Problem generating keys with OpenVPN. What is the cause?

火星人 @ 2014-03-05 , reply:0



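I followed the instructions and then used the generated server.* files to start the VPN, but it reported an error and I don't know why.
I hope an expert can point out the problem. Thank you!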


C:\Program Files\OpenVPN\easy-rsa>dir
驅動器 C 中的卷沒有標籤。
卷的序列號是 ACDD-1734

C:\Program Files\OpenVPN\easy-rsa 的目錄

2007-05-13  00:19    <DIR>          .
2007-05-13  00:19    <DIR>          ..
2007-05-13  00:18             1,024 .rnd
2007-05-12  23:56    <DIR>          bak
2007-04-22  13:10               194 build-ca.bat
2007-04-22  13:10               123 build-dh.bat
2007-04-22  13:10               642 build-key-pkcs12.bat
2007-04-22  13:10               475 build-key-server.bat
2007-04-22  13:10               456 build-key.bat
2007-04-22  13:10               440 clean-all.bat
2007-04-22  13:10                 0 index.txt.start
2007-04-22  13:10                68 init-config.bat
2007-05-13  00:19    <DIR>          keys
2007-04-26  07:53             7,742 openssl.cnf
2007-04-26  07:53             7,742 openssl.cnf.sample
2007-04-22  13:10             1,165 README.txt
2007-04-22  13:10               517 revoke-full.bat
2007-04-22  13:10                 4 serial.start
2007-04-22  13:10               890 vars.bat
2007-04-22  13:10               890 vars.bat.sample
              16 個文件         22,372 位元組
               4 個目錄    296,886,272 可用位元組

C:\Program Files\OpenVPN\easy-rsa>vars.bat

C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............+.................................+.................+............
...................+............................+...............................
....................................................................+.++*++*++*





C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................................................................................
.........++++++
..................................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [mail@host.domain]:








C:\Program Files\OpenVPN\easy-rsa>build-key.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.++++++
.........++++++
writing new private key to 'keys\.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'FortFunston'
emailAddress          :IA5STRING:'mail@host.domain'
The commonName field needed to be supplied and was missing
找不到 C:\Program Files\OpenVPN\easy-rsa\keys\*.old












C:\Program Files\OpenVPN\easy-rsa>build-key server
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......................++++++
......++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'FortFunston'
emailAddress          :IA5STRING:'mail@host.domain'
The commonName field needed to be supplied and was missing
找不到 C:\Program Files\OpenVPN\easy-rsa\keys\*.old





C:\Program Files\OpenVPN\easy-rsa>build-key client
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..........++++++
...................................++++++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'FortFunston'
emailAddress          :IA5STRING:'mail@host.domain'
The commonName field needed to be supplied and was missing
找不到 C:\Program Files\OpenVPN\easy-rsa\keys\*.old


C:\Program Files\OpenVPN>cd sample-config
C:\Program Files\OpenVPN\sample-config>
C:\Program Files\OpenVPN\sample-config>
C:\Program Files\OpenVPN\sample-config>openvpn --config server.ovpn
Sun May 13 00:23:59 2007 OpenVPN 2.1_rc4 Win32-MinGW built on Apr 2
5 2007
Sun May 13 00:23:59 2007 Diffie-Hellman initialized with 1024 bit key
Sun May 13 00:23:59 2007 Cannot load certificate file server.crt: error:0906D06C
:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_us
e_certificate_file:PEM lib
Sun May 13 00:23:59 2007 Exiting

C:\Program Files\OpenVPN\sample-config>
《Solution》

I went through all the .bat files again and ran each command by hand:

set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl.cnf
set KEY_DIR=keys
set KEY_SIZE=1024
set KEY_COUNTRY=CN
set KEY_PROVINCE=GD
set KEY_CITY=Guangzhou
set KEY_ORG=Fly
set KEY_EMAIL=llaikevin@163.com

copy openssl.cnf.sample openssl.cnf
copy index.txt.start keys\index.txt
copy serial.start keys\serial

openssl req -days 3650 -nodes -new -x509 -keyout keys\ca.key -out keys\ca.crt -config openssl.cnf
openssl dhparam -out keys\dh1024.pem 1024
openssl req -days 3650 -nodes -new -keyout keys\server.key -out keys\server.csr -config openssl.cnf
openssl ca -days 3650 -out keys\server.crt -in keys\server.csr -extensions server -config openssl.cnf
openssl req -days 3650 -nodes -new -keyout keys\client.key -out keys\client.csr -config openssl.cnf
openssl ca -days 3650 -out keys\client.crt -in keys\client.csr -config openssl.cnf
openvpn --genkey --secret keys/ta.key


When creating the client certificate, I got this message:



C:\Program Files\OpenVPN\easy-rsa>openssl ca -days 3650 -out keys\client.crt -in keys\client.csr -config openssl.cnf
Using configuration from openssl.cnf
Loading 'screen' into random state - done
DEBUG: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'FJ'
localityName          :PRINTABLE:'Quangzhou'
organizationName      :PRINTABLE:'Fly'
organizationalUnitName:PRINTABLE:'Apple'
commonName            :PRINTABLE:'abc'
emailAddress          :IA5STRING:'abc@163.com'
Certificate is to be certified until May 10 09:42:33 2017 GMT (3650 days)
Sign the certificate? :y
failed to update database
TXT_DB error number 2

C:\Program Files\OpenVPN\easy-rsa>

It failed here, but creating the server certificate worked fine. I don't know why...

Finally:

openvpn --genkey --secret keys/ta.key


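This one had no problem at all; ta.key was generated as usual... I'm baffled...
《Solution》

Problem solved. The cause is that the common name cannot be duplicated. I'll keep investigating.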
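
The two failures in this thread can be checked before starting OpenVPN or signing a request. The following is an added example, not code from the original post or from OpenVPN/easy-rsa: it parses the CA database `keys\index.txt` to find a still-valid entry with the same subject (the condition behind `TXT_DB error number 2` when `unique_subject = yes`), and checks that a `.crt` file actually contains a PEM certificate (the `no start line` error). The function names and the sample index line are assumptions made for illustration.

```python
# Added example (not from the original post). index.txt layout: six tab-separated
# fields per line: status, expiry, revocation date, serial, filename, subject DN.

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def parse_index(text):
    """Parse the text of an OpenSSL CA index.txt into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expires, revoked, serial, _filename, subject = fields
        entries.append({"status": status, "expires": expires,
                        "revoked": revoked, "serial": serial, "subject": subject})
    return entries


def find_subject_clash(index_text, new_subject):
    """Return the serial of a valid (V) entry with the same subject, else None.

    With unique_subject = yes, 'openssl ca' rejects such a request with
    'TXT_DB error number 2'. Revoked (R) entries do not block a new one.
    """
    for entry in parse_index(index_text):
        if entry["status"] == "V" and entry["subject"] == new_subject:
            return entry["serial"]
    return None


def has_pem_certificate(data):
    """False for an empty or non-PEM file (OpenVPN: 'no start line')."""
    return any(line.strip() == PEM_BEGIN for line in data.splitlines())


# Subject DN as printed in the post's failing 'openssl ca' run.
SUBJECT = "/C=CN/ST=FJ/L=Quangzhou/O=Fly/OU=Apple/CN=abc/emailAddress=abc@163.com"
# Constructed: index.txt as it would look if the server certificate had
# already been signed with that same subject (serial and expiry are made up).
SAMPLE_INDEX = "V\t170510094000Z\t\t01\tunknown\t" + SUBJECT + "\n"

if __name__ == "__main__":
    other = SUBJECT.replace("/CN=abc/", "/CN=client1/")
    print("same subject clashes with serial:", find_subject_clash(SAMPLE_INDEX, SUBJECT))
    print("distinct CN clashes with serial:", find_subject_clash(SAMPLE_INDEX, other))
    print("empty server.crt holds a certificate:", has_pem_certificate(b""))
```

The comparison is on the whole subject string, so giving the server and each client a distinct Common Name is enough to avoid the clash.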



