Koozali.org: home of the SME Server

Problem OpenVPN Bridge Contrib (Exiting due to fatal error)

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #15 on: March 19, 2020, 01:37:44 AM »
OK, if you want to then try this.

Note. To upgrade the encryption strength you have to create a new CA, and then all new certificates. There is no easy way to convert existing certificates.

So be prepared before you embark on this.

First, uninstall the old version. This new version will try to back up your certificates if they exist.

If you want to keep them then you can also do this manually first:

Code:
cp -r /opt/phpki/phpki-store /opt/phpki/phpki-store.backup

Now:

Code:
yum remove phpki

You may need a reboot to clear up.

Add my testing repo.

BEWARE. Do NOT try and do a general 'upgrade' from this repo. It may break your machine!!!!

Just install as we instruct. If this tests OK it will go into smecontribs fairly soon.

You can manually grab a copy for a local install if you want:
https://www.reetspetit.com/smetest/6/repoview/phpki.html

Then something like this:

Code:
yum --enablerepo=epel,smecontribs localinstall phpki-0.83-9.el6.sme.noarch.rpm

Otherwise use my test repo:

Code:
db yum_repositories set reetpTest repository \
BaseURL https://www.reetspetit.com/smetest/\$releasever \
EnableGroups no \
GPGCheck no \
Name "ReetP Repo" \
GPGKey https://www.reetspetit.com/RPM-GPG-KEY \
Visible yes \
status disabled

Code:
signal-event yum-modify
config set UnsavedChanges no

Now install:

Code:
yum --enablerepo=reetpTest,smecontribs,epel install phpki

You may see a warning about unable to write 'random state' but you can ignore it.

Code:
signal-event post-upgrade; signal-event reboot

Go to Server-manager

Create your CA certificate with a password.

Get your DH key, and generate your certificates.

The DH key will now be 2048 bits.

Really we should set everything to default to 4096 - at least make the CA and certs 4096

Let us know how you get along.
« Last Edit: March 26, 2020, 07:11:35 PM by ReetP »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

globalsi
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #16 on: March 26, 2020, 05:19:40 PM »
Hi,
mmm...
Here are my commands:
Code:
yum --enablerepo=smecontribs install smeserver-bridge-interface
yum --enablerepo=smecontribs install smeserver-phpki
expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/pki-conf/httpd.conf
sv t /service/httpd-e-smith
sv u /service/httpd-pki
yum --enablerepo=smecontribs install smeserver-openvpn-bridge
signal-event post-upgrade; signal-event reboot
cp -r /opt/phpki/phpki-store /opt/phpki/phpki-store.backup
yum remove phpki
wget https://www.reetspetit.com/smetest/6/noarch/phpki-0.83-9.el6.sme.noarch.rpm
yum --enablerepo=epel,smecontribs localinstall phpki-0.83-9.el6.sme.noarch.rpm
signal-event post-upgrade; signal-event reboot

Afterwards, I create the root certificate (with password).
Then I want the server certificate. A password is asked for. Whether I try to create it with or without a password, I get an error:
Quote
Signing vpn_server certificate request.
Using configuration from /tmp/cnf-7QjxPJ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'PACA'
localityName          :PRINTABLE:'MYTOWN'
organizationName      :PRINTABLE:'MYCOMPANY'
organizationName      :PRINTABLE:'xxxxxxxxxx111111222222333333333'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'openvpn-bridge'
emailAddress          :IA5STRING:'contact@mycompany.fr'
Certificate is to be certified until Mar 26 16:15:14 2025 GMT (1826 days)
failed to update database
TXT_DB error number 2
Click on the "Help" link above for information on how to report this problem.

Can you help me?
bg
« Last Edit: March 26, 2020, 05:21:13 PM by globalsi »

ReetP
Re: Problem OpenVPN Bridge Contrib (Exiting due to fatal error)
« Reply #17 on: March 26, 2020, 07:29:03 PM »
Quote
Can you help me?

Only if you follow what we said... :-)


If you are intending to run openvpn-bridge I would:

Install smeserver-phpki + phpki

If you are going to use my test version it is better not to install the original 0.82 version. My version *should* move the original certificate directory out of the way.

Note - we are probably going to rename this to phpki-ng shortly because we want to avoid breaking older installs.

Note - we have tested successful openvpn-routed connections with the new version so we know it works.

We have not tested bridge or 2to2 yet - they should work but need testing.

Reboot

Create your CA and server/client certificates to complete the install.

Now install the smeserver-bridge-interface and smeserver-openvpn-bridge rpms.

Reboot and finish your bridge setup

Quote
failed to update database
TXT_DB error number 2

Terry noticed it once when creating a couple of certs - I haven't had a chance to look at it as I have been too busy shutting down our company. I don't think it was serious. Phpki stores a counter in a text file so it can number the certificates and I think it may be this.

Check the certificates in the /opt/phpki-store

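An added example, not part of the thread or of phpki: `openssl ca` stops with `TXT_DB error number 2` when the entry it wants to write collides with an existing row of the CA's index file, either on serial number or, with `unique_subject = yes`, on a subject that already has a valid certificate. The script below audits an index file for both cases; the location of phpki's index file is an assumption you supply as the argument, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: audit an OpenSSL CA index file for the clashes that make
# "openssl ca" fail with "TXT_DB error number 2".
# index.txt columns (tab separated):
#   1 status (V valid, R revoked, E expired)  2 expiry  3 revocation date
#   4 serial (hex)  5 file name  6 subject DN

# find_index_clashes FILE
# Prints "SERIAL <hex>" for each serial used more than once and
# "SUBJECT <dn>" for each subject holding more than one valid entry.
find_index_clashes() {
    awk -F '\t' '
        NF < 6    { next }            # ignore malformed rows
                  { serial[$4]++ }    # serial index covers every row
        $1 == "V" { subject[$6]++ }   # subject index covers valid rows only
        END {
            for (s in serial)  if (serial[s]  > 1) print "SERIAL " s
            for (d in subject) if (subject[d] > 1) print "SUBJECT " d
        }' "$1" | sort
}

# subject_in_use FILE DN
# Exit status 0 when DN already has a valid entry, i.e. signing another
# request with the same subject would be refused under unique_subject = yes.
subject_in_use() {
    DN="$2" awk -F '\t' '
        $1 == "V" && $6 == ENVIRON["DN"] { hit = 1 }
        END { exit !hit }' "$1"
}

# Constructed sample index (not taken from the server in the thread).
make_sample_index() {
    printf 'V\t250326161514Z\t\t01\tunknown\t/C=FR/O=EXAMPLE/CN=openvpn-bridge\n'
    printf 'R\t250326161514Z\t200326170000Z\t02\tunknown\t/C=FR/O=EXAMPLE/CN=client1\n'
    printf 'V\t250326171000Z\t\t03\tunknown\t/C=FR/O=EXAMPLE/CN=client1\n'
    printf 'V\t250326172000Z\t\t03\tunknown\t/C=FR/O=EXAMPLE/CN=openvpn-bridge\n'
}

# Usage: sh check_index.sh /path/to/index.txt   (path is site specific)
if [ "$#" -gt 0 ]; then
    find_index_clashes "$1"
fi
```

A revoked row does not block reissuing the same subject, which is why `client1` is not reported in the sample even though it appears twice.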