./build-ca is not working

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

maskedkuma
OpenVpn Newbie
Posts: 5
Joined: Tue Aug 01, 2017 10:46 am

./build-ca is not working

Post by maskedkuma » Mon Aug 21, 2017 9:43 am

I am trying to set up OpenVPN on a new Debian 9 Stretch install. I have done this before on Debian 8 without a problem, but I can't figure this out:

I am using defaults in `vars`

```
# cd /etc/openvpn/easy-rsa && source ./vars
```

```
# ./clean-all
```

```
# ./build-ca
req: Error on line 198 of config file "/etc/openvpn/easy-rsa/openssl.cnf"
Generating a 2048 bit RSA private key
................+++
.............................................................................+++
writing new private key to 'ca.key'
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
140484666176768:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:../crypto/conf/conf_lib.c:272:
```

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: ./build-ca is not working

Post by TinCanTech » Mon Aug 21, 2017 11:17 am

maskedkuma wrote:
> req: Error on line 198 of config file "/etc/openvpn/easy-rsa/openssl.cnf"

There is no "openssl.cnf" .. so I don't know what you have done.

Look in /usr/share/easy-rsa

maskedkuma
OpenVpn Newbie
Posts: 5
Joined: Tue Aug 01, 2017 10:46 am

Re: ./build-ca is not working

Post by maskedkuma » Mon Aug 21, 2017 11:44 am

```
openssl.cnf -> openssl-1.0.0.cnf
```
and copying openssl-1.0.0.cnf to openssl.cnf has the same effect.

```
openssl version
OpenSSL 1.1.0f  25 May 2017
```

```
# ./whichopensslcnf
/openssl.cnf
**************************************************************
  No /openssl.cnf file could be found
  Further invocations will fail
**************************************************************
```

dicer
OpenVpn Newbie
Posts: 1
Joined: Mon Jul 30, 2018 2:23 pm

Re: ./build-ca is not working

Post by dicer » Mon Jul 30, 2018 2:24 pm

The solution to this problem in Debian Stretch is to add the following line to your vars file (don't forget to "source ./vars" afterwards):

```
export KEY_ALTNAMES="EasyRSA"
```

maskedkuma
OpenVpn Newbie
Posts: 5
Joined: Tue Aug 01, 2017 10:46 am

Re: ./build-ca is not working

Post by maskedkuma » Mon Jul 30, 2018 2:30 pm

Thanks for replying after all this time. I evidently got it working somehow, but I didn't report back here and definitely don't remember how. I didn't use KEY_ALTNAMES.

Thanks again

ve9gfi
OpenVpn Newbie
Posts: 4
Joined: Fri Mar 27, 2020 1:55 pm

Re: ./build-ca is not working

Post by ve9gfi » Fri Mar 27, 2020 2:01 pm

The file /etc/openvpn/easy-rsa/vars does not have KEY_ALTNAME defined but it does have KEY_ALTNAMES.

I created KEY_ALTNAME and everything worked.
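
A diagnostic for the error discussed in this thread, added here as an example and not part of Easy-RSA or of any poster's reply: it lists each `$ENV::NAME` reference in an OpenSSL config whose variable is not exported, which shows whether the file in use expects `KEY_ALTNAME` or `KEY_ALTNAMES`. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of Easy-RSA). $ENV::NAME in an OpenSSL config is
# replaced by the environment variable NAME; a reference to a variable that
# is not exported makes the whole file fail to load.

# Print "LINE NAME" for every $ENV::NAME reference in config file $1 whose
# variable is missing from the environment. Also matches ${ENV::NAME} and
# $(ENV::NAME). Lines that are only a comment are skipped.
missing_env_refs() {
    awk '
        /^[ \t]*#/ { next }
        {
            rest = $0
            while (match(rest, /[$][{(]?ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(rest, RSTART, RLENGTH)
                sub(/^[$][{(]?ENV::/, "", name)
                if (!(name in ENVIRON)) print NR, name
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
    ' "$1"
}

# Constructed sample (not a copy of any Easy-RSA file) for a stand-alone run.
write_sample() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = $ENV::KEY_SIZE
distinguished_name = req_distinguished_name
# subjectAltName = $ENV::COMMENTED_OUT
[ usr_cert ]
subjectAltName = $ENV::KEY_ALTNAMES
EOF
}

# With a path argument, check that file; without one, check the sample.
if [ -f "${1:-}" ]; then
    missing_env_refs "$1"
else
    tmp=$(mktemp) && write_sample "$tmp"
    ( export KEY_SIZE=2048; unset KEY_ALTNAMES; missing_env_refs "$tmp" )
    rm -f "$tmp"
fi
```

Run it from the shell in which `vars` was sourced, passing the config path named in the `req: Error on line ...` message; any line it prints names a variable that still has to be exported.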

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: ./build-ca is not working

Post by TinCanTech » Fri Mar 27, 2020 2:15 pm

For future reference: When Easy-RSA 3.0.7 is released it will include an upgrade path for Easy-RSA v2
Easy-TLS helps manage the various OpenVPN specific TLS keys and Inline files.
