EasyRSA 3 build-ca fails on Windows

Support forum for Easy-RSA certificate management suite.
Post Reply
cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Wed Feb 10, 2021 5:39 am

I'm having trouble getting EasyRSA 3 working on Windows Server 2019. This is OpenVPN 2.5.0. After creating the vars file from vars.example, init-pki works but build-ca aborts on an error. The config file referenced in the error message as having an invalid line 88 is apparently deleted after easyrsa exits.

I'm much more accustomed to the earlier EasyRSA 2, especially on Windows since that version has native batch files instead of requiring a *nix shell. What do I need to do to get this working?

Code: Select all

EasyRSA Shell
# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1h  22 Sep 2020
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-260.a05132/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\tmp9AF9.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\tmp9AF9.tmp
fd = 3
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-260.a05132/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\tmp9B47.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\tmp9B47.tmp
fd = 3
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................................++++
..............++++
e is 65537 (0x010001)
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-260.a05132/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\tmp9C7F.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\tmp9C7F.tmp
fd = 3
req: Error on line 88 of config file "C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-260.a05132/tmp.a07416"
9164:error:0E065068:configuration file routines:str_copy:variable has no value:crypto/conf/conf_def.c:624:line 88
9164:error:0E065068:configuration file routines:str_copy:variable has no value:crypto/conf/conf_def.c:624:line 88

Easy-RSA error:

Failed to build the CA

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Wed Feb 10, 2021 4:36 pm


cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Thu Feb 11, 2021 1:19 am

Thanks - I made the change suggested in that link (change EASYRSA_TEMP_DIR to "/tmp") but buld-ca still fails. Then I tried moving the easy-rsa directory tree to C:\OpenVPN\easy-rsa so there would be no spaces in any paths but it still bombs out on build-ca. Tried downloading and using version 3.08 (appears to be the latest) from sourceforge with the same result.

Code: Select all

req: Error on line 88 of config file "/tmp/easy-rsa-9116.a07944/tmp.a07200"
8524:error:0E065068:configuration file routines:str_copy:variable has no value:crypto/conf/conf_def.c:624:line 88
8524:error:0E065068:configuration file routines:str_copy:variable has no value:crypto/conf/conf_def.c:624:line 88

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Thu Feb 11, 2021 2:21 am

cbraxton wrote:
Thu Feb 11, 2021 1:19 am
8524:error:0E065068:configuration file routines:str_copy:variable has no value:crypto/conf/conf_def.c:624:line 88
https://github.com/OpenVPN/easy-rsa/blo ... sa.cnf#L88

No idea ..

My crystal ball tells me, not enough information.

My Eight ball says, start from the beginning

cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Thu Feb 11, 2021 4:29 am

TinCanTech wrote:
Thu Feb 11, 2021 2:21 am
No idea ..

My crystal ball tells me, not enough information.

My Eight ball says, start from the beginning
It's got me stumped as well, though I've only had minimal contact with EasyRSA V3, in fact on just one system running Linux and it worked OK there. (On the other hand I've been using EasyRSA V2 for ages on quite a few Linux and Windows systems with no problem.)

I've started from the beginning a few times now with the same result. Below are all of the uncommented variables in my vars file, generated via grep -o '^[^#]*' vars. Only the names have been changed to protect the guilty.

Code: Select all

set_var EASYRSA_TEMP_DIR" /tmp"
set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE  "Ohio"
set_var EASYRSA_REQ_CITY "Cincinnati"
set_var EASYRSA_REQ_ORG "WKRP Radio"
set_var EASYRSA_REQ_EMAIL "johnny.fever@wkrp.com"
set_var EASYRSA_REQ_OU "Cincinatti Office"
Will have to keep at it, I must be missing something stupid, though it might actually be easiest to just run EasyRSA in a LInux VM at this point...

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Thu Feb 11, 2021 4:55 am

cbraxton wrote:
Thu Feb 11, 2021 4:29 am
I've been using EasyRSA V2 for ages on quite a few Linux and Windows systems with no problem
Did you try the Easy-RSA upgrade .. from v2 to v3 ?

cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Thu Feb 11, 2021 2:56 pm

TinCanTech wrote:
Thu Feb 11, 2021 4:55 am
Did you try the Easy-RSA upgrade .. from v2 to v3 ?
No, unless I missed something I don't think EasyRSA v2 was offered at all with the Windows installer.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Thu Feb 11, 2021 4:36 pm

If you have a PKI created in EasyRSA 2 then to use EasyRSA 3 on the same PKI it needs to be upgraded.

But that does not sound like the case here.

cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Thu Feb 11, 2021 6:53 pm

TinCanTech wrote:
Thu Feb 11, 2021 4:36 pm
If you have a PKI created in EasyRSA 2 then to use EasyRSA 3 on the same PKI it needs to be upgraded.

But that does not sound like the case here.
No, this is a fresh installation on a new server so there is no old PKI to migrate. I just need to find a way around this error.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Thu Feb 11, 2021 7:37 pm

Does `init-pki` work ?

cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Thu Feb 11, 2021 9:50 pm

TinCanTech wrote:
Thu Feb 11, 2021 7:37 pm
Does `init-pki` work ?
Yes, init-pki works with no problems.

