We are not using PKCS#11, and the "pkcs11 = pkcs11_section" line in openssl.cnf is properly commented out. The problem is that openssl doesn't just ignore the [ pkcs11_section ]: it still parses its configuration lines and MODULE_PATH = $ENV::PKCS11_MODULE_PATH results in an undefined variable :
----------------
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
We are not using PKCS#11, and the "pkcs11 = pkcs11_section" line in openssl.cnf is properly commented out. The problem is that openssl doesn't just ignore the [ pkcs11_section ]: it still parses its configuration lines and MODULE_PATH = $ENV::PKCS11_ MODULE_ PATH results in an undefined variable :
----------------
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ] engines/ engine_ pkcs11. so MODULE_ PATH ------- ------- -
engine_id = pkcs11
dynamic_path = /usr/lib/
MODULE_PATH = $ENV::PKCS11_
-------
The solution is to comment those lines or implement PKCS#11 support in openvpn and fix those lines accordingly.