How to remove/resolve the OpenVPN message “KEY_CONFIG pointing to the wrong version of openssl.cnf” on Linux Systems

In this mini post I’ll show you how to solve the OpenVPN error message “KEY_CONFIG pointing to the wrong version of openssl.cnf”, which may appear when you try to generate the keys and certificates needed during the installation of an OpenVPN server on Debian 9 “stretch” Linux systems.

You can read this article for Installing OpenVPN Server On Debian 9 “Stretch” Linux systems.

I was trying to run this command:

# ./build-ca

But, it failed with this error:

grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x

Solution:

This issue occurs because easy-rsa can’t find openssl.cnf in the path /etc/openvpn/rsa on Debian 9 “Stretch” Linux systems.

When we list the files in this path, we find:

# ls -l /etc/openvpn/rsa
total 116
-rwxr-xr-x 1 root root 119 Sep 7 11:09 build-ca
-rwxr-xr-x 1 root root 352 Sep 7 11:09 build-dh
-rwxr-xr-x 1 root root 188 Sep 7 11:09 build-inter
-rwxr-xr-x 1 root root 163 Sep 7 11:09 build-key
-rwxr-xr-x 1 root root 157 Sep 7 11:09 build-key-pass
-rwxr-xr-x 1 root root 249 Sep 7 11:09 build-key-pkcs12
-rwxr-xr-x 1 root root 268 Sep 7 11:09 build-key-server
-rwxr-xr-x 1 root root 213 Sep 7 11:09 build-req
-rwxr-xr-x 1 root root 158 Sep 7 11:09 build-req-pass
-rwxr-xr-x 1 root root 449 Sep 7 11:09 clean-all
-rwxr-xr-x 1 root root 1471 Sep 7 11:09 inherit-inter
drwx------ 2 root root 4096 Dec 18 15:13 keys
-rwxr-xr-x 1 root root 302 Sep 7 11:09 list-crl
-rw-r--r-- 1 root root 7859 Sep 7 11:09 openssl-0.9.6.cnf
-rw-r--r-- 1 root root 8416 Sep 7 11:09 openssl-0.9.8.cnf
-rw-r--r-- 1 root root 8313 Sep 7 11:09 openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Sep 7 11:09 pkitool
-rwxr-xr-x 1 root root 1035 Sep 7 11:09 revoke-full
-rwxr-xr-x 1 root root 178 Sep 7 11:09 sign-req
-rw-r--r-- 1 root root 2077 Sep 7 11:16 vars
-rwxr-xr-x 1 root root 740 Sep 7 11:09 whichopensslcnf

As you can see, no openssl.cnf file exists.
The solution is very simple: we make a symbolic link named openssl.cnf that points to the latest openssl-*.cnf file we find. Here the latest one is openssl-1.0.0.cnf.

Run these commands:

# cd /etc/openvpn/rsa/
# ln -s openssl-1.0.0.cnf openssl.cnf

Now the issue is solved. If we re-run our commands, no error appears.

Finally, I list the files again to check:

# ls -l /etc/openvpn/rsa
total 116
-rwxr-xr-x 1 root root 119 Sep 7 11:09 build-ca
-rwxr-xr-x 1 root root 352 Sep 7 11:09 build-dh
-rwxr-xr-x 1 root root 188 Sep 7 11:09 build-inter
-rwxr-xr-x 1 root root 163 Sep 7 11:09 build-key
-rwxr-xr-x 1 root root 157 Sep 7 11:09 build-key-pass
-rwxr-xr-x 1 root root 249 Sep 7 11:09 build-key-pkcs12
-rwxr-xr-x 1 root root 268 Sep 7 11:09 build-key-server
-rwxr-xr-x 1 root root 213 Sep 7 11:09 build-req
-rwxr-xr-x 1 root root 158 Sep 7 11:09 build-req-pass
-rwxr-xr-x 1 root root 449 Sep 7 11:09 clean-all
-rwxr-xr-x 1 root root 1471 Sep 7 11:09 inherit-inter
drwx------ 2 root root 4096 Dec 18 15:13 keys
-rwxr-xr-x 1 root root 302 Sep 7 11:09 list-crl
-rw-r--r-- 1 root root 7859 Sep 7 11:09 openssl-0.9.6.cnf
-rw-r--r-- 1 root root 8416 Sep 7 11:09 openssl-0.9.8.cnf
-rw-r--r-- 1 root root 8313 Sep 7 11:09 openssl-1.0.0.cnf
lrwxrwxrwx 1 root root 17 Dec 18 15:01 openssl.cnf -> openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Sep 7 11:09 pkitool
-rwxr-xr-x 1 root root 1035 Sep 7 11:09 revoke-full
-rwxr-xr-x 1 root root 178 Sep 7 11:09 sign-req
-rw-r--r-- 1 root root 2077 Sep 7 11:16 vars
-rwxr-xr-x 1 root root 740 Sep 7 11:09 whichopensslcnf
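
The same fix as a small shell function, added here as an example (it is not from the original post or from easy-rsa). It links openssl.cnf to the newest openssl-*.cnf that contains the “easy-rsa version 2.x” comment named in the pkitool error, and refuses to overwrite an existing regular file. The function name link_openssl_cnf is hypothetical, and `sort -V` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: not part of the original post or of easy-rsa.
# link_openssl_cnf DIR
#   Point DIR/openssl.cnf at the newest openssl-*.cnf in DIR that carries
#   the "easy-rsa version 2.x" comment mentioned in pkitool's error message.
#   Prints the chosen file name. Returns 1 if no candidate, 2 if refused.
link_openssl_cnf() {
    dir=$1
    target=$dir/openssl.cnf

    # An existing regular file is left alone: it may hold local edits.
    if [ -e "$target" ] && [ ! -L "$target" ]; then
        echo "refusing to replace regular file $target" >&2
        return 2
    fi

    best=
    # Version-sort the candidates so the last one that matches is the newest.
    for f in $(ls "$dir" | grep '^openssl-[0-9.]*\.cnf$' | sort -V); do
        if grep -qi 'easy-rsa version 2' "$dir/$f"; then
            best=$f
        fi
    done

    if [ -z "$best" ]; then
        echo "no openssl-*.cnf with the easy-rsa 2.x marker in $dir" >&2
        return 1
    fi

    # Relative link, as in the post; -f replaces a stale link if one exists.
    ln -sfn "$best" "$target" && echo "$best"
}
```

Call it as `link_openssl_cnf /etc/openvpn/rsa` (run as root), then re-run `./build-ca`.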

Now, enjoy using your OpenVPN server.
