6

As I can't get out which file this is being generated from, I have no idea how to grab the variable that isn't set. But the error resembles an old issue where a variable wasn't correctly set in the default config or sourced variables file.

I do have a default config under /etc/ssl/openssl.cnf and it's the default packaged with the openssl package.

Here's the full output:

[Torxed@Daylight ipsec.d]$ sudo openssl pkcs12 -export -inkey private/testKey.pem --in certs/testCert.pem -name "My own VPN client certificate" -certfile cacerts/rootCert.pem -caname "StrongSwan Root CA" -out test.p12

140093433759384:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 167

Normally SSL will throw you the file that generates the error, so I'm kinda lost here.

Torxed
  • 3,637

2 Answers

8

This is a problem which currently persists in Ubuntu 16.04 and Ubuntu 16.10.

What has happened is that OpenSSL has changed the certificate requirements, but several guides fail out of the box.

The solution is to add the following:

export KEY_ALTNAMES="something"

anywhere in the vars file.

There was already a bug report filed here. And a relevant Ubuntu thread here

94b1
  • 81
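The question asks how to tell which variable is unset. The following is an added example, not part of the original answer: it lists every `$ENV::NAME` reference in an OpenSSL config whose variable is missing from the exported environment, along with the config line number to compare against the `line 167` in the error. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Print "<line>:<NAME>" for each $ENV::NAME, ${ENV::NAME} or $(ENV::NAME)
# reference in an OpenSSL config file whose variable is not exported.
# Empty output means every referenced environment variable is present.
find_unset_env_refs() {
    awk '
    {
        sub(/#.*/, "")    # drop comments (a "#" inside a quoted value is cut too)
        while (match($0, /\$[{(]?ENV::[A-Za-z0-9_]+/)) {
            name = substr($0, RSTART, RLENGTH)
            sub(/^.*ENV::/, "", name)
            # ENVIRON holds only exported variables, which is what openssl sees
            if (!(name in ENVIRON)) print NR ":" name
            $0 = substr($0, RSTART + RLENGTH)   # keep scanning the rest of the line
        }
    }' "$1"
}

# Constructed sample config, loosely shaped like an easy-rsa style openssl.cnf.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_dn
# $ENV::COMMENTED_OUT is ignored
[ req_dn ]
countryName_default = $ENV::KEY_COUNTRY
[ v3_req ]
subjectAltName = ${ENV::KEY_ALTNAMES}
EOF
}

# Demo: scan the constructed sample with whatever the current environment holds.
tmp_cnf=$(mktemp)
write_sample_cnf "$tmp_cnf"
find_unset_env_refs "$tmp_cnf"
rm -f "$tmp_cnf"
```

Run it against the file openssl actually loads: the path in `OPENSSL_CONF` if that is set, otherwise `openssl.cnf` under the directory printed by `openssl version -d`. Run it in the same shell (or under the same `sudo` invocation) that runs the failing command, since that environment is the one being checked.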
3

Quite simple really.

/etc/ssl/openssl.cnf had a minor configuration issue. Apparently openssl had updated, requiring additional fields, but since the package manager respects personal configurations it had stored another config file as .backup alongside the configuration used.

Replaced my config with a newer default, and works.

Torxed
  • 3,637
  • 1
    Which "minor configuration issue"? – Matthieu Mar 01 '17 at 14:49
  • @Matthieu not too sure. Again, there was a new mandatory field in openssl.conf and the old configuration file didn't have it. The openssl.conf.pacnew contained it (as my package manager pacman honors user changes before system upgrade changes). Basically I had differed from the default configuration, so if you're getting this error - I'd suggest starting off with a default configuration and work towards your changes. You'll quickly discover what fields you need and what you can modify/take away. – Torxed Mar 01 '17 at 14:54
  • One year later I won't be mad ;) OpenVPN has the same problem when you try generating the CA certificate, because export KEY_ALTNAMES="somename" is missing from easy-rsa/vars (see https://bugs.launchpad.net/serverguide/+bug/1504676). I thought it could be something equivalent here... – Matthieu Mar 01 '17 at 14:57
  • @Matthieu Glad you understand haha, I actually tried to grab my old configuration from a server I knew I hadn't deleted many files from. But I've modified them enough that it wouldn't be a reliable source of information after all. Yea OpenVPN changed its easy-rsa structure a bit. And it differs from OpenSSL standard. I think the latest branch I've got has fixed it, but the link is a good source of information. Greatly appreciated! – Torxed Mar 01 '17 at 15:11