Hi all,
I am configuring openvpn-2.0.8. I generated the ca, key and cert for both the server and the client. The client.crt for all clients is 0 bytes. Contains nothing.
My worry is, is this how it is supposed to be? Because when I start the openvpn client, the config file is unable to open the certificate.
Some help please!
The OpenVPN documentation on their website is very good indeed so if you follow their steps exactly to generate keys it should work. The steps involve building your own CA, the server keys and the client keys. I'd follow their procedure exactly again which will delete existing keys and create new ones under the easy-rsa/keys directory. One possibility is that when you create the keys you MUST enter a unique common name. I use server for the server key and client1, client2 etcetera for the client keys. If you don't enter a common name it will give an error message and not generate the key. If it all works as planned you should get confirmation messages that the keys are generated.
I generate all keys on the server as root and then securely copy the client keys to the correct clients.
Thanks Andrew.
Actually, I had generated the keys again. I also use unique common names as advised by the openvpn documents. But still, I get client certificates that are 0 bytes large. I wonder what the prob is!
Haven't got access to my linux server at the moment so working from memory.
Have you made sure that all the required parameters in the vars script have something in them? If the vars script has been run, did the CA and server key generate okay? Does it go through the client build script prompts okay and then asks for "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]" ? If so then it should generate the cert. If it does this but the cert is still 0 bytes then the only thing I can think of is file permissions.
Unfortunately apart from not completing all the necessary fields in the vars script and forgetting to put a common name in I've never had any issues with generating keys - I do them all on the server in the easy-rsa directory.
Have another go from scratch, record the output of each stage and if it still won't work post the output to see if we can spot anything.
Yes. Actually, I've done all that and it confirms each step as you list them. Also, the ca and server keys are ok. The problem is just with the client keys, which are 0 bytes.
Maybe I should try from scratch again.
Thanks though
I want to know the answer for this also. If I find a solution soon I'll reply here with it.
You have re-opened a thread which was last active more than 10 years ago.
Beginning your own thread with a clear description of your specific problem will give your question better visibility and be more likely to attract current, useful answers.
Please see the Site FAQ for guidance on how to write an effective problem description.
If you get a "zero-length key," here's the answer:
At one point you got a message: failed to update database - error number 2.
"easy-rsa" maintains a database (actually just a text file, keys/index.txt) of keys that it has issued, by common name. If it finds an entry already in this file, it will generate this error, and(!) create a zero-length key file.
Locate the file and remove the entry. (It's just a text file ...) Then retry the entire procedure.
If it worked, you should see data base updated. The file will now have real contents.
... and how do I know this? ...
Last edited by sundialsvcs; 12-16-2016 at 10:18 AM.
Well, of course you can "just detonate a small thermonuclear bomb under easy-rsa and reinstall it," but you don't need to go to such draconian measures to fix a simple (but not at all obvious ...) problem.
Look carefully and you'll see the error message, I think in the certificate-signing step. It's terribly easy to overlook, especially since it does create a (zero length ...) file. (I'm sure that's a bug, but it'll probably never be fixed.)
Last edited by sundialsvcs; 12-17-2016 at 08:34 PM.
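The check described in the two posts above, as an added example that is not part of the thread: it lists zero-length `.crt` files in an easy-rsa keys directory and the `index.txt` line numbers that already record the same common name, without changing anything. It assumes `<name>.crt` was requested with common name `<name>`; the sample directory and its names are constructed.

```shell
#!/bin/sh
# Added example: list zero-length certificates in an easy-rsa keys directory
# together with the keys/index.txt lines that already record the same
# common name. Nothing is modified.
# Assumption: <name>.crt was requested with common name <name>.

# find_empty_certs KEYS_DIR
# Prints "<name> <line numbers in index.txt, or - if none>" per empty .crt.
find_empty_certs() {
    keys_dir=$1
    index="$keys_dir/index.txt"
    for crt in "$keys_dir"/*.crt; do
        [ -e "$crt" ] || continue   # glob matched nothing
        [ -s "$crt" ] && continue   # non-empty: certificate was written
        name=$(basename "$crt" .crt)
        lines=
        if [ -r "$index" ]; then
            # OpenSSL's index is tab-separated; field 6 is the subject DN.
            lines=$(awk -F '\t' -v cn="$name" '{
                n = split($6, rdn, "/")
                for (i = 1; i <= n; i++)
                    if (rdn[i] == "CN=" cn) { printf "%s%s", sep, NR; sep = "," }
            }' "$index")
        fi
        printf '%s %s\n' "$name" "${lines:--}"
    done
}

# Constructed sample directory (hypothetical names) for trying this offline.
make_sample_keys_dir() {
    d=$(mktemp -d)
    printf 'V\t261214101800Z\t\t01\tunknown\t/C=US/O=Example/CN=server\n'    > "$d/index.txt"
    printf 'V\t261214101800Z\t\t02\tunknown\t/C=US/O=Example/CN=client1\n'  >> "$d/index.txt"
    printf 'V\t261214101800Z\t\t03\tunknown\t/C=US/O=Example/CN=client10\n' >> "$d/index.txt"
    echo 'constructed placeholder' > "$d/server.crt"
    : > "$d/client1.crt"            # empty, and CN already in index.txt
    : > "$d/client9.crt"            # empty, but no index.txt entry
    echo "$d"
}

# Usage: sh check-empty-certs.sh /path/to/easy-rsa/keys
if [ $# -ge 1 ]; then find_empty_certs "$1"; fi
```

A name reported with line numbers matches the duplicate-entry case described above; a name reported with `-` points to some other cause, such as the file permissions mentioned earlier in the thread.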