OpenVPN 2.3.4 and easy-rsa build-ca Warning

Support forum for Easy-RSA certificate management suite.
taelvin
OpenVpn Newbie
Posts: 5
Joined: Tue Jun 17, 2014 3:19 pm

OpenVPN 2.3.4 and easy-rsa build-ca Warning

Post by taelvin » Tue Jun 17, 2014 3:44 pm

Good Afternoon,

I have reviewed the following posts:

topic14260.html

http://openvpn.net/index.php/open-sourc ... howto.html

And several other sources from a Google search and have found no clear solution for the latest install of OpenVPN for Windows 7.

In the command line, as administrator, I successfully set up the vars.bat file and followed the vars, clean-all, build-ca command sequence.

The first line shows WARNING: can't open config file: /etc/ssl/openssl.cnf
it then goes through the normal key creation sequence (asking for the Country Name, etc) and it generates 2 key files.

But I would like to fix the error shown. I tried the suggestions in the first post linked above. I have copied and renamed the openssl-1.0.0.cnf found in the easy-rsa folder (which installed after I uninstalled my first install of OpenVPN and went back and installed it again selecting the checkmark for OpenSSL and the one below it).

I have an /etc/ssl/openssl.cnf in both \OpenVPN\easy-rsa and \OpenVPN\bin and it still has the error.

Is this because the newest version of OpenVPN is not bundled with easyrsa3? I downloaded the easyrsa3 files from Gnu but I did not know what to do with the files to get them into OpenVPN, but re-installing the OpenVPN 2.3.4 and checking the unchecked boxes (OpenSSL, etc) seemed to put its own easy-rsa into the OpenVPN folders so I let it be.

Re: OpenVPN 2.3.4 and easy-rsa build-ca Warning

Post by taelvin » Tue Jun 17, 2014 6:00 pm

I uninstalled OpenVPN and removed all the folders I had created placing the openssl.cnf file in different spots. Then I installed Win64 OpenSSL v1.0.1h Light. After that I re-installed OpenVPN 2.3.4 and selected both the unchecked options (I had done this before in the last install, so I do not think this fixed the problem).

Then I attempted to build a cert again using the init-config-->modify vars.bat in admin notepad--->vars--->clean-all-->build-ca

and it shows the following:-------------------------------------------------------------

c:\Program Files\OpenVPN\easy-rsa>init-config

c:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
1 file(s) copied.

c:\Program Files\OpenVPN\easy-rsa>vars

c:\Program Files\OpenVPN\easy-rsa>clean-all
The system cannot find the file specified.
1 file(s) copied.
1 file(s) copied.

c:\Program Files\OpenVPN\easy-rsa>build-ca
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...........................................................................+++++
+
..........................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
----------------------------(copy ended)---------------------------------------------------------

So it would seem it doesn't have the openssl error anymore but now it isn't recognizing my request to generate a 2024 bit RSA key. I did modify the vars.bat file to have the following:

rem Increase this to 2048 if you
rem are paranoid. This will slow
rem down TLS negotiation performance
rem as well as the one-time DH parms
rem generation process.
set KEY_SIZE=2048

I should also note that none of the Country name, Province, etc. values that I changed in the vars.bat file showed as the default options in the command line when it asks you for them after typing build-ca. Instead, it showed the text that was there before. Might it not be accessing the vars.bat file I saved after I typed in the "vars" and then "clean-all" because it does say below that command that it couldn't find a file but then copied two?

One problem goes away...another one sets itself up...

Re: OpenVPN 2.3.4 and easy-rsa build-ca Warning

Post by taelvin » Tue Jun 17, 2014 6:31 pm

I figured this out with more tinkering. I blame myself for trying to adhere to a guide too much and not looking at what my screen was saying. In the new version of OpenVPN 2.3.4 if you type "init-config" it will generate two files. One will be the "vars" file and it truly is a "Windows Batch File" under type. Then below it is the vars.bat file but that is a SAMPLE file. I modified in administrator with Notepad++ the SAMPLE file and not the "vars" file. Thus, when I went and told command line to access vars-->clean-all it was cleaning from the un-modified file. That is why the command line wasn't showing any of my changes made to lines like KEY_COUNTRY. This can be hard for a new user to discern that it is not just displaying a default even though you have made modifications to the file but that it truly is showing you the options it currently has in the file in [].

In terms of RSA3 and the fact that OpenVPN is no longer batched with it. Does using this "easy-rsa" that gets installed if you select the additional checkboxes mean I am using an outdated version of RSA? And if so, is that a problem for security?

Just wondering if I need to go figure out RSA3... (I pray not)...
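
The mix-up described in this post (edits made to the sample file while the `vars` command loads the other one, so build-ca keeps producing a 1024 bit key) can be checked before any key is generated. The following is an added example, not part of the original post and not OpenVPN or easy-rsa code; the file contents are constructed and the names `parse_vars` and `audit` are hypothetical.

```python
import re

# Matches `set NAME=value` and `set "NAME=value"`; cmd.exe treats SET case-insensitively.
# Trailing whitespace is dropped so that values compare cleanly.
SET_RE = re.compile(r'^\s*@?set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$', re.IGNORECASE)
COMMENT_RE = re.compile(r'^\s*(rem\b|::)', re.IGNORECASE)

# Constructed sample: the file the `vars` command actually runs (left unedited).
ACTIVE = """@echo off
rem Increase this to 2048 if you are paranoid.
set KEY_SIZE=1024
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
"""

# Constructed sample: the file that was opened in the editor and changed.
EDITED = """@echo off
set KEY_SIZE=2048
set KEY_COUNTRY=US
set KEY_PROVINCE=TX
"""

def parse_vars(text):
    """Return {NAME: value} from the `set` lines of a batch file; later lines win."""
    values = {}
    for line in text.splitlines():
        if COMMENT_RE.match(line):
            continue  # a commented-out `set` must not count as a setting
        m = SET_RE.match(line)
        if m:
            values[m.group(1).upper()] = m.group(2)
    return values

def audit(active_text, edited_text, min_bits=2048):
    """List settings that differ between the two files, plus a weak active KEY_SIZE."""
    active, edited = parse_vars(active_text), parse_vars(edited_text)
    findings = []
    for name in sorted(set(active) | set(edited)):
        if active.get(name) != edited.get(name):
            findings.append(f"{name}: active={active.get(name)!r} edited={edited.get(name)!r}")
    size = active.get("KEY_SIZE", "")
    if not size.isdigit() or int(size) < min_bits:
        findings.append(f"KEY_SIZE: active value {size!r} is below {min_bits} bits")
    return findings

if __name__ == "__main__":
    for finding in audit(ACTIVE, EDITED):
        print(finding)
```

To use it on a real install, read the two files from the easy-rsa folder and pass their text to `audit` in place of the constructed samples.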

Re: OpenVPN 2.3.4 and easy-rsa build-ca Warning

Post by taelvin » Tue Jun 17, 2014 7:21 pm

Thank you for your help debbie10t,

What is the difference between the easy-rsa installed in OpenVPN 2.3.4 and RSA3?

Just trying to understand why I should dump the certs I just made and go make them from RSA3.

Thanks for guiding me,
Chad

Re: OpenVPN 2.3.4 and easy-rsa build-ca Warning

Post by taelvin » Tue Jun 17, 2014 8:50 pm

Oh they definitely aren't. I just figured that when you said I would want to use RSA3 over the ones made in easy-rsa that it means I should get rid of them and start over with RSA3. :-)
