kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

Easy-RSA error: signing failed #437

Open lattice0 opened 5 years ago

lattice0 commented 5 years ago

writing new private key to '/etc/openvpn/pki/private/cilinho.dyndns.org.key.XXXXhMhCkM'
-----
Using configuration from /usr/share/easy-rsa/openssl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
unable to load CA private key
1995662544:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:531:
1995662544:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
1995662544:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
1995662544:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:142:

Easy-RSA error:

signing failed (openssl output above may have more detail)

I'm pretty sure I'm using the same password I've inputted before. What could be happening?

amateusz commented 5 years ago

Same here. I cannot generate client certs anymore.

bash-4.4# easyrsa build-client-full xxxxxx nopass
Can't load /etc/openvpn/pki/.rnd into RNG
3069318312:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:88:Filename=/etc/openvpn/pki/.rnd
Generating a RSA private key
.+++++
..+++++
writing new private key to '/etc/openvpn/pki/private/xxxxxx.key.XXXXacfgIp'
-----
Using configuration from /usr/share/easy-rsa/openssl-easyrsa.cnf
Can't load /etc/openvpn/pki/.rnd into RNG
3069359272:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:88:Filename=/etc/openvpn/pki/.rnd

dortonway commented 5 years ago

The same :( I enter the same pass 3 times, but at the end I get the same error.

mishannn commented 5 years ago

The same

amateusz commented 5 years ago

Ok, so I tried commenting out a line in /usr/share/easy-rsa/openssl-easyrsa.cnf as suggested here https://github.com/OpenVPN/easy-rsa/issues/261#issuecomment-444408090, but then another error appears:

Enter pass phrase for /etc/openvpn/pki/private/ca.key:
unable to load CA private key
3069711528:error:0607606B:digital envelope routines:PKCS5_v2_PBE_keyivgen:unsupported cipher:crypto/evp/p5_crpt2.c:169:
3069711528:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:crypto/evp/evp_pbe.c:130:
3069711528:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:crypto/pkcs12/p12_decr.c:41:
3069711528:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:94:
3069711528:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:

Easy-RSA error:

signing failed (openssl output above may have more detail)

~~It leaves me assuming that packages in Alpine Linux have broken their dependencies. But strangely enough, I don't remember rebuilding the image... (only then does it download packages). Ok!~~

EDIT: I tried my hand at fixing this by changing the base image to Debian and then looking at the dependencies. I have a working Dockerfile if anyone's interested, btw. But then I wanted to find the actual reason for the error in the existing configuration. So I was playing with the dependencies of the Alpine version yesterday, but suddenly the problem disappeared. I cannot reproduce the error. It works for me now.

tl;dr:

Try rebuilding your image (git clone the repo, cd into it and run docker build --no-cache -t kylemanna/openvpn .)

kkleidal commented 5 years ago

I was having the same issue, even when rebuilding from master like @amateusz suggested, but then I tried using a stronger password and it worked. Maybe there is some password-entropy requirement that fails with an unhelpful error message. It is most likely an EasyRSA problem rather than a problem with this repo.

tl;dr: use a stronger password

deepsidhu1313 commented 5 years ago

Edited the Dockerfile and replaced

FROM alpine:latest

with

FROM alpine:3.8

and it worked. I guess it is an unstable Docker image.

stevevanhoyweghen commented 5 years ago

I have the same issue.
...
e is 65537 (0x010001)
Can't load /etc/openvpn/pki/.rnd into RNG
140618083146600:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=ls.rnd
...

Tried several passwords, from complex to simple. No success.

easy-rsa issue https://github.com/OpenVPN/easy-rsa/issues/261 seems related and is fixed now. Is this (one of) the root causes?

anginear commented 5 years ago

I also have the same issue. Stronger password does not seem to help. Any fix or suggestions?

J216 commented 5 years ago

I am also having the same issue. It worked a month ago; now I can't sign requests, though I can generate them. I was just starting to feel like I had Easy-RSA and OpenVPN figured out, and now it doesn't work.
...
Enter pass phrase for /home/dknots/EasyRSA-3.0.4/pki/private/ca.key:
unable to load CA private key
139714059077264:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:544:
139714059077264:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
139714059077264:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
139714059077264:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:
...

casenjo commented 5 years ago

Doesn't seem like the latest alpine image (3.10.1 as of this post) has fixed this issue. The solution that @deepsidhu1313 suggested is what's working for me too.

MountainLynx commented 4 years ago

I also encountered the same issue on a headless server, and the problem, for me at least, seems to have been that the entropy on my device was rather low (around 700, checked with cat /proc/sys/kernel/random/entropy_avail), because running the haveged generator immediately solved the problem. Is it possible low entropy has something to do with this issue?

maurerle commented 4 years ago

I had this issue too. I read, for example here, that smashing your keyboard while generating DH parameters would speed up the process. This is bad in this case, as characters typed while generating DH params in the same shell are not lost and instead become part of the passphrase entered afterwards, which makes the passphrase invalid.

So make sure to press backspace the same number of times if you typed on your keyboard while generating DH params.

To create entropy you can instead use a different shell on the server.

Maybe the usability could be improved here or mention this in the README/docs.
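A small diagnostic for the two explanations above, added here as an example and not part of docker-openvpn or Easy-RSA: it reads the entropy counter MountainLynx points at and checks whether ca.key actually decrypts with a passphrase read from a file, so keystrokes buffered by the terminal during DH generation cannot be appended to it. The 1000-bit threshold, the temporary key and the sample passphrases are constructed assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from docker-openvpn or Easy-RSA.
# Separates the two failure modes reported above: a passphrase that does
# not decrypt ca.key ("bad decrypt") and a starved kernel entropy pool.

# Print "low" when the pool is below the threshold, "ok" otherwise.
# $1: path of the counter (defaults to the kernel's), $2: threshold (bits).
entropy_status() {
    file=${1:-/proc/sys/kernel/random/entropy_avail}
    min=${2:-1000}
    avail=$(cat "$file" 2>/dev/null) || { echo "unknown"; return 2; }
    if [ "$avail" -lt "$min" ]; then
        echo "low"
        return 1
    fi
    echo "ok"
}

# Check that a PEM-encrypted private key decrypts with the passphrase held
# in a file ($2). Reading it from a file means keystrokes buffered by the
# terminal during DH generation cannot end up inside the passphrase.
ca_key_unlocks() {
    openssl pkey -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# Self-check on constructed input: a throwaway AES-encrypted RSA key, the
# right passphrase, and the same passphrase with one stray character.
selfcheck() {
    dir=$(mktemp -d) || return 2
    printf 'correct horse\n' > "$dir/good.txt"
    printf 'correct horsex\n' > "$dir/bad.txt"
    openssl genrsa -aes256 -passout "file:$dir/good.txt" \
        -out "$dir/ca.key" 2048 >/dev/null 2>&1 || return 2
    ca_key_unlocks "$dir/ca.key" "$dir/good.txt" || return 1
    ca_key_unlocks "$dir/ca.key" "$dir/bad.txt" && return 1
    rm -rf "$dir"
    echo "good passphrase loads the key, altered one does not"
}
```

Run `entropy_status` before `easyrsa build-ca` on a headless box, and `ca_key_unlocks pki/private/ca.key passfile` before signing to tell a wrong passphrase apart from a broken OpenSSL build.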

maurerle commented 4 years ago

This issue is a duplicate of #323 and #148.

Dieterm5 commented 1 year ago

I have the same issue :(((

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
.+++++
...........................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.MANEBF/tmp.ImFLdD'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.MANEBF/tmp.eNAJap
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
User interface error
139850348707144:error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:545:while reading strings
unable to load CA private key
139850348707144:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:583:
139850348707144:error:0906A065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:461:

Easy-RSA error:

signing failed (openssl output above may have more detail)

Easy-RSA error:

Failed to sign 'user'

I removed the image and downloaded it again, but it's not working. I want to run this image on a Synology NAS. Could anyone help me?

Thanks