Comments (28)

noizo avatar noizo commented on July 30, 2024 28

As a workaround for MacOS Sierra/High Sierra add to your ENV this:

export EASYRSA_OPENSSL="/usr/local/Cellar/openssl/1.0.2l/bin/openssl"

from easy-rsa.

neuhalje avatar neuhalje commented on July 30, 2024 4

To make the fix of @noizo "permanent", create or edit the vars file and add set_var EASYRSA_OPENSSL "/usr/local/Cellar/openssl/1.0.2l/bin/openssl" (reference: vars.example).

hiroyuki-sato avatar hiroyuki-sato commented on July 30, 2024 2

+1 macOS High Sierra (10.13) #155

nikordaris avatar nikordaris commented on July 30, 2024 1

So none of the above worked for me. I had to modify vars and replace:

 export OPENSSL="openssl"

with

export OPENSSL="/usr/local/Cellar/openssl/1.0.2o_1/bin/openssl"

bhall7 avatar bhall7 commented on July 30, 2024 1

I'm also struggling to get easy-rsa to work on macOS 10.13.4 which is bundled with LibreSSL. The only problem is that /usr/local/Cellar/openssl/1.0.2l/bin/openssl doesn't seem to exist (nor does the folder /usr/local/Cellar on my machine, for that matter, running macOS 10.13.4). I even tried installing the latest version of OpenSSL, but that failed also. There's got to be a better, easier way to generate OpenVPN certs and keys.

sseekamp avatar sseekamp commented on July 30, 2024

I'm having the same issue with OpenBSD 5.8 and Libre 2.2.2

ecrist avatar ecrist commented on July 30, 2024

There has been no testing with LibreSSL at this time. I'm certainly open to feedback and bug testing, however.

ppunosevac avatar ppunosevac commented on July 30, 2024

Easy-rsa works with LibreSSL for me on OpenBSD 5.8. However, one has to hard-code info into openssl.cnf as $ENV is not allowed to be passed to libressl. I just opened another issue with that.

ecrist avatar ecrist commented on July 30, 2024

EasyRSA has only been written to support OpenSSL at this point. Inclusion of another SSL library and set of utilities will be complicated and regression testing will be tough. Moving this to 4.x. Honestly, I don't see it happening unless someone else steps in.

comio avatar comio commented on July 30, 2024

4.x? LibreSSL is going to be the default for a lot of distros.
I hope to see the support before the 4.x.

ecrist avatar ecrist commented on July 30, 2024

Can you cite sources?

Eric

On Sep 1, 2016, at 2:32 AM, comio [email protected] wrote:

4.x? LibreSSL is going to be the default for a lot of distros.
I hope to see the support before the 4.x.


gtozzi avatar gtozzi commented on July 30, 2024

Same issue here on OpenBSD 6.0

rebbdohr avatar rebbdohr commented on July 30, 2024

Any updates on this thread? I'm using OpenBSD 6.0 and the newest easy-rsa version from GitHub. In the easy-rsa script I recognize that LibreSSL is mentioned, but it still doesn't work. In other OpenBSD-related threads they say it's because the use of the $ENV variable is deprecated and should not be used...

# Verify EASYRSA_OPENSSL command gives expected output
if [ -z "$EASYRSA_SSL_OK" ]; then
    local val="$("$EASYRSA_OPENSSL" version)"
    case "${val%% *}" in
        OpenSSL|LibreSSL) ;;
        *) die "\
Missing or invalid OpenSSL
Expected to find openssl command at: $EASYRSA_OPENSSL"
    esac
fi

For all interested in this topic: the pkg version of easy-rsa on OpenBSD 6.0 is working properly!

rebbdohr avatar rebbdohr commented on July 30, 2024

See also #76

ecrist avatar ecrist commented on July 30, 2024

neilabdev avatar neilabdev commented on July 30, 2024

+1 FreeBSD 11.1 :)

hiroyuki-sato avatar hiroyuki-sato commented on July 30, 2024

@noizo Thank you for your reply.

dwt avatar dwt commented on July 30, 2024

Same problem on OS X - I worked around it by adding this to my vars file:

# workaround for https://github.com/OpenVPN/easy-rsa/issues/74 libressl doesn't support passing in values via ENV
if [ -n "$(brew --prefix 2>/dev/null)" ]; then
    export EASYRSA_OPENSSL="$(brew list openssl|grep 'openssl$')"
fi

To retain usability on multiple machines / platforms (not great, but at least it doesn't break immediately).

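The workarounds above hard-code a versioned Cellar path or depend on Homebrew being present. The sketch below is an added example, not code from the thread or from easy-rsa: it applies the same `version` check quoted from the easyrsa script to a list of candidate binaries and keeps the first one that reports OpenSSL. The function names, the stand-in binaries and the candidate paths in the final comment are assumptions.

```shell
#!/bin/sh
# Added example: choose an openssl binary by what it reports, not by a
# version-specific path. All candidate paths below are assumptions.

# Print OpenSSL, LibreSSL or unknown for the binary given as $1.
ssl_flavor() {
    val=$("$1" version 2>/dev/null) || { echo unknown; return 0; }
    case "${val%% *}" in
        OpenSSL|LibreSSL) echo "${val%% *}" ;;
        *) echo unknown ;;
    esac
}

# Print the first executable candidate that identifies itself as OpenSSL.
pick_openssl() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        if [ "$(ssl_flavor "$bin")" = OpenSSL ]; then
            echo "$bin"
            return 0
        fi
    done
    return 1
}

# Constructed stand-ins for a LibreSSL system binary and a packaged OpenSSL.
make_fake() {
    printf '#!/bin/sh\necho "%s"\n' "$2" > "$1"
    chmod +x "$1"
}

demo=$(mktemp -d)
make_fake "$demo/system-openssl" "LibreSSL 2.2.7"
make_fake "$demo/pkg-openssl" "OpenSSL 1.0.2o  27 Mar 2018"
echo "selected: $(pick_openssl "$demo/system-openssl" "$demo/pkg-openssl")"
rm -rf "$demo"

# In a vars file the same call could feed set_var, for example:
#   set_var EASYRSA_OPENSSL "$(pick_openssl /usr/local/opt/openssl/bin/openssl /usr/local/bin/openssl)"
```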

ilium007 avatar ilium007 commented on July 30, 2024

Still getting errors on OSX High Sierra even with the EASYRSA_OPENSSL env var declared. The pki/extensions.temp file referred to in the error doesn't even exist.

04:25 pm xxxx@MBA72986 ~/support/tmp/easy-rsa/easyrsa3
$ ./easyrsa build-server-full server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..........+++
..........................+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server.key.IhiGDNWXaT'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/extensions.temp'
140735596974984:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:351:line 16

Easy-RSA error:

signing failed (openssl output above may have more detail)
04:25 pm xxxx@MBA72986

Using easyrsa v3.0.4:

$ git status
On branch v3.0.4
Your branch is up-to-date with 'origin/v3.0.4'.

ilium007 avatar ilium007 commented on July 30, 2024

I removed the pki directory and ran it all again and got a different error:

$ ./easyrsa build-server-full server1 nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......+++
.............................................................+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server1.key.bdtZ2XZ2ok'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/extensions.temp'
140735596974984:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/index.txt.attr','rb')
140735596974984:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
140735596974984:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:201:
140735596974984:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:351:line 16

Easy-RSA error:

signing failed (openssl output above may have more detail)

ilium007 avatar ilium007 commented on July 30, 2024

Exactly the same thing happened when I ran this on a Raspberry Pi (Raspbian GNU/Linux 9 (stretch))

root@raspberrypi:/apps/openvpn/easy-rsa/easyrsa3# ./easyrsa sign-req server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /apps/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Can't open /apps/openvpn/easy-rsa/easyrsa3/pki/index.txt.attr for reading, No such file or directory
1996400032:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/apps/openvpn/easy-rsa/easyrsa3/pki/index.txt.attr','r')
1996400032:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
ca: Error on line 16 of config file "/apps/openvpn/easy-rsa/easyrsa3/pki/extensions.temp"
1996400032:error:0E079065:configuration file routines:def_load_bio:missing equal sign:../crypto/conf/conf_def.c:300:line 16

Easy-RSA error:

signing failed (openssl output above may have more detail)
root@raspberrypi:/apps/openvpn/easy-rsa/easyrsa3#

ilium007 avatar ilium007 commented on July 30, 2024

Definitely a bug here - just tried on an O/S (14.04.3 LTS, Trusty Tahr) that I have used EasyRSA on in the past and it fails with the same error.

xxxx@xxxx:~/easy-rsa/easyrsa3$ ./easyrsa build-server-full server nopass
Generating a 2048 bit RSA private key
.............................................................................................................................+++
....................................+++
writing new private key to '/home/xxxx/easy-rsa/easyrsa3/pki/private/server.key.aGeIRduxeo'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /home/xxxx/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/home/xxxx/easy-rsa/easyrsa3/pki/extensions.temp'
3074406076:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/home/xxxx/easy-rsa/easyrsa3/pki/index.txt.attr','rb')
3074406076:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
3074406076:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
3074406076:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:362:line 16

Easy-RSA error:

signing failed (openssl output above may have more detail)
xxxx@xxxx:~/easy-rsa/easyrsa3$ uname -a
Linux xxxx 3.13.0-57-generic #95-Ubuntu SMP Fri Jun 19 09:27:48 UTC 2015 i686 i686 i686 GNU/Linux
xxxx@xxxx:~/easy-rsa/easyrsa3$ cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04.3 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.3 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

ilium007 avatar ilium007 commented on July 30, 2024

Problem is in the pki/extensions.temp file that is written during cert creation:

Line 16 in that file:

default_server_san /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/reqs/server06.req

The error pointed to a missing "=" sign. I tried adding this so it was like the other x509 declarations made in the same file but I got more errors:

$ ./easyrsa build-server-full server11 nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
.....+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server11.key.enzOJXHKD4'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server11'
ERROR: adding extensions in section default
140735596974984:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140735596974984:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=default_server_san, value=/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/reqs/server11.req

Easy-RSA error:

signing failed (openssl output above may have more detail)

I then initiated creating another server cert and before entering the CA signing password I deleted the line altogether in pki/extensions.temp and it issued the cert as expected.

There is something wrong with the x509 default_server_san extension declaration.

You can see also from the easyrsa help text that the string easyrsa is trying to add in the default_server_san field is nothing like what is expected:

$ ./easyrsa help altname

Note: using Easy-RSA configuration from: ./vars

  --subject-alt-name=SAN_FORMAT_STRING
      This global option adds a subjectAltName to the request or issued
      certificate. It MUST be in a valid format accepted by openssl or
      req/cert generation will fail. Note that including multiple such names
      requires them to be comma-separated; further invocations of this
      option will REPLACE the value.

      Examples of the SAN_FORMAT_STRING shown below:
        DNS:alternate.example.net
        DNS:primary.example.net,DNS:alternate.example.net
        IP:203.0.113.29
        email:[email protected]

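The "missing equal sign" failure diagnosed above can be checked for without starting a signing run. The following is an added example, not part of the original comment or of easy-rsa: it scans an OpenSSL-style config file for lines that are not assignments. The sample file is constructed, with only its last line taken from the thread, and `lint_openssl_conf` and `write_sample` are hypothetical names.

```shell
#!/bin/sh
# Added example: flag lines in an OpenSSL-style config that are not blank, a
# comment, a [section] header, an .include directive or a "name = value"
# assignment. A simplified model of the syntax; it checks form only, so an
# unknown extension name with an "=" still passes here.

lint_openssl_conf() {
    awk '
        cont       { cont = ($0 ~ /\\$/); next }   # continuation of a value
        /^[ \t]*$/ { next }                        # blank line
        /^[ \t]*#/ { next }                        # comment
        /^[ \t]*\[.*\][ \t]*$/ { next }            # [ section ]
        /^[ \t]*\.include[ \t=]/ { next }          # include directive
        /=/        { cont = ($0 ~ /\\$/); next }   # name = value
        { printf "line %d: missing equal sign: %s\n", NR, $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample modelled on the failing pki/extensions.temp; only the
# last line is taken from the thread.
write_sample() {
    cat > "$1" <<'EOF'
# X509 extensions for a server (constructed sample)
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
default_server_san /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/reqs/server06.req
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
lint_openssl_conf "$tmp" || echo "extensions file would be rejected by openssl ca"
rm -f "$tmp"
```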

ilium007 avatar ilium007 commented on July 30, 2024

If I specify --subject-alt-name during server cert creation the code seems to work (ie. adds the "=") but there is something with the x509 extension that fails:

$ ./easyrsa --subject-alt-name=test12 build-server-full server12 nopass

Note: using Easy-RSA configuration from: ./vars
Error Loading request extension section req_extra
140735596974984:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:541:
140735596974984:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=test12

Easy-RSA error:

Failed to generate request

ilium007 avatar ilium007 commented on July 30, 2024

So after wasting a whole afternoon on this I found the fix in a fork of this code:

TinCanTech@6914461

Tested and works.

ecrist avatar ecrist commented on July 30, 2024

SundialServices avatar SundialServices commented on July 30, 2024

ericst, now that High Sierra has switched to Libre, and many Linux distros are apparently now doing the same, it has become critical that EasyRSA must have a way to support it.

ecrist avatar ecrist commented on July 30, 2024

This should be resolved in 93b0f2e
