Closed jepaquette closed 1 year ago
@jepaquette You are the first and only person to ever report this problem.
If you want to use EasyRSA in Program Files
(NOT Recommended) then you must use Windows elevated privileges.
Okay--I always leave elevated privileges off because I use Dragon for all my writing and it requires elevated privileges to be off. So, should I move the whole EasyRSA operation to a separate folder somewhere else on the C: drive???
Thanks for the quick reply!!!
EasyRSA recommends that you copy \easy-rsa to your \Users\<USER> directory and run it from there.
FYI: Your Private CA key is World readable when it is kept in \Program Files
and you do not want that. EasyRSA will also warn you about this.
Also, for v3.1.6 please read #1009
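Added example, not part of this thread or of the EasyRSA project: a PowerShell snippet that does what the two replies above describe (copy easy-rsa out of \Program Files into the user profile) and then checks who can actually read the CA key, which is the security point behind the "world readable" warning. The source and destination paths, and the assumption that the key is at pki\private\ca.key after init-pki and build-ca, are mine; adjust them to your install.

```powershell
# Added example (not EasyRSA project code). Paths are assumptions for a
# default Windows install of OpenVPN with EasyRSA bundled under Program Files.
$src = 'C:\Program Files\OpenVPN\easy-rsa'
$dst = Join-Path $env:USERPROFILE 'easy-rsa'

# Run EasyRSA from the user profile, as the reply recommends. Files created
# under the profile inherit an ACL limited to the user, SYSTEM and Administrators,
# unlike Program Files, where BUILTIN\Users inherits read access.
if (-not (Test-Path $dst)) {
    Copy-Item -Path $src -Destination $dst -Recurse
}

# Where EasyRSA puts the CA private key after init-pki and build-ca (assumption).
$caKey = Join-Path $dst 'pki\private\ca.key'

function Get-BroadReaders {
    param([string]$Path)
    # Return Allow ACEs that grant read access to broad groups. The result
    # you want on a private key is nothing at all.
    $broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
}

if (Test-Path $caKey) {
    $readers = Get-BroadReaders -Path $caKey
    if ($readers) {
        Write-Warning "CA key is readable by broad groups:"
        $readers | Format-Table IdentityReference, FileSystemRights -AutoSize

        # Tighten the ACL: stop inheriting, then grant only the current user.
        $acl = Get-Acl -Path $caKey
        $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
        $me   = "$env:USERDOMAIN\$env:USERNAME"
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'FullControl', 'Allow'
        $acl.SetAccessRule($rule)
        Set-Acl -Path $caKey -AclObject $acl
        Write-Output "CA key ACL tightened to $me only"
    } else {
        Write-Output "CA key ACL OK: no broad read access"
    }
} else {
    Write-Output "No CA key yet at $caKey; run EasyRSA-Start.bat from $dst, then init-pki and build-ca"
}
```

Run this from a normal (non-elevated) PowerShell window, which is exactly the situation in the thread: once the tree lives under the profile, no elevation is needed, and the ACL check is the verification that the key is no longer exposed to every local account.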
Thank you--most helpful!
So I successfully built my server crt, my client crts, my private keys, and DH PEM but was disappointed to find, on the first client I have tested and after rechecking files several times, that TLS is not "shaking hands."
Fri Sep 08 13:56:50 2023 us=540874 UDPv4 READ [0] from [AF_UNSPEC]: DATA UNDEF len=-1
Fri Sep 08 13:57:06 2023 us=561003 UDPv4 WRITE [14] to [AF_INET]192.168.0.1:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Sep 08 13:57:06 2023 us=561003 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Sep 08 13:57:06 2023 us=561003 UDPv4 READ [0] from [AF_UNSPEC]: DATA UNDEF len=-1
Fri Sep 08 13:57:36 2023 us=138342 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 08 13:57:36 2023 us=138342 TLS Error: TLS handshake failed
Network is fine.
I'm still keeping my old OpenVPN GUIs but I don't think that should matter.
Any thoughts on troubleshooting???
Sorry, we do not debug OpenVPN connection problems here.
Hello again TinCanTech--after a couple of days of digging on OpenVPN and related sites, I am back with what I believe is a legitimate EasyRSA question.
StackExchange at https://security.stackexchange.com/questions/211795/openvpn-error-unsupported-certificate-purpose says:
"Under EasyRSA 3, what controls this parameter is the use of build-client-full or build-server-full command line depending on whether you want to generate the server side certificate or client certificates."
That post says this is necessary to enable TLS Web Server Authentication on the server key and avoid the "unsuitable certificate purpose" error I am getting on my new OpenVPN GUI client. However, the newest version of EasyRSA does not accept "build-server-full server," so how do I make sure that the server key knows that it is a server?
Thank you for any clarification you can provide on the syntax to get the current version of EasyRSA to generate appropriate server-side key and crts.
Discovered this most helpful page immediately after I sent my last message and my TLS error is now gone. I have one other error but it is purely OpenVPN.
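Added example, not from this thread or from the EasyRSA project: after issuing the certificates, confirm that the server certificate really carries the Extended Key Usage that the StackExchange answer above refers to (serverAuth, 1.3.6.1.5.5.7.3.1) and that client certificates carry clientAuth (1.3.6.1.5.5.7.3.2). OpenVPN's remote-cert-tls check rejects a peer whose certificate lacks the expected EKU, which is how a certificate issued with the wrong build-*-full command shows up as a "certificate purpose" error. The pki path and the certificate names server and client1 are assumptions; the EasyRSA commands in the comments are the ones typed into the shell that EasyRSA-Start.bat opens.

```powershell
# Added example (not EasyRSA project code). Assumes the pki directory lives
# under the user profile and that the certificates were issued with:
#   ./easyrsa build-server-full server nopass
#   ./easyrsa build-client-full client1 nopass
$pki = Join-Path $env:USERPROFILE 'easy-rsa\pki'

function Import-PemCert {
    param([string]$Path)
    # EasyRSA .crt files carry a human-readable dump before the PEM block,
    # so extract just the base64 body and hand .NET the DER bytes.
    $text = Get-Content -Path $Path -Raw
    if ($text -match '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----') {
        $der = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
    throw "no PEM certificate found in $Path"
}

function Get-CertEku {
    param([string]$Path)
    # Return the OID strings in the Extended Key Usage extension (2.5.29.37),
    # or an empty array when the certificate has none.
    $cert = Import-PemCert -Path $Path
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return @() }
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$serverAuth = '1.3.6.1.5.5.7.3.1'   # TLS Web Server Authentication
$clientAuth = '1.3.6.1.5.5.7.3.2'   # TLS Web Client Authentication

$checks = @(
    @{ File = 'issued\server.crt';  Need = $serverAuth; Role = 'server' },
    @{ File = 'issued\client1.crt'; Need = $clientAuth; Role = 'client' }
)

foreach ($c in $checks) {
    $path = Join-Path $pki $c.File
    if (-not (Test-Path $path)) { Write-Warning "missing $path"; continue }
    $ekus = Get-CertEku -Path $path
    if ($ekus -contains $c.Need) {
        Write-Output "$($c.File): OK, $($c.Role) authentication EKU present"
    } else {
        Write-Warning ("{0}: {1} EKU missing; reissue it with build-{1}-full (EKUs found: {2})" -f
            $c.File, $c.Role, ($ekus -join ', '))
    }
}
```

A server certificate issued with build-client-full (or a plain build-full / sign-req with the wrong type) will fail this check for serverAuth, and that is the certificate to revoke and reissue before looking anywhere else for the handshake failure.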
My basic problem is what looks like a Windows file permission problem but which I cannot fix by changing Windows permissions, with which I'm quite familiar. If I run EasyRSA-Start.bat bundled with the current version (3.1.6) of EasyRSA, I get a "permission denied" error which I don't seem to be able to eliminate with Windows permissions on my PKI folder.
I get back the following from easyrsa init-pki:
rm: c:/program files/openvpn/2023/easyrsa-3.1.6/pki: Permission denied
Easy-RSA error:
init-pki hard reset failed.
EasyRSA Version Information
Version: 3.1.6
Generated: Fri Aug 18 09:28:26 CDT 2023
SSL Lib: OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)
Git Commit: 9850ced8bec5e0a065d9c576f59c3f372f82f4a9
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.6 | win | @(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $ |
Can someone please explain what is going on here and how I can fix it — if I can!