easyrsa nopass fails on OpenBSD
Posted: Thu Mar 23, 2023 5:49 pm
I'm unable to create a new client for openvpn using the "nopass" option for easyrsa. Something seems to have changed with libressl which prevents this, but subsequent changes to easyrsa have not been made (please correct me if I'm wrong!).
On my existing server, the following command used to complete successfully:
./easyrsa --batch=1 --pki-dir=${pkiDir} --req-cn=${vpnclientuser} gen-req ${vpnclientuser} nopass
This now fails with:
-----
usage: req [-addext ext] [-batch] [-config file]
--snip--
Easy-RSA error:
Failed to generate request
Host: nix | OpenBSD | /bin/bash
-----
After further investigation, I was unable to create a new CA with the nopass option either.
Simple test to recreate the problem:
Fresh install of OpenBSD 7.2
pkg_add easyrsa
bsdtest# ./easyrsa build-ca nopass
* Notice:
Using Easy-RSA configuration from: /root/easy-rsa/pki/vars
* Notice:
Using SSL: openssl LibreSSL 3.6.0
usage: genpkey [-algorithm alg] [cipher] [-genparam] [-out file]
[-outform der | pem] [-paramfile file] [-pass arg]
[-pkeyopt opt:value] [-text]
-algorithm name Public key algorithm to use (must precede -pkeyopt)
-genparam Generate a set of parameters instead of a private key
-out file Output file to write to (default stdout)
-outform format Output format (DER or PEM)
-paramfile file File to load public key algorithm parameters from
(must precede -pkeyopt)
-pass arg Output file password source
-pkeyopt opt:value Set public key algorithm option to the given value
-text Print the private/public key in human readable form
Easy-RSA error:
Failed create CA private key
Host: nix | OpenBSD | /bin/ksh
The option still exists according to the help:
bsdtest# ./easyrsa help build-ca
build-ca [ cmd-opts ]
Creates a new CA
cmd-opts is an optional set of command options from this list:
nopass - do not encrypt the CA key (default is encrypted)
subca - create an intermediate CA keypair and request (default is a root CA)
intca - alias to the above
Note: If I remove "nopass" then both commands complete successfully. I've been unable to find a solution to this myself. Please help!
Cheers,
Chris