn.cnf /var/ipfire/ovpn/openssl/ovpn.cnf.orig. This creates a backup copy.

  2. Run the command chown nobody:nobody /var/ipfire/ovpn/openssl/ovpn.cnf.orig. This changes the owner from root to nobody, in case you need to use this backup file.

  3. Run the command nano -l /var/ipfire/ovpn/openssl/ovpn.cnf. This will open the nano editor with line numbers shown. Remove the lines 88 & 87 and exit from editor saving the changes.
    These lines should have the contents

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

  1. Run the Generate root/host certificates command on the OpenVPN WUI page. It should work successfully now.

  2. If the changes work then you can delete the ovpn.cnf.orig file.

4 Likes

Dear Adolf…

This worked like a charm. Many thx for your support! Had to take some server options out of the config file of the downloaded packege for my Android mobile. But now it connects and its all well!

Glad it worked for you.

Sorry that it did not get properly into CU185.

Thank you, Adolf.

However we followed the steps and still got the 256 error. Do I need to restart IPfire before re-Generate the root/host certificates?

We are on IPFire 2.29 (x86_64) - Core-Update 185.

After you got the openssl error did you remove the x509 certificate set again. When you have the error the root certificate has been created but the host certificate failed to be created. That created root certificate needs to be removed before trying to create a new set after the ovpn.cnf file has been edited.

Yes, your instruction worked. Thank you Adolf!