
[Bug]: Error when CA-Root-PW too short

Open petterpet opened this issue 1 year ago • 6 comments

What is the bug?

While the script is running it creates a root ca using easy-rsa. It asks for a passphrase to encrypt the private key of the ca. If the password is too short or skipped by the user, there will be errors while creating clients.

There should be a hint in the README and in the script.

Relevant log output

Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
read EC key
writing EC key
Enter PEM pass phrase:

---------------------------------------

Missing expected CA file: ca.crt (perhaps you need to run build-ca?)
Run easyrsa without commands for usage and command help.

Client Test added.
cat: /etc/openvpn/easy-rsa/pki/ca.crt: No such file or directory
awk: cannot open /etc/openvpn/easy-rsa/pki/issued/Test.crt (No such file or directory)
cat: /etc/openvpn/easy-rsa/pki/private/Test.key: No such file or directory

petterpet avatar Aug 30 '22 10:08 petterpet

The version of EasyRSA which angristan uses does not support OpenSSL v3.

@angristan An update is required.

TinCanTech avatar Aug 30 '22 13:08 TinCanTech

I installed on a plain system. So openssl was installed by the script, or not?

petterpet avatar Aug 30 '22 15:08 petterpet

Hi @petterpet, I found that the problem was a duplicated "vars" file ("/etc/openvpn/easy-rsa/vars" : old location, "/etc/openvpn/easy-rsa/pki/vars" : new location).

So I tweaked the script to store the variables in /tmp and then overwrite the "pki/vars" with it.

I do not create a pull request because you may want to make it cleaner or change the arrangement of this section. Here is the modified code (lines 704 to 734):

if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
	local version="3.1.0"
	wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
	mkdir -p /etc/openvpn/easy-rsa
	tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
	rm -f ~/easy-rsa.tgz

	cd /etc/openvpn/easy-rsa/ || return

	# Build the vars file in /tmp first; it is moved into pki/ (the EasyRSA 3.1 location) after init-pki
	case $CERT_TYPE in
	1)
		echo "set_var EASYRSA_ALGO ec" >/tmp/vars
		echo "set_var EASYRSA_CURVE $CERT_CURVE" >>/tmp/vars
		;;
	2)
		echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >/tmp/vars
		;;
	esac

	# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
	SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
	echo "$SERVER_CN" >SERVER_CN_GENERATED
	SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
	echo "$SERVER_NAME" >SERVER_NAME_GENERATED

	echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>/tmp/vars

	# Create the PKI, set up the CA, the DH params and the server certificate
	./easyrsa init-pki
	mv /tmp/vars pki
	./easyrsa --batch build-ca nopass

I now have my client generated normally, with latest easy rsa and openssl version (tested on ubuntu:20.04)!

Abyss-W4tcher avatar Aug 31 '22 15:08 Abyss-W4tcher
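An added example, not code from openvpn-install or from any commenter, showing the two pieces the thread points at: writing the EasyRSA 3.1 vars file into its pki/ location through a private temp file rather than a fixed /tmp path, and refusing to generate clients until the CA really exists (the log above prints "Client Test added." after build-ca had failed). The function names, their arguments and the throwaway demo directory are my own assumptions.

```shell
#!/bin/sh
# Added example (not from angristan/openvpn-install): put the EasyRSA 3.1
# "vars" file in its new location, pki/vars, via a private temp file instead
# of a fixed /tmp path, and gate client generation on the CA really existing.
set -eu

# write_easyrsa_vars PKI_DIR CERT_TYPE CURVE RSA_KEY_SIZE SERVER_CN
# (hypothetical helper) Assembles vars in a mktemp file beside its target and
# renames it into place, so a stale or planted /tmp/vars can never be used.
# Must run after "easyrsa init-pki" has created PKI_DIR.
write_easyrsa_vars() {
	pki_dir=$1 cert_type=$2 curve=$3 rsa_key_size=$4 server_cn=$5
	[ -d "$pki_dir" ] || { echo "no PKI dir $pki_dir; run init-pki first" >&2; return 1; }
	tmp=$(mktemp "$pki_dir/vars.XXXXXX")      # same filesystem, mode 0600
	case $cert_type in
	1)
		printf 'set_var EASYRSA_ALGO ec\nset_var EASYRSA_CURVE %s\n' "$curve" >"$tmp"
		;;
	2)
		printf 'set_var EASYRSA_KEY_SIZE %s\n' "$rsa_key_size" >"$tmp"
		;;
	*)
		rm -f "$tmp"; echo "unknown CERT_TYPE '$cert_type'" >&2; return 1
		;;
	esac
	printf 'set_var EASYRSA_REQ_CN %s\n' "$server_cn" >>"$tmp"
	mv -f "$tmp" "$pki_dir/vars"    # rename within one directory: atomic
}

# check_ca_ready PKI_DIR
# (hypothetical helper) The log in this issue shows "Client Test added."
# even though build-ca had failed; this check makes the script stop instead.
check_ca_ready() {
	for f in "$1/ca.crt" "$1/private/ca.key"; do
		if [ ! -s "$f" ]; then
			echo "CA not ready: $f missing or empty (did build-ca fail?)" >&2
			return 1
		fi
	done
}

# Demo on a constructed throwaway directory; easyrsa itself is not needed.
demo_pki=$(mktemp -d)
mkdir -p "$demo_pki/private"
write_easyrsa_vars "$demo_pki" 1 prime256v1 2048 cn_demo
cat "$demo_pki/vars"
check_ca_ready "$demo_pki" || echo "client generation would be refused here"
rm -rf "$demo_pki"
```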

@Abyss-W4tcher's fix works perfectly for me on Debian bookworm (testing)!

Here's the diff from the original, not including a whitespace change, if that's an easier format to review (it was for me):

--- openvpn-install.sh.ref      2022-08-31 15:50:25.983213571 +0000
+++ openvpn-install.sh  2022-08-31 15:51:50.058884463 +0000
@@ -702,7 +702,7 @@

        # Install the latest version of easy-rsa from source, if not already installed.
        if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
-               local version="3.0.7"
+               local version="3.1.0"
                wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
                mkdir -p /etc/openvpn/easy-rsa
                tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
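Review bot: the bump to 3.1.0 still fetches the tarball with `wget -O ~/easy-rsa.tgz` and unpacks it straight into /etc/openvpn/easy-rsa with no hash or signature check against the release, so a pinned checksum next to `local version="3.1.0"` would be worth adding. Also note that the surrounding guard `if [[ ! -d /etc/openvpn/easy-rsa/ ]]` means existing installs never receive the new EasyRSA; the change should say that affected users have to remove that directory (or reinstall) for the fix to apply.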
@@ -711,11 +711,11 @@
                cd /etc/openvpn/easy-rsa/ || return
                case $CERT_TYPE in
                1)
-                       echo "set_var EASYRSA_ALGO ec" >vars
-                       echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars
+                       echo "set_var EASYRSA_ALGO ec" >/tmp/vars
+                       echo "set_var EASYRSA_CURVE $CERT_CURVE" >>/tmp/vars
                        ;;
                2)
-                       echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars
+                       echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >/tmp/vars
                        ;;
                esac

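Review bot: writing to the fixed path /tmp/vars with `>` and `>>` while the script runs as root is a pre-creation/symlink hazard, since any local user can place a /tmp/vars beforehand and have root write through it; use `mktemp` (or write straight into pki/vars after init-pki) rather than a predictable name in a world-writable directory. A smaller point: if CERT_TYPE is neither 1 nor 2, nothing truncates the file, so a stale /tmp/vars left by an earlier run would simply be appended to.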
@@ -725,10 +725,11 @@
                SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
                echo "$SERVER_NAME" >SERVER_NAME_GENERATED

-               echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
+               echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>/tmp/vars

                # Create the PKI, set up the CA, the DH params and the server certificate
                ./easyrsa init-pki
+               mv /tmp/vars pki
                ./easyrsa --batch build-ca nopass

                if [[ $DH_TYPE == "2" ]]; then

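Review bot: `mv /tmp/vars pki` has to stay after `./easyrsa init-pki`, because init-pki creates (and on re-initialisation wipes) the pki directory, so a comment stating that ordering would keep a later refactor from silently breaking it; writing pki/vars directly at this point would also make the temp file unnecessary. Worth documenting in the same place: `build-ca nopass` is what avoids the passphrase prompt this issue reports, at the cost of an unencrypted CA key under pki/private, which is the trade-off users should be told about.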
mikeage avatar Aug 31 '22 15:08 mikeage

Glad it worked! It was really annoying, as this project was exactly what I was looking for...

Yeah, it was not really clean; I should have thought to make a diff x)

Abyss-W4tcher avatar Aug 31 '22 16:08 Abyss-W4tcher

FTR: EasyRSA v3.1.0 is a .0 release with known issues.

EasyRSA v3.1.1, currently git/master, has many fixes, making it an even better option.

TinCanTech avatar Aug 31 '22 16:08 TinCanTech