I'm unable to create a new client for openvpn using the "nopass" option for easyrsa. Something seems to have changed with libressl which prevents this, but subsequent changes to easyrsa have not been made (please correct me if I'm wrong!).
On my existing server, the following command used to complete successfully:
./easyrsa --batch=1 --pki-dir=${pkiDir} --req-cn=${vpnclientuser} gen-req ${vpnclientuser} nopass
This now fails with:
-----
usage: req [-addext ext] [-batch] [-config file]
--snip--
Easy-RSA error:
Failed to generate request
Host: nix | OpenBSD | /bin/bash
-----
After further investigation, I was unable to create a new CA with the nopass option either.
Simple test to recreate the problem:
Fresh install of OpenBSD 7.2
pkg_add easyrsa
bsdtest# ./easyrsa build-ca nopass
* Notice:
Using Easy-RSA configuration from: /root/easy-rsa/pki/vars
* Notice:
Using SSL: openssl LibreSSL 3.6.0
usage: genpkey [-algorithm alg] [cipher] [-genparam] [-out file]
[-outform der | pem] [-paramfile file] [-pass arg]
[-pkeyopt opt:value] [-text]
-algorithm name Public key algorithm to use (must precede -pkeyopt)
-genparam Generate a set of parameters instead of a private key
-out file Output file to write to (default stdout)
-outform format Output format (DER or PEM)
-paramfile file File to load public key algorithm parameters from
(must precede -pkeyopt)
-pass arg Output file password source
-pkeyopt opt:value Set public key algorithm option to the given value
-text Print the private/public key in human readable form
Easy-RSA error:
Failed create CA private key
Host: nix | OpenBSD | /bin/ksh
The option still exists according to the help:
bsdtest# ./easyrsa help build-ca
build-ca [ cmd-opts ]
Creates a new CA
cmd-opts is an optional set of command options from this list:
nopass - do not encrypt the CA key (default is encrypted)
subca - create an intermediate CA keypair and request (default is a root CA)
intca - alias to the above
Note: If I remove "nopass" then both commands complete successfully. I've been unable to find a solution to this myself. Please help!
Cheers,
Chris
easyrsa nopass fails on OpenBSD
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Mar 23, 2023 4:58 pm
Re: easyrsa nopass fails on OpenBSD
Forgot to mention that I did "./easyrsa init-pki" before the build-ca command.
Re: easyrsa nopass fails on OpenBSD
I upgraded my test system to LibreSSL 3.7.1. It still fails.
Re: easyrsa nopass fails on OpenBSD
I've narrowed this down and I believe it's an easy-rsa bug. Version 3.0.8 works correctly, version 3.0.9 fails. The following outputs are from the same system using a downloaded version of openssl 3.7.1 and the above versions of easy-rsa downloaded from github:
bsdtest# ./easyrsa version
WARNING: can't open config file: /home/EasyRSA-3.0.8/pki/safessl-easyrsa.cnf
EasyRSA Version Information
Version: 3.0.8
Generated: Wed Sep 9 15:59:45 CDT 2020
SSL Lib: LibreSSL 3.7.1
Git Commit: f12e00e53b4f486ce3d119ca429198780fa694ac
Source Repo: https://github.com/OpenVPN/easy-rsa
bsdtest# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/EasyRSA-3.0.8/pki
bsdtest# ./easyrsa build-ca nopass
Using SSL: openssl LibreSSL 3.7.1
Generating RSA private key, 2048 bit long modulus
....................................................................
........
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/EasyRSA-3.0.8/pki/ca.crt
bsdtest#
----------------------------------------------------------------------------------
bsdtest# ./easyrsa version
WARNING: can't open config file: /home/EasyRSA-v3.0.9/pki/safessl-easyrsa.cnf
EasyRSA Version Information
Version: v3.0.9
Generated: Wed May 18 08:04:38 CDT 2022
SSL Lib: LibreSSL 3.7.1
Git Commit: 150e96ec9b290396ccbe160bd23f6dd1b277250d
Source Repo: https://github.com/OpenVPN/easy-rsa
bsdtest# ./easyrsa init-pki
* Notice:
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /home/EasyRSA-v3.0.9/pki
IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above.
bsdtest# ./easyrsa build-ca nopass
* Notice:
Using Easy-RSA configuration from: /home/EasyRSA-v3.0.9/pki/vars
* Notice:
Using SSL: openssl LibreSSL 3.7.1
usage: genpkey [-algorithm alg] [cipher] [-genparam] [-out file]
[-outform der | pem] [-paramfile file] [-pass arg]
[-pkeyopt opt:value] [-text]
-algorithm name Public key algorithm to use (must precede -pkeyopt)
-genparam Generate a set of parameters instead of a private key
-out file Output file to write to (default stdout)
-outform format Output format (DER or PEM)
-paramfile file File to load public key algorithm parameters from
(must precede -pkeyopt)
-pass arg Output file password source
-pkeyopt opt:value Set public key algorithm option to the given value
-text Print the private/public key in human readable form
Easy-RSA error:
Failed create CA private key
Host: nix | OpenBSD | /bin/ksh
bsdtest#
Re: easyrsa nopass fails on OpenBSD
Annnnnnd never mind. This seems to have been fixed in easy-rsa 3.1.2. Hopefully the OpenBSD package is updated soon!
bsdtest# ./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /home/EasyRSA-3.1.2/pki
* Using Easy-RSA configuration:
* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
Edit this 'vars' file to customise the settings for your PKI.
To use a global vars file, use global option --vars=<YOUR_VARS>
* Using x509-types directory: /home/EasyRSA-3.1.2/x509-types
bsdtest# ./easyrsa build-ca nopass
* Using SSL: openssl LibreSSL 3.7.1
* Using Easy-RSA configuration: /home/EasyRSA-3.1.2/pki/vars
...................
..................
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/EasyRSA-3.1.2/pki/ca.crt
bsdtest# pwd
/home/EasyRSA-3.1.2
bsdtest#
Re: easyrsa nopass fails on OpenBSD
Conclusion:
easy-rsa 3.1.0 does *not* work with the nopass option.
This is the version currently available through OpenBSD 7.2's package management system.
easy-rsa 3.1.2 *does* work with the nopass option.
https://github.com/OpenVPN/easy-rsa/releases/tag/v3.1.2
Re: easyrsa nopass fails on OpenBSD
Small update:
OpenBSD 7.3 has easy-rsa 3.1.1 in its repository (After fresh install: pkg_add easy-rsa).
This *does* work properly with the nopass option.
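As an added example that is not part of the forum posts or of easy-rsa itself: a small POSIX sh preflight script that encodes what the thread established (3.0.9 and 3.1.0 fail with `nopass` on LibreSSL; 3.0.8, 3.1.1 and 3.1.2 work), parses the `easyrsa version` output in the format shown above, and after `build-ca` confirms that the CA key's protection state matches what was requested, since `nopass` leaves the CA private key on disk unencrypted (the help text says so: "do not encrypt the CA key (default is encrypted)"). The broken range 3.0.9 <= v < 3.1.1 is inferred only from the versions the thread actually tested, the key path pki/private/ca.key and the sample PEM bodies are assumptions, and none of the functions below exist in easy-rsa.

```shell
#!/bin/sh
# Added example, not from the forum thread or the easy-rsa project.
# Assumptions (labelled): "Version:" line format as printed by `easyrsa version`
# in the thread; the broken range 3.0.9 <= v < 3.1.1 comes only from the
# versions the thread tested (3.0.8 ok, 3.0.9 and 3.1.0 fail, 3.1.1/3.1.2 ok);
# the CA key is assumed to be written to PKI_DIR/private/ca.key; PEM bodies
# used in the demo are constructed placeholders, not real keys.

# vercmp A B -> prints -1, 0 or 1. Numeric compare of dotted versions; a
# leading "v" and any non-numeric suffix such as "-rc1" are ignored.
vercmp() {
    a="${1#v}.0.0"; b="${2#v}.0.0"
    i=0
    while [ "$i" -lt 3 ]; do
        x="${a%%.*}"; a="${a#*.}"; x="${x%%[!0-9]*}"; x="${x:-0}"
        y="${b%%.*}"; b="${b#*.}"; y="${y%%[!0-9]*}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Reads `./easyrsa version` output on stdin, prints the bare version
# ("Version: v3.0.9" -> "3.0.9").
easyrsa_version_from_output() {
    awk '/^Version:/ { v = $2; sub(/^v/, "", v); print v; exit }'
}

# Returns 0 when the version is in the range the thread found broken for
# `nopass` on LibreSSL (assumed range: 3.0.9 <= v < 3.1.1), 1 otherwise.
easyrsa_nopass_known_broken() {
    if [ "$(vercmp "$1" 3.0.9)" -ge 0 ] && [ "$(vercmp "$1" 3.1.1)" -lt 0 ]; then
        return 0
    fi
    return 1
}

# Classify a PEM private key file: prints encrypted, plaintext or unknown.
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" and the legacy OpenSSL
# "Proc-Type: 4,ENCRYPTED" header both count as encrypted.
pem_key_state() {
    [ -r "$1" ] || { printf 'unknown\n'; return 0; }
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" \
       || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        printf 'encrypted\n'
    elif grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        printf 'plaintext\n'
    else
        printf 'unknown\n'
    fi
}

# check_ca_key PKI_DIR EXPECT -> 0 when PKI_DIR/private/ca.key is in the
# requested state ("plaintext" after `build-ca nopass`, "encrypted" otherwise).
check_ca_key() {
    key="$1/private/ca.key"
    state=$(pem_key_state "$key")
    if [ "$state" = "$2" ]; then
        printf '%s: %s (as expected)\n' "$key" "$state"
        return 0
    fi
    printf '%s: %s, expected %s\n' "$key" "$state" "$2" >&2
    return 1
}

# Stand-alone demo on constructed input: sh preflight.sh demo
if [ "${1:-}" = demo ]; then
    ver=$(printf 'EasyRSA Version Information\nVersion: v3.0.9\n' | easyrsa_version_from_output)
    if easyrsa_nopass_known_broken "$ver"; then
        printf 'easy-rsa %s: nopass known broken with LibreSSL, use 3.1.1 or later\n' "$ver"
    fi
    d=$(mktemp -d); mkdir "$d/private"
    # constructed placeholder, not a real key
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEvQIBADANBgkq' '-----END PRIVATE KEY-----' > "$d/private/ca.key"
    check_ca_key "$d" plaintext
    rm -rf "$d"
fi
```

In practice the version check is `./easyrsa version | easyrsa_version_from_output`, run before `build-ca nopass`, and `check_ca_key pki plaintext` (or `encrypted`) afterwards; a CA key that is plaintext when encryption was expected, or the other way round, is worth catching before the key is copied anywhere.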