
openvpn works but I get an alert on ipfire

Posted: June 27th, 2019, 9:19 am
by LouR
Cryptographic warning
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!

I have rebuilt my certs several times already (not with the latest version) and the warning will not go away. Should I just blow away my certs again and give it another shot??

Re: openvpn works but I get an alert on ipfire

Posted: June 27th, 2019, 1:02 pm
by JonM
What version of IPFire?

This might help for an older version. (I experienced a similar error in September 2018)
viewtopic.php?f=27&t=21391&p=118661&hil ... 80#p118661

Re: openvpn works but I get an alert on ipfire

Posted: June 27th, 2019, 1:10 pm
by LouR
It's the latest version, 133. Thanks.

Re: openvpn works but I get an alert on ipfire

Posted: July 22nd, 2019, 3:23 pm
by dragonslayr
Here's what I've done (on several machines) to fix this.

******** Error ********************
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

Replace the contents in /var/ipfire/ovpn/openssl/ovpn.cnf with this:


HOME				= .
RANDFILE			= /var/ipfire/ovpn/ca/.rnd
oid_section			= new_oids

[ new_oids ]

[ ca ]
default_ca			= openvpn

[ openvpn ]
dir				= /var/ipfire/ovpn
certs				= $dir/certs
crl_dir				= $dir/crl
database			= $dir/certs/index.txt
new_certs_dir			= $dir/certs
certificate			= $dir/ca/cacert.pem
serial				= $dir/certs/serial
crl				= $dir/crl.pem
private_key			= $dir/ca/cakey.pem
RANDFILE			= $dir/ca/.rand
x509_extensions			= usr_cert
default_days			= 999999
default_crl_days		= 30
default_md			= sha256
preserve			= no
policy				= policy_match
email_in_dn			= no

[ policy_match ]
countryName			= optional
stateOrProvinceName		= optional
organizationName		= optional
organizationalUnitName		= optional
commonName			= supplied
emailAddress			= optional

[ req ]
default_bits			= 2048
default_keyfile 		= privkey.pem
distinguished_name		= req_distinguished_name
attributes			= req_attributes
x509_extensions			= v3_ca
string_mask 			= nombstr

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= GB
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= 

localityName			= Locality Name (eg, city)
#localityName_default		= 

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= My Company Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 40

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20
unstructuredName		= An optional company name

[ usr_cert ]
basicConstraints		= CA:FALSE
nsComment			= "OpenSSL Generated Certificate"
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always
extendedKeyUsage               = clientAuth
keyUsage                       = digitalSignature

[ server ]

# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints		= CA:FALSE
nsCertType			= server
nsComment			= "OpenSSL Generated Server Certificate"
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always 
extendedKeyUsage               = serverAuth
keyUsage                       = digitalSignature, keyEncipherment

[ v3_req ]
basicConstraints 		= CA:FALSE
keyUsage 			= nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always,issuer:always
basicConstraints 		= CA:true

[ crl_ext ]
authorityKeyIdentifier		= keyid:always,issuer:always

[ engine ]
default 			= openssl
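
As an added check that is not part of dragonslayr's post or of IPFire's own code, the POSIX shell script below signs a throwaway certificate with the same [server] extensions as the posted ovpn.cnf and then verifies with openssl that the certificate really carries them, alongside a second certificate made without those extensions. The minimal config, the hostname and the file names are constructed for the demo; to inspect the host certificate IPFire generated, call check_server_cert with its path instead.

```shell
#!/bin/sh
# Added example, not from the thread: sign a throwaway certificate with the
# same [server] extensions as the posted ovpn.cnf, then verify that the
# certificate really carries them. Needs only the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed minimal config: just the pieces needed for this demo.
cat > "$WORK/mini.cnf" <<'EOF'
[ req ]
distinguished_name     = dn
prompt                 = no
[ dn ]
CN                     = ipfire.example.test
[ server ]
basicConstraints       = CA:FALSE
nsCertType             = server
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage       = serverAuth
keyUsage               = digitalSignature, keyEncipherment
EOF

# Self-signed here for simplicity; on IPFire the ovpn.cnf CA signs instead.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/mini.cnf" \
  -extensions server -keyout "$WORK/k1.pem" -out "$WORK/good.pem" 2>/dev/null
# Same subject and key type but without the [server] section: the kind of
# certificate that lacks the server extensions the posted config adds.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/mini.cnf" \
  -keyout "$WORK/k2.pem" -out "$WORK/bad.pem" 2>/dev/null

# check_server_cert FILE: report each extension a server cert should carry;
# return 0 only when all of them appear in the openssl text dump.
check_server_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  rc=0
  for needle in "X509v3 Basic Constraints" "X509v3 Subject Key Identifier" \
      "X509v3 Authority Key Identifier" "TLS Web Server Authentication" \
      "Key Encipherment"; do
    if printf '%s\n' "$text" | grep -q "$needle"; then
      echo "ok:      $needle"
    else
      echo "MISSING: $needle"; rc=1
    fi
  done
  return $rc
}

check_server_cert "$WORK/good.pem"
if check_server_cert "$WORK/bad.pem"; then echo "unexpected"; else echo "bad.pem flagged"; fi
```

The second certificate fails the check because it has no extendedKeyUsage or keyUsage, which is the difference the [server] section makes.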




Re: openvpn works but I get an alert on ipfire

Posted: July 23rd, 2019, 1:51 pm
by LouR
Do I have to rebuild and reissue client certs after replacing the contents of the folder? Thanks