OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

`build-ca`, password cannot use `$` character #1065

Closed PWnet closed 9 months ago

PWnet commented 9 months ago

Hi,

I'm trying to create new certificates for my openvpn installation, because my actual certificates (successfully created with easy-rsa 2 and before with easy-rsa 1) are expired.

I'm using the latest version of easy-rsa (3.1.7) on ubuntu and with the same results on windows.

If I create a CA with a simple password (eg: asdfg) I have no problem.

The command

openssl rsa -in pki/private/ca.key -modulus -noout

returns the modulus of my ca.key when I enter the correct password.

If I create a CA with a more complex password (eg: as8Fgh$624351) the problem begins.

The command to check the modulus returns:

# openssl rsa -in pki/private/ca.key -modulus -noout
Enter pass phrase for pki/private/ca.key:
Could not read private key from pki/private/ca.key
A8370000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
A8370000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:124:
A8370000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:86:maybe wrong password

The problem is rather sly because easy-rsa lets me continue to create server and client certificates with my CA (and I suppose all works in openvpn), but the new certificates created cannot be uploaded on mikrotik devices (which support openvpn client connectivity) because the password doesn't work.

The problem is quite strange because this tool is based on openssl and the same openssl cannot open the key it generates.

Am I doing something wrong?

Regards

Roberto

PS: I apologize for my English ...

(tincantech: Edited formatting)

TinCanTech commented 9 months ago

@PWnet Thank you for this issue - ~I confirm this is a bug~.

Investigating ..

For testing purposes, can you try the command:

easyrsa --raw-ca build-ca

with your long password, which appears to work for me.

Also, which version of openssl are you using?

TinCanTech commented 9 months ago

@PWnet You must escape the $ character when inputting the password, to use the standard easyrsa method to build-ca.

TinCanTech commented 9 months ago

This could probably be done without the need to escape a $ sign.

TinCanTech commented 9 months ago

Easy-RSA v3.2.0 is not affected by this issue.

PWnet commented 9 months ago

> @PWnet Thank you for this issue - ~I confirm this is a bug~.
>
> Investigating ..
>
> For testing purposes, can you try the command:
>
> easyrsa --raw-ca build-ca
>
> with your long password, which appears to work for me.
>
> Also, which version of openssl are you using?

I'm using openssl 3.0.2 on ubuntu 22.04, but I have the same issue with easy-rsa 3.1.7 for windows that uses the recommended version.

IMHO a password input field should accept special characters without escaping (like openssl or easy-rsa 2.x I used to create my old certificates).

Anyway, I tried with the escaped character and it works (at least with the CA).

I'll give version 3.2.0 a try.

Regards

TinCanTech commented 9 months ago

You can also try the --raw-ca option with v3.1.7, as above, which does not require $ sign to be escaped.

TinCanTech commented 9 months ago

FTR: Easy-RSA v3 has never supported the $ sign in the CA password for build-ca. This is due to shell expansion.

Since v3.1.7, that is resolved, but only for build-ca, using raw exposure to the SSL executable: the Easy-RSA option --raw-ca mode, for command build-ca only.

Otherwise, passing options to easyrsa is still subject to shell expansion, which still requires some escaping, and some more escaping (due to easyrsa's extra expansion via set_var()) for org-field options, such as --req-ou, which want to use $.

And on top of that, there is the shell expansion for use of $ in the vars file ... and backward compatibility ... and sufficient testing.

Thanks for helping by testing.
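The shell-expansion problem described in the comment above, modelled as an added example (this is not Easy-RSA's own code): the extra `eval` pass is an assumption about the mechanism, the passphrase is the constructed sample from the report, and `verify_ca_key` is a hypothetical helper for checking a freshly built CA key with openssl.

```shell
#!/bin/sh
# Added example, not Easy-RSA code. A passphrase that goes through one extra
# round of shell expansion before reaching openssl ends up encrypting the key
# with a different string than the one the user typed. The second expansion
# is simulated here with eval; that is an assumption about the mechanism.

# Passphrase from the report (constructed sample value).
INTENDED='as8Fgh$624351'

# One extra shell expansion of an already-expanded value.
expand_again() {
    eval "printf '%s' \"$1\""
}

# Unescaped: "$6" is read as positional parameter 6 (empty here), so what
# reaches the key encryption is "as8Fgh24351". Any other shell syntax in the
# value would likewise be interpreted by the shell rather than stored, which
# is the deeper reason a raw, expansion-free path is preferable.
expanded_unescaped() { expand_again "$INTENDED"; }

# Escaped as suggested in the thread: "\$" survives the extra pass intact.
expanded_escaped()   { expand_again 'as8Fgh\$624351'; }

# Post-build check: confirm the CA key really opens with the passphrase you
# intend to use elsewhere (e.g. when importing the key on another device).
# The passphrase is fed on stdin rather than as an argument so it does not
# show up in the process list.
verify_ca_key() {
    # $1 = path to ca.key, $2 = passphrase; returns 0 only if openssl can decrypt.
    printf '%s\n' "$2" | openssl rsa -in "$1" -noout -passin stdin >/dev/null 2>&1
}

printf 'intended : %s\n' "$INTENDED"
printf 'unescaped: %s\n' "$(expanded_unescaped)"
printf 'escaped  : %s\n' "$(expanded_escaped)"
# Typical use after `easyrsa build-ca` (or `easyrsa --raw-ca build-ca`):
#   verify_ca_key pki/private/ca.key "$INTENDED" && echo "CA key OK"
```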

PWnet commented 9 months ago

Hi,

I created my CA and certificates successfully following your tips (raw-ca and escaping the $ char).

Thank you very much for your support

Roberto

TinCanTech commented 9 months ago

Thank you for testing and feeding back your results.

Closing this now because, even though this could be called a bug, it has always been that way and there is a workaround for v3.1.7, the --raw-ca option.