Closed TMTYD closed 2 years ago
Is this your first time using Easy-RSA 3, or have you upgraded to version 3.0.8 from an earlier release?
It's my first time using easy-rsa
How did you install Easy-RSA?
I got easy-rsa 3.0.8 via wget and then unpacked the tgz file.
I found this, can I use this? https://github.com/OpenVPN/easy-rsa/issues/363#issuecomment-614223703
Now I have installed easy-rsa via apt install, there is a safessl-easyrsa.cnf file in the directory, the version number is 3.0.6-1
Did you run ./easyrsa init-pki first?
yes of course
I found my mistake: I had this line in vars not commented out:
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
After commenting it out, it works.
Finding the cause is great.
Now I am curious why the default for EASYRSA_SSL_CONF does not work if specified in vars?
I can't tell you that; in any case, I've now commented it out and it works.
I also had the same issue, I edited vars and commented out "set_var EASYRSA_SSL_CONF" per TMTYD comment and am no longer receiving that error.
> Now I am curious why the default for EASYRSA_SSL_CONF does not work if specified in vars?
The easyrsa script checks whether the file pointed to by the variable does not exist and only creates a safessl-easyrsa.cnf in that case.
Specifically, if you point the EASYRSA_SSL_CONF variable to the location of the config at $EASYRSA/openssl-easyrsa.cnf, this:
if [ ! -f "$EASYRSA_SSL_CONF" ] && [ -f "$EASYRSA/openssl-easyrsa.cnf" ];
will always evaluate to false and not create a safessl file.
Not sure if this behavior matches up with the comment in the vars.example. In any case, the default value does not make sense to me. But since this option is in the advanced options section, you are probably better off leaving it alone anyways ^^
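To make the point above concrete, here is an added shell reproduction of that guard in a throwaway directory tree. It is not easy-rsa's own code: the functions, the scratch layout and the assumption that the script's built-in default for EASYRSA_SSL_CONF is $EASYRSA_PKI/safessl-easyrsa.cnf (as opposed to the value shown in vars.example) are mine. It walks both settings and shows that with the vars.example value the target file is the template itself, so the "does not exist yet" half of the guard can never be true.

```shell
# Added example (not easy-rsa's own code): reproduce the safessl guard quoted in
# the thread and show why pointing EASYRSA_SSL_CONF at the template disables it.

# Build a throwaway layout: $EASYRSA holds the template next to the script,
# $EASYRSA_PKI is what init-pki would create. Sets the globals for the callers.
setup_layout() {
    EASYRSA=$(mktemp -d) || return 1
    EASYRSA_PKI="$EASYRSA/pki"
    mkdir -p "$EASYRSA_PKI"
    # Single quotes keep the $dir placeholder literal, as in the real template.
    printf '[ ca ]\ndefault_ca = CA_default\n[ CA_default ]\ndir = $dir\n' \
        > "$EASYRSA/openssl-easyrsa.cnf"
}

# The guard as quoted in the thread. Returns 0 when the script would go on to
# generate the safe config, 1 when it silently skips the step.
would_generate_safessl() {
    [ ! -f "$EASYRSA_SSL_CONF" ] && [ -f "$EASYRSA/openssl-easyrsa.cnf" ]
}

# Evaluate the guard for one vars setting. An empty argument stands for the
# commented-out line in vars, i.e. the script default (assumed here to be
# $EASYRSA_PKI/safessl-easyrsa.cnf); otherwise it is the set_var value.
# Prints "generate" or "skip".
decide() {
    EASYRSA_SSL_CONF=${1:-"$EASYRSA_PKI/safessl-easyrsa.cnf"}
    if would_generate_safessl; then echo generate; else echo skip; fi
}

# Walk both settings side by side and clean up the scratch tree.
demo() {
    setup_layout || return 1
    echo "default (line commented out):         $(decide)"
    echo "vars: \$EASYRSA/openssl-easyrsa.cnf:   $(decide "$EASYRSA/openssl-easyrsa.cnf")"
    rm -rf "$EASYRSA"
}

demo
```

The second line of the output is always "skip": the override names a file that exists (the template), so the guard fails before the script ever looks at the template, and no safessl-easyrsa.cnf is produced.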
@Prouflon If you have analysed the problem and can see a solution, could you provide a patch/PR?
The solution is to leave the advanced options alone, if you don't understand them.
Obviously the documentation in the vars.example is misleading to some (including me), but I wouldn't know how to rewrite it, because I don't know what that variable is actually for.
If I change vars:
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
to a valid setting and then easyrsa borks, who is at fault?
Am I at fault for setting an alternate but yet valid setting, or is easyrsa at fault for allowing me to change something which the script cannot handle correctly?
For The Record:
There are numerous circumstances where EASYRSA_SSL_CONF simply does not work as intended.
The example above by @Prouflon is only one in a variety of others.
I just found out that the default value in the easyrsa script is actually different, so fixing vars.example to reflect that should protect future users from uncommenting this wrong default value. Then easyrsa works as expected.
So what is the work around here? I had a working ovpn setup, allowed the server to apply security patches, and now I get this trying to generate new profiles:
Can't open ....../pki/safessl-easyrsa.cnf for reading, No such file or directory
I have a completely default vars file with EASYRSA_SSL_CONF commented out:
#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
But I'm not clear at all how to get rid of that error. openssl-easyrsa.cnf does exist, but not safessl-easyrsa.cnf - I'm not clear if they're even supposed to be the same file or not.
The safessl-easyrsa.cnf is created from the openssl-easyrsa.cnf, but the bash variables are replaced with their actual values.
You could try to create the file by copying and filling them in. If you know sed, you can have a look at this command, where the easyrsa script generates the safessl-easyrsa.cnf.
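For anyone who wants to build the file by hand as suggested above, here is an added example of that substitution step. It is not easy-rsa's own makesafeconf code: the template it writes is a constructed stand-in for openssl-easyrsa.cnf, the list of placeholders it knows ($dir, $EASYRSA_PKI, $EASYRSA_CERT_EXPIRE, $EASYRSA_DIGEST, $EASYRSA_KEY_SIZE) and the fallback values sha256/2048/825 are my assumptions about the real template, and the refusal to emit a file with an unexpanded placeholder is an extra check the thread does not mention.

```shell
# Added example (not easy-rsa's own code): expand the shell-style placeholders of
# an openssl-easyrsa.cnf template into a safessl-easyrsa.cnf with sed, and fail
# loudly if anything that looks like a placeholder survives.

# write_template FILE: a constructed template mimicking the placeholders in
# openssl-easyrsa.cnf. The quoted heredoc keeps the $variables literal.
write_template() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
database        = $dir/index.txt
new_certs_dir   = $dir
certificate     = $dir/ca.crt
serial          = $dir/serial
private_key     = $dir/private/ca.key
default_days    = $EASYRSA_CERT_EXPIRE
default_md      = $EASYRSA_DIGEST

[ req ]
default_bits    = $EASYRSA_KEY_SIZE
default_md      = $EASYRSA_DIGEST
EOF
}

# make_safe_conf TEMPLATE OUT: substitute the placeholders from the environment.
# | is the sed delimiter so paths containing / work; | or & in EASYRSA_PKI would
# corrupt the sed expression, so such paths are rejected up front. The defaults
# for digest, key size and expiry are assumed, not read from easy-rsa.
make_safe_conf() {
    template=$1 out=$2
    case "$EASYRSA_PKI" in
        ''|*'|'*|*'&'*) echo "EASYRSA_PKI unset or contains | or &" >&2; return 1 ;;
    esac
    : "${EASYRSA_DIGEST:=sha256}" "${EASYRSA_KEY_SIZE:=2048}" "${EASYRSA_CERT_EXPIRE:=825}"
    # Patterns are single-quoted so the shell leaves the literal $name alone;
    # a $ that is not at the end of a BRE is an ordinary character for sed.
    sed -e 's|$dir|'"$EASYRSA_PKI"'|g' \
        -e 's|$EASYRSA_PKI|'"$EASYRSA_PKI"'|g' \
        -e 's|$EASYRSA_CERT_EXPIRE|'"$EASYRSA_CERT_EXPIRE"'|g' \
        -e 's|$EASYRSA_DIGEST|'"$EASYRSA_DIGEST"'|g' \
        -e 's|$EASYRSA_KEY_SIZE|'"$EASYRSA_KEY_SIZE"'|g' \
        "$template" > "$out" || return 1
    # A leftover $name means the template uses a variable this list does not
    # know: fail instead of handing openssl a config with a literal "$dir".
    if grep -q '\$[A-Za-z_]' "$out"; then
        echo "unexpanded placeholder in $out:" >&2
        grep -n '\$[A-Za-z_]' "$out" >&2
        return 1
    fi
}

# Stand-alone run: write the template into a scratch pki dir, expand it, show it.
demo() {
    EASYRSA_PKI=$(mktemp -d) || return 1
    write_template "$EASYRSA_PKI/openssl-easyrsa.cnf"
    make_safe_conf "$EASYRSA_PKI/openssl-easyrsa.cnf" "$EASYRSA_PKI/safessl-easyrsa.cnf" \
        && cat "$EASYRSA_PKI/safessl-easyrsa.cnf"
    rm -rf "$EASYRSA_PKI"
}

demo
```

Against a real installation, point make_safe_conf at the packaged openssl-easyrsa.cnf and at $EASYRSA_PKI/safessl-easyrsa.cnf with EASYRSA_PKI exported; if it reports an unexpanded placeholder, add that variable to the sed list rather than deleting the check.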
> The easyrsa script checks whether the file pointed to by the variable does not exist and only creates a safessl-easyrsa.cnf in that case.
Trying to track this down, I think the problem is: https://github.com/OpenVPN/easy-rsa/blob/381fda9a934ec32547d6548489482a5d1068df32/easyrsa3/easyrsa#L561-L566
This needs improvement.
Yeah, this block is very problematic.
If openssl-easyrsa.cnf is not in the directory $EASYRSA, the directory of the script, then nothing happens.
When installing easyrsa with a package manager, $EASYRSA is probably /usr/bin. Either by symlink, or the easyrsa script is just there. The openssl-easyrsa.cnf usually lands in /etc/easyrsa or something similar.
This block can only work if the script and the config are in the same directory (and will never work if the current line in vars.example is not commented out, because both if statements are mutually exclusive).
Without changing much, I would propose something like:
[ -f "$EASYRSA_SSL_CONF" ] && easyrsa_openssl makesafeconf || die "$EASYRSA_SSL_CONF does not exist!"
This requires the openssl-easyrsa.cnf to be present in the $EASYRSA_PKI directory though...
@gatos-cc A solution to try is to download openssl-easyrsa.cnf to your EasyRSA-PKI folder. Then try building a test client.
It might be desirable to copy the default config into newly generated $PKI directories.
As before, try to copy from the $EASYRSA base directory, but additionally search common global configuration directories (if easyrsa was not cloned directly from github, but rather installed via package manager).
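As an added illustration of the search-then-copy idea in that comment (and of the manual workaround of dropping openssl-easyrsa.cnf into the PKI folder), here is a shell helper that is not part of easy-rsa. It looks next to the script first, then in a list of package-style global directories, and copies the first hit into $EASYRSA_PKI without clobbering a copy that is already there. The default directory list (/etc/easy-rsa, /usr/share/easy-rsa, /usr/local/share/easy-rsa) and the EASYRSA_TEMPLATE_DIRS override variable are my assumptions, not easy-rsa settings.

```shell
# Added example (not easy-rsa's own code): locate openssl-easyrsa.cnf and copy it
# into the PKI directory so a later safe-config step has a template to work from
# even when the script lives in /usr/bin and the config in /etc.

# find_template DIR...: print the first DIR/openssl-easyrsa.cnf that exists.
# Empty entries (an unset $EASYRSA) are skipped rather than treated as ".".
find_template() {
    for d in "$@"; do
        [ -n "$d" ] && [ -f "$d/openssl-easyrsa.cnf" ] && {
            printf '%s\n' "$d/openssl-easyrsa.cnf"
            return 0
        }
    done
    return 1
}

# install_template_into_pki: search $EASYRSA, then the global directories in
# EASYRSA_TEMPLATE_DIRS (space separated; the default list is an assumption
# about common distro layouts), and copy the template into $EASYRSA_PKI.
# A copy that already exists in the PKI is left untouched, so a locally
# edited template is never silently replaced.
install_template_into_pki() {
    [ -d "$EASYRSA_PKI" ] || { echo "run init-pki first: $EASYRSA_PKI missing" >&2; return 1; }
    dest="$EASYRSA_PKI/openssl-easyrsa.cnf"
    if [ -f "$dest" ]; then
        echo "keeping existing $dest"
        return 0
    fi
    # Word splitting of the directory list is intended here.
    src=$(find_template "$EASYRSA" \
            ${EASYRSA_TEMPLATE_DIRS:-/etc/easy-rsa /usr/share/easy-rsa /usr/local/share/easy-rsa}) \
        || { echo "openssl-easyrsa.cnf not found in $EASYRSA or the global config dirs" >&2; return 1; }
    cp "$src" "$dest" && echo "copied $src -> $dest"
}
```

Usage: source the file with EASYRSA and EASYRSA_PKI set as easyrsa sets them, run init-pki, then call install_template_into_pki before building requests; a non-zero return means neither the script directory nor any global directory held the template.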
I implemented the changes I would make in #502 Do you think something like this is the way to go, or do you want to make other changes to how configuration files are handled?
Linking: #499
Please try again with git/master.
Closed via https://github.com/OpenVPN/easy-rsa/pull/528
Or please re-open.
Hi,
when I run ./easyrsa sign-req server, the following error message appears.
The entire directory does not contain a safessl-easyrsa.cnf file; where can I find it?
The only *.cnf file is openssl-easyrsa.cnf.