Differences

This shows you the differences between two versions of the page.

--- informatica:linux:openvpn [2015/02/02 13:43] – [Procedimiento generico] javi
+++ informatica:linux:openvpn [2018/01/05 10:05] – [Migracion a openvpn >=2.3] javi
@@ Line 22: / Line 22: @@
 <code>
-cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
+cd /usr/share/easy-rsa
 sudo su
 vim vars
@@ Line 44: / Line 44: @@
 ./clean-all
 ./build-ca
+</code>
+Error:
+<code>
+grep: /usr/share/easy-rsa/openssl.cnf: No such file or directory
+pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
+version of openssl.cnf: /usr/share/easy-rsa/openssl.cnf
+The correct version should have a comment that says: easy-rsa version 2.x
+</code>
+Solución:
+  ln -s openssl-1.0.0.cnf openssl.cnf
+Y volver a intentar:
+  ./build-ca
+Error:
+<code>
+unable to find 'distinguished_name' in config
+problems making Certificate Request
+1995425184:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:../crypto/conf/conf_lib.c:272:
+</code>
+Desconozco el motivo, pero se resuleve editando las lineas en las que se le asigna un valor a la variable "subjectAltName", en mi caso 2 veces:
+  vim openssl.cnf
+Y cambio los valores:
+<code>
+# anyadido
+#subjectAltName=$ENV::KEY_ALTNAMES
+subjectAltName=email:copy
+</code>
+Y volver a intentar:
+  ./build-ca
+Ahora a contestar las preguntas y pulsar "enter" al final de cada una:
+<code>
+Country Name (2 letter code) [US]:ES
+State or Province Name (full name) [BC]:
+Locality Name (eg, city) [Barcelona]:
+Organization Name (eg, company) [Contrabanda FM]:
+Organizational Unit Name (eg, section) [Tècnica]:
+Common Name (eg, your name or your server's hostname) [ContrabandaFM]:
+Name [EasyRSA]:
+Email Address [admin@example.com]:
 </code>
@@ Line 51: / Line 105: @@
   ./build-key-server server
+Ahora a contestar las preguntas y pulsar "enter" al final de cada una:
+<code>
+Country Name (2 letter code) [US]:ES
+State or Province Name (full name) [BC]:
+Locality Name (eg, city) [Barcelona]:
+Organization Name (eg, company) [Contrabanda FM]:
+Organizational Unit Name (eg, section) [Tècnica]:
+Common Name (eg, your name or your server's hostname) [ContrabandaFM]:
+Name [EasyRSA]:
+Email Address [admin@example.com]:
+</code>
+Las contraseñas las dejo en blanco:
+  A challenge password []:
+  An optional company name []:
+Y aquí hay que pulsar "y" más "enter":
+  Sign the certificate? [y/n]:
+out of 1 certificate requests certified, commit? [y/n]
 .2. Generate Diffie Hellman parameters
+**OJO**: puede llevar mucho tiempo, unos 15 minutos:
   ./build-dh
-.3. Mover llaves
+.3. Mover llaves (revisar, no estoy seguro de que haya que mover en lugar de copiar nada):
   mkdir -p /etc/openvpn/keys/server
@@ Line 79: / Line 158: @@
 cert /etc/openvpn/keys/server/server.crt
 key /etc/openvpn/keys/server/server.key
-dh /etc/openvpn/keys/server/dh1024.pem
+dh /etc/openvpn/keys/server/dh2048.pem
 server 172.16.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
@@ Line 104: / Line 183: @@
 ===== Generar claves de los clientes =====
-==== Migracion a openvpn >=2.3 ====
-**IMPORTANTE**: realizar los siguientes pasos **UNA** sola vez, en caso de migrar a openvpn >=2.3
-. Instalar paquete, ahora ya NO es parte de openvpn
-  sudo aptitude install easy-rsa
-. **IMPORTANTE**: mover certificados de la CA, lista de revocados, etc... a nueva ubicacion:
-  cd /usr/share/easy-rs
-  mv keys keys.old
-  sudo mv /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ /usr/share/easy-rsa
 ==== Procedimiento generico ====
@@ Line 770: / Line 837: @@
   Please enter the following 'extra' attributes
   to be sent with your certificate request
-  A challenge password []:fermin99
+  A challenge password []:mysecretpassword
   An optional company name []:
   Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf