Problem generating OpenVPN keys? What is the cause??
I followed the instructions, and at the end used the generated server.* files to start the VPN, but it reports an error and I don't know why.....
Hoping an expert can point out the mistake, thanks!!!
C:\Program Files\OpenVPN\easy-rsa>dir
Volume in drive C has no label.
Volume Serial Number is ACDD-1734
Directory of C:\Program Files\OpenVPN\easy-rsa
2007-05-13 00:19 <DIR> .
2007-05-13 00:19 <DIR> ..
2007-05-13 00:18 1,024 .rnd
2007-05-12 23:56 <DIR> bak
2007-04-22 13:10 194 build-ca.bat
2007-04-22 13:10 123 build-dh.bat
2007-04-22 13:10 642 build-key-pkcs12.bat
2007-04-22 13:10 475 build-key-server.bat
2007-04-22 13:10 456 build-key.bat
2007-04-22 13:10 440 clean-all.bat
2007-04-22 13:10 0 index.txt.start
2007-04-22 13:10 68 init-config.bat
2007-05-13 00:19 <DIR> keys
2007-04-26 07:53 7,742 openssl.cnf
2007-04-26 07:53 7,742 openssl.cnf.sample
2007-04-22 13:10 1,165 README.txt
2007-04-22 13:10 517 revoke-full.bat
2007-04-22 13:10 4 serial.start
2007-04-22 13:10 890 vars.bat
2007-04-22 13:10 890 vars.bat.sample
16 File(s) 22,372 bytes
4 Dir(s) 296,886,272 bytes free
C:\Program Files\OpenVPN\easy-rsa>vars.bat
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............+.................................+.................+............
...................+............................+...............................
....................................................................+.++*++*++*
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................................................................................
.........++++++
..................................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [[email protected]]:
C:\Program Files\OpenVPN\easy-rsa>build-key.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.++++++
.........++++++
writing new private key to 'keys\.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'FortFunston'
emailAddress :IA5STRING:'[email protected]'
The commonName field needed to be supplied and was missing
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
C:\Program Files\OpenVPN\easy-rsa>build-key server
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......................++++++
......++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'FortFunston'
emailAddress :IA5STRING:'[email protected]'
The commonName field needed to be supplied and was missing
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
C:\Program Files\OpenVPN\easy-rsa>build-key client
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..........++++++
...................................++++++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'FortFunston'
emailAddress :IA5STRING:'[email protected]'
The commonName field needed to be supplied and was missing
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
C:\Program Files\OpenVPN>cd sample-config
C:\Program Files\OpenVPN\sample-config>openvpn --config server.ovpn
Sun May 13 00:23:59 2007 OpenVPN 2.1_rc4 Win32-MinGW built on Apr 25 2007
Sun May 13 00:23:59 2007 Diffie-Hellman initialized with 1024 bit key
Sun May 13 00:23:59 2007 Cannot load certificate file server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Sun May 13 00:23:59 2007 Exiting
C:\Program Files\OpenVPN\sample-config>
《Solution》
I went through all the .bat files again and ran each command by hand myself:
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl.cnf
set KEY_DIR=keys
set KEY_SIZE=1024
set KEY_COUNTRY=CN
set KEY_PROVINCE=GD
set KEY_CITY=Guangzhou
set KEY_ORG=Fly
set [email protected]
copy openssl.cnf.sample openssl.cnf
copy index.txt.start keys\index.txt
copy serial.start keys\serial
openssl req -days 3650 -nodes -new -x509 -keyout keys\ca.key -out keys\ca.crt -config openssl.cnf
openssl dhparam -out keys\dh1024.pem 1024
openssl req -days 3650 -nodes -new -keyout keys\server.key -out keys\server.csr -config openssl.cnf
openssl ca -days 3650 -out keys\server.crt -in keys\server.csr -extensions server -config openssl.cnf
openssl req -days 3650 -nodes -new -keyout keys\client.key -out keys\client.csr -config openssl.cnf
openssl ca -days 3650 -out keys\client.crt -in keys\client.csr -config openssl.cnf
openvpn --genkey --secret keys/ta.key
When creating the client certificate, it reported:
C:\Program Files\OpenVPN\easy-rsa>openssl ca -days 3650 -out keys\client.crt -in keys\client.csr -config openssl.cnf
Using configuration from openssl.cnf
Loading 'screen' into random state - done
DEBUG: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'Quangzhou'
organizationName :PRINTABLE:'Fly'
organizationalUnitName:PRINTABLE:'Apple'
commonName :PRINTABLE:'abc'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until May 10 09:42:33 2017 GMT (3650 days)
Sign the certificate? :y
failed to update database
TXT_DB error number 2
C:\Program Files\OpenVPN\easy-rsa>
It fails here, yet creating the server certificate worked fine. I don't know why......
Finally:
openvpn --genkey --secret keys/ta.key
This one had no problem at all; ta.key came out as usual..... baffling...
《Solution》
Problem solved. The cause is that the common name cannot be repeated. Continuing to look into it.
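As an added example (not code from the post, nor from OpenVPN's easy-rsa), the following POSIX shell script builds a throwaway CA with the same `openssl req` / `openssl ca` steps the post runs by hand and reproduces both failures shown above: a request whose commonName is left empty is rejected by the CA policy, so no PEM block ever reaches server.crt (which is what OpenVPN later reports as "no start line"), and a second request carrying the same CN as an already issued certificate is refused while `unique_subject = yes` (the setting the post's DEBUG line reports). It then shows the two ways out: a distinct CN, or `unique_subject = no`. The mktemp work directory, the CA name "Demo CA", the CN "client1" and the extension sections are assumptions for the demo; "Fly" and "abc" are the O and CN values from the post's own output. The exact wording of the refusal varies between OpenSSL releases (the post's version printed "TXT_DB error number 2"; newer ones may phrase it differently), so the script greps for either form only to display it and asserts on exit status and index.txt instead. The openssl command lines are identical on Windows apart from the path separators.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenVPN/easy-rsa. Builds a
# throwaway CA with the same openssl req / openssl ca steps the post runs by
# hand and reproduces its two failures. Assumed for the demo: the mktemp work
# dir, the CA name "Demo CA", CN "client1" and the extension sections; "Fly"
# and "abc" are the O and CN values from the post's own output.

# Write a minimal openssl.cnf (policy: commonName must be supplied, as in
# easy-rsa's; unique_subject set to $2) and self-sign the CA. $1 = work dir.
make_ca() {
    mkdir -p "$1/keys" || return 1
    : > "$1/keys/index.txt"      # same role as the post's copy index.txt.start
    echo 01 > "$1/keys/serial"   # same role as the post's copy serial.start
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = $1/keys
database           = \$dir/index.txt
new_certs_dir      = \$dir
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
serial             = \$dir/serial
default_md         = sha256
default_days       = 3650
policy             = policy_match
x509_extensions    = v3_leaf
unique_subject     = $2
[ policy_match ]
organizationName   = optional
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints   = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -x509 -nodes -days 3650 -subj "/CN=Demo CA" \
        -keyout "$1/keys/ca.key" -out "$1/keys/ca.crt" \
        -config "$1/openssl.cnf" 2>/dev/null
}

# Key + CSR for subject $3 under file stem $2, then have the CA sign it. The
# CA's messages go to stdout for the caller; the return status is openssl ca's.
issue() {
    openssl req -new -nodes -subj "$3" -keyout "$1/keys/$2.key" \
        -out "$1/keys/$2.csr" -config "$1/openssl.cnf" 2>/dev/null || return 1
    openssl ca -batch -notext -in "$1/keys/$2.csr" -out "$1/keys/$2.crt" \
        -config "$1/openssl.cnf" 2>&1
}

# What OpenVPN needs at startup: a PEM certificate block that chains to the CA.
cert_usable() {
    grep -q 'BEGIN CERTIFICATE' "$1/keys/$2.crt" 2>/dev/null &&
        openssl verify -CAfile "$1/keys/ca.crt" "$1/keys/$2.crt" >/dev/null 2>&1
}

# Failure 1: commonName left empty (only O=Fly). The policy rejects the
# request, so server.crt never gets a certificate. Returns 0 when reproduced.
demo_missing_cn() {
    d=$(mktemp -d) || return 1
    make_ca "$d" yes || { rm -rf "$d"; return 1; }
    issue "$d" server "/O=Fly" >/dev/null; rc=$?
    usable=1; cert_usable "$d" server && usable=0
    rm -rf "$d"
    [ "$rc" -ne 0 ] && [ "$usable" -eq 1 ]
}

# Failure 2: CN "abc" signed twice under unique_subject = yes. The second
# request is refused and index.txt keeps a single entry. Returns 0 when so.
demo_duplicate_cn() {
    d=$(mktemp -d) || return 1
    make_ca "$d" yes || { rm -rf "$d"; return 1; }
    issue "$d" server "/CN=abc" >/dev/null || { rm -rf "$d"; return 1; }
    msg=$(issue "$d" client "/CN=abc"); rc=$?
    echo "$msg" | grep -E 'TXT_DB error|already a certificate' >&2
    n=$(grep -c '^V' "$d/keys/index.txt")
    rm -rf "$d"
    [ "$rc" -ne 0 ] && [ "$n" -eq 1 ]
}

# The fixes: a distinct CN under unique_subject = yes, or unique_subject = no
# with an identical CN. Returns 0 when both issue and verify against the CA.
demo_fixes() {
    d=$(mktemp -d) || return 1
    make_ca "$d" yes && issue "$d" server "/CN=abc" >/dev/null &&
        issue "$d" client "/CN=client1" >/dev/null &&
        cert_usable "$d" server && cert_usable "$d" client
    ok1=$?
    rm -rf "$d"
    d=$(mktemp -d) || return 1
    make_ca "$d" no && issue "$d" server "/CN=abc" >/dev/null &&
        issue "$d" client "/CN=abc" >/dev/null && cert_usable "$d" client
    ok2=$?
    rm -rf "$d"
    [ "$ok1" -eq 0 ] && [ "$ok2" -eq 0 ]
}

# Report the three scenarios when run as a script.
main() {
    for demo in demo_missing_cn demo_duplicate_cn demo_fixes; do
        if "$demo"; then echo "$demo: reproduced"; else echo "$demo: FAILED"; fi
    done
}
main
```

Save the script and run it with `sh`; each scenario prints "reproduced" or "FAILED", and the second scenario also echoes the CA's refusal line. The `cert_usable` check is the one worth keeping around: running it against server.crt before starting OpenVPN turns the opaque "no start line" error into a plain "the CA never issued this certificate".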