Good Afternoon,
I have reviewed the following posts:
topic14260.html
http://openvpn.net/index.php/open-sourc ... howto.html
And several other sources from a Google search and have found no clear solution for the latest install of OpenVPN for Windows 7.
In the command line, as administrator, I successfully set up the vars.bat file and followed the vars, clean-all, build-ca command sequence.
The first line shows WARNING: can't open config file: /etc/ssl/openssl.cnf
it then goes through the normal key creation sequence (asking for the Country Name, etc) and it generates 2 key files.
But I would like to fix the error shown. I tried the suggestions in the first post linked above. I have copied and renamed the openssl-1.0.0.cnf found in the easy-rsa folder (which installed after I uninstalled my first install of OpenVPN and went back and installed it again selecting the checkmark for OpenSSL and the one below it).
I have an /etc/ssl/openssl.cnf in both \OpenVPN\easy-rsa and \OpenVPN\bin and it still has the error.
Is this because the newest version of OpenVPN is not bundled with easyrsa3? I downloaded the easyrsa3 files from Gnu but I did not know what to do with the files to get them into OpenVPN, but re-installing the OpenVPN 2.3.4 and checking the unchecked boxes (OpenSSL, etc) seemed to put its own easy-rsa into the OpenVPN folders so I let it be.
OpenVPN 2.3.4 and easy-rsa build-ca Warning
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 5
- Joined: Tue Jun 17, 2014 3:19 pm
-
- OpenVpn Newbie
- Posts: 5
- Joined: Tue Jun 17, 2014 3:19 pm
Re: OpenVPN 2.3.4 and easy-rsa build-ca Warning
I uninstalled OpenVPN and removed all the folders I had created placing the openssl.cnf file in different spots. Then I installed Win64 OpenSSL v1.0.1h Light. After that I re-installed OpenVPN 2.3.4 and selected both the unchecked options (I had done this before in the last install, so I do not think this fixed the problem).
Then I attempted to build a cert again using the init-config-->modify vars.bat in admin notepad--->vars--->clean-all-->build-ca
and it shows the following:-------------------------------------------------------------
c:\Program Files\OpenVPN\easy-rsa>init-config
c:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
1 file(s) copied.
c:\Program Files\OpenVPN\easy-rsa>vars
c:\Program Files\OpenVPN\easy-rsa>clean-all
The system cannot find the file specified.
1 file(s) copied.
1 file(s) copied.
c:\Program Files\OpenVPN\easy-rsa>build-ca
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...........................................................................+++++
+
..........................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
----------------------------(copy ended)---------------------------------------------------------
So it would seem it doesn't have the openssl error anymore but now it isn't recognizing my request to generate a 2024 bit RSA key. I did modify the vars.bat file to have the following:
rem Increase this to 2048 if you
rem are paranoid. This will slow
rem down TLS negotiation performance
rem as well as the one-time DH parms
rem generation process.
set KEY_SIZE=2048
I should also note that none of the Country name, Province, etc. values that I changed in the vars.bat file showed as the default options in the command line when it asks you for them after typing build-ca. Instead, it showed the text that was there before. Might it not be accessing the vars.bat file I saved after I typed in the "vars" and then "clean-all" because it does say below that command that it couldn't find a file but then copied two?
One problem goes away...another one sets itself up...
-
- OpenVpn Newbie
- Posts: 5
- Joined: Tue Jun 17, 2014 3:19 pm
Re: OpenVPN 2.3.4 and easy-rsa build-ca Warning
I figured this out with more tinkering. I blame myself for trying to adhere to a guide too much and not looking at what my screen was saying. In the new version of OpenVPN 2.3.4 if you type "init-config" it will generate two files. One will be the "vars" file and it truly is a "Windows Batch File" under type. Then below it is the vars.bat file but that is a SAMPLE file. I modified in administrator with Notepad++ the SAMPLE file and not the "vars" file. Thus, when I went and told command line to access vars-->clean-all it was cleaning from the un-modified file. That is why the command line wasn't showing any of my changes made to lines like KEY_COUNTRY. This can be hard for a new user to discern that it is not just displaying a default even though you have made modifications to the file but that it truly is showing you the options it currently has in the file in [].
In terms of RSA3 and the fact that OpenVPN is no longer batched with it. Is using this "easy-rsa" that gets installed if you select the additional checkboxes mean I am using an outdated version of RSA? And if so, is that a problem for security?
Just wondering if I need to go figure out RSA3....(I pray not)....
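An added example, not part of the original posts: a Python check for the symptom described in this thread, comparing the values set in the edited vars file with what build-ca actually reported. The transcript lines are taken from the output quoted above; the `KEY_COUNTRY` value `CA` is a constructed sample, the function names are hypothetical, and the example assumes the `Country Name` default in the prompt comes from `KEY_COUNTRY`.

```python
import re

# Constructed sample: relevant lines of the file that was edited (KEY_COUNTRY=CA is made up).
EDITED_VARS = """\
rem Increase this to 2048 if you
rem are paranoid.
set KEY_SIZE=2048
set KEY_COUNTRY=CA
"""

# Lines taken from the build-ca output quoted in the thread.
TRANSCRIPT = """\
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
writing new private key to 'keys\\ca.key'
Country Name (2 letter code) [US]:
"""

def parse_vars(text):
    """Return {NAME: value} for each `set NAME=value` line, skipping rem comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("rem"):
            continue
        m = re.match(r"(?i)set\s+(\w+)=(.*)$", line)
        if m:
            values[m.group(1).upper()] = m.group(2).strip()
    return values

def parse_transcript(text):
    """Extract the key size and the bracketed country default that build-ca printed."""
    observed = {}
    m = re.search(r"Generating a (\d+) bit RSA private key", text)
    if m:
        observed["KEY_SIZE"] = m.group(1)
    m = re.search(r"Country Name \(2 letter code\) \[([^\]]*)\]", text)
    if m:
        observed["KEY_COUNTRY"] = m.group(1)
    return observed

def mismatches(vars_text, transcript):
    """Map each setting to (edited value, value used) where the two disagree."""
    wanted, seen = parse_vars(vars_text), parse_transcript(transcript)
    return {k: (wanted[k], seen[k]) for k in seen if k in wanted and wanted[k] != seen[k]}

if __name__ == "__main__":
    for name, (want, got) in mismatches(EDITED_VARS, TRANSCRIPT).items():
        print(f"{name}: edited file says {want}, build-ca used {got}")
```

Any mismatch means the batch file that was actually run is not the file that was edited, so the CA key was generated with the old settings.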
-
- OpenVpn Newbie
- Posts: 5
- Joined: Tue Jun 17, 2014 3:19 pm
Re: OpenVPN 2.3.4 and easy-rsa build-ca Warning
Thank you for your help, debbie10t,
What is the difference between the easy-rsa installed in OpenVPN 2.3.4 and RSA3?
Just trying to understand why I should dump the certs I just made and go make them from RSA3
Thanks for guiding me,
Chad
-
- OpenVpn Newbie
- Posts: 5
- Joined: Tue Jun 17, 2014 3:19 pm
Re: OpenVPN 2.3.4 and easy-rsa build-ca Warning
Oh they definitely aren't. I just figured that when you said I would want to use RSA3 over the ones made in easy-rsa that it means I should get rid of them and start over with RSA3.