OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

New branch `win-write-access`: Initial commit #1076

Closed TinCanTech closed 7 months ago

TinCanTech commented 7 months ago

Use 'set -x'

Expect 'mkdir' to fail for commands 'init-pki' and 'build-ca'

TinCanTech commented 7 months ago

For the record: Using a fully authenticated Windows command prompt, easyrsa works almost perfectly.

Here, testing is aimed at starting Windows menu item Start EasyRSA Shell (Non-admin) as an Admin user and not being faced with a complete failure.

Currently, init-pki fails to complete for an Admin user in Non-admin mode.

Windows UAC is the culprit. We do not want to force UAC activation for Non-admin mode but, instead, we switch to the user's home directory.

That is my understanding of the problem.

Fixing the admin user should also fix the standard user case.
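
The write-access probe and home-directory fallback described in this comment, as an added illustration in POSIX sh (not easy-rsa's own code); the function names `dir_is_writable`, `select_easyrsa_dir` and the variable `EASYRSA_FALLBACK` are assumptions for this example:

```shell
#!/bin/sh
# Added example, not code from the easy-rsa project. It probes a candidate
# working directory the way the PR expects 'mkdir' to fail in a non-elevated
# shell under 'Program Files', and falls back to the user's home directory
# instead of demanding UAC elevation.

# Return 0 if a sub-directory can be created (and removed) inside "$1".
# The probe is the same operation that init-pki needs for its pki folder,
# so a protected location fails here before any PKI state is touched.
dir_is_writable() {
    probe="$1/.easyrsa-write-probe.$$"
    if mkdir "$probe" 2>/dev/null; then
        rmdir "$probe"
        return 0
    fi
    return 1
}

# Print the directory easyrsa should work in: the candidate when it is
# writable, otherwise a fallback under the user's home (created on demand).
# EASYRSA_FALLBACK is an assumed override used so the behaviour is testable.
select_easyrsa_dir() {
    candidate="$1"
    fallback="${EASYRSA_FALLBACK:-$HOME/easy-rsa}"
    if dir_is_writable "$candidate"; then
        printf '%s\n' "$candidate"
        return 0
    fi
    printf 'DEBUG: EasyRSA: Windows protected write access, using %s\n' \
        "$fallback" >&2
    mkdir -p "$fallback" || return 1
    printf '%s\n' "$fallback"
}
```

Run `select_easyrsa_dir "C:/Program Files/OpenVPN/easy-rsa"` from the non-admin shell; the protected path fails the probe and the fallback under the user's home is printed instead.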

lstipakov commented 7 months ago

Here you go:

Using no-admin mode

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke 'easyrsa' to call the program. Without commands, help is displayed.

Using directory: C:/Users/lev/easy-rsa

EasyRSA Shell
# easyrsa
+ EASYRSA_version=~VER~
+ NL=

+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [  ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=
+ val=
+ [  =  ]
+ is_empty=1
+ [  ]
+ is_empty=1
+ break
+ cmd=
+ [  ]
+ unset -v require_pki require_ca quiet_vars
+ quiet_vars=1
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [  ]
+ verify_working_env
+ cmd_help

Easy-RSA 3 usage and overview

Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]

To get detailed usage and help for a command, use:
  ./easyrsa help COMMAND

For a list of global-options, use:
  ./easyrsa help options

For a list of utility commands, use:
  ./easyrsa help util

A list of commands is shown below:
  init-pki [ cmd-opts ]
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <file_name_base> [ cmd-opts ]
  sign-req <type> <file_name_base> [ cmd-opts ]
  build-client-full <file_name_base> [ cmd-opts ]
  build-server-full <file_name_base> [ cmd-opts ]
  build-serverClient-full <file_name_base> [ cmd-opts ]
  inline <file_name_base>
  revoke <file_name_base> [ cmd-opts ]
  renew <file_name_base>
  revoke-renewed <file_name_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <file_name_base> [ cmd-opts ]
  show-cert <file_name_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  show-crl
  show-expire <file_name_base> (Optional)
  show-revoke <file_name_base> (Optional)
  show-renew <file_name_base> (Optional)
  verify-cert <file_name_base>
  import-req <request_file_path> <short_name_base>
  export-p1 <file_name_base> [ cmd-opts ]
  export-p7 <file_name_base> [ cmd-opts ]
  export-p8 <file_name_base> [ cmd-opts ]
  export-p12 <file_name_base> [ cmd-opts ]
  set-pass <file_name_base> [ cmd-opts ]
  write <type> [ cmd-opts ]

DIRECTORY STATUS (commands would take effect on these locations)
     EASYRSA: C:/Users/lev/easy-rsa
         PKI: C:/Users/lev/easy-rsa/pki
   vars-file: Missing or undefined
  x509-types: C:/Program Files/OpenVPN/easy-rsa/x509-types
   CA status: CA has not been built

EasyRSA Shell
# easyrsa init-pki

Still hangs.

TinCanTech commented 7 months ago

Can you please open a full administrator command prompt and then start with EasyRSA-Start.bat (Not no-admin mode) and test again.

lstipakov commented 7 months ago

Can you please open a full administrator command prompt and then start with EasyRSA-Start.bat (Not no-admin mode) and test again.

Yes, in Admin prompt it works:

c:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke 'easyrsa' to call the program. Without commands, help is displayed.

Using directory: c:/Program Files/OpenVPN/easy-rsa

EasyRSA Shell
# easyrsa
+ EASYRSA_version=~VER~
+ NL=

+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [  ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=
+ val=
+ [  =  ]
+ is_empty=1
+ [  ]
+ is_empty=1
+ break
+ cmd=
+ [  ]
+ unset -v require_pki require_ca quiet_vars
+ quiet_vars=1
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [  ]
+ verify_working_env
+ cmd_help

Easy-RSA 3 usage and overview

Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]

To get detailed usage and help for a command, use:
  ./easyrsa help COMMAND

For a list of global-options, use:
  ./easyrsa help options

For a list of utility commands, use:
  ./easyrsa help util

A list of commands is shown below:
  init-pki [ cmd-opts ]
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <file_name_base> [ cmd-opts ]
  sign-req <type> <file_name_base> [ cmd-opts ]
  build-client-full <file_name_base> [ cmd-opts ]
  build-server-full <file_name_base> [ cmd-opts ]
  build-serverClient-full <file_name_base> [ cmd-opts ]
  inline <file_name_base>
  revoke <file_name_base> [ cmd-opts ]
  renew <file_name_base>
  revoke-renewed <file_name_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <file_name_base> [ cmd-opts ]
  show-cert <file_name_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  show-crl
  show-expire <file_name_base> (Optional)
  show-revoke <file_name_base> (Optional)
  show-renew <file_name_base> (Optional)
  verify-cert <file_name_base>
  import-req <request_file_path> <short_name_base>
  export-p1 <file_name_base> [ cmd-opts ]
  export-p7 <file_name_base> [ cmd-opts ]
  export-p8 <file_name_base> [ cmd-opts ]
  export-p12 <file_name_base> [ cmd-opts ]
  set-pass <file_name_base> [ cmd-opts ]
  write <type> [ cmd-opts ]

DIRECTORY STATUS (commands would take effect on these locations)
     EASYRSA: c:/Program Files/OpenVPN/easy-rsa
         PKI: c:/Program Files/OpenVPN/easy-rsa/pki
   vars-file: Missing or undefined
  x509-types: c:/Program Files/OpenVPN/easy-rsa/x509-types
   CA status: OK
  CA subject:
    commonName                = Easy-RSA CA

EasyRSA Shell
# easyrsa init-pki
+ EASYRSA_version=~VER~
+ NL=

+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [  ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=init-pki
+ val=init-pki
+ [ init-pki = init-pki ]
+ is_empty=1
+ [ init-pki ]
+ break
+ cmd=init-pki
+ [ init-pki ]
+ shift
+ unset -v require_pki require_ca quiet_vars
+ :
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [  ]
+ verify_working_env
+ init_pki

WARNING!!!

You are about to remove the EASYRSA_PKI at:
* c:/Program Files/OpenVPN/easy-rsa/pki

and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* c:/Program Files/OpenVPN/easy-rsa/pki

Using Easy-RSA configuration:
* undefined
+ [ 0 = 0 ]
+ cleanup ok

EasyRSA Shell
#

TinCanTech commented 7 months ago

And finally, please, can you copy the \easy-rsa folder to C:/Users/lev/easy-rsa and test again, without enabling non-admin mode. Just to be sure that still works.

lstipakov commented 7 months ago

Copied the content of easy-rsa folder from OpenVPN installation directory to c:\Users\lev\easy-rsa and ran under Admin command prompt. Got a hang:

C:\Users\lev\easy-rsa>dir
 Volume in drive C is Windows
 Volume Serial Number is 3CEF-379D

 Directory of C:\Users\lev\easy-rsa

07.02.2024  22.08    <DIR>          .
07.02.2024  17.04    <DIR>          ..
07.02.2024  22.08    <DIR>          bin
14.10.2023  00.27            11 430 ChangeLog
14.10.2023  00.27             1 256 COPYING.html
14.10.2023  00.27             1 305 COPYING.md
07.02.2024  22.08    <DIR>          doc
07.02.2024  10.13           173 404 easyrsa
02.02.2024  09.34               210 EasyRSA-Start.bat
07.02.2024  22.08    <DIR>          Licensing
14.10.2023  00.27             5 145 openssl-easyrsa.cnf
07.02.2024  22.08    <DIR>          pki
14.10.2023  00.27             4 256 README-Windows.txt
14.10.2023  00.27             2 464 README.html
14.10.2023  00.27             3 477 README.quickstart.html
14.10.2023  00.27             9 085 vars.example
07.02.2024  22.08    <DIR>          x509-types
              10 File(s)        212 032 bytes
               7 Dir(s)  213 506 449 408 bytes free

C:\Users\lev\easy-rsa>EasyRSA-Start.bat

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke 'easyrsa' to call the program. Without commands, help is displayed.

Using directory: C:/Users/lev/easy-rsa

EasyRSA Shell
# easyrsa init-pki

TinCanTech commented 7 months ago

Thanks for testing.

Looks like it will have to be Admin-Only for Windows..

TinCanTech commented 7 months ago

07.02.2024 10.13 173 404 easyrsa

This appears to be the wrong file.

The byte count for the file I want to be checked is 166,709. It should have the set -x in the file.

https://github.com/TinCanTech/easy-rsa/blob/win-write-access/easyrsa3/easyrsa

Please test command easyrsa and easyrsa init-pki; in a non-elevated window; in the copy of easy-rsa that you have made in your user directory.

lstipakov commented 7 months ago

I fetched the PR. The size difference is due to line endings (0D 0A vs 0A).

lstipakov commented 7 months ago

Does it work for you? Are you able to reproduce the problem?

TinCanTech commented 7 months ago

I only have Win10 for testing.

The strange thing about Win11 NOT hanging for easyrsa but then hanging for easyrsa init-pki is that, for the latter, the set -x does not even fire. There is no output from the script whatsoever.

I cannot explain or reproduce this.

TinCanTech commented 7 months ago

There is one tiny clue of possibility.

@lstipakov In this comment you explain that you run only easyrsa, which completes. However, while it starts with set -x enabled, it does not complete the same way. Somehow, set -x has been disabled.

There is no set +x within easyrsa ..

This is then followed by you calling easyrsa init-pki and that does not enable set -x, even though it should do.

You also run easyrsa init-pki first and it still hangs.

Probably a dead end..

TinCanTech commented 7 months ago

Something else you could try is:

Line:6479

# Hand off to the function responsible
# ONLY verify_working_env() for valid commands
case "$cmd" in
    init-pki|clean-all)
        #verify_working_env
        init_pki "$@"
        ;;

Comment out verify_working_env for init-pki, clutching at straws now ..

TinCanTech commented 7 months ago

If this is some limitation on the size of the script being loaded then I can make a PR to remove the here-doc expansion for the support files. This would be about 330 lines.

TinCanTech commented 7 months ago

aa22695 deliberately fails UT - So should manually testing easyrsa init-pki, instead of hanging. Please test with non-admin prompt.

TinCanTech commented 7 months ago

According to @lstipakov , this still hangs for Easy-RSA no-admin mode at init-pki.

TinCanTech commented 7 months ago

@lstipakov according to this discussion so far, the underlying problem seems to be related to sh:read, which W11 does not seem to respond to in non-admin mode.

Can you please try once more but delete any existing pki folder prior to testing init-pki.

Update: Deleting a pre-existing PKI manually has no effect on W11 behavior, according to @lstipakov

TinCanTech commented 7 months ago

Windows 11 behavior with MKSH:sh.exe remains, stubbornly, unchanged. For that reason, I am going to pursue the busybox.exe solution.

A new PR will follow. #1077 #1078