Closed TinCanTech closed 7 months ago
For the record:
Using a fully authenticated Windows command prompt, easyrsa works almost perfectly.
Here, testing is aimed at starting Windows menu item Start EasyRSA Shell (Non-admin) as an Admin user and not being faced with a complete failure.
Currently, init-pki fails to complete for an Admin user in Non-admin mode.
Windows UAC is the culprit. We do not want to force UAC activation for Non-admin mode but, instead, we switch to the user's home directory.
That is my understanding of the problem.
Fixing the admin user should also fix the standard user case.
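The fallback described above (use the user's home directory when the install directory is write-protected), as an added example; this is not code from the easyrsa script, and the names can_write_dir, choose_work_dir and the .write-probe directory are hypothetical. It probes with a real mkdir and creates the fallback directory under umask 077 so that PKI material is not readable by other users.

```shell
#!/bin/sh
# Added illustration; function and variable names are hypothetical,
# not taken from the easyrsa script.

# Return 0 if a directory can really be created under $1.
# The probe is an actual mkdir, which is removed again straight away.
can_write_dir() {
    probe="$1/.write-probe.$$"
    if mkdir "$probe" 2>/dev/null; then
        rmdir "$probe"
        return 0
    fi
    return 1
}

# Print the directory the PKI should live in: the install directory when
# it is writable, otherwise <home>/easy-rsa, created with owner-only access.
# $1 = install directory, $2 = user's home directory
choose_work_dir() {
    install_dir="$1"
    home_dir="$2"
    if can_write_dir "$install_dir"; then
        printf '%s\n' "$install_dir"
        return 0
    fi
    fallback="$home_dir/easy-rsa"
    # Subshell keeps the restrictive umask local to this mkdir.
    (umask 077; mkdir -p "$fallback") 2>/dev/null || return 1
    # Fail loudly instead of continuing with an unusable directory.
    can_write_dir "$fallback" || return 1
    printf '%s\n' "$fallback"
}

# Constructed demo: a path that cannot be written (here it does not exist)
# stands in for the write-protected install directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/home"
    choose_work_dir "$tmp/Program Files/easy-rsa" "$tmp/home"
    rm -rf "$tmp"
}
demo
```
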
Here you go:
Using no-admin mode
Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.
Invoke 'easyrsa' to call the program. Without commands, help is displayed.
Using directory: C:/Users/lev/easy-rsa
EasyRSA Shell
# easyrsa
+ EASYRSA_version=~VER~
+ NL=
+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [ ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=
+ val=
+ [ = ]
+ is_empty=1
+ [ ]
+ is_empty=1
+ break
+ cmd=
+ [ ]
+ unset -v require_pki require_ca quiet_vars
+ quiet_vars=1
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [ ]
+ verify_working_env
+ cmd_help
Easy-RSA 3 usage and overview
Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]
To get detailed usage and help for a command, use:
./easyrsa help COMMAND
For a list of global-options, use:
./easyrsa help options
For a list of utility commands, use:
./easyrsa help util
A list of commands is shown below:
init-pki [ cmd-opts ]
build-ca [ cmd-opts ]
gen-dh
gen-req <file_name_base> [ cmd-opts ]
sign-req <type> <file_name_base> [ cmd-opts ]
build-client-full <file_name_base> [ cmd-opts ]
build-server-full <file_name_base> [ cmd-opts ]
build-serverClient-full <file_name_base> [ cmd-opts ]
inline <file_name_base>
revoke <file_name_base> [ cmd-opts ]
renew <file_name_base>
revoke-renewed <file_name_base> [ cmd-opts ]
gen-crl
update-db
show-req <file_name_base> [ cmd-opts ]
show-cert <file_name_base> [ cmd-opts ]
show-ca [ cmd-opts ]
show-crl
show-expire <file_name_base> (Optional)
show-revoke <file_name_base> (Optional)
show-renew <file_name_base> (Optional)
verify-cert <file_name_base>
import-req <request_file_path> <short_name_base>
export-p1 <file_name_base> [ cmd-opts ]
export-p7 <file_name_base> [ cmd-opts ]
export-p8 <file_name_base> [ cmd-opts ]
export-p12 <file_name_base> [ cmd-opts ]
set-pass <file_name_base> [ cmd-opts ]
write <type> [ cmd-opts ]
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: C:/Users/lev/easy-rsa
PKI: C:/Users/lev/easy-rsa/pki
vars-file: Missing or undefined
x509-types: C:/Program Files/OpenVPN/easy-rsa/x509-types
CA status: CA has not been built
EasyRSA Shell
# easyrsa init-pki
Still hangs.
Can you please open a full administrator command prompt and then start with EasyRSA-Start.bat (Not no-admin mode) and test again.
Yes, in Admin prompt it works:
c:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.
Invoke 'easyrsa' to call the program. Without commands, help is displayed.
Using directory: c:/Program Files/OpenVPN/easy-rsa
EasyRSA Shell
# easyrsa
+ EASYRSA_version=~VER~
+ NL=
+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [ ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=
+ val=
+ [ = ]
+ is_empty=1
+ [ ]
+ is_empty=1
+ break
+ cmd=
+ [ ]
+ unset -v require_pki require_ca quiet_vars
+ quiet_vars=1
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [ ]
+ verify_working_env
+ cmd_help
Easy-RSA 3 usage and overview
Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]
To get detailed usage and help for a command, use:
./easyrsa help COMMAND
For a list of global-options, use:
./easyrsa help options
For a list of utility commands, use:
./easyrsa help util
A list of commands is shown below:
init-pki [ cmd-opts ]
build-ca [ cmd-opts ]
gen-dh
gen-req <file_name_base> [ cmd-opts ]
sign-req <type> <file_name_base> [ cmd-opts ]
build-client-full <file_name_base> [ cmd-opts ]
build-server-full <file_name_base> [ cmd-opts ]
build-serverClient-full <file_name_base> [ cmd-opts ]
inline <file_name_base>
revoke <file_name_base> [ cmd-opts ]
renew <file_name_base>
revoke-renewed <file_name_base> [ cmd-opts ]
gen-crl
update-db
show-req <file_name_base> [ cmd-opts ]
show-cert <file_name_base> [ cmd-opts ]
show-ca [ cmd-opts ]
show-crl
show-expire <file_name_base> (Optional)
show-revoke <file_name_base> (Optional)
show-renew <file_name_base> (Optional)
verify-cert <file_name_base>
import-req <request_file_path> <short_name_base>
export-p1 <file_name_base> [ cmd-opts ]
export-p7 <file_name_base> [ cmd-opts ]
export-p8 <file_name_base> [ cmd-opts ]
export-p12 <file_name_base> [ cmd-opts ]
set-pass <file_name_base> [ cmd-opts ]
write <type> [ cmd-opts ]
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: c:/Program Files/OpenVPN/easy-rsa
PKI: c:/Program Files/OpenVPN/easy-rsa/pki
vars-file: Missing or undefined
x509-types: c:/Program Files/OpenVPN/easy-rsa/x509-types
CA status: OK
CA subject:
commonName = Easy-RSA CA
EasyRSA Shell
# easyrsa init-pki
+ EASYRSA_version=~VER~
+ NL=
+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [ ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=init-pki
+ val=init-pki
+ [ init-pki = init-pki ]
+ is_empty=1
+ [ init-pki ]
+ break
+ cmd=init-pki
+ [ init-pki ]
+ shift
+ unset -v require_pki require_ca quiet_vars
+ :
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [ ]
+ verify_working_env
+ init_pki
WARNING!!!
You are about to remove the EASYRSA_PKI at:
* c:/Program Files/OpenVPN/easy-rsa/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
Confirm removal: yes
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* c:/Program Files/OpenVPN/easy-rsa/pki
Using Easy-RSA configuration:
* undefined
+ [ 0 = 0 ]
+ cleanup ok
EasyRSA Shell
#
And finally, please, can you copy the \easy-rsa folder to C:/Users/lev/easy-rsa and test again, without enabling non-admin mode. Just to be sure that still works.
Copied the content of easy-rsa folder from OpenVPN installation directory to c:\Users\lev\easy-rsa and ran under Admin command prompt. Got a hang:
C:\Users\lev\easy-rsa>dir
Volume in drive C is Windows
Volume Serial Number is 3CEF-379D
Directory of C:\Users\lev\easy-rsa
07.02.2024 22.08 <DIR> .
07.02.2024 17.04 <DIR> ..
07.02.2024 22.08 <DIR> bin
14.10.2023 00.27 11 430 ChangeLog
14.10.2023 00.27 1 256 COPYING.html
14.10.2023 00.27 1 305 COPYING.md
07.02.2024 22.08 <DIR> doc
07.02.2024 10.13 173 404 easyrsa
02.02.2024 09.34 210 EasyRSA-Start.bat
07.02.2024 22.08 <DIR> Licensing
14.10.2023 00.27 5 145 openssl-easyrsa.cnf
07.02.2024 22.08 <DIR> pki
14.10.2023 00.27 4 256 README-Windows.txt
14.10.2023 00.27 2 464 README.html
14.10.2023 00.27 3 477 README.quickstart.html
14.10.2023 00.27 9 085 vars.example
07.02.2024 22.08 <DIR> x509-types
10 File(s) 212 032 bytes
7 Dir(s) 213 506 449 408 bytes free
C:\Users\lev\easy-rsa>EasyRSA-Start.bat
Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.
Invoke 'easyrsa' to call the program. Without commands, help is displayed.
Using directory: C:/Users/lev/easy-rsa
EasyRSA Shell
# easyrsa init-pki
Thanks for testing.
Looks like it will have to be Admin-Only for Windows..
07.02.2024 10.13 173 404 easyrsa
This appears to be the wrong file.
The byte count for the file I want to be checked is 166,709. It should have the set -x in the file.
https://github.com/TinCanTech/easy-rsa/blob/win-write-access/easyrsa3/easyrsa
Please test command easyrsa and easyrsa init-pki; in a non-elevated window; in the copy of easy-rsa that you have made in your user directory.
I fetched the PR. The size difference is due to line endings (0D 0A vs 0A).
Does it work for you? Are you able to reproduce the problem?
I only have Win10 for testing.
mkdir -p, for non-admin. (Fixed)
init-pki hang, for non-admin.
The strange thing about Win11 NOT hanging for easyrsa but then hanging for easyrsa init-pki is that, for the latter, the set -x does not even fire. There is no output from the script whatsoever.
I cannot explain or reproduce this.
There is one tiny clue of possibility.
@lstipakov In this comment you explain that you run only easyrsa, which completes. However, while it starts with set -x enabled, it does not complete the same way. Somehow, set -x has been disabled.
There is no set +x within easyrsa..
This is then followed by you calling easyrsa init-pki and that does not enable set -x, even though it should do.
You also run easyrsa init-pki first and it still hangs.
Probably a dead end..
Something else you could try is:
Line:6479
    # Hand off to the function responsible
    # ONLY verify_working_env() for valid commands
    case "$cmd" in
    init-pki|clean-all)
        #verify_working_env
        init_pki "$@"
        ;;
Comment out verify_working_env for init-pki, clutching at straws now ..
If this is some limitation on the size of the script being loaded then I can make a PR to remove the here-doc expansion for the support files. This would be about 330 lines.
aa22695 deliberately fails UT - So should manually testing easyrsa init-pki, instead of hanging. Please test with non-admin prompt.
According to @lstipakov, this still hangs for Easy-RSA no-admin mode at init-pki.
@lstipakov according to this discussion so far, the underlying problem seems to be related to sh:read, which W11 does not seem to respond to in non-admin mode.
Can you please try once more but delete any existing pki folder prior to testing init-pki.
Update: Deleting a pre-existing PKI manually has no effect on W11 behavior, according to @lstipakov
Windows 11 behavior with MKSH:sh.exe remains, stubbornly, unchanged.
For that reason, I am going to pursue the busybox.exe solution.
A new PR will follow. #1077 #1078
Use 'set -x'
Expect 'mkdir' to fail for commands 'init-pki' and 'build-ca'