OpenVPN setup using OpenSSL, problem with generating CA CRL, "unable to open '.\index'"

Hi all

I haven't been able to find a lot of resources on setting up an OpenVPN server. I'm solely relying on this guide here:
https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup

At the CA Creation section, on step #2 of the Commands tab, Generate CA CRL, I'm supposed to run the following command:
openssl ca -gencrl -keyfile ca/OpenWrt-CA.key.pem -cert ca/OpenWrt-CA.crt.pem -out crl/OpenWrt-CA.crl.pem -config ./openssl.cnf

However, when I do so, I get the following error:

.\index: No such file or directory
unable to open '.\index'
3070162120:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('.\index','r')
3070162120:error:20074002:lib(32):func(116):reason(2):NA:0:

Can anyone shine some light on this issue? Thank you so much.

Have read the current user guides

https://openwrt.org/docs/guide-user/services/vpn/openvpn/start

The OpenVPN (Server Setup) wiki from the link @mbo2o provided works for me on 18.06.0.

Besides the above suggestions, the root cause of your issue is an index file that is either missing or placed in the wrong directory.
The index file contains just a single number which indicates which certificate number is next to be issued.
This number is relied upon by several scripts when setting up or modifying OpenVPN setups.

@rayycy There's a wrap at the top of that wiki, directing users to the new wiki site for a reason.

  • Since you're utilizing an obsolete wiki, I'd recommend starting over, utilizing the current version of that wiki: OpenVPN Server (Comprehensive).

  • The OpenSSL section was split off into its own wiki: OpenSSL Certificates

    • Please note, OpenSSL moved some of their man pages to a new site, so some of the man page links in the wiki are still broken as I haven't had time to fix them.
      • My next step with both wikis is adding a lite touch script, similar to the ones @stangri utilizes in their OpenVPN (Server Setup) wiki, and I'll fix the man page links at the same time.

Thank you all for your assistance. I apologize for not realizing there's an updated guide for this. In my defense, the old guides are still at the top of Google search. But ya, I should have caught the wrapper and moved on to the new document. I will have another go at it. Truly appreciate the inputs.

Another question, what is the difference between these two docs?

OpenVPN (Server Setup)
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup

OpenVPN Server (Comprehensive)
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.comprehensive

How do I know which one I should be using? Thanks a lot.

OpenVPN (Server Setup) is intended as a quick, get-up-and-running solution without having to have an understanding of the config files or OpenVPN.

OpenVPN Server (Comprehensive) is a comprehensive wiki on configuring an OpenVPN server, intended for users who want a thorough understanding that walks the user through, step-by-step.

  • The next major update will be adding scripts, similar to what @stangri did with the OpenVPN (Server Setup) wiki.

JW0914 Thank you so much for your explanation. I ended up using the quick guide. While it works, it also leaves me wondering how exactly it works. For example, I didn't even get to input any password, which seems a bit like black magic to me.

I wish I could follow the comprehensive guide instead to get a better understanding of the mechanisms. However, I find that I get lost quickly due to the lack of sample code for creating OpenSSL certificates, e.g. at this step:

Certificate Authority Clients [Line 195]

  1. Servers
    • Lines: 201 - 218
  2. Clients
    • Lines: 219 - 225

Don't get me wrong though. I'm definitely not complaining, only stating my experience in trying to get it to work. I'm sure a lot of hard work went into these guides already. And I really appreciate it. Thank you again JW0914.

That quoted information is telling the user where they can find the applicable server and client certificate SAN profiles for the CA clients in the openssl.cnf... just as a similar section under Create Certificates: ICA is telling the user where the server and client SAN profiles are for the ICA clients.

  • Nowhere does it state to do anything with 2.a [2.1] or 2.b [2.2] in the wiki

The full quoted info for Create Certificates: CA

Modify SubjectAltName & V3 Profiles

  1. Certificate Authorities [Line 177]
    1. Main
      1. Change Line 183: DNS.1 = OpenWrt-CA

  2. Certificate Authority Clients [Line 195]
    1. Servers
      • Lines: 201 - 218
    2. Clients
      • Lines: 219 - 225
  • The only modification one is told to do is on Line 183, which is then followed by the applicable code blocks.

  • I'm not sure why users keep thinking they need to edit/modify things they're not being told to edit or modify... especially when it comes to something like an openssl.cnf, which is usually quite foreign to the vast majority of users
    • Due to this complexity, I believe it a good idea to inform a user where CA and/or ICA client SAN and V3 profiles can be found for editing (instructions for their editing would be under the appropriate Server and Client sections).
    • I even highlighted precisely what needed to be modified (Line 183 in the CA creation), as repeatedly stating this answer over and over again to different users has left me with little patience when responding to this precise subject.

Do you have any suggestions on how to word it differently, so as to not cause confusion?

Hi JW0914. Just to offer a bit of my perspective. The quoted instruction has a heading that says "Modify SubjectAltName & V3 Profiles". This leads me to think that all the specified lines in that section need to be configured correctly. So for these bits here:

Certificate Authority Clients [Line 195]

  1. Servers
    • Lines: 201 - 218
  2. Clients
    • Lines: 219 - 225

If you are saying that they should not have to be touched, then perhaps a notation saying "optional" might reduce confusion. But if they need to be configured, then perhaps some sample code might help.

Thank you for taking the time to respond to my questions. Cheers.

They will need to be edited... just not at the creation of the CA or ICA.

  • They need to be listed somewhere within the Create Certificates section, as a person utilizing the OpenSSL Certificates wiki will likely have more than 2 certificates they're going to want to create, and they need to know where specifically to look for those SAN profiles in the openssl.cnf.
    • No one can make an openssl.cnf easy to comprehend, but I have made one that's as simple as possible, laid out in the most logical way possible, with multiple dummy SAN & V3 profiles for both CA and ICA client certs.
      • As I stated before, I believe it a good idea to inform users where the CA and ICA client certs SAN and V3 profiles can be found for editing, rather than having them try and figure it out on their own.

  • Placing the two client and server sections under their respective ToC: Servers & ToC: Clients will definitely result in confusion, and is why I didn't put them there. They shouldn't be causing any confusion at all, provided one simply follows the wiki as written.
    • Yes, the box heading says the section is about Modifying SAN Profiles, but the only SAN profile one is told to modify, at that point in the wiki, is for the CA... I really don't know how much clearer I can make that in the wiki, as I added highlight wraps specifically to address this specific issue some are having.

If a user is following a wiki, it's likely because the user is unsure of how to accomplish whatever it is they're trying to accomplish, hence referring to a wiki for help and/or a solution. Perhaps the arbitrary user should trust, until proven otherwise, that all they need to do is follow the wiki as written and not deviate, in order to accomplish whatever it is they're trying to accomplish.

  • It would be one thing if the arbitrary user continued on with the steps in a wiki, even though they may be confused about something, and then discovered what they were confused about is causing a wiki to not work as intended... but this is not the case, nor has it ever been, with this specific issue a handful of users get hung up on.

If someone else believes they have a better solution, then by all means, but my patience regarding this specific issue was exhausted some time ago.

  • @rayycy don't take what I've said personally... I've simply had this same conversation multiple times before with multiple users, and due to this, I have little patience left for this specific issue.

I am late to this topic but I too received this same error while following the wiki. I have figured out the solution by editing my openssl.cnf file. A lot of my confusion initially was in how to edit this file properly, and the errors were due to the commands listed in the wiki somehow not linking up with the file/folder structure as defined by the cnf file. Oddly, this was actually in place properly but still giving the errors. My solution was to directly specify the locations rather than using a ./ for the $dir and to also specifically define the locations of the other items even though logically it was all correct. Another issue I ran into was that my lines for code to edit are not the same numbered lines. Idk if the openssl.cnf file has had more things added to it or what but I just needed to learn a bit more about this subject as a whole to figure this out. Quite the daunting task but it pales in comparison to actually making this wiki, for which I applaud you sir. This subject is quite a lot to grasp let alone create as in-depth a guide as what we have. I am not looking forward to helping someone figure this out myself so I can see why this would be a frustrating thing to come back to time and again.
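The mismatch between openssl.cnf and the on-disk CA layout discussed in this thread can be checked before running `openssl ca`. The following is an added example, not part of any post or of the wiki: a preflight check in Python over a constructed sample config. The key names are the standard `openssl ca` options; the parser is a simplification and does not implement OpenSSL's full config grammar.

```python
import os
import re

# Constructed sample config (not the wiki's openssl.cnf); database, serial
# and crlnumber are the standard `openssl ca` option names.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir       = .
database  = $dir/index
serial    = $dir/serial
crlnumber = $dir/crlnumber
"""

def parse_cnf(text):
    """Simplified parser: [section] headers and key = value lines only."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            # Expand $name / ${name} from keys already seen in this section.
            current[key] = re.sub(r"\$\{?(\w+)\}?",
                                  lambda v: current.get(v.group(1), v.group(0)),
                                  value)
    return sections

def preflight(cnf_text, cwd):
    """Return {key: problem} for CA state files the config names but that cannot be found."""
    sections = parse_cnf(cnf_text)
    ca = sections[sections["ca"]["default_ca"]]
    problems = {}
    for key in ("database", "serial", "crlnumber"):
        path = ca.get(key, "")
        if "\\" in path:
            problems[key] = f"{path} contains a backslash, which is not a path separator on Linux"
        # Relative paths resolve against the directory openssl is run from,
        # not against the location of the config file.
        elif path and not os.path.isfile(os.path.join(cwd, path)):
            problems[key] = f"missing: {os.path.join(cwd, path)}"
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE_CNF, os.getcwd()))
```

A fresh CA directory normally starts with an empty database file and serial and crlnumber files that each hold a hex number such as 01.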

I suggest using a desktop GUI frontend to OpenSSL to generate certificates offline, specifically xca.

If you're doing it via CLI, that config file has some Microsoft-style \ directory separators; you have to change them to forward slash / for Linux.

No, I created a Unix specific config a long time ago and it's that config that's used in the wiki