 

Error Loading extension section usr_cert

I am running OpenVPN on an Ubuntu 14.04 box. The setup was fine until an OpenSSL upgrade; then, when I tried to create a new client cert with easy-rsa, I got this message:

root@:easy-rsa# ./pkitool onokun
Using Common Name: onokun
Generating a 2048 bit RSA private key
.+++
........+++
writing new private key to 'onokun.key'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Error Loading extension section usr_cert
3074119356:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn
3074119356:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:537:
3074119356:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=onokun

This problem is different from a reported bug in which the whichopensslcnf script cannot find a matching version of openssl.cnf to use (the message above shows openssl-1.0.0.cnf). I performed a Google search but did not find an answer.

Here is some environment information:

## openvpn
OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Originally developed by James Yonan

## openssl
OpenSSL 1.0.1f 6 Jan 2014

## dpkg --get-selections | grep ssl
libgnutls-openssl27:i386                        install
libio-socket-ssl-perl                           install
libnet-smtp-ssl-perl                            install
libnet-ssleay-perl                              install
libssl-dev:i386                                 install
libssl-doc                                      install
libssl0.9.8:i386                                install
libssl1.0.0:i386                                install
openssl                                         install
ssl-cert                                        install

What should I look at to solve this? Thanks,

eN_Joy asked Jun 17 '14 03:06


1 Answer

I finally got this working (on my machine). Firstly, my setup is a little different: I'm on Windows 10, running OpenSSL 1.0.2h. I'm trying to generate multiple certificates, CAs and other things for tests, and I am getting the error:

configuration file routines:NCONF_get_string:no value:.\crypto\conf\conf_lib.c:324:group=CA_default name=email_in_dn

To fix it, I found placing the entry email_in_dn = no in the CA_default section of openssl.cfg, as below:

####################################################################
[ CA_default ]
dir     = ./demoCA              # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl          # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
new_certs_dir   = $dir/newcerts # default place for new certs.

certificate = $dir/ca.crt       # The CA certificate
serial      = $dir/serial       # The current serial number
crl     = $dir/crl.pem          # The current CRL
private_key = $dir/private/caprivkey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file
x509_extensions = usr_cert      # The extentions to add to the cert
email_in_dn = no                # <-- fixes CONF_get_string:no value

I hope this helps someone else.

Dai Bok answered Sep 27 '22 19:09
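
A pre-flight check for the two conditions named in the question's error output (no email_in_dn in the CA section, and a subjectAltName value that is not in OpenSSL's type:value form), written here as an added example and not taken from either poster or from easy-rsa. The sample config, the environment variable name ALT_NAMES and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the asker's file): no email_in_dn, SAN taken from
# a hypothetical environment variable ALT_NAMES.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
x509_extensions = usr_cert

[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName = $ENV::ALT_NAMES
"""
SAN_TYPES = {"email", "URI", "DNS", "RID", "IP", "dirName", "otherName"}

def parse_sections(text):
    """Return {section: {key: value}} for an openssl.cnf-style file."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def lint(text, env):
    """Report the two conditions named in the question's error output."""
    cnf = parse_sections(text)
    ca_name = cnf.get("ca", {}).get("default_ca", "CA_default")
    ca = cnf.get(ca_name, {})
    findings = []
    if "email_in_dn" not in ca:
        findings.append(f"[{ca_name}] has no email_in_dn")
    san = cnf.get(ca.get("x509_extensions", ""), {}).get("subjectAltName", "")
    # Expand $ENV::NAME references from the supplied environment mapping.
    san = re.sub(r"\$ENV::(\w+)", lambda m: env.get(m.group(1), ""), san)
    for item in filter(None, (i.strip() for i in san.split(","))):
        if item == "critical" or item.startswith("@"):
            continue  # criticality flag or a reference to another section
        kind, sep, value = item.partition(":")
        if kind not in SAN_TYPES or not sep or not value:
            findings.append(f"subjectAltName item {item!r} is not type:value")
    return findings
```

Calling lint(SAMPLE_CNF, {"ALT_NAMES": "onokun"}) returns both findings; with email_in_dn = no added and ALT_NAMES set to DNS:onokun it returns an empty list.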