After update to 2.5 all bats are missing (Windows Server)

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

starlight2
OpenVpn Newbie
Posts: 8
Joined: Fri Jan 08, 2021 3:01 pm

After update to 2.5 all bats are missing (Windows Server)

Post by starlight2 » Fri Jan 08, 2021 3:05 pm

Hello,

OS: Windows Server 2016
current Version: Community 2.5

I have a little problem. I updated my server from 2.4 to 2.5 and now all .bats are missing in the "easy-rsa" folder. Also openssl is missing from the server.
I tried to get them back, but I don't know how... also openssl was deleted after the update, so the "openssl" cmd is no longer working.
I don't know how to delete/add new vpn users without the bats...

What should I do? Fresh install?

Maybe someone could assist... thanks. :oops:

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by TinCanTech » Fri Jan 08, 2021 9:39 pm

I think you can install EasyRSA-2 with OpenVPN 2.5

By default OpenVPN 2.5 installs EasyRSA-3.

EasyRSA-3 can upgrade your current PKI to be compatible with EasyRSA-3

give it a shot !

starlight2
OpenVpn Newbie
Posts: 8
Joined: Fri Jan 08, 2021 3:01 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by starlight2 » Sun Jan 10, 2021 11:05 pm

Yes, I gave it a shot!

Seems that the new Windows version is really buggy.
I started from scratch to not waste time...

- fresh install
- init-pki , build-ca ...

what to say...

Code:

Generating a RSA private key
......................................................................................+++++
..........+++++
writing new private key to '/temp/easy-rsa-30184.a14428/tmp.a12668'
-----
Can't open C:/Program Files/OpenVPN/easy-rsa/pki/safessl-easyrsa.cnf for reading, No such file or directory
26984:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:69:fopen('C:/Program Files/OpenVPN/easy-rsa/pki/safessl-easyrsa.cnf','r')
26984:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:76:
Can't open C:/Program Files/OpenVPN/easy-rsa/pki/safessl-easyrsa.cnf for reading, No such file or directory
29864:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:69:fopen('C:/Program Files/OpenVPN/easy-rsa/pki/safessl-easyrsa.cnf','r')
29864:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:76:
path = /temp/easy-rsa-30184.a14428/tmp.XXXXXX

Last edited by starlight2 on Sun Jan 10, 2021 11:13 pm, edited 2 times in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by TinCanTech » Sun Jan 10, 2021 11:10 pm

It looks like you have already used this work around:
https://github.com/OpenVPN/easy-rsa/issues/412

Can you paste the entire terminal window where you run easyrsa ?

starlight2
OpenVpn Newbie
Posts: 8
Joined: Fri Jan 08, 2021 3:01 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by starlight2 » Sun Jan 10, 2021 11:15 pm

So I copied the openssl-easyrsa.cnf to the PKI folder and renamed it... but the connection does not work. The certs seem to be faulty. Without the file there is not even a key created.

And yes, I already used the temp fix from you because I got the other error.

With copied file:

Code:

EasyRSA Shell
# ./easyrsa build-client-full kerstin nopass

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1i  8 Dec 2020
path = /temp/easy-rsa-15312.a26584/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp5F45.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp5F45.tmp
fd = 3
path = /temp/easy-rsa-15312.a26584/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp6020.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp6020.tmp
fd = 3
path = /temp/easy-rsa-15312.a26584/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp60EB.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp60EB.tmp
fd = 3
Generating a RSA private key
............................+++++
...........................................................................+++++
writing new private key to '/temp/easy-rsa-15312.a26584/tmp.a28200'
-----
path = /temp/easy-rsa-15312.a26584/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp681F.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp681F.tmp
fd = 3
path = /temp/easy-rsa-15312.a26584/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp69F4.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp69F4.tmp
fd = 3
path = /temp/easy-rsa-15312.a26584/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp6ABF.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp6ABF.tmp
fd = 3
Using configuration from /temp/easy-rsa-15312.a26584/tmp.a25284
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'kerstin'
Certificate is to be certified until Apr 15 23:11:34 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Without:

Code:

EasyRSA Shell
# ./easyrsa build-client-full testuser nopass

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1i  8 Dec 2020
path = /temp/easy-rsa-19020.a27932/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp6225.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp6225.tmp
fd = 3
path = /temp/easy-rsa-19020.a27932/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp6300.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp6300.tmp
fd = 3
path = /temp/easy-rsa-19020.a27932/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp63CB.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp63CB.tmp
fd = 3
Generating a RSA private key
....................+++++
..........................................+++++
writing new private key to '/temp/easy-rsa-19020.a27932/tmp.a18352'
-----
Can't open C:/Program Files/OpenVPN/easy-rsa/pki/safessl-easyrsa.cnf for reading, No such file or directory
29044:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:69:fopen('C:/Program Files/OpenVPN/easy-rsa/pki/safessl-easyrsa.cnf','r')
29044:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:76:
Can't open C:/Program Files/OpenVPN/easy-rsa/pki/safessl-easyrsa.cnf for reading, No such file or directory
29080:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:69:fopen('C:/Program Files/OpenVPN/easy-rsa/pki/safessl-easyrsa.cnf','r')
29080:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:76:
path = /temp/easy-rsa-19020.a27932/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp6A91.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp6A91.tmp
fd = 3
path = /temp/easy-rsa-19020.a27932/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp6C57.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp6C57.tmp
fd = 3
path = /temp/easy-rsa-19020.a27932/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp6D31.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp6D31.tmp
fd = 3
Using configuration from /temp/easy-rsa-19020.a27932/tmp.a09048
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testuser'
Certificate is to be certified until Apr 15 23:14:52 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated


EasyRSA Shell

starlight2
OpenVpn Newbie
Posts: 8
Joined: Fri Jan 08, 2021 3:01 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by starlight2 » Mon Jan 11, 2021 12:15 am

Before you get a headache..

The problem seems to be one variable..

Code:

set_var EASYRSA                 "$PWD"

If I delete the var, the PKI folder is created under c:/pki .. and the easyssl file is created. With the variable the pki folder is created in the easyrsa home, but without the file... not sure why... must be the same problem as the temp folder... seems that there is a permission problem by writing files into the easyrsa folder... by init-pki

I don't want to use c:/pki ... :?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by TinCanTech » Mon Jan 11, 2021 12:37 am

starlight2 wrote (Sun Jan 10, 2021 11:15 pm):
> So I copied the openssl-easyrsa.cnf to PKI folder and renamed it

That file is supposed to be there.

I think this is a bug and I'm looking into it ..

For the time being, can you try copying EasyRSA3 to your Home directory and try from there ?

starlight2
OpenVpn Newbie
Posts: 8
Joined: Fri Jan 08, 2021 3:01 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by starlight2 » Mon Jan 11, 2021 1:00 am

I copied it to the desktop... does not work!

Code:

EasyRSA Shell
# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: C:/Users/user2/Desktop/easy-rsa/pki

EasyRSA Shell
# exit

C:\Users\user2\Desktop\easy-rsa>dir pki
11.01.2021  01:48    <DIR>          .
11.01.2021  01:48    <DIR>          ..
11.01.2021  01:48    <DIR>          private
11.01.2021  01:48    <DIR>          reqs

... without variable !

Code:

EasyRSA Shell
# easyrsa init-pki

Note: using Easy-RSA configuration from: C:/Program Files/OpenVPN/easy-rsa/vars
path = /temp/easy-rsa-22892.a09616/tmp.XXXXXX
lpPathBuffer = C:\Users\user2\AppData\Local\Temp\
szTempName = C:\Users\user2\AppData\Local\Temp\tmp9FDB.tmp
path = C:\Users\user2\AppData\Local\Temp\tmp9FDB.tmp
fd = 3

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /pki

C:\Program Files\OpenVPN\easy-rsa>dir c:\pki
11.01.2021  01:58    <DIR>          .
11.01.2021  01:58    <DIR>          ..
11.01.2021  01:58    <DIR>          private
11.01.2021  01:58    <DIR>          reqs
11.01.2021  01:58             4.408 safessl-easyrsa.cnf

For some reason (?) the openssl-easyrsa.cnf is copied to C:/

The original file is under the easy-rsa folder... not in the pki folder... but renaming it does not work, because the openssl-easyrsa.cnf has all $variables .. and the safessl has the values of the variables... so it seems that there is the problem with the keys..

starlight2
OpenVpn Newbie
Posts: 8
Joined: Fri Jan 08, 2021 3:01 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by starlight2 » Mon Jan 11, 2021 5:57 pm

For people who have the same problem... I fixed this today...
(this is all regarding to the hidden administrator account..)

0) Make sure that you don't have a pki folder or openssl-easyrsa.cnf file under C:/
1) Exclude the easyrsa variable from vars

Code:

#set_var EASYRSA                 "$PWD"

2) Run init-pki
3) Change vars and include the easyrsa variable (remove #)
4) Run init-pki again
5) Copy safessl-easyrsa.cnf from C:/pki to C:\Program Files\OpenVPN\easy-rsa\pki
6) Open the copied safessl-easyrsa.cnf with a good text editor (like notepad++)
7) Use find & replace to replace ALL

Code:

/pki

with

Code:

/Program Files/OpenVPN/easy-rsa/pki

8) Proceed with build-ca etc.
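
A way to check the hand-edited file from steps 5 to 7 before building the CA, added here as an example; it is not part of the original post and not Easy-RSA code. The function names `check_safessl` and `make_samples` are hypothetical, and the sample config lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Easy-RSA code): check a hand-copied safessl-easyrsa.cnf.
# Return codes: 0 ok, 1 file missing, 2 unexpanded template, 3 stale /pki path.
check_safessl() {
    cnf=$1
    pki=$2
    [ -f "$cnf" ] || return 1
    # A renamed openssl-easyrsa.cnf still contains $ENV::NAME references,
    # which (per the thread) the generated safessl file holds as literal values.
    if grep -F '$ENV::' "$cnf" >/dev/null; then return 2; fi
    # Any line naming a pki path must point into the intended PKI directory.
    if grep -F '/pki' "$cnf" | grep -vF "$pki" >/dev/null; then return 3; fi
    return 0
}

# Constructed sample files; the config lines are illustrative, not real output.
make_samples() {
    d=$1
    printf '%s\n' '[ CA_default ]' 'dir = $ENV::EASYRSA_PKI' > "$d/renamed.cnf"
    printf '%s\n' '[ CA_default ]' 'dir = /pki' \
        'database = /pki/index.txt' > "$d/stale.cnf"
    # Step 7 of the post: replace every /pki with the real PKI location.
    sed 's#/pki#/Program Files/OpenVPN/easy-rsa/pki#g' \
        "$d/stale.cnf" > "$d/fixed.cnf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for name in renamed stale fixed missing; do
    rc=0
    check_safessl "$tmp/$name.cnf" "/Program Files/OpenVPN/easy-rsa/pki" || rc=$?
    echo "$name.cnf: $rc"
done
rm -rf "$tmp"
```

A return code of 2 corresponds to the earlier attempt in this thread of renaming openssl-easyrsa.cnf, and 3 to a copied file whose paths still point at C:/pki.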

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by TinCanTech » Mon Jan 11, 2021 7:03 pm

I have been helping develop EasyRSA-3 for some years now and you are the first and only person to report an issue like this.

starlight2 wrote (Mon Jan 11, 2021 5:57 pm):
> this is all regarding to the hidden administrator account

What do you mean ?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by TinCanTech » Mon Jan 11, 2021 8:55 pm

After further testing, the most likely explanation is that you have edited ./vars incorrectly.

starlight2
OpenVpn Newbie
Posts: 8
Joined: Fri Jan 08, 2021 3:01 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by starlight2 » Mon Jan 11, 2021 11:27 pm

Maybe... maybe not... Don't know

Here are my vars

Code:

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "xxx"
set_var EASYRSA_REQ_PROVINCE    "xxx"
set_var EASYRSA_REQ_CITY        "xxx"
set_var EASYRSA_REQ_ORG         "xxx"
set_var EASYRSA_REQ_EMAIL       "xxx@xxx.com"
set_var EASYRSA_REQ_OU          "xxx"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "xxx"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"
set_var EASYRSA_TEMP_DIR		"/temp"

I tried it on 2 server versions of Windows (2016) and 1 Windows 10 device ... for server Windows I don't need the hidden administrator account, for Windows 10 I needed it cause there was nothing created under c:\

This is only on Windows ... on Unix I don't have these problems with the same config

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by TinCanTech » Tue Jan 12, 2021 12:31 am

Sorry, if you need help administering Windows then that is out-of-scope here.

Just copy the entire installed Easy-RSA3 folder to somewhere that your user has write access.
Go back to defaults (I would re-install from scratch) and try again.

starlight2
OpenVpn Newbie
Posts: 8
Joined: Fri Jan 08, 2021 3:01 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by starlight2 » Tue Jan 19, 2021 7:44 pm

I don't need help in administering Windows. lol.

This is a bug in the easyrsa script cause of the sh emulation.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: After update to 2.5 all bats are missing (Windows Server)

Post by TinCanTech » Tue Jan 19, 2021 8:03 pm

If you believe this is a bug then please report it to EasyRSA on github.

Otherwise, I suggest you do this:
  • Uninstall OpenVPN and EasyRSA3
  • Move whatever is left in C:\Program Files\OpenVPN to a safe place.
  • Install OpenVPN and EasyRSA3
  • Copy EasyRSA3 to your user account
  • Try again
