Error trying to add client key 'build-key'

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
rezonq3
OpenVpn Newbie
Posts: 6
Joined: Mon Jun 20, 2016 10:56 pm

Error trying to add client key 'build-key'

Post by rezonq3 » Mon Jun 20, 2016 11:10 pm

I have set up OpenVPN several times with Windows without issue but only now have had a need to expand the client base to additional users. I manage the users separately per best practices but I cannot seem to perform a build-key now that the server has been set and finalized and dh command completed to establish the encryption.

When attempting to add a client by running C:\Program Files (x86)\OpenVPN\easy-rsa\build-key <keyname>, I get the following error:

C:\Program Files (x86)\OpenVPN\easy-rsa
924:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 37
3228:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 37
Could Not Find C:\*.old

I run the command in both regular and elevated command prompt. Both return the same error.

I figure it has something to do with vars.bat as there are Linux tutorials discussing changing the source to vars before generating another key. I just can't seem to find a tutorial or discussion on how to generate additional keys to an already established server.

Thank you for your help. Software works great and have always been appreciative of such a great open source project.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Error trying to add client key 'build-key'

Post by TinCanTech » Tue Jun 21, 2016 12:44 am

Do you have a full backup ?

rezonq3
OpenVpn Newbie
Posts: 6
Joined: Mon Jun 20, 2016 10:56 pm

Re: Error trying to add client key 'build-key'

Post by rezonq3 » Tue Jun 21, 2016 2:12 am

Yes indeed, including certificates and private keys.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Error trying to add client key 'build-key'

Post by TinCanTech » Tue Jun 21, 2016 12:13 pm

I suggest you keep what you currently have but now roll back to your last known good backup.
I would consider moving the entire easyrsa tree to a directory your user has write access to.
Read the README.txt File and make sure you have all the required files .. then try again.

If this is a new PKI I would consider redoing it with easyrsa3 ..

rezonq3
OpenVpn Newbie
Posts: 6
Joined: Mon Jun 20, 2016 10:56 pm

Re: Error trying to add client key 'build-key'

Post by rezonq3 » Fri Jun 24, 2016 5:42 pm

I attempted to build a key using one of the other installations I have and it came back with the same error. I followed the installation and initial configuration instructions for both setups and they both function perfectly as expected but neither one can build additional keys after the encryption is finalized on the https://community.openvpn.net/openvpn/w ... dows_Guide build-dh command. It's like after that, adding keys just ceases to function.

The Linux instructions speak to the vars script but the commands won't be the same since we are dealing with different operating systems. Thoughts?

rezonq3
OpenVpn Newbie
Posts: 6
Joined: Mon Jun 20, 2016 10:56 pm

Re: Error trying to add client key 'build-key'

Post by rezonq3 » Fri Jun 24, 2016 5:50 pm

I'm starting to wonder if it has something to do with environmental variables. The bat files are calling environmental variables that don't seem to have values set. Possibly they weren't permanently established and a reboot wiped them after the installation finished and setup was completed?

I think vars.bat should be run before anything to establish the environmental variables for the session. I'm going to try that.

rezonq3
OpenVpn Newbie
Posts: 6
Joined: Mon Jun 20, 2016 10:56 pm

Re: Error trying to add client key 'build-key'

Post by rezonq3 » Fri Jun 24, 2016 7:39 pm

Nope, I actually attempted a fix like this before because I remember having to try to add a key a long time ago and I discovered openssl.cnf was a previous error that I corrected by copying openssl-1.0.0.cnf to C:\etc\ssl\openssl.cnf. I already did that fix on this system and attempted to add a key and the error that came up after I fixed the previous error is the current error I'm getting now.

Got it, steps in Windows for adding another client key should read:

empty the index.txt file located in the keys directory
open elevated command prompt by right clicking cmd.exe and selecting 'Run as administrator' or hold ctrl+shift before clicking
cd to the OpenVPN\easy-rsa program file folder for your 32 or 64 bit version
FOR x86 INSTALLATIONS: modify the vars.bat file to set the %HOME% variable to %ProgramFiles(x86)%\OpenVPN\easy-rsa
run vars.bat first to re-establish the environmental variables
run build-key with the key name you choose and copy the .ovpn config over per the Windows guide

These steps apply to both version 2.3.6 and 2.3.9 32 bit version of OpenVPN for Windows

rezonq3
OpenVpn Newbie
Posts: 6
Joined: Mon Jun 20, 2016 10:56 pm

Re: Error trying to add client key 'build-key'

Post by rezonq3 » Fri Jun 24, 2016 7:42 pm

Or add the following lines to vars.bat just under the set KEY_CONFIG line and run it from an elevated command prompt before you run build-key:

rem Fix a few issues with OpenVPN
rem version 2.3.x
md C:\etc\ssl
copy "%ProgramFiles(x86)%\OpenVPN\easy-rsa\%KEY_CONFIG%" C:\etc\ssl\openssl.cnf
break>keys\index.txt

Still assuming you are using the 32 bit OpenVPN on a 64 bit Windows installation.

Post Reply