easy-rsa
The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'
Bug in the latest v3.1.1 release:
./easyrsa --batch build-ca
Easy-RSA error:
The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'.
* /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf
Please update openssl-easyrsa.cnf to the latest official release.
EasyRSA Version Information
Version: 3.1.1
Generated: Thu Oct 13 06:37:48 CDT 2022
SSL Lib: OpenSSL 1.1.1n 15 Mar 2022
Git Commit: 2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.1 | nix | Linux | /bin/bash | OpenSSL 1.1.1n 15 Mar 2022
@Nyr
The problem here is caused by: https://github.com/OpenVPN/easy-rsa/blob/2083fb29b512c5b2fccf65db8e5f89771fbf90f5/easyrsa3/easyrsa#L1318-L1324
You need to update your copy of openssl-easyrsa.cnf.
I am using the openssl-easyrsa.cnf built with the latest release, something is going on:
root@localhost:~# tar xzf EasyRSA-3.1.1.tgz
root@localhost:~# cd EasyRSA-3.1.1/
root@localhost:~/EasyRSA-3.1.1# ./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /root/EasyRSA-3.1.1/pki
* Using Easy-RSA configuration:
* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
Edit this 'vars' file to customise the settings for your PKI.
* Using x509-types directory: /root/EasyRSA-3.1.1/x509-types
root@localhost:~/EasyRSA-3.1.1# ./easyrsa --batch build-ca nopass
Easy-RSA error:
The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'.
* /root/EasyRSA-3.1.1/pki/openssl-easyrsa.cnf
Please update openssl-easyrsa.cnf to the latest official release.
EasyRSA Version Information
Version: 3.1.1
Generated: Thu Oct 13 06:37:48 CDT 2022
SSL Lib: OpenSSL 1.1.1n 15 Mar 2022
Git Commit: 2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.1 | nix | Linux | /bin/bash | OpenSSL 1.1.1n 15 Mar 2022
Meanwhile, in a different system, same release, it is fine:
nyr@DESKTOP-3V4BVLV:~$ tar xzf EasyRSA-3.1.1.tgz
nyr@DESKTOP-3V4BVLV:~$ cd EasyRSA-3.1.1
nyr@DESKTOP-3V4BVLV:~/EasyRSA-3.1.1$ ./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /home/nyr/EasyRSA-3.1.1/pki
* Using Easy-RSA configuration:
* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
Edit this 'vars' file to customise the settings for your PKI.
* Using x509-types directory: /home/nyr/EasyRSA-3.1.1/x509-types
nyr@DESKTOP-3V4BVLV:~/EasyRSA-3.1.1$ ./easyrsa --batch build-ca nopass
........+++++
..........+++++
nyr@DESKTOP-3V4BVLV:~/EasyRSA-3.1.1$ ./easyrsa --version
EasyRSA Version Information
Version: 3.1.1
Generated: Thu Oct 13 06:37:48 CDT 2022
SSL Lib: OpenSSL 1.1.1n 15 Mar 2022
Git Commit: 2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
I will troubleshoot later as I do not have time right now, but I suspect there is a bug with the latest release. I am definitively not using an old configuration file.
Thanks for the extra details, I am testing.
Sorry. I cannot replicate the issue here.
@Nyr My first guess would be that you follow development here quite closely and so you have already tested the new data-dir locations, such as /usr/local/share/easy-rsa. If so then perhaps the script picked up an old copy from such a place.
This issue is happening on a 100% clean system.
To be specific, it happens in a clean Debian 11 image at Linode, while it does not happen in my also clean Debian 11 WSL image.
I will take a look later, but this is absolutely on a clean, just installed system.
To be specific, it happens in a clean Debian 11 image at Linode
Then perhaps Linode have the same issue. They may have an old version of easyrsa installed by default.
I could have made the check above only issue a warning but I would prefer to see all old openssl-easyrsa.cnf replaced. Even at this level of inconvenience.
This could be related to and even fixed by #723
@Nyr Thanks to your feedback, I have just pushed a change to Easy-RSA unit-test which will allow it to be run on the downloaded/extracted release tar-ball.
Download easyrsa-unit-tests.sh to the extracted EasyRSA-xxx directory and run it from there. ./easyrsa-unit-tests.sh -v
Found the issue, it is not a problem with the latest easy-rsa.
But keep the issue open, I will update soon with further information.
First of all, sorry for wasting your time on this, I should have troubleshot more before opening an issue.
The problem was occurring for systems which had the easy-rsa package installed. Those systems were clean other than an apt-get install openvpn, but I was unaware that the easy-rsa was still among the "recommends" for the openvpn package. I was under the assumption that this was no longer the case and I did not check, very sorry about that.
So the issue is indeed related to the new data-dir locations. This is not a technical issue but I think it is a UX issue, as people doing an apt-get install openvpn will run into it.
One can of course do --no-install-recommends (as I will), but the average user will run into this.
Main thing which contributed to the confusion is that the easy-rsa package is a "recommend" in Debian, but only a "suggest" in Ubuntu.
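A small diagnostic for the situation described above, added here as an example and not part of Easy-RSA: it checks every openssl-easyrsa.cnf copy that could be picked up for the `#%CA_X509_TYPES_EXTRA_EXTS%` insert-marker that the build-ca check greps for, so a stale distro-packaged copy shows up before build-ca dies on it. The marker and /usr/local/share/easy-rsa come from this thread; the other default paths are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not Easy-RSA's own code). Reports which openssl-easyrsa.cnf
# copies exist in the places Easy-RSA may read from and whether each carries the
# insert-marker build-ca requires. A copy without it is an old file, typically
# from a distro easy-rsa package pulled in by 'apt-get install openvpn'.

MARKER='#%CA_X509_TYPES_EXTRA_EXTS%'

# 0 = marker present, 1 = marker missing (stale file), 2 = file unreadable.
cnf_supports_ca_type() {
    [ -r "$1" ] || return 2
    grep -q "^$MARKER" "$1"
}

# Default places to look (assumed layout; adjust for your install).
default_cnf_paths() {
    printf '%s\n' \
        "${EASYRSA_PKI:-./pki}/openssl-easyrsa.cnf" \
        ./openssl-easyrsa.cnf \
        /usr/local/share/easy-rsa/openssl-easyrsa.cnf \
        /usr/share/easy-rsa/openssl-easyrsa.cnf \
        /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf
}

# Usage: audit_cnf_copies [path ...]; prints one line per existing file.
# Returns 1 if any existing copy lacks the marker, 0 otherwise.
audit_cnf_copies() {
    [ $# -gt 0 ] || set -- $(default_cnf_paths)
    stale=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        if cnf_supports_ca_type "$p"; then
            printf 'OK     %s\n' "$p"
        else
            printf 'STALE  %s (no %s insert-marker)\n' "$p" "$MARKER"
            stale=1
        fi
    done
    return $stale
}

if ! audit_cnf_copies "$@"; then
    echo 'A stale openssl-easyrsa.cnf was found; see STALE lines above.' >&2
fi
```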
@Nyr Thank you for your help.
This is entirely my fault for overlooking such an obvious use case.
I am re-opening this issue for better visibility.
For the record, I am drawing Easy-RSA toward the more Unix style use of separating application from data-in and output files. However, due to Windows support, the old method has to continue to work.
The combination of having the OpenVPN install include EasyRSA, plus data-in files found in the wrong order, plus making the error fatal is just a step too far.
It is unfortunate, but I may have shot myself in the foot here.
Workable solutions for v3.1.1 very welcome.
It is not a fast nor guaranteed approach, but if the Debian package is the only one from the main distros recommending easy-rsa (I have not checked thoroughly, but it seems to be) you could potentially talk with the maintainers about a change.
Additional information within the error message could also help, but will probably not be enough for inexperienced users.
I've adjusted the EasyRSA timeline to push an early bug-fix out for this specific issue.
@Nyr Again, thank you for your help. And timely reminder to test more thoroughly ;-).
Regarding Debian, this feels like my error not theirs. Regarding the error message and even improving it, I agree that it would not be enough.
My initial approach was a shade too severe, on this occasion.
For future reference: This is the cause of the problem:
https://github.com/OpenVPN/easy-rsa/blob/2083fb29b512c5b2fccf65db8e5f89771fbf90f5/easyrsa3/easyrsa#L1318-L1324
Temporary work-around: in easyrsa, change line 1320 from die to warn.
git diff:
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 4f76077..f8ad74a 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1317,7 +1317,7 @@ Missing X509-type 'COMMON'"
# Check for insert-marker in ssl config file
if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then
- die "\
+ warn "\
The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'.
* $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release."
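Review bot: Swapping die for warn at the insert-marker check means build-ca now carries on with an openssl-easyrsa.cnf that lacks `#%CA_X509_TYPES_EXTRA_EXTS%`, a file the message itself says does not support X509-type 'ca'; in a `--batch` run the warning scrolls past and the CA gets built from the stale config without the user noticing. If the check is relaxed at all, the warning should state what is being skipped and which file was picked up (`$EASYRSA_SSL_CONF` is already in the message), and the real fix belongs in how the config file is located, not in this check.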
The work-around above is not a solution.
The solution is #727
First of all, sorry for wasting your time on this, I should have troubleshot more before opening an issue.
The problem was occurring for systems which had the easy-rsa package installed. Those systems were clean other than an apt-get install openvpn, but I was unaware that the easy-rsa was still among the "recommends" for the openvpn package. I was under the assumption that this was no longer the case and I did not check, very sorry about that.
So the issue is indeed related to the new data-dir locations. This is not a technical issue but I think it is a UX issue, as people doing an apt-get install openvpn will run into it.
One can of course do --no-install-recommends (as I will), but the average user will run into this.
I did not know this either. I just copy the currently installed easy-rsa to my openvpn directory: https://askubuntu.com/a/780302/296502.
@xinthose if you can outline the problem then this issue can be reopened.