OPENVPN - Creating client Keys failed

The original heading was changed from "Restoring key & cert after flash upgrade to 17.01.2", as I decided to start the openvpn install from scratch and faced new problems. Please see my new question below.

I have a TP-Link TL-WDR3600 v1. I made the mistake of upgrading using the upgrade image to flash, thus erasing my openvpn config, cert, and keys. I did make a backup using the web interface before upgrading. Is there any way of restoring the cert without generating it? I had also installed the adblock package, which requires SSL to download update files.

BTW, what is the proper way of upgrading the firmware and packages, as this will happen more frequently with LEDE? :wink:

The backup is probably just an archive. Open it, find your key/cert/config and replace the same-named files with the ones in the backup.

There are two mechanisms LEDE uses to try to avoid clobbering things during a sysupgrade.

First, there is the /etc/sysupgrade.conf file which allows you to list files that should be restored after a sysupgrade. What happens is an archive of those files/directories is used as the initial overlay filesystem.

However, after the sysupgrade you often need to re-install additional packages. These packages do not seem to currently read /etc/sysupgrade.conf. Unless they consider a file to be a "config file" they will replace the file as they are installed. (A switch to opkg to tell it to read a list of files to treat as conffiles might be a nice feature.)

Packages determine what files are config files based on the contents of their /usr/lib/opkg/info/package_name.conffiles file, embedded in the package.

One of two things happened: you chose different names for your files, but did not put them in sysupgrade.conf (there's a LUCI UI element for this someplace). Or you used the normal names for these files, and they are not marked as config files by the package (and perhaps should be) and they got clobbered.
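An added example, not part of the original thread: a shell check that reports whether a given file is covered by /etc/sysupgrade.conf or by some package's .conffiles list, the two mechanisms described in the reply above. The ROOT argument, the function names and the sample tree contents are assumptions made here so the check can run against a scratch directory; list entries are matched literally.

```shell
#!/bin/sh
# Added example (not from the thread). The ROOT prefix is an assumption so the
# check can run against a scratch tree; on the router pass no ROOT.

# covered_by_list PATH LIST: true if PATH is an entry in LIST or sits under a
# directory entry. Entries are treated literally (globs are not expanded).
covered_by_list() {
    path=$1; list=$2
    [ -f "$list" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in ''|'#'*) continue ;; esac   # skip blanks and comments
        entry=${entry%/}                           # "/dir/" and "/dir" are equal
        case $path in "$entry"|"$entry"/*) return 0 ;; esac
    done < "$list"
    return 1
}

# preserve_status PATH [ROOT]: prints which mechanism protects PATH.
preserve_status() {
    target=$1; root=${2:-}
    if covered_by_list "$target" "$root/etc/sysupgrade.conf"; then
        echo "sysupgrade.conf"; return 0
    fi
    for f in "$root"/usr/lib/opkg/info/*.conffiles; do
        [ -f "$f" ] || continue
        if covered_by_list "$target" "$f"; then
            pkg=${f##*/}; echo "conffiles:${pkg%.conffiles}"; return 0
        fi
    done
    echo "unprotected"; return 1
}

# Constructed sample tree standing in for a router's filesystem.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc" "$r/usr/lib/opkg/info"
    printf '%s\n' '# keep my PKI' '/etc/easy-rsa/keys/' > "$r/etc/sysupgrade.conf"
    printf '%s\n' '/etc/config/openvpn' > "$r/usr/lib/opkg/info/openvpn-openssl.conffiles"
    echo "$r"
}

sample=$(make_sample_root)
for p in /etc/easy-rsa/keys/myuser.key /etc/config/openvpn /etc/openvpn/ca.crt; do
    printf '%-34s %s\n' "$p" "$(preserve_status "$p" "$sample")"
done
rm -rf "$sample"
```

A path reported as "unprotected" is one to add to /etc/sysupgrade.conf, or to copy off the device, before flashing.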

I could not recover the keys, so I started from scratch to set up openvpn with the clean-all command. I am using the guide from https://lede-project.org/docs/howto/openvpn.server
Everything worked until the following command:

openssl rsa -in /etc/easy-rsa/keys/myuser.key -des3 -out /etc/easy-rsa/keys/myuser.3des.key
/* .....
.. Lines snipped by me
..... */
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter Export Password:
Verifying - Enter Export Password:
Verify failure
Can't read Password

I did not set up a password (pressed enter) while creating the server key. I did enter a challenge password for the client and I tried that too, but it does not work here. Where is this password? How do I change/delete this? Is this left over from the previous openvpn installation? I had deleted the old config using the Luci interface before starting.

When I tried without the password again, I got the following message.

Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

How do I revoke this client certificate to start over again?