Creating OpenVPN certificates on Mac OS X Server with EasyRSA!?

Thread starter: pfannkuchen2001 (member since 17.02.2006)
Hi,

I have created certificates for OpenVPN with Easy-RSA quite a few times before (on Linux boxes). Now I wanted to do the same on a Mac OS X Server. Unfortunately something always goes wrong there - here is what I did:
Code:
t64:Easy-Rsa ich$ . ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/Easy-Rsa/keys
t64:Easy-Rsa ich$ ./clean-all 
t64:Easy-Rsa ich$ ./build-ca
Generating a 1024 bit RSA private key
...............++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [TH]:
Locality Name (eg, city) [meineStadt]:
Organization Name (eg, company) [T64]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [T64 CA]:
Name []:
Email Address [me@myhost.mydomain]:
t64:Easy-Rsa ich$ ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
....................+.................................................................................+..........+............+.............................................................+......................+.....................................+.........+.................+.......................+..............................+.........................+..............................................+.....................+.....................+.......................+.................................+......+....................................................+.................................................+.........................................................+.............................................................+.......................................................................................+.................................+............+................................+.+......................................+.............+...........................................................................................+...................................................+........................+............................................................+...................................................+..........................................+..........................................+.............+.........................................................+.......+.........................................+....++*++*++*
t64:Easy-Rsa ich$ ./build-key-server OpenVPN_server01
Generating a 1024 bit RSA private key
...++++++
.......................................++++++
writing new private key to 'OpenVPN_server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [TH]:
Locality Name (eg, city) [meineStadt]:
Organization Name (eg, company) [T64]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [OpenVPN_server01]:
Name []:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/Easy-Rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'TH'
localityName          :PRINTABLE:'meineStadt'
organizationName      :PRINTABLE:'T64'
commonName            :T61STRING:'OpenVPN_server01'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Oct 10 14:29:15 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
t64:Easy-Rsa ich$ ./build-key-pass testuser
Generating a 1024 bit RSA private key
..........++++++
.....++++++
writing new private key to 'testuser.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [TH]:
Locality Name (eg, city) [meineStadt]:
Organization Name (eg, company) [T64]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [testuser]:
Name []:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/Easy-Rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'TH'
localityName          :PRINTABLE:'meineStadt'
organizationName      :PRINTABLE:'T64'
commonName            :PRINTABLE:'testuser'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Oct 10 14:30:34 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
t64:Easy-Rsa ich$ sudo /usr/local/Cellar/openvpn/2.1.1/sbin/openvpn --config /usr/local/etc/openvpn/server.conf
Password:
Wed Oct 13 16:30:49 2010 OpenVPN 2.1.1 i386-apple-darwin10.4.0 [SSL] [LZO2] built on Oct 11 2010
Wed Oct 13 16:30:49 2010 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Wed Oct 13 16:30:49 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Oct 13 16:30:49 2010 Diffie-Hellman initialized with 1024 bit key
Wed Oct 13 16:30:49 2010 Cannot load certificate file /usr/local/etc/openvpn/Easy-Rsa/keys/server01.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Wed Oct 13 16:30:49 2010 Exiting
t64:Easy-Rsa ich$


Any idea what I'm doing wrong? Or where the error might be?


Many thanks in advance!

Regards,

Pfannkuchen
 
Maybe Homebrew messed something up during the installation.
OpenVPN isn't hard to install manually either (./configure, make, sudo make install). Maybe that helps.
 
Hmm, I have now tried two more variants: compiling from source - without brew/MacPorts - and with MacPorts. Every time I get the same errors....

Ideas?

Regards,
Pfannkuchen
 
Hmm, I'm slowly getting desperate - always the same error!

Could it have something to do with the certificates that were created with Mac OS X Server? - i.e. that the CAs somehow interact with each other?

Regards

Pfannkuchen
 
At least I created public/private keys for OpenVPN on the Mac without problems of that kind.
If you run 'otool -L /path/to/openvpn-binary', does it print paths from /usr/local? If so, it could be that Homebrew installed libs incorrectly and /usr/local/lib comes before /usr/lib in your LIBRARY_PATH. In that case the manual installation doesn't help either, because it may be linked against the "wrong" libraries.
 
... Cannot load certificate file /usr/local/etc/openvpn/Easy-Rsa/keys/server01.crt ... No such file or directory

Are you sure that the file /usr/local/etc/openvpn/Easy-Rsa/keys/server01.crt exists? According to your log, the server certificate should be in the file /usr/local/etc/openvpn/Easy-Rsa/keys/OpenVPN_server01.crt.
 
Some file isn't being found. If it isn't the one mentioned above, run strace over it and see which one it is.
 
Hi,

the problem is still there. The output is this:
sh-3.2# openvpn server.conf
Sat Oct 16 18:43:09 2010 OpenVPN 2.1.1 i386-apple-darwin10.4.0 [SSL] [LZO2] built on Oct 14 2010
Sat Oct 16 18:43:09 2010 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sat Oct 16 18:43:09 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Oct 16 18:43:10 2010 Diffie-Hellman initialized with 2048 bit key
Sat Oct 16 18:43:10 2010 Cannot load private key file /usr/local/etc/openvpn/keys/ca.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Sat Oct 16 18:43:10 2010 Error: private key password verification failed
Sat Oct 16 18:43:10 2010 Exiting

The problem with the
No such file or directory

is fixed... :S

Regards

Pfannkuchen
 
Sat Oct 16 18:43:10 2010 Cannot load private key file /usr/local/etc/openvpn/keys/ca.key: error:0B080074:x509 certificate

The OpenVPN server must not load the CA key, but the key that belongs to the server certificate. In your case that is OpenVPN_server01.key.
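Both failures in this thread (a `cert`/`key` path in server.conf that does not exist, and a `key` line pointing at ca.key instead of the key belonging to the server certificate) can be caught before starting the daemon. The following is an added example, not code from the thread or from OpenVPN/Easy-RSA; the config file name and the key/certificate file names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the ca/cert/key/dh lines of an OpenVPN
# server.conf. File names and paths are assumptions, not taken from the thread.
set -u

# Print the path named by a directive (ca, cert, key, dh) in the config,
# resolved relative to the config file's directory when it is not absolute.
conf_path() {
    conf="$1"; directive="$2"
    value=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
    [ -n "$value" ] || return 1
    case "$value" in
        /*) printf '%s\n' "$value" ;;
        *)  printf '%s/%s\n' "$(dirname "$conf")" "$value" ;;
    esac
}

# Return 0 when every referenced file exists, 1 otherwise, naming each missing
# file (the first error in the thread: server01.crt vs OpenVPN_server01.crt).
check_files_exist() {
    conf="$1"; rc=0
    for d in ca cert key dh; do
        p=$(conf_path "$conf" "$d") || { echo "missing directive: $d"; rc=1; continue; }
        [ -f "$p" ] || { echo "$d -> $p: No such file or directory"; rc=1; }
    done
    return $rc
}

# Return 0 when the RSA private key under "key" belongs to the certificate
# under "cert": the public key is exported from both as PEM and compared.
# A "key ca.key" line fails here for the same reason OpenVPN reports
# "X509_check_private_key:key values mismatch". A passphrase-protected key
# (Easy-RSA build-key-pass) makes openssl prompt for the passphrase.
check_key_matches_cert() {
    conf="$1"
    cert=$(conf_path "$conf" cert) || return 1
    key=$(conf_path "$conf" key) || return 1
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl rsa -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}
```

Run `check_files_exist /usr/local/etc/openvpn/server.conf && check_key_matches_cert /usr/local/etc/openvpn/server.conf` before `openvpn --config ...`; a non-zero exit tells you which of the two problems you have.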
 