Ssl 加载扩展节usr\U证书时出错
我在Ubuntu 14.04上运行openvpn。在OpenSSL升级之前,安装是正常的,然后当我尝试使用easy rsa创建新的客户端证书时,我收到以下消息:Ssl 加载扩展节usr\U证书时出错,ssl,openssl,openvpn,Ssl,Openssl,Openvpn,我在Ubuntu 14.04上运行openvpn。在OpenSSL升级之前,安装是正常的,然后当我尝试使用easy rsa创建新的客户端证书时,我收到以下消息: root@:easy-rsa# ./pkitool onokun Using Common Name: onokun Generating a 2048 bit RSA private key .+++ ........+++ writing new private key to 'onokun.key' ----- Using con
root@:easy-rsa# ./pkitool onokun
Using Common Name: onokun
Generating a 2048 bit RSA private key
.+++
........+++
writing new private key to 'onokun.key'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Error Loading extension section usr_cert
3074119356:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn
3074119356:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:537:
3074119356:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=onokun
openssl.cnfopenssl-1.0.0.cnf## openvpn
OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Originally developed by James Yonan
## openssl
OpenSSL 1.0.1f 6 Jan 2014
## dpkg --get-selections | grep ssl
libgnutls-openssl27:i386 install
libio-socket-ssl-perl install
libnet-smtp-ssl-perl install
libnet-ssleay-perl install
libssl-dev:i386 install
libssl-doc install
libssl0.9.8:i386 install
libssl1.0.0:i386 install
openssl install
ssl-cert install
/etc/openvpn/easy rsa/openssl-1.0.0.cnfopensslconf.hopenssl-1.0.1h$ grep -R usr_cert *
apps/openssl-vms.cnf:x509_extensions = usr_cert # The extensions to add to the cert
apps/openssl-vms.cnf:[ usr_cert ]
apps/openssl.cnf:x509_extensions = usr_cert # The extensions to add to the cert
apps/openssl.cnf:[ usr_cert ]
/etc/openvpn/easy rsa/openssl-1.0.0.cnfapps/openssl.cnf[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
通过比较一个没有这个问题的早期Ubuntu 14.04安装,似乎具体问题在于“subjectAltName”。我没有读过它的作用,但下面的命令将修复您的“openssl-1.0.0.cnf”文件:
我可能应该提交一份bug报告。这是Ubuntu中的bug。看 Yuriy描述的解决方案似乎有效(从launchpad复制): 在文件/usr/share/easy rsa/pkitol中 只需替换表达式: KEY\u ALTNAMES=“$KEY\u CN” 致: KEY\u ALTNAMES=“DNS:${KEY\u CN}” 在我的文件版本中,这是第284行,在字符串“Using Common Name”之后,我终于让他(在我的机器上)工作了。首先,我的设置有点不同,我在Windows10上,运行OpenSSL 1.0.2h。我正在尝试为测试生成多个证书、CA和其他内容,但出现错误:
配置文件例程:NCONF\u get\u字符串:无值:。\crypto\conf\conf\u lib.c:324:group=CA\u默认名称=email\u in\u dn####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/caprivkey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
email_in_dn = no # <-- fixes CONF_get_string:no value
####################################################################
[CA_默认值]
迪尔=/德莫卡#所有东西都放在那里
certs=$dir/certs#保存已颁发证书的位置
crl_dir=$dir/crl#保存已发布crl的位置
数据库=$dir/index.txt#数据库索引文件。
new_certs_dir=$dir/newcerts#新证书的默认位置。
证书=$dir/ca.crt#ca证书
serial=$dir/serial#当前序列号
crl=$dir/crl.pem#当前crl
私钥=$dir/private/caprivkey.pem#私钥
RANDFILE=$dir/private/.rand#private随机数文件
x509_extensions=usr_cert#要添加到证书的扩展
通过电子邮件_in_dn=no#消除此错误:
3074119356:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn
使用
在openssl命令中
例如:
$ openssl ca -batch -config openssl.cnf -extensions usr_cert -noemailDN -days 375 -notext -md sha256 -in csr/www.example8.com.csr.pem -out certs/www.example8.com.cert.pem -verbose -passin pass:changeit
谢谢,我复制了你的usr_证书部分,一切正常。我的openssl-1.0.0.cnf来自新安装的版本:2.2.2-1(Ubuntu14.04),作为记录,我在这里区分了它们,并且仍然试图找出错误。这似乎破坏了文件,我得到了这个错误:错误在/usr/share/easy rsa/openssl-1.0.0的第222行。cnfI评论了“subjectAltName=”在`/usr/share/easy rsa/openssl-1.0.0.cnf`中的行,而不是运行这一行。一切正常。有相同的问题,正在使用此指南,这解决了问题(步骤7)
3074119356:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn
-noemailDN
$ openssl ca -batch -config openssl.cnf -extensions usr_cert -noemailDN -days 375 -notext -md sha256 -in csr/www.example8.com.csr.pem -out certs/www.example8.com.cert.pem -verbose -passin pass:changeit