OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

safessl-easyrsa.cnf not found #429

Closed TMTYD closed 2 years ago

TMTYD commented 3 years ago

Hi

When I run ./easyrsa sign-req server, the following error message appears.

Can't open /xxx/xxx/EasyRSA-3.0.8/pki/safessl-easyrsa.cnf for reading, No such file or directory
140245874099392:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/xxx/xxx/EasyRSA-3.0.8/pki/safessl-easyrsa.cnf','r')
140245874099392:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
Can't open /xxx/xxx/EasyRSA-3.0.8/pki/safessl-easyrsa.cnf for reading, No such file or directory
140044129301696:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/xxx/xxx/EasyRSA-3.0.8/pki/safessl-easyrsa.cnf','r')
140044129301696:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:

The entire directory does not contain a safessl-easyrsa.cnf file, where can I find it?

The only *.cnf file is openssl-easyrsa.cnf.

TinCanTech commented 3 years ago

Is this your first time using Easy-RSA3, or have you upgraded to version 3.0.8 from an earlier release?

TMTYD commented 3 years ago

It's my first time using easy-rsa

TinCanTech commented 3 years ago

How did you install Easy-RSA?

TMTYD commented 3 years ago

I got easy-rsa 3.0.8 via wget and then unzipped the tgz file.

TMTYD commented 3 years ago

I found this, can I use this? https://github.com/OpenVPN/easy-rsa/issues/363#issuecomment-614223703

Now I have installed easy-rsa via apt install; there is a safessl-easyrsa.cnf file in the directory, and the version number is 3.0.6-1.

TinCanTech commented 3 years ago

Did you run ./easyrsa init-pki first?

TMTYD commented 3 years ago

yes of course

TMTYD commented 3 years ago

I found my mistake: I have this line in vars not commented out: set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf". After commenting it out, it works.

TinCanTech commented 3 years ago

Finding the cause is great.

Now I am curious why the default for EASYRSA_SSL_CONF does not work if specified in vars?

TMTYD commented 3 years ago

I can't tell you that. In any case, I've now commented it out and it works.

x1hash commented 3 years ago

I also had the same issue, I edited vars and commented out "set_var EASYRSA_SSL_CONF" per TMTYD comment and am no longer receiving that error.

Prouflon commented 3 years ago

Now I am curious why the default for EASYRSA_SSL_CONF does not work if specified in vars?

The easyrsa script checks whether the file pointed to by the variable does not exist and only creates a safessl-easyrsa.cnf in that case.

Specifically, if you point the EASYRSA_SSL_CONF variable to the location of the config at $EASYRSA/openssl-easyrsa.cnf, this: if [ ! -f "$EASYRSA_SSL_CONF" ] && [ -f "$EASYRSA/openssl-easyrsa.cnf" ]; will always evaluate to false and not create a safessl file.

Not sure if this behavior matches up with the comment in the vars.example. In any case, the default value does not make sense to me. But since this option is in the advanced options section, you are probably better off leaving it alone anyways ^^

TinCanTech commented 3 years ago

@Prouflon If you have analysed the problem and can see a solution, could you provide a patch/PR?

Prouflon commented 3 years ago

The solution is to leave the advanced options alone if you don't understand them.

Obviously the documentation in the vars.example is misleading to some (including me), but I wouldn't know how to rewrite it, because I don't know what that variable is actually for.

TinCanTech commented 3 years ago

If I change vars: set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" to a valid setting and then easyrsa borks, who is at fault?

Am I at fault for setting an alternate but yet valid setting, or is easyrsa at fault for allowing me to change something which the script cannot handle correctly?

TinCanTech commented 3 years ago

For The Record:

There are numerous circumstances where EASYRSA_SSL_CONF simply does not work as intended. The example above by @Prouflon is only one of many.

Prouflon commented 3 years ago

I just found out that the default value in the easyrsa script is actually different. So fixing the vars.example to reflect that should protect future users from uncommenting this wrong default value. Then easyrsa works as expected.

gatos-cc commented 3 years ago

So what is the work around here? I had a working ovpn setup, allowed the server to apply security patches, and now I get this trying to generate new profiles:

Can't open ....../pki/safessl-easyrsa.cnf for reading, No such file or directory

I have a completely default vars file with EASYRSA_SSL_CONF commented out:

#set_var EASYRSA_SSL_CONF       "$EASYRSA/openssl-easyrsa.cnf"

But I'm not clear at all how to get rid of that error. openssl-easyrsa.cnf does exist, but not safessl-easyrsa.cnf - I'm not clear if they're even supposed to be the same file or not.

Prouflon commented 3 years ago

The safessl-easyrsa.cnf is created from the openssl-easyrsa.cnf, but the bash variables are replaced with their actual values.

You could try to create the file by copying and filling them in. If you know sed, you can have a look at this command, where the easyrsa script generates the safessl-easyrsa.cnf.

TinCanTech commented 2 years ago

The easyrsa script checks whether the file pointed to by the variable does not exist and only creates a safessl-easyrsa.cnf in that case.

Trying to track this down, I think the problem is: https://github.com/OpenVPN/easy-rsa/blob/381fda9a934ec32547d6548489482a5d1068df32/easyrsa3/easyrsa#L561-L566

This needs improvement.

Prouflon commented 2 years ago

Yeah, this block is very problematic. If openssl-easyrsa.cnf is not in the directory $EASYRSA, the directory of the script, then nothing happens. When installing easyrsa with a package manager, $EASYRSA is probably /usr/bin, either by symlink or because the easyrsa script is just there. The openssl-easyrsa.cnf usually lands in /etc/easyrsa or something similar.

This block can only work if the script and the config are in the same directory (and will never work if the current line in vars.example is not commented out, because both if statements are mutually exclusive).

Without changing much, I would propose something like:

[ -f "$EASYRSA_SSL_CONF" ] && easyrsa_openssl makesafeconf || die "$EASYRSA_SSL_CONF does not exist!"

This requires the openssl-easyrsa.cnf to be present in the $EASYRSA_PKI directory though...

TinCanTech commented 2 years ago

@gatos-cc A solution to try is to download openssl-easyrsa.cnf to your EasyRSA-PKI folder. Then try building a test client.

Prouflon commented 2 years ago

It might be desirable to copy the default config into newly generated $PKI directories. As before, try to copy from the $EASYRSA base directory, but additionally search common global configuration directories (if easyrsa was not cloned directly from github, but rather installed via package manager).

I implemented the changes I would make in #502. Do you think something like this is the way to go, or do you want to make other changes to how configuration files are handled?

Snippet: https://github.com/OpenVPN/easy-rsa/blob/9936ef00800a08951ea9f9611fae3b98ed886ced/easyrsa3/easyrsa#L563-L570
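The behaviour discussed in this thread (the original existence check, generating safessl-easyrsa.cnf from openssl-easyrsa.cnf by substituting the shell variables, and the proposal to search the PKI and global configuration directories and fail loudly), as an added example that is not easy-rsa's own code and was not posted by anyone here. It runs entirely in a temporary directory with a constructed template. The sed substitution list, the EASYRSA_GLOBAL_DIRS name and the assumed script default of $EASYRSA_PKI/safessl-easyrsa.cnf are assumptions of this example, not taken from the easyrsa script.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code and not from any commenter. It models,
# in a throw-away directory, (1) the original "generate safessl-easyrsa.cnf
# only when EASYRSA_SSL_CONF is missing" check and why the vars.example value
# defeats it, (2) generating the safe config from openssl-easyrsa.cnf by
# substituting the $EASYRSA_* placeholders, and (3) the proposed direction:
# look for the template in the PKI dir and global config dirs, and fail loudly
# when it is absent. The sed list, the EASYRSA_GLOBAL_DIRS name and the assumed
# script default ($EASYRSA_PKI/safessl-easyrsa.cnf) belong to this example.

# Build a scratch $EASYRSA holding a constructed template (not the real file).
setup_scenario() {
    EASYRSA=$(mktemp -d)
    EASYRSA_PKI="$EASYRSA/pki"
    mkdir -p "$EASYRSA_PKI" "$EASYRSA/etc/easy-rsa"
    EASYRSA_GLOBAL_DIRS="$EASYRSA/etc/easy-rsa"   # stands in for /etc/easy-rsa
    EASYRSA_DN=cn_only
    EASYRSA_REQ_CN=ChangeMe
    printf '%s\n' '# constructed sample template' '[ ca ]' 'dir = $EASYRSA_PKI' \
        '[ req ]' 'commonName_default = $EASYRSA_REQ_CN' 'dn_mode = $EASYRSA_DN' \
        > "$EASYRSA/openssl-easyrsa.cnf"
}

# Locate openssl-easyrsa.cnf: script dir, then PKI dir, then global dirs.
find_openssl_template() {
    for d in "$EASYRSA" "$EASYRSA_PKI" $EASYRSA_GLOBAL_DIRS; do
        if [ -f "$d/openssl-easyrsa.cnf" ]; then
            printf '%s\n' "$d/openssl-easyrsa.cnf"
            return 0
        fi
    done
    return 1
}

# Write the "safe" config: every placeholder replaced by its value, so openssl
# never reads a literal $EASYRSA_PKI. ([$] is a literal dollar in sed BRE.)
make_safe_conf() {
    sed -e "s|[$]EASYRSA_PKI|$EASYRSA_PKI|g" \
        -e "s|[$]EASYRSA_REQ_CN|$EASYRSA_REQ_CN|g" \
        -e "s|[$]EASYRSA_DN|$EASYRSA_DN|g" "$1" > "$2"
}

# True when no unexpanded $EASYRSA_* placeholder survived substitution.
is_safe() {
    ! grep -q '[$]EASYRSA_' "$1"
}

# The check quoted in the thread. With EASYRSA_SSL_CONF pointing at the template
# itself, the two tests can never both be true, so the safe file is never made.
original_check() {
    [ ! -f "$EASYRSA_SSL_CONF" ] && [ -f "$EASYRSA/openssl-easyrsa.cnf" ]
}

# $1 = "vars_example" (the uncommented line from vars.example) or "default".
# Prints "generated", "skipped" or "unsafe".
original_block_outcome() {
    setup_scenario
    case $1 in
        vars_example) EASYRSA_SSL_CONF="$EASYRSA/openssl-easyrsa.cnf" ;;
        *)            EASYRSA_SSL_CONF="$EASYRSA_PKI/safessl-easyrsa.cnf" ;;
    esac
    if original_check; then
        make_safe_conf "$EASYRSA/openssl-easyrsa.cnf" "$EASYRSA_PKI/safessl-easyrsa.cnf"
        if is_safe "$EASYRSA_PKI/safessl-easyrsa.cnf"; then echo generated; else echo unsafe; fi
    else
        echo skipped
    fi
    rm -rf "$EASYRSA"
}

# $1 = "present" (template beside the script), "packaged" (template only in a
# global config dir, as with a package-manager install) or "absent".
# Prints "generated" or "missing" (the point where the real script would die).
fixed_block_outcome() {
    setup_scenario
    EASYRSA_SSL_CONF="$EASYRSA_PKI/safessl-easyrsa.cnf"
    case $1 in
        packaged) mv "$EASYRSA/openssl-easyrsa.cnf" "$EASYRSA/etc/easy-rsa/" ;;
        absent)   rm -f "$EASYRSA/openssl-easyrsa.cnf" ;;
    esac
    if template=$(find_openssl_template); then
        make_safe_conf "$template" "$EASYRSA_SSL_CONF"
        echo generated
    else
        echo missing
    fi
    rm -rf "$EASYRSA"
}

echo "original check, vars.example value : $(original_block_outcome vars_example)"
echo "original check, script default     : $(original_block_outcome default)"
echo "proposed fix, packaged template    : $(fixed_block_outcome packaged)"
echo "proposed fix, no template anywhere : $(fixed_block_outcome absent)"
```

Run it with sh. The first line prints "skipped": pointing EASYRSA_SSL_CONF at the template makes the two tests of the original check mutually exclusive, exactly as Prouflon described, so nothing is ever generated. The search-then-fail form finds the template wherever a package manager put it and reports a clear "missing" instead of letting openssl fail later on a file that was never written.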

TinCanTech commented 2 years ago

Linking: #499

TinCanTech commented 2 years ago

Please try again with git/master.

TinCanTech commented 2 years ago

Closed via https://github.com/OpenVPN/easy-rsa/pull/528

Or please re-open.