OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Error using --startdate/--enddate #1110

Closed nobody-important-23 closed 5 months ago

nobody-important-23 commented 5 months ago

Thank you for Easy-RSA, it's a real time saver!

That said, I ran into a problem creating a client cert/key pair when explicitly specifying the Start and End dates, that I wanted to make you aware of.

When I entered:

easy-rsa --startdate=20240410000000Z --enddate=20240411000000Z build-client-full testcrt nopass

I received this error:

req: Error on line 31 of config file "/root/test/pki/openssl-easyrsa.cnf" 00206137CA240000:error:07000068:configuration file routines:str_copy:variable has no value:/usr/src/crypto/openssl/crypto/conf/conf_def.c:768:line 31

Easy-RSA error:

easyrsa_openssl - Command has failed:

* openssl req -utf8 -new -newkey rsa:2048 -keyout /root/test/pki/6f16c7b1/temp.1.1 -out /root/test/pki/6f16c7b1/temp.2.1 -noenc -batch

Work Around

I investigated the error and found that the problem seems to be caused by line 31 of pki/openssl-easyrsa.cnf, and I could get things to work by changing line 31 from:

default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for

to:

default_days = 1 # how long to certify for

Sample Run

I am including the following sample run to provide context regarding what exactly I did to cause this error (I apologise if this is too long, I'm just trying to be helpful)...

Script started on Fri Apr  5 14:21:40 2024

root@hostname: # which easy-rsa
/usr/local/bin/easy-rsa

root@hostname: # easy-rsa --version
EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:51 CDT 2023
SSL Lib:     OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa

root@hostname: # easy-rsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /root/test/pki

Using Easy-RSA configuration:
* undefined

root@hostname: # easy-rsa make-vars > pki/vars
root@hostname: # easy-rsa --days=365 build-ca
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars

Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

Enter New CA Key Passphrase: 

Confirm New CA Key Passphrase: 
.+....+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..........+.....+......+.+........+......+.......+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+........+.........+......+.........+......+.+...........+......................+..+......+.........+...+.+.....+.......+...+.....+....+............+........+.+..+...+.+...+..+.+..+...+.............+............+.......................+.+......+..+...+....+.........+............+.....+...............+.......+..+......+.........+......+..................+..........+..+...+....+..+.+........+.........+.+..+...+......+...+..........+..+....+............+..+...+....+...+.....+.+..+...+.+.....................+...+.....+.+........+.......+...+.....+...+...+.......+...+.....+....+..+.+.........+...+..+.............+...+...+.....+....+......+.....+......+.+.....+.........+..............................+...+.+..+.......+.....+...+............+.+..+..........+..+.......+.....+.+...+..+...+......+.+..+......+..........+..............+............+......+....+........+............................+........................+......+...............+..+...+.........+..........+...+...+.....+.........+.+...+.....+.+...........+...+.+.....+.............+......+..............+...+....+........+..........+.....+......+.+...+...+..+.+......+......+............+..+.........+.......+.....+.........+...+............+...+...+............+...+....+........+......+..........+.....+.+...+.......................+...+..........+..+.......+......+......+...+...+...+......+....................+.+...+......+..............+.....................+......+....+.....+...+.+.....+....+......+..+....+...+..+..................+.......+...+..+......+....+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:test

Notice
------
CA creation complete. Your new CA certificate is at:
* /root/test/pki/ca.crt

root@hostname: # echo Now attempt to build-client-full with specified start and end dates
Now attempt to build-client-full with specified start and end dates

root@hostname: # easy-rsa --startdate=20240410000000Z --enddate=20240411000000Z build-client-full testcrt nopass
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars

Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
req: Error on line 31 of config file "/root/test/pki/openssl-easyrsa.cnf"
00206137CA240000:error:07000068:configuration file routines:str_copy:variable has no value:/usr/src/crypto/openssl/crypto/conf/conf_def.c:768:line 31

Easy-RSA error:

easyrsa_openssl - Command has failed:
* openssl req -utf8 -new -newkey rsa:2048 -keyout /root/test/pki/6f16c7b1/temp.1.1 -out /root/test/pki/6f16c7b1/temp.2.1 -noenc -batch

EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:51 CDT 2023
SSL Lib:     OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | nix | FreeBSD | /bin/tcsh

root@hostname: # echo Change line 31 of pki/openssl-easyrsa.cnf
Change line 31 of pki/openssl-easyrsa.cnf
root@hostname: # vi pki/openssl-easyrsa.cnf
~~~ snipped ~~~
Changed line 31 of pki/openssl-easyrsa.cnf...
From:
default_days    = $ENV::EASYRSA_CERT_EXPIRE     # how long to certify for
To:
default_days    = 1     # how long to certify for
~~~ snipped ~~~

root@hostname: # echo Now Try Again
Now Try Again

root@hostname: # easy-rsa --startdate=20240410000000Z --enddate=20240411000000Z build-client-full testcrt nopass
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars

Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
.......+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+........+......+......+.......+.....+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...........+.......+......+...........+...+.+......+.....+...+.......+.........+..+...+....+......+.................+...+.........+...+..........+...+.....+.+......+...+......+.....+......+.........+.+........+............+.............+......+...+........+............+......+.+.....+.........................+.....+...............+.+...+......+...+.....+.+..+...+.......+...+..............+.+.....+......+......+....+........+...+.......+........+............+...+.......+.....+................+...........+.+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+....+..+...+..........+..+.+...+.....+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+...+......+.....+...+...+.........+.+.....+.......+..+......+....+...+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /root/test/pki/reqs/testcrt.req
* key: /root/test/pki/private/testcrt.key 

You are about to sign the following certificate:
Request subject, to be signed as a client certificate 
until date '20240411000000Z':

subject=
    commonName                = testcrt

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /root/test/pki/openssl-easyrsa.cnf
Enter pass phrase for /root/test/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testcrt'
Certificate is to be certified until Apr 11 00:00:00 2024 GMT (5 days)

Write out database with 1 new entries
Database updated

Notice
------
Certificate created at:
* /root/test/pki/issued/testcrt.crt

Notice
------
Inline file created:
* /root/test/pki/inline/testcrt.inline

root@hostname: # easy-rsa show-cert testcrt
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars

Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

Notice
------
Showing 'cert' details for: 'testcrt'

This file is stored at:
* /root/test/pki/issued/testcrt.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:ec:a0:ed:57:03:6c:d2:f9:53:d6:f0:88:f4:5f:93
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = test
        Validity
            Not Before: Apr 10 00:00:00 2024 GMT
            Not After : Apr 11 00:00:00 2024 GMT
        Subject:
            commonName                = testcrt
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                F2:8B:FD:69:23:10:90:08:B4:27:1C:2C:A3:CB:D8:20:B4:65:98:03
            X509v3 Authority Key Identifier: 
                keyid:C1:33:5F:CB:1B:52:48:1B:FC:C9:6F:3E:85:51:A4:F0:A3:5C:D1:4D
                DirName:/CN=test
                serial:0B:6F:86:CF:64:32:AE:27:B6:71:E8:4C:E9:E0:F8:9F:5A:24:BF:76
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature

root@hostname: # exit
exit

Script done on Fri Apr  5 14:26:15 2024
TinCanTech commented 5 months ago

This has been fixed in current master branch, to be v3.2.0.

Instead of your work around, the correct solution is to comment out:

default_days    = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for

from openssl-easyrsa.cnf.

First reported: #1056
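
Why both the reporter's work-around (hard-coding `default_days = 1`) and the maintainer's fix (commenting the directive out) make the error go away comes down to how OpenSSL loads a config file: every `$ENV::NAME` reference is expanded when the file is parsed, even in directives such as `default_days` that `openssl req` never consults, and an unset variable is a hard "variable has no value" error. The following Python model, added here as an example and not code from Easy-RSA or OpenSSL, reproduces that behaviour on a constructed config excerpt. It assumes, based on the error text above, that `EASYRSA_CERT_EXPIRE` is simply left unset on the `--startdate/--enddate` path; the section names and the `dir` value are taken from the transcript, the line numbers are those of the constructed excerpt.

```python
import os
import re

# Constructed excerpt in the style of pki/openssl-easyrsa.cnf (not the real file);
# the $ENV:: references on lines 5 and 6 stand in for the ones the real file carries.
CNF_WITH_ENV = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir          = $ENV::EASYRSA_PKI
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
"""

# The maintainer's fix: comment the directive out entirely.
CNF_COMMENTED = CNF_WITH_ENV.replace("default_days =", "#default_days =")
# The reporter's work-around: hard-code a value instead of referencing the variable.
CNF_HARDCODED = CNF_WITH_ENV.replace("$ENV::EASYRSA_CERT_EXPIRE", "1")


class ConfError(ValueError):
    """Mirrors OpenSSL's CONF_R_VARIABLE_HAS_NO_VALUE for a missing $ENV:: variable."""


_ENV_REF = re.compile(r"\$\{?ENV::(\w+)\}?")


def expand_value(value, env):
    """Expand every $ENV::NAME reference in a value. An unset variable is a hard error;
    an empty-but-set one is not, which matches OpenSSL's getenv()-based lookup."""
    def repl(match):
        name = match.group(1)
        if name not in env:
            raise ConfError(f"str_copy:variable has no value:ENV::{name}")
        return env[name]
    return _ENV_REF.sub(repl, value)


def load_conf(text, env=None):
    """Parse a whole config file eagerly, as OpenSSL's CONF loader does: every $ENV::
    reference is expanded at load time, even in directives (such as default_days,
    read only by 'openssl ca') that the current command never consults."""
    env = os.environ if env is None else env
    sections, current = {"default": {}}, "default"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, val = line.partition("=")
        try:
            sections[current][key.strip()] = expand_value(val.strip(), env)
        except ConfError as exc:
            raise ConfError(f"Error on line {lineno} of config file: {exc}") from None
    return sections


def simulate_req(text, env):
    """Return 'ok' if 'openssl req' could load this config, else the error it would report."""
    try:
        load_conf(text, env)
        return "ok"
    except ConfError as exc:
        return f"req: {exc}"


def demonstrate():
    """Outcomes for the three config variants when EASYRSA_CERT_EXPIRE is left unset,
    as assumed for the --startdate/--enddate code path."""
    env_without_expire = {"EASYRSA_PKI": "/root/test/pki"}   # constructed environment
    return {
        "env_ref": simulate_req(CNF_WITH_ENV, env_without_expire),
        "commented_out": simulate_req(CNF_COMMENTED, env_without_expire),
        "hardcoded": simulate_req(CNF_HARDCODED, env_without_expire),
    }


if __name__ == "__main__":
    for variant, result in demonstrate().items():
        print(f"{variant:14s} {result}")
```

The practical rule this illustrates: a `$ENV::` reference in an OpenSSL config must be defined on every code path that loads the file, not only on the paths that use the directive, otherwise an unrelated command (`req` here) fails at parse time. Removing the reference, as the v3.2.0 fix does, is safer than hard-coding a day count, because a literal `default_days` silently becomes the fallback whenever no explicit end date is given.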

nobody-important-23 commented 5 months ago

Thank you!