Comments (28)
As a workaround for MacOS Sierra/High Sierra add to your ENV this:
export EASYRSA_OPENSSL="/usr/local/Cellar/openssl/1.0.2l/bin/openssl"
from easy-rsa.
To make the fix of @noizo "permanent" create or edit the vars
file and add set_var EASYRSA_OPENSSL "/usr/local/Cellar/openssl/1.0.2l/bin/openssl"
(reference: vars.example ).
from easy-rsa.
+1 macOS high Sierra (10.13) #155
from easy-rsa.
So none of the above worked for me. I had to modify vars and replace:
export OPENSSL="openssl"
with
export OPENSSL="/usr/local/Cellar/openssl/1.0.2o_1/bin/openssl"
from easy-rsa.
I'm also struggling to get easy-rsa to work on macOS 10.13.4 which is bundled with LibreSSL. The only problem is that /usr/local/Cellar/openssl/1.0.2l/bin/openssl doesn't seem to exist (nor does the folder /usr/local/Cellar on my machine, for that matter, running macOS 10.13.4). I even tried installing the latest version of OpenSSL, but that failed also. There's got to be a better, easier way to generate OpenVPN certs and keys.
from easy-rsa.
I'm having the same issue with OpenBSD 5.8 and Libre 2.2.2
from easy-rsa.
There has been no testing with LibreSSL at this time. I'm certainly open to feedback and bug testing, however.
from easy-rsa.
Easy-rsa works with LibreSSL for me on OpenBSD 5.8. However one has to hard-code info into openssl.cnf as $ENV is not allowed to be passed to libressl. I just opened another issue with that.
from easy-rsa.
EasyRSA has only been written to support OpenSSL at this point. Inclusion of another SSL library and set of utilities will be complicated and regression testing will be tough. Moving this to 4.x. Honestly, I don't see it happening unless someone else steps in.
from easy-rsa.
4.x? LibreSSL is going to be the default for a lot of distros.
I hope to see the support before the 4.x.
from easy-rsa.
Can you cite sources?
Eric
On Sep 1, 2016, at 2:32 AM, comio wrote:
4.x? LibreSSL is going to be the default for a lot of distros.
I hope to see the support before the 4.x.
from easy-rsa.
Same issue here on OpenBSD 6.0
from easy-rsa.
Any updates on this thread? I'm using OpenBSD 6.0 and the newest easy-rsa version from github. In the easy-rsa script I recognize that LibreSSL is mentioned, but it still doesn't work. In other OpenBSD related threads they say it's because the use of the $ENV variable is deprecated and should not be used...
# Verify EASYRSA_OPENSSL command gives expected output
if [ -z "$EASYRSA_SSL_OK" ]; then
	local val="$("$EASYRSA_OPENSSL" version)"
	case "${val%% *}" in
		OpenSSL|LibreSSL) ;;
		*) die "\
Missing or invalid OpenSSL
Expected to find openssl command at: $EASYRSA_OPENSSL"
	esac
fi
For all interested in this topic: the pkg version of easy-rsa on OpenBSD 6.0 is working properly!
from easy-rsa.
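The two practical pieces of this thread so far are the version check quoted in the comment above (easy-rsa accepts both "OpenSSL" and "LibreSSL" from `openssl version`) and the earlier report that LibreSSL will not expand `$ENV::NAME` references in openssl.cnf, so the values have to be hard-coded. The script below is an added example, not code from the issue or from easy-rsa: it classifies the binary the same way, lists the `$ENV::` references a config file contains, and writes a copy with those references replaced by the exported values, refusing to continue if a referenced variable is not exported (an empty `dir` is worse than a loud failure). The function names and the config fragment at the bottom are constructed for the demo; the fragment only imitates the shape of easy-rsa's `openssl-easyrsa.cnf`.

```shell
#!/bin/sh
# Added example, not easy-rsa code. Assumes a config written in the style of
# openssl-easyrsa.cnf, i.e. paths expressed as $ENV::EASYRSA_PKI and friends.

# Classify a binary from its `openssl version` line, as easy-rsa's startup
# check does: prints "OpenSSL", "LibreSSL" or "unknown".
ssl_flavor() {
    case "${1%% *}" in
        OpenSSL|LibreSSL) printf '%s\n' "${1%% *}" ;;
        *)                printf 'unknown\n' ;;
    esac
}

# Distinct variable names referenced as $ENV::NAME in a config file.
cnf_env_refs() {
    grep -o '\$ENV::[A-Za-z_][A-Za-z0-9_]*' "$1" | cut -c7- | sort -u
}

# Copy config $1 to $2 with every $ENV::NAME replaced by the exported value
# of NAME. Exits 1 (and says why on stderr) when a referenced NAME is not in
# the environment, so a config with an empty path never reaches `openssl ca`.
# Matching the full identifier avoids clobbering FOO when FOO_BAR is meant.
cnf_hardcode() {
    awk '{
        while (match($0, /\$ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr($0, RSTART + 6, RLENGTH - 6)
            if (!(name in ENVIRON)) {
                printf "cnf_hardcode: $ENV::%s referenced but %s is not exported\n", name, name > "/dev/stderr"
                exit 1
            }
            $0 = substr($0, 1, RSTART - 1) ENVIRON[name] substr($0, RSTART + RLENGTH)
        }
        print
    }' "$1" > "$2"
}

# Demo on a constructed fragment (not the real openssl-easyrsa.cnf).
demo_dir=$(mktemp -d)
cat > "$demo_dir/openssl-easyrsa.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir       = $ENV::EASYRSA_PKI
certs     = $ENV::EASYRSA_PKI
database  = $ENV::EASYRSA_PKI/index.txt
serial    = $ENV::EASYRSA_PKI/serial
default_days = $ENV::EASYRSA_CERT_EXPIRE
EOF
export EASYRSA_PKI="$demo_dir/pki" EASYRSA_CERT_EXPIRE=3650
ssl_flavor "$(openssl version 2>/dev/null || echo none)"
cnf_env_refs "$demo_dir/openssl-easyrsa.cnf"
cnf_hardcode "$demo_dir/openssl-easyrsa.cnf" "$demo_dir/openssl-libressl.cnf"
cat "$demo_dir/openssl-libressl.cnf"
```

The generated copy can be pointed at with `EASYRSA_SSL_CONF` (or by editing `vars`) on a LibreSSL host; regenerate it whenever `EASYRSA_PKI` or any other referenced variable changes, since the values are now frozen into the file.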
See also #76
from easy-rsa.
+1 FreeBSD 11.1 :)
from easy-rsa.
@noizo Thank you for your reply.
from easy-rsa.
Same problem on OS X - I worked around it by adding this to my vars file:
# workaround for https://github.com/OpenVPN/easy-rsa/issues/74 libressl doesn't support passing in values via ENV
if [ -n "$(brew --prefix)" ] ; then
export EASYRSA_OPENSSL="$(brew list openssl|grep 'openssl$')"
fi
To retain usability on multiple machines / platforms (not great, but at least it doesn't break immediately).
from easy-rsa.
Still getting errors on OSX High Sierra even with the EASYRSA_OPENSSL env var declared. The pki/extensions.temp file referred to in the error doesn't even exist.
04:25 pm xxxx@MBA72986 ~/support/tmp/easy-rsa/easyrsa3
$ ./easyrsa build-server-full server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..........+++
..........................+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server.key.IhiGDNWXaT'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/extensions.temp'
140735596974984:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:351:line 16
Easy-RSA error:
signing failed (openssl output above may have more detail)
04:25 pm xxxx@MBA72986
Using easyrsa v3.0.4:
$ git status
On branch v3.0.4
Your branch is up-to-date with 'origin/v3.0.4'.
from easy-rsa.
I removed the pki directory and ran it all again and got a different error:
$ ./easyrsa build-server-full server1 nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......+++
.............................................................+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server1.key.bdtZ2XZ2ok'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/extensions.temp'
140735596974984:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/index.txt.attr','rb')
140735596974984:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
140735596974984:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:201:
140735596974984:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:351:line 16
Easy-RSA error:
signing failed (openssl output above may have more detail)
from easy-rsa.
Exactly the same thing happened when I ran this on a raspberry pi (Raspbian GNU/Linux 9 (stretch))
root@raspberrypi:/apps/openvpn/easy-rsa/easyrsa3# ./easyrsa sign-req server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /apps/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Can't open /apps/openvpn/easy-rsa/easyrsa3/pki/index.txt.attr for reading, No such file or directory
1996400032:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/apps/openvpn/easy-rsa/easyrsa3/pki/index.txt.attr','r')
1996400032:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
ca: Error on line 16 of config file "/apps/openvpn/easy-rsa/easyrsa3/pki/extensions.temp"
1996400032:error:0E079065:configuration file routines:def_load_bio:missing equal sign:../crypto/conf/conf_def.c:300:line 16
Easy-RSA error:
signing failed (openssl output above may have more detail)
root@raspberrypi:/apps/openvpn/easy-rsa/easyrsa3#
from easy-rsa.
Definitely a bug here - just tried on an O/S (14.04.3 LTS, Trusty Tahr) that I have used EasyRSA on in the past and it fails with the same error.
xxxx@xxxx:~/easy-rsa/easyrsa3$ ./easyrsa build-server-full server nopass
Generating a 2048 bit RSA private key
.............................................................................................................................+++
....................................+++
writing new private key to '/home/xxxx/easy-rsa/easyrsa3/pki/private/server.key.aGeIRduxeo'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /home/xxxx/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/home/xxxx/easy-rsa/easyrsa3/pki/extensions.temp'
3074406076:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/home/xxxx/easy-rsa/easyrsa3/pki/index.txt.attr','rb')
3074406076:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
3074406076:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
3074406076:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:362:line 16
Easy-RSA error:
signing failed (openssl output above may have more detail)
xxxx@xxxx:~/easy-rsa/easyrsa3$ uname -a
Linux xxxx 3.13.0-57-generic #95-Ubuntu SMP Fri Jun 19 09:27:48 UTC 2015 i686 i686 i686 GNU/Linux
xxxx@xxxx:~/easy-rsa/easyrsa3$ cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04.3 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.3 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
from easy-rsa.
Problem is in the pki/extensions.temp file that is written during cert creation:
Line 16 in that file:
default_server_san /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/reqs/server06.req
The error pointed to a missing "=" sign. I tried adding this so it was like the other x509 declarations made in the same file but I got more errors:
$ ./easyrsa build-server-full server11 nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
.....+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server11.key.enzOJXHKD4'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server11'
ERROR: adding extensions in section default
140735596974984:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140735596974984:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=default_server_san, value=/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/reqs/server11.req
Easy-RSA error:
signing failed (openssl output above may have more detail)
I then initiated creating another server cert and before entering the CA signing password I deleted the line altogether in pki/extensions.temp and it issued the cert as expected.
There is something wrong with the x509 default_server_san extension declaration.
You can see also from the easyrsa help text that the string easyrsa is trying to add in the default_server_san field is nothing like what is expected:
$ ./easyrsa help altname
Note: using Easy-RSA configuration from: ./vars
--subject-alt-name=SAN_FORMAT_STRING
This global option adds a subjectAltName to the request or issued
certificate. It MUST be in a valid format accepted by openssl or
req/cert generation will fail. Note that including multiple such names
requires them to be comma-separated; further invocations of this
option will REPLACE the value.
Examples of the SAN_FORMAT_STRING shown below:
DNS:alternate.example.net
DNS:primary.example.net,DNS:alternate.example.net
IP:203.0.113.29
email:[email protected]
from easy-rsa.
If I specify --subject-alt-name during server cert creation the code seems to work (ie. adds the "=") but there is something with the x509 extension that fails:
$ ./easyrsa --subject-alt-name=test12 build-server-full server12 nopass
Note: using Easy-RSA configuration from: ./vars
Error Loading request extension section req_extra
140735596974984:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:541:
140735596974984:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=test12
Easy-RSA error:
Failed to generate request
from easy-rsa.
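The two preceding comments pin down two distinct failures: an extensions file containing a line with no `=` (`default_server_san /path/to/server06.req`), which openssl rejects before it even reaches the unknown-extension error, and a `--subject-alt-name` value with no `TYPE:` prefix (`test12`), which `v2i_GENERAL_NAME_ex` rejects as "missing value". The script below is an added example, not code from the issue or from easy-rsa; it is the pre-flight check a practitioner would run before paying for a failed `sign-req` with a CA passphrase prompt. `ext_file_check` lints a file in the shape of `pki/extensions.temp` for lines that are not blank, comment, `[section]` or `key = value`; `san_check` validates a SAN_FORMAT_STRING against the entry types openssl's x509v3_config(5) accepts, with an IP-literal sanity check. Function names and the sample input at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not easy-rsa code.

# Lint an x509 extensions file (shape of pki/extensions.temp). Prints
# "LINE:text" for every line that is not blank, a comment, a [section]
# header or "key = value"; exit 0 iff nothing was reported.
ext_file_check() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ || /^[ \t]*\[.*\][ \t]*$/ { next }
        !/^[ \t]*[A-Za-z0-9_.]+[ \t]*=/ { bad++; printf "%d:%s\n", NR, $0 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Accept dotted-quad IPv4 (each octet 0-255) or a hex/colon IPv6 literal.
ip_check() {
    case $1 in
        *:*) case $1 in *[!0-9A-Fa-f:.]*) return 1 ;; esac; return 0 ;;
    esac
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Validate a SAN_FORMAT_STRING as `easyrsa help altname` describes it:
# comma-separated TYPE:value entries. Types are those openssl accepts for
# subjectAltName (x509v3_config(5)). One diagnostic per bad entry; exit 0
# iff every entry is well-formed.
san_check() {
    rc=0
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    for entry in "$@"; do
        type=${entry%%:*}
        value=${entry#*:}
        if [ "$type" = "$entry" ] || [ -z "$value" ]; then
            echo "san: '$entry' lacks a TYPE: prefix (e.g. DNS:$entry)"
            rc=1
            continue
        fi
        case $type in
            DNS|email|URI|RID|dirName|otherName) ;;
            IP) ip_check "$value" || { echo "san: '$value' is not an IP literal"; rc=1; } ;;
            *)  echo "san: unknown type '$type' in '$entry'"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed extensions file and the SANs from the thread.
demo_dir=$(mktemp -d)
printf '%s\n' '[ default ]' 'basicConstraints = CA:FALSE' \
    'subjectKeyIdentifier = hash' '# constructed sample' \
    'default_server_san /tmp/pki/reqs/server.req' \
    'keyUsage = digitalSignature,keyEncipherment' > "$demo_dir/extensions.temp"
ext_file_check "$demo_dir/extensions.temp" || echo "extensions.temp would be rejected by openssl"
san_check 'DNS:primary.example.net,DNS:alternate.example.net,IP:203.0.113.29' && echo "SAN ok"
san_check 'test12' || echo "SAN rejected, as in the thread"
```

Run `ext_file_check` on `pki/extensions.temp` and `san_check` on the value you pass to `--subject-alt-name` before the signing step; both exit non-zero with a plain-text reason rather than the `conf_def.c` / `v3_alt.c` error codes shown above.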
So after wasting a whole afternoon on this I found the fix in a fork of this code:
Tested and works.
from easy-rsa.
ericst, now that High Sierra has switched to Libre, and many Linux distros are apparently now doing the same, it has become critical that EasyRSA must have a way to support it.
from easy-rsa.
This should be resolved in 93b0f2e
from easy-rsa.