run generate pki ca install InterCity # Follow the instructions to generate CA cert.
set pki ca InterCity certificate 'generated_cert_string'
set pki ca InterCity private key 'generated_private_key'
run generate pki certificate sign InterCity install brn.ru # Follow the instructions to generate server cert.
Configure mode commands to install:
set pki certificate brn.ru certificate 'generated_server_cert'
set pki certificate brn.ru private key 'generated_private_key'
run generate pki dh install InterCity-DH # Follow the instructions to generate set of Diffie-Hellman parameters.
Generating parameters…
Configure mode commands to install DH parameters:
set pki dh InterCity-DH parameters 'generated_dh_params_set'
set interfaces openvpn vtun10 tls ca-certificate InterCity
set interfaces openvpn vtun10 tls certificate brn.ru
set interfaces openvpn vtun10 tls crypt-key brn.ru
set interfaces openvpn vtun10 tls dh-params InterCity-DH
And I got:
vyos@r1-brn# commit
There are no openvpn shared-secrets in PKI configuration
[[interfaces openvpn vtun80]] failed
Hi @hexes, you need to commit after adding each of the generated certs to enable them under the system, and after that add the OVPN config with a separate commit. It’s quite annoying but mandatory in 1.4.x for now.
@hexes I’ve rechecked your first post and it seems that there is a small mistake in the instruction. Try to remove the crypt-key brn.ru statement and everything should work fine. We’ll correct this in the documentation and remove the unnecessary command. Hope this will help.
Yes, correct, that one is not required in the current configuration, and if you try to autocomplete the command it will not show you any available completion.
Glad to hear that corrections for the configuration procedure are also applied and pending commit. Thanks for sharing your issue and helping to identify the problem. Have a nice day!
Yes, you need to manually create those files and paste the information if you’re generating certs on VyOS. Note that there is a specific file format, such as the beginning of the cert, line length and end of the cert. You can open one of the existing certs on the old-style system to ensure that the custom files have the same format.
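The file format the last reply refers to (BEGIN line, fixed line length, END line), as an added Python example that is not part of the original thread. It assumes the string held in the PKI configuration is the bare base64 body of the certificate; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii

LINE = 64  # conventional PEM body line length


def to_pem(config_value: str, label: str = "CERTIFICATE") -> str:
    """Wrap a headerless, single-line base64 string into a PEM block."""
    # Assumption: the value was copied from the CLI, possibly with quotes/spaces.
    body = "".join(config_value.strip().strip("'\"‘’").split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    # DER-encoded certificates and keys start with an ASN.1 SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not look like DER")
    chunks = [body[i:i + LINE] for i in range(0, len(body), LINE)]
    return "\n".join([f"-----BEGIN {label}-----", *chunks,
                      f"-----END {label}-----"]) + "\n"


def check_pem(text: str, label: str = "CERTIFICATE") -> bytes:
    """Verify BEGIN/END lines and line lengths; return the decoded DER bytes."""
    lines = text.strip().splitlines()
    if len(lines) < 3:
        raise ValueError("PEM block is too short")
    if lines[0] != f"-----BEGIN {label}-----":
        raise ValueError("missing or wrong BEGIN line")
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("missing or wrong END line")
    body = lines[1:-1]
    # Every body line is exactly 64 characters, except the last, which may be shorter.
    if any(len(l) != LINE for l in body[:-1]) or not 0 < len(body[-1]) <= LINE:
        raise ValueError("body lines must be 64 characters wide")
    return base64.b64decode("".join(body), validate=True)


# Constructed sample: 102 bytes that merely start like DER, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x64]) + bytes(range(100))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    pem = to_pem(f"'{SAMPLE_B64}'")
    print(pem, end="")
    print("round trip ok:", check_pem(pem) == SAMPLE_DER)
```

For a private key, pass the label that matches the key's encoding instead of `CERTIFICATE`, and keep the resulting file readable only by the account that runs the VPN service.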