Error loading extension section usr_cert

I run openvpn on an Ubuntu 14.04 box. The setup was fine before updating OpenSSL, but now when I try to create a new client certificate with easy-rsa, I get this message:

    root@ :easy-rsa# ./pkitool onokun
    Using Common Name: onokun
    Generating a 2048 bit RSA private key
    .+++
    ........+++
    writing new private key to 'onokun.key'
    -----
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Error Loading extension section usr_cert
    3074119356:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn
    3074119356:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:537:
    3074119356:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=onokun

This problem is different from the reported error in which the opensslcnf script cannot find a suitable version of openssl.cnf to use (the message above shows openssl-1.0.0.cnf). I did a Google search but couldn't find an answer.

Here is the environment information:

    ## openvpn
    OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
    Originally developed by James Yonan

    ## openssl
    OpenSSL 1.0.1f 6 Jan 2014

    ## dpkg --get-selections | grep ssl
    libgnutls-openssl27:i386        install
    libio-socket-ssl-perl           install
    libnet-smtp-ssl-perl            install
    libnet-ssleay-perl              install
    libssl-dev:i386                 install
    libssl-doc                      install
    libssl0.9.8:i386                install
    libssl1.0.0:i386                install
    openssl                         install
    ssl-cert                        install

What should I look at to solve this? Thanks.

+6
5 answers
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Error Loading extension section usr_cert

I don't have /etc/openvpn/easy-rsa/openssl-1.0.0.cnf, so take this with a grain of salt ...

opensslconf.h from the OpenSSL distribution includes this section:

    openssl-1.0.1h$ grep -R usr_cert *
    apps/openssl-vms.cnf:x509_extensions = usr_cert     # The extensions to add to the cert
    apps/openssl-vms.cnf:[ usr_cert ]
    apps/openssl.cnf:x509_extensions = usr_cert         # The extensions to add to the cert
    apps/openssl.cnf:[ usr_cert ]

Is it possible to restore the old version of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf?

Here is the section from apps/openssl.cnf. You might want to add it to the Easy RSA configuration file if it is missing. First try an empty section, then try adding the contents back.

    [ usr_cert ]

    # These extensions are added when 'ca' signs a request.

    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.

    basicConstraints=CA:FALSE

    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.

    # This is OK for an SSL server.
    # nsCertType = server

    # For an object signing certificate this would be used.
    # nsCertType = objsign

    # For normal client use this is typical
    # nsCertType = client, email

    # and for everything including object signing:
    # nsCertType = client, email, objsign

    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    # This will be displayed in Netscape comment listbox.
    nsComment = "OpenSSL Generated Certificate"

    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer

    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move

    # Copy subject details
    # issuerAltName=issuer:copy

    #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName

    # This is required for TSA certificates.
    # extendedKeyUsage = critical,timeStamping
+3
source

Comparing with an earlier installation of Ubuntu 14.04 that did not have this problem, it seems that the problem is related to "subjectAltName". I have not read up on what this does, but the command below will fix your file "openssl-1.0.0.cnf":

    perl -p -i -e 's|^(subjectAltName=)|#$1|;' /etc/openvpn/easy-rsa/openssl-1.0.0.cnf

I should probably write a bug report.

+5
source

I finally got it working (on my machine). First, my setup is a little different: I'm on Windows 10 running OpenSSL 1.0.2h. While trying to create several certificates, certificate authorities and other things for tests, I got this error message:

    configuration file routines:NCONF_get_string:no value:.\crypto\conf\conf_lib.c:324:group=CA_default name=email_in_dn

To fix this, I put email_in_dn = no in the [ CA_default ] section of openssl.cfg, shown below:

    ####################################################################
    [ CA_default ]

    dir             = ./demoCA                  # Where everything is kept
    certs           = $dir/certs                # Where the issued certs are kept
    crl_dir         = $dir/crl                  # Where the issued crl are kept
    database        = $dir/index.txt            # database index file.
    new_certs_dir   = $dir/newcerts             # default place for new certs.

    certificate     = $dir/ca.crt               # The CA certificate
    serial          = $dir/serial               # The current serial number
    crl             = $dir/crl.pem              # The current CRL
    private_key     = $dir/private/caprivkey.pem # The private key
    RANDFILE        = $dir/private/.rand        # private random number file

    x509_extensions = usr_cert                  # The extensions to add to the cert
    email_in_dn     = no                        # <-- fixes CONF_get_string:no value

I hope this helps someone else.

+3
source

This is reported as a bug in Ubuntu. See "SSL certificate creation fails without subjectAltName".

The workaround described by Yuri seems to work (copied from Launchpad):

In the file /usr/share/easy-rsa/pkitool, just replace the expression:

    KEY_ALTNAMES="$KEY_CN"

with

    KEY_ALTNAMES="DNS:${KEY_CN}"

In my version of the file, this is line 284, immediately after the line "Use a common name".

+1
source

To get rid of this error:

    3074119356:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn

use

    -noemailDN

in the openssl command.

For instance:

    $ openssl ca -batch -config openssl.cnf -extensions usr_cert -noemailDN -days 375 -notext -md sha256 \
        -in csr/www.example8.com.csr.pem -out certs/www.example8.com.cert.pem -verbose -passin pass:changeit
0
source
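The answers above fix three separate things in the CA configuration: a missing [ usr_cert ] section, a subjectAltName value with no type prefix (the DNS:${KEY_CN} change in pkitool), and a missing email_in_dn in [ CA_default ] (added to the config or overridden with -noemailDN). The following checker is an added example, not code from this thread, from easy-rsa or from OpenSSL; it parses a simplified OpenSSL config (sections, key = value, # comments and $ENV::NAME references, nothing more) and reports each of those conditions before openssl ca is ever run. The sample configs, the KEY_CN/KEY_ALTNAMES environment and all function names are constructed for the example.

```python
"""Lint an OpenSSL-style config for the failure modes discussed in this thread.

Added example, not code from the thread, easy-rsa or OpenSSL. It assumes a
simplified config grammar: [section] headers, key = value lines, '#' comments
and $ENV::NAME references. Real OpenSSL configs also allow $section::key,
escapes, quoting rules and .include, which this checker does not handle.
"""
import os
import re

# Name types OpenSSL's subjectAltName parser accepts in "type:value" entries.
SAN_TYPES = ("email", "URI", "DNS", "RID", "IP", "dirName", "otherName")

_SECTION = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
_ENV_REF = re.compile(r"\$\{?ENV::(\w+)\}?")


def parse_openssl_cnf(text, env=None):
    """Return {section: {key: value}}; '' holds keys seen before any [section].

    $ENV::NAME is expanded from `env` (default: os.environ), which is how
    easy-rsa's pkitool passes KEY_CN / KEY_ALTNAMES into openssl-1.0.0.cnf.
    A referenced variable that is unset raises ValueError, mirroring OpenSSL's
    "variable has no value" parse error.
    """
    env = os.environ if env is None else env

    def expand(match):
        name = match.group(1)
        if name not in env:
            raise ValueError(f"variable has no value: ENV::{name}")
        return env[name]

    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' inside quotes)
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = _ENV_REF.sub(expand, value)
    return sections


def unset_variables(text, env):
    """Names referenced as $ENV::NAME in `text` that `env` does not define."""
    return sorted({m.group(1) for m in _ENV_REF.finditer(text) if m.group(1) not in env})


def lint(sections):
    """Map config problems to the OpenSSL errors quoted in the question."""
    problems = []
    ca_default = sections.get("CA_default", {})

    # "NCONF_get_string:no value ... name=email_in_dn": openssl ca looks this
    # key up in CA_default; the answers add 'email_in_dn = no' or pass -noemailDN.
    if "email_in_dn" not in ca_default:
        problems.append("CA_default: email_in_dn is not set")

    # "Error Loading extension section usr_cert": the section named by
    # x509_extensions has to exist.
    ext_section = ca_default.get("x509_extensions")
    if ext_section is None:
        return problems
    if ext_section not in sections:
        problems.append(f"[{ext_section}]: extension section is missing")
        return problems

    # "v2i_GENERAL_NAME_ex:missing value ... value=onokun": each subjectAltName
    # entry needs a type prefix, which is what the DNS:${KEY_CN} fix supplies.
    san = sections[ext_section].get("subjectAltName")
    if san is not None:
        for entry in (e.strip() for e in san.split(",")):
            if entry.startswith("@"):  # "@section" refers to another section; valid
                continue
            if not any(entry.startswith(t + ":") for t in SAN_TYPES):
                problems.append(
                    f"subjectAltName: entry {entry!r} has no type prefix (DNS:, email:, IP:, ...)"
                )
    return problems


def lint_easy_rsa(cnf_text, key_cn, key_altnames):
    """Parse cnf_text with the variables pkitool exports, then lint it."""
    return lint(parse_openssl_cnf(cnf_text, env={"KEY_CN": key_cn, "KEY_ALTNAMES": key_altnames}))


# Constructed sample that mirrors the layout the thread describes: CA_default
# without email_in_dn, and usr_cert taking subjectAltName from KEY_ALTNAMES.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./keys
x509_extensions = usr_cert      # The extensions to add to the cert

[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectAltName = $ENV::KEY_ALTNAMES
"""

# The same file after the answers' fix for email_in_dn; the DNS: prefix for
# subjectAltName comes from the pkitool change (KEY_ALTNAMES="DNS:${KEY_CN}").
FIXED_CNF = SAMPLE_CNF.replace(
    "x509_extensions = usr_cert", "email_in_dn = no\nx509_extensions = usr_cert"
)

if __name__ == "__main__":
    for label, cnf, altnames in (("broken", SAMPLE_CNF, "onokun"), ("fixed", FIXED_CNF, "DNS:onokun")):
        print(label, lint_easy_rsa(cnf, "onokun", altnames) or "OK")
```

Run stand-alone it prints the two findings for the broken layout (unset email_in_dn, untyped subjectAltName value "onokun") and "OK" for the fixed one. Pointing parse_openssl_cnf at a real openssl-1.0.0.cnf with KEY_CN and KEY_ALTNAMES exported the way pkitool does shows which of the three fixes a given file still needs.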

Source: https://habr.com/ru/post/970917/

