EasyRSA fails with sign_req randomize serial number failed

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
nhenderson@ceml.net
OpenVpn Newbie
Posts: 4
Joined: Mon Oct 25, 2021 6:45 pm

EasyRSA fails with sign_req randomize serial number failed

Post by nhenderson@ceml.net » Tue Feb 06, 2024 12:17 pm

I was able to renew one client and one server cert a couple of weeks ago.
Today, I attempted to revoke-renewed those certs which failed, although I was able to revoke them manually with openssl.

I then tried to renew some expired certs and get:
Easy-RSA error:
sign_req - Randomize Serial number failed:
Using configuration from /home/norm/easy-rsa/pki/openssl-easyrsa.cnf
Easy-RSA error:
easyrsa_openssl - Command has failed:
* openssl ca -status 3b11ea....
The same error occurs if i create new CSRs and attempt to sign-req (whether client or server)

I installed haveged (entropy generator) although it seems entropy problems are unlikely these days; it didn't make a difference.
I tried a script to rebuild index.txt; no difference.

If I manually set up the environment variables, and run

Code: Select all

openssl ca -config ./openssl-easyrsa.cnf -status (serialnumber)
directly I get nothing back, I don't know if that is expected.

Please can anyone help?

TinCanTech
OpenVPN Protagonist
Posts: 11135
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA fails with sign_req randomize serial number failed

Post by TinCanTech » Tue Feb 06, 2024 9:04 pm

What is your Operating System name ?

What is the version of Easy-RSA that you are using ?

nhenderson@ceml.net
OpenVpn Newbie
Posts: 4
Joined: Mon Oct 25, 2021 6:45 pm

Re: EasyRSA fails with sign_req randomize serial number failed

Post by nhenderson@ceml.net » Wed Feb 07, 2024 5:15 pm

Sorry, it's EasyRSA 3.1.7 OpenSSL 1.1.1f Ubuntu 20.04.6 LTS kernel 5.4.0-169-generic

After the above post I initialized a new PKI and copied back in my original ca.crt and ca.key. I was able to generate several requests and sign them. I also revoked a few certs, generated and signed some more.

To cut a long story short: what I had done wrong, was to try to import a cert and key manually from the earlier PKI structure - it's already deployed, with a long end date and I don't want to redeploy. The key and cert were generated with the same ca.key/ca.crt; I put the files in pki/private pki/issued pki/certs_by_serial as appropriate. Permissions all identical and all was fine to that point. However when I copied the corresponding line from the old index.txt to the new one, that broke everything. Deleting the line fixed it.

Since EasyRSA lacks an import function - should this not have worked?

TinCanTech
OpenVPN Protagonist
Posts: 11135
Joined: Fri Jun 03, 2016 1:17 pm

Re: EasyRSA fails with sign_req randomize serial number failed

Post by TinCanTech » Sat Feb 10, 2024 7:05 pm

nhenderson@ceml.net wrote:
Wed Feb 07, 2024 5:15 pm
when I copied the corresponding line from the old index.txt to the new one, that broke everything
EasyRSA failed as expected.
nhenderson@ceml.net wrote:
Wed Feb 07, 2024 5:15 pm
should this not have worked?
Please ask OpenSSL.
nhenderson@ceml.net wrote:
Wed Feb 07, 2024 5:15 pm
EasyRSA lacks an import function
EasyRSA has an import function. Please see the related help.
nhenderson@ceml.net wrote:
Wed Feb 07, 2024 5:15 pm
what I had done wrong, was to try to import a cert and key manually from the earlier PKI structure
Is it possible that you need to upgrade from an earlier PKI ?

EasyRSA v3.1.7 supports upgrading a PKI. Please see the related help.

Post Reply