Stuck in easy-rsa on 2.4.0 install on Raspbian stretch

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

Post by BobAGI » Wed Oct 25, 2017 10:52 pm

I am trying to set up an OpenVPN server on a brand new RPi3B with Raspbian Stretch from the Sept 2017 image.
I have performed all the usual steps using apt-get to install openvpn, and it got me version 2.4.0.
Previous installations I have done on Raspbian Wheezy ended up with 2.1.xx.

On 2.4.0 easy-rsa is part of the install but is hidden in /usr/share/easy-rsa, so I copied it to /etc/openvpn/easy-rsa

Now I have edited the vars script and it seemed satisfied after I replaced the double quotes in these lines:

Code:

export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_CONFIG="$EASY_RSA/whichopensslcnf $EASY_RSA"

But when I run the command ./build-ca I get this displayed:

Code:

root@rpi3-vpn:/etc/openvpn/easy-rsa# ./build-ca
grep: /etc/openvpn/easy-rsa/whichopensslcnf /etc/openvpn/easy-rsa: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/whichopensslcnf /etc/openvpn/easy-rsa
The correct version should have a comment that says: easy-rsa version 2.x

What does this mean and what can I do to fix it?
I checked the openssl version:

Code:

root@rpi3-vpn:/etc/openvpn/easy-rsa# openssl version
OpenSSL 1.1.0f  25 May 2017

And in the easy-rsa dir there are the following sample openssl.cnf files:

Code:

-rw-r--r--   1 root root  7859 Jul 13  2015 openssl-0.9.6.cnf
-rw-r--r--   1 root root  8416 Jul 13  2015 openssl-0.9.8.cnf
-rw-r--r--   1 root root  8313 Jul 13  2015 openssl-1.0.0.cnf

If I look at the openssl-1.0.0.cnf file the very first line is this comment:

Code:

# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*

So it does in fact mention easy-rsa 2.0...

In earlier installations I did not touch the KEY_CONFIG line so it looked like this by default:

Code:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

But if I go back to those quotes I get this error message:

Code:

root@rpi3-vpn:/etc/openvpn/easy-rsa# source ./vars
**************************************************************
  No /etc/openvpn/easy-rsa/openssl.cnf file could be found
  Further invocations will fail
**************************************************************

I am really at a loss here, since no howto I find on the net for OpenVPN on Raspbian Stretch seems to work.
Can someone please advise as to why the openssl is not correctly configured in this case?
And of course tell me what to do to fix it....
Should I just replace the use of whichopensslcnf with this line:

Code:

export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf $EASY_RSA"

But of course it did not cut it:

Code:

root@rpi3-vpn:/etc/openvpn/easy-rsa# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@rpi3-vpn:/etc/openvpn/easy-rsa# ./build-ca
grep: /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa
The correct version should have a comment that says: easy-rsa version 2.x

Finally: I removed the ending part of the export and also took out the quotes:

Code:

export KEY_CONFIG=$EASY_RSA/openssl-1.0.0.cnf

And now it actually worked to start the build-ca process!
Why in heaven's name does the whichopensslcnf script not work on 2.4.0?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Wed Oct 25, 2017 11:20 pm


Post by BobAGI » Thu Oct 26, 2017 7:11 am

Seems to be a lot for Windows...
What do I use on a Raspbian Stretch (Debian-Linux-ARM) platform?
There are binaries, which presumably are compiled for some CPU architecture, but which?
The easy-rsa shipped with OpenVPN (via apt-get install) does not contain binaries as far as I know.
Should it?

Post by TinCanTech » Thu Oct 26, 2017 10:33 am

BobAGI wrote (Thu Oct 26, 2017 7:11 am):
> Seems to be a lot for Windows...

You did not mention Windows before?

BobAGI wrote (Thu Oct 26, 2017 7:11 am):
> What do I use on a Raspbian Stretch (Debian-Linux-ARM) platform?

I believe you should be able to use https://github.com/OpenVPN/easy-rsa/rel ... -3.0.3.tgz

As you are using Raspbian I cannot be sure, please try it and let us know.

The *.tgz are for Linux while the *.zip are for Windows.

The extra binaries included with the Windows version are in order to provide a working *Nix like Shell.

Post by BobAGI » Thu Oct 26, 2017 5:53 pm

TinCanTech wrote (Thu Oct 26, 2017 10:33 am):
> BobAGI wrote (Thu Oct 26, 2017 7:11 am):
> > Seems to be a lot for Windows...
>
> You did not mention Windows before?

Not in this thread...
The first line says:
> I am trying to set up an OpenVPN server on a brand new RPi3B with Raspbian Stretch from the Sept 2017 image.

> BobAGI wrote (Thu Oct 26, 2017 7:11 am):
> > What do I use on a Raspbian Stretch (Debian-Linux-ARM) platform?
>
> I believe you should be able to use https://github.com/OpenVPN/easy-rsa/rel ... -3.0.3.tgz
>
> As you are using Raspbian I cannot be sure, please try it and let us know.
>
> The *.tgz are for Linux while the *.zip are for Windows.

I did a wget on the tgz file and then tar -xvzf on the downloaded file.
That gave me a directory EasyRSA-3.0.3 containing this:

Code:

drwxr-xr-x 4 pi pi  4096 Oct 26 17:43 .
drwxr-xr-x 3 pi pi  4096 Oct 26 17:40 ..
-rw-r--r-- 1 pi pi  2415 Sep  2  2015 ChangeLog
-rw-r--r-- 1 pi pi  1305 Aug 21 21:31 COPYING.md
drwxr-xr-x 2 pi pi  4096 Oct 26 17:40 doc
-rwxr-xr-x 1 pi pi 35985 Aug 21 21:31 easyrsa
-rw-r--r-- 1 pi pi 18093 Sep  2  2015 gpl-2.0.txt
-rw-r--r-- 1 pi pi  4560 Sep  2  2015 openssl-1.0.cnf
-rw-r--r-- 1 pi pi  3350 Sep  2  2015 README.quickstart.md
-rw-r--r-- 1 pi pi  8126 Sep  2  2015 vars.example
drwxr-xr-x 2 pi pi  4096 Aug 21 22:55 x509-types

Now I am stuck again because none of the scripts I am used to from easy-rsa are present, and the only directory here is the doc, which contains just documents.

Since I managed to somehow "solve" my problem by discarding the use of whichopensslcnf and instead setting the cnf file directly in the vars file, I might as well try that path.
Yesterday I managed to create the ca by running build-ca but then it was too late to go on, well after midnight here...

Post by TinCanTech » Thu Oct 26, 2017 7:26 pm

Try running easyrsa

:roll:

Post by BobAGI » Thu Oct 26, 2017 9:33 pm

Regarding using easyrsa as the command, I have a problem, since there are no OpenVPN installation howtos I have read that use it; they all refer to the individual scripts available in earlier releases of easy-rsa....

Fix for whichopensslcnf
I now found that the script whichopensslcnf is flawed after inspecting it and checking my system out...
The version of openssl is found like this:

Code:

# openssl version
OpenSSL 1.1.0f  25 May 2017

Notice that the version is 1.1.0.
Now in the whichopensslcnf script this is being done:

Code:

#!/bin/sh

cnf="$1/openssl.cnf"

if [ "$OPENSSL" ]; then
    if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
        cnf="$1/openssl-0.9.6.cnf"
    elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
        cnf="$1/openssl-0.9.8.cnf"
    elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
        cnf="$1/openssl-1.0.0.cnf"
    else
        cnf="$1/openssl.cnf"
    fi
fi
echo $cnf

if [ ! -r $cnf ]; then
    echo "**************************************************************" >&2
    echo "  No $cnf file could be found" >&2
    echo "  Further invocations will fail" >&2
    echo "**************************************************************" >&2
fi
exit 0

What I realized is that the script does not zero in on the 1.0.0 cnf for 1.1.x openssl, so what I did was add this after the last file check, right before else:

Code:

    elif $OPENSSL version | grep -E "1\.1\.[[:digit:]][[:alnum:]]?" > /dev/null; then
        cnf="$1/openssl-1.0.0.cnf"

I guess that this is not really the correct way since probably the openvpn installer should have provided a cnf file for openssl 1.1.x too.
But the 1.0.0 file seems to work just fine so this is a way to fix the problem until there is a correct cnf file available for 1.1.0.
At that time the script needs to be changed to point to this new cnf file of course.
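
An added example, not part of the post above and not the easy-rsa project's code: a selector that applies the thread's 1.1.x workaround but returns a failure instead of printing a missing path, plus a check showing why the double-quoted KEY_CONFIG from the first post is rejected. The function names, the sample directory and the grep pattern (modelled on the pkitool message quoted earlier in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the easy-rsa project's code.

# Print the config file for an `openssl version` string; return 1 if none is readable.
select_openssl_cnf() {
    dir=$1
    version=$2
    case $version in
        *" 0.9.6"*)      cnf="$dir/openssl-0.9.6.cnf" ;;
        *" 0.9.8"*)      cnf="$dir/openssl-0.9.8.cnf" ;;
        *" 1.0."[0-9]*)  cnf="$dir/openssl-1.0.0.cnf" ;;
        # Workaround from the thread: reuse the 1.0.0 file for OpenSSL 1.1.x.
        *" 1.1."[0-9]*)  cnf="$dir/openssl-1.0.0.cnf" ;;
        *)               cnf="$dir/openssl.cnf" ;;
    esac
    if [ ! -r "$cnf" ]; then
        echo "No readable $cnf for '$version'" >&2
        return 1    # fail here instead of printing a path that does not exist
    fi
    printf '%s\n' "$cnf"
}

# Check modelled on the pkitool message quoted in the thread (the pattern is an
# assumption): KEY_CONFIG must name one readable file with an
# "easy-rsa version 2.x" comment in it.
check_key_config() {
    [ -r "$1" ] && grep -qi 'easy-rsa version 2\.[0-9]' "$1"
}

# Constructed sample directory standing in for /etc/openvpn/easy-rsa.
demo_dir=$(mktemp -d)
echo '# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*' > "$demo_dir/openssl-1.0.0.cnf"

# Command substitution runs the selector; a double-quoted string would not.
KEY_CONFIG=$(select_openssl_cnf "$demo_dir" "OpenSSL 1.1.0f  25 May 2017")
check_key_config "$KEY_CONFIG" && echo "usable: $KEY_CONFIG"

# The value from the first post: a literal "path path" string, not a file.
check_key_config "$demo_dir/whichopensslcnf $demo_dir" || echo "rejected quoted string"
```

In a vars file the same pattern would read `KEY_CONFIG=$(select_openssl_cnf "$EASY_RSA" "$(openssl version)") || return 1`, so a missing config stops the setup at the point of the mistake.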

Post by TinCanTech » Thu Oct 26, 2017 10:52 pm

