Content from 2012-07
As it turns out, openvpn on RHEL6 cannot run an arbitrary shell script as an event command, even with the script-security 3 option present in the config file. When SELinux is enforcing, the event script also needs to carry the openvpn_etc_t type context:
]==> ls -lZ /etc/openvpn/up.sh
-rwxr-xr-x. root root unconfined_u:object_r:openvpn_etc_t:s0 /etc/openvpn/up.sh
This can be done by running the following command. Note that chcon only changes the label on that file; a later restorecon or filesystem relabel resets it to whatever the policy's file-context rules specify, so check with matchpathcon if the label does not stick.
]==> chcon -v --type=openvpn_etc_t /etc/openvpn/up.sh
changing security context of `/etc/openvpn/up.sh'
There are some recipes on the web for generating a CSR with subjectAltName entries, but none of them seem to work: OpenSSL either complains about a missing distinguished_name or generates a key that is too short.
You need a config file like this:
]==> cat openssl.cfg
[req]
req_extensions = v3_req
distinguished_name = req_dn
[req_dn]
CN=hostname1.yourdomain.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = hostname2.yourdomain.com
DNS.2 = hostname2.yourdomain.com
DNS.3 = hostname4.yourdomain.com
And then run:
openssl req -new -subj /CN=hostname1.yourdomain.com -out newcsr.csr \
    -nodes -config openssl.cfg -keyout privkey.pem -newkey rsa:2048
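The easy mistake with this recipe is to trust that the SANs made it into the CSR without looking. The script below is an added example, not part of the original post: it writes a config of the same shape (with constructed hostnames), runs the same openssl req invocation, and then decodes the CSR to confirm that every DNS name and the 2048-bit key are actually present. The scratch directory under $TMPDIR is an assumption.

```shell
#!/bin/sh
# Added example: generate a SAN CSR as in the post, then verify its contents.
set -e

WORK="${TMPDIR:-/tmp}/san-csr-example"   # assumed scratch directory

# Same layout as the post's openssl.cfg; hostnames are constructed examples.
write_config() {
  mkdir -p "$WORK"
  cat > "$WORK/openssl.cfg" <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_dn
[req_dn]
CN = hostname1.yourdomain.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = hostname1.yourdomain.com
DNS.2 = hostname2.yourdomain.com
EOF
}

# Create key + CSR exactly as the post does (-subj skips the interactive prompts).
make_csr() {
  write_config
  openssl req -new -subj /CN=hostname1.yourdomain.com -out "$WORK/newcsr.csr" \
    -nodes -config "$WORK/openssl.cfg" -keyout "$WORK/privkey.pem" \
    -newkey rsa:2048 2>/dev/null
}

# Decode the CSR; callers grep this for the SAN extension and the key size.
csr_text() {
  openssl req -in "$WORK/newcsr.csr" -noout -text
}

# Return 0 only if every expected DNS SAN and a 2048-bit key are present.
verify_csr() {
  text=$(csr_text)
  echo "$text" | grep -q 'DNS:hostname1.yourdomain.com' || return 1
  echo "$text" | grep -q 'DNS:hostname2.yourdomain.com' || return 1
  echo "$text" | grep -q '2048 bit' || return 1
  return 0
}

make_csr && verify_csr && echo "CSR contains the SANs and a 2048-bit key"
```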