easy-rsa
easy-rsa 3.0.9 Failed to install required data-files to PKI. (init)
Trying to upgrade to 3.0.9, but saw the easyrsa init-pki runtime failure:
==> easyrsa init-pki
* WARNING:
Failed to install required data-files to PKI. (init)
Easy-RSA error:
init-pki failed to create safe SSL conf: /private/tmp/easy-rsa-test-20220518-71956-ds9c54/pki/safessl-easyrsa.cnf
relates to https://github.com/Homebrew/homebrew-core/pull/101848
Does the script have access to the following data?
- openssl-easyrsa.cnf
- x509-types folder
I do not believe this is an issue with Openssl-version.
Please see #511 for further details.
ok, let me give a try. Thanks for the direction.
what about vars.example, is that still in use. Somehow I still cannot get it working.
On macOS simply extracting the tgz file, changing in to the easyrsa path and running the program works.
I'm not sure what you're trying to do in the brew build, but you're breaking it.
This isn't an easyrsa issue it's your build script in brew.
Eric Crist
On May 18, 2022, at 7:12 PM, Rui Chen @.***> wrote:
> what about vars.example, is that still in use. Somehow I still cannot get it working.
> what about vars.example, is that still in use. Somehow I still cannot get it working.
If vars.example is missing that will still allow your PKI to be initialised.
easyrsa MUST find openssl-easyrsa.cnf and x509-types folder.
Have them present in the same folder as easyrsa or one of these folders:
https://github.com/OpenVPN/easy-rsa/blob/cf32d9f4850d09152efb83d87f2230aa3b3ef83b/easyrsa3/easyrsa#L811-L818
Is EASYRSA_PKI configurable to find the PKI folder?
> On macOS simply extracting the tgz file, changing in to the easyrsa path and running the program works. I'm not sure what you're trying to do in the brew build, but you're breaking it. This isn't an easyrsa issue it's your build script in brew.
There are some brew env variables that get set up during the build process to ensure portability. Other than that I don't think we broke the build process; also, this did not happen in 3.0.8. That is the reason why I raised an issue here (more like a question, not a bug report).
You can use --pki-dir=DIR or set_var EASYRSA_PKI "foo" in vars.
Keep in mind, if you are doing init-pki then your pki/vars will be removed.
If you require an external vars file then do this:
- easyrsa --pki-dir=foo init-pki
  This will create PKI dir foo and create a new, blank foo/vars file.
- Then create your own external vars file and call with option --vars=FILE, e.g.:
  easyrsa --pki-dir=foo --vars=bar/vars build-ca
- Delete the unused foo/vars file.
This is due to a "chicken and egg" problem with init-pki versus --vars=FILE
Note: easyrsa could handle this better ..
I need to test v3.0.9 for differences ..
Hello
In v3.0.8, easyrsa automatically used the files existing beside the binary. But in v3.0.9, I must copy those data you mentioned (openssl-easyrsa.cnf and x509-types) to the working directory to get init-pki working.
@SSgumS Please post the error message that you receive.
Edit: If you don't have the files openssl-easyrsa.cnf and x509-types then you have not installed EasyRSA, only copied the script.
> @SSgumS Please post the error message that you receive.
The error message of command easyrsa init-pki:
* WARNING:
Failed to install required data-files to PKI. (init)
Easy-RSA error:
init-pki failed to create safe SSL conf: /app/pki/safessl-easyrsa.cnf
Host: nix | Linux |
What I did to resolve the error:
$ cp -r /usr/share/easyrsa/x509-types/ ./
$ cp /usr/share/easyrsa/openssl-easyrsa.cnf ./
Then the command is executed without any errors.
Edit:
It's better to clarify that I was using the binary in path /usr/share/easyrsa/easyrsa.
> $ cp -r /usr/share/easyrsa/x509-types/ ./
> $ cp /usr/share/easyrsa/openssl-easyrsa.cnf ./
You have installed the files to the wrong folder.
The correct name is easy-rsa, with a dash -.
For v3.0.x there could still be problems related to old packaging or other user error. Such problems can be dealt with as they come to light.
I found that the way to resolve that is to run easyrsa in the directory in which it was installed. Creating a soft link to it from e.g. usr/local/sbin doesn't work and that error is reported.
Surely the script can dereference the link if that is what is materialised as $0 to get the real location and then use that?
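The symlink case raised in the comment above, as an added example that is not part of the thread or of Easy-RSA's code: resolve the invoked path through its symlinks before looking for openssl-easyrsa.cnf and x509-types. The function names are hypothetical, and the search order (real script directory, then the working directory) is an assumption.

```shell
#!/bin/sh
# Added example, not Easy-RSA code; function names are hypothetical.

# Follow a chain of symlinks to the real file without readlink -f,
# which is missing on some platforms.
resolve_link() {
    target=$1
    hops=0
    while [ -L "$target" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || return 1      # guard against link loops
        dir=$(CDPATH= cd -P "$(dirname "$target")" && pwd) || return 1
        link=$(readlink "$target") || return 1
        case $link in
            /*) target=$link ;;              # absolute link target
            *)  target=$dir/$link ;;         # relative to the link's directory
        esac
    done
    dir=$(CDPATH= cd -P "$(dirname "$target")" && pwd) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$target")"
}

# Print the first directory holding both data-files named in this thread.
find_data_dir() {
    for d in "$@"; do
        if [ -f "$d/openssl-easyrsa.cnf" ] && [ -d "$d/x509-types" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Locate the data-files for a script invoked as $1 (normally "$0").
# Assumed search order: the real script directory, then $PWD.
locate_from() {
    case $1 in
        */*) script=$1 ;;
        *)   script=$(command -v "$1") || return 1 ;;   # found via PATH
    esac
    real=$(resolve_link "$script") || return 1
    find_data_dir "$(dirname "$real")" "$PWD"
}

# Usage inside a script: data_dir=$(locate_from "$0") || exit 1
```

Searching only the directory of an unresolved `$0` is what makes a symlinked launcher miss data-files that sit beside the real script.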
I'll take a look at v309
@fireflycons I cannot reproduce any problem.
Can you explain exactly how you have installed Easy-RSA ?
I untarred it in /opt leaving the directory structure as per the tarball intact.
I exported env vars for EASYRSA pointing to /opt/EasyRSA-3.1.0, and EASYRSA_PKI pointing to where I wanted PKI to go
Created a symlink ln -s /opt/EasyRSA-3.1.0/easyrsa /usr/local/sbin/easyrsa
Running from root's home: easyrsa init-pki and got the error as per the first message in this thread.
Then
cd /opt/EasyRSA-3.1.0
./easyrsa init-pki
This time no errors.
This issue is specific to version 3.0.9.
You are using version 3.1.0. It is a dot zero version with some known minor issues.
I'll double check your installation method for version 3.1.1.
Closing this. Will raise an issue for v3.1.x, if I find any problems.
@fireflycons assuming that you do not have Easy-RSA data-files installed anywhere then your first attempted installation method is not supported.
However, changing directory to the extracted EasyRSA-3.1.0 and running easyrsa from the PATH does work, even with your specific customisations.