[Solved] Trouble generating key pairs on debian 8.3


Post by anti-pasta » Sun Jul 10, 2016 5:33 am

Hi,

I have been trying to set up an OpenVPN server on debian 8.3. Everything has been going fine until I get to the step where I create the ca and private key.

I have read that the steps to do this are as follows:

1. `sudo su - root`
2. `cd /etc/openvpn/easy-rsa/`
3. `source ./vars`  ## I have also tried using `. ./vars` without success
4. `./clean-all`
5. `./build-ca`
6. `./build-key-server server`

After trying this, I end up with the following errors:

Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.

or, this:

Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.

The contents of my vars file are as follows:

Code:

export KEY_COUNTRY="US"
export KEY_PROVINCE="Anystate_USA"
export KEY_CITY="Anytown_USA"
export KEY_ORG="whatever"
export KEY_EMAIL="admin@tryingtogetitright.net"
export KEY_OU="whatevervpn"

Version of OpenVPN:

Code:

openvpn --version
OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

Contents of `/etc/openvpn/easy-rsa`:

Code:

build-ca     build-key	       build-key-server  clean-all	list-crl	   openssl-1.0.0.cnf  revoke-full  whichopensslcnf
build-dh     build-key-pass    build-req	 inherit-inter	openssl-0.9.6.cnf  openssl.cnf	      sign-req
build-inter  build-key-pkcs12  build-req-pass	 keys		openssl-0.9.8.cnf  pkitool	      vars

After everything I have read and by all accounts, the steps I have taken should work, but I can't seem to get past this issue. If anyone has any advice, I would be grateful for your help.


Re: Trouble generating key pairs on debian 8.3 [SOLVED]

Post by anti-pasta » Sun Jul 10, 2016 8:29 am

I ended up fixing my issue, which, as the error suggested, rested entirely on the way I had configured my vars file. To recap, what I started with was this:

Code:

export KEY_COUNTRY="US"
export KEY_PROVINCE="Anystate_USA"
export KEY_CITY="Anytown_USA"
export KEY_ORG="whatever"
export KEY_EMAIL="admin@tryingtogetitright.net"
export KEY_OU="whatevervpn"

and what I ended up using instead was the following:

Code:

# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys

# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=US
export KEY_PROVINCE=Anystate_USA
export KEY_CITY=Anytown_USA
export KEY_ORG="whatever"
export KEY_EMAIL="admin@heyifigureditout.net"
export KEY_OU="whatevervpn"

This bit of information, courtesy of openvpn.net, here:
https://openvpn.net/index.php/open-sour ... ement.html

As usual with these kinds of things, I should have RTFM!!!

good luck!
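
The difference between the two vars files in this thread can be checked before running any of the build scripts. The following is an added example, not code from either post or from easy-rsa: a pre-flight check that reports which variables a vars file leaves unset and whether `KEY_DIR` is a safe target for the `rm -rf` that `clean-all` performs. The names `check_vars`, `write_samples` and `REQUIRED` are hypothetical, and the required set is an assumption taken from the exports in the working file above.

```shell
#!/bin/sh
# Added example, not part of easy-rsa. REQUIRED is assumed from the exports in
# the working vars file quoted above; the page does not say which each script tests.
REQUIRED="KEY_CONFIG KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_OU"

# check_vars FILE: source FILE in a subshell (this executes it, exactly as
# "source ./vars" would) and print every required name left unset or empty.
check_vars() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    missing=$(
        # Forget inherited values so an earlier "source ./vars" cannot mask a gap.
        for v in $REQUIRED; do unset "$v"; done
        cd "$(dirname "$1")" && . "./$(basename "$1")" >/dev/null 2>&1 || exit 3
        for v in $REQUIRED; do
            eval "val=\${$v:-}"
            [ -n "$val" ] || printf '%s ' "$v"
        done
        # clean-all runs rm -rf on $KEY_DIR: insist on an absolute, non-root path.
        case "${KEY_DIR:-}" in
            ""|/?*) ;;  # an empty value is already reported by the loop above
            *) printf 'KEY_DIR_UNSAFE ' ;;
        esac
        true
    ) || { echo "could not evaluate $1" >&2; return 2; }
    missing=${missing% }
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# write_samples DIR: constructed inputs modelled on the two vars files in the thread.
write_samples() {
    cat > "$1/bad.vars" <<'EOF'
export KEY_COUNTRY="US"
export KEY_PROVINCE="Anystate_USA"
export KEY_CITY="Anytown_USA"
export KEY_ORG="whatever"
export KEY_EMAIL="admin@example.net"
export KEY_OU="whatevervpn"
EOF
    { printf 'export D=`pwd`\nexport KEY_CONFIG=$D/openssl.cnf\n'
      printf 'export KEY_DIR=$D/keys\nexport KEY_SIZE=2048\n'
      cat "$1/bad.vars"; } > "$1/good.vars"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_vars "$tmp/bad.vars" || true    # prints the names bad.vars leaves unset
check_vars "$tmp/good.vars" && echo "good.vars: ok"
rm -rf "$tmp"
```

Run against a real tree as `check_vars /etc/openvpn/easy-rsa/vars`; a non-zero return means the build scripts should not be run yet.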