Another thing I just tried was installing Windows' Linux subsystem with Debian Stretch, into which I installed OpenVPN 2.5 in an attempt to try running easyrsa in its native Linux environment. Unfortunately although I added the current OpenVPN repository, EasyRSA v2 is still installed rather than v3. I attempted to use the EasyRSA v3.08 downloaded direct from sourceforge but am still running into errors with build-ca. A different error message, but still referencing line 88 in the config:

Code: Select all

administrator@WINSERVER:~/easy-rsa$ ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /home/administrator/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Generating RSA private key, 4096 bit long modulus
.....................++++
..........................................................++++
e is 65537 (0x010001)
req: Error on line 88 of config file "/tmp/easy-rsa-2623.XXQrX1/tmp.sfOXL0"
req: Error on line 88 of config file "/home/administrator/easy-rsa/pki/safessl-easyrsa.cnf"
unable to find 'distinguished_name' in config
problems making Certificate Request
140017172288896:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:../crypto/conf/conf_lib.c:272:

Easy-RSA error:

Failed to build the CA
This is line 88 in the file /home/administrator/easy-rsa/pki/safessl-easyrsa.cnf:

Code: Select all

0.organizationName_default      = $ENV::EASYRSA_REQ_ORG
(The file in /tmp is not there after easyrsa exits.)

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Thu Feb 11, 2021 10:00 pm

cbraxton wrote:
Thu Feb 11, 2021 9:50 pm
EasyRSA v2 is still installed rather than v3
I think you have to use Custom Install and select v3
cbraxton wrote:
Thu Feb 11, 2021 9:50 pm
I attempted to use the EasyRSA v3.08 downloaded direct from sourceforge
Use the version on github if you need to install that way:
https://github.com/OpenVPN/easy-rsa/releases
cbraxton wrote:
Thu Feb 11, 2021 9:50 pm
This is line 88 in the file /home/administrator/easy-rsa/pki/safessl-easyrsa.cnf:

Code: Select all

0.organizationName_default      = $ENV::EASYRSA_REQ_ORG
That means something fundamental has gone wrong.

A guess would be that you don't have sed installed.
cbraxton wrote:
Thu Feb 11, 2021 9:50 pm
(The file in /tmp is not there after easyrsa exits.)
Good, it is a temp file and supposed to be removed.

My impression is that you have not installed EasyRSA-3 correctly in either Windows or Linux.

cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Thu Feb 11, 2021 11:51 pm

Oh, it's quite likely that EasyRSA 3 is not installed correctly, as I said I've had very little experience with it so installing it manually I've likely missed a few things. The original Windows installation that failed, however, was performed by the OpenVPN installer. Sed is installed. I'll have to go over the installation again.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Fri Feb 12, 2021 12:01 am

You can either install Easy-RSA from the OpenVPN installer or from github, it's quite easy.

Once you get the hang of that you may like to try this:
https://github.com/TinCanTech/easy-tls

If you have any problems with that then please start a thread here or open an issue on github.

cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Fri Feb 12, 2021 4:03 pm

TinCanTech wrote:
Fri Feb 12, 2021 12:01 am
You can either install Easy-RSA from the OpenVPN installer or from github, it's quite easy.

Once you get the hang of that you may like to try this:
https://github.com/TinCanTech/easy-tls

If you have any problems with that then please start a thread here or open an issue on github.
OK, I deleted my previous EasyRSA installations both in Windows and my Debian environment to start with a clean sheet, downloaded the appropriate archives from github and lo and behold it works, both in Windows and in Debian. So obviously I had something wrong going on in the previous installations, but it's working now. Thanks!

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Fri Feb 12, 2021 5:18 pm

Good.

Do you have a link for the version on sourceforge ?

cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Fri Feb 12, 2021 5:50 pm

TinCanTech wrote:
Fri Feb 12, 2021 5:18 pm
Good.

Do you have a link for the version on sourceforge ?
No, though I just did a search there and only found old versions. When the EasyRSA that came bundled with OpenVPN for Windows didn't work I was scrambling to find one that would while also putting out fires elsewhere. It may have been a link from one of the sourceforge mailing lists rather than a direct sourceforge download. It's obvious I screwed something up when setting it up initially and "fixed" it by backing off and starting over with the official latest release from github. At least at this point I have a working EasyRSA v3 and OpenVPN service running on the Windows server.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA 3 build-ca fails on Windows

Post by TinCanTech » Fri Feb 12, 2021 6:18 pm

That all sounds reasonable.

If you find time, I would really appreciate more testing on this:
https://github.com/TinCanTech/easy-tls

But I know time is hard to find ..

cbraxton
OpenVpn Newbie
Posts: 13
Joined: Wed Feb 10, 2021 5:11 am

Re: EasyRSA 3 build-ca fails on Windows

Post by cbraxton » Fri Feb 12, 2021 7:21 pm

TinCanTech wrote:
Fri Feb 12, 2021 6:18 pm
That all sounds reasonable.

If you find time, I would really appreciate more testing on this:
https://github.com/TinCanTech/easy-tls

But I know time is hard to find ..
I saw that and it looks interesting though I must admit being barely acquainted with EasyRSA v3 at this point I'm not sure exactly what easy-tls does - looks like a more automated way to check configuration and generate inline config files? (Currently I just use a template for client configs and insert certs and keys using vim.) I'll have to take a closer look, though as you say time can be difficult to find.

Post Reply