Not working on windows

[jrocha]

Just tried to build a fresh CA and creating an certificate an it failed. Works on Cygwin.

Could not figure what is going on but I'm guessing there is an issue around line 385 when running sed to generate $easyrsa_openssl_conf.

Execution output below.

EasyRSA Shell
# ./easyrsa build-server-full test0 nopass

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
path = C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.XXXXXX
lpPathBuffer = C:\Users\jrocha\AppData\Local\Temp\
szTempName = C:\Users\jrocha\AppData\Local\Temp\tmpED65.tmp
path = C:\Users\jrocha\AppData\Local\Temp\tmpED65.tmp
fd = 3
path = C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.XXXXXX
lpPathBuffer = C:\Users\jrocha\AppData\Local\Temp\
szTempName = C:\Users\jrocha\AppData\Local\Temp\tmpEE9D.tmp
path = C:\Users\jrocha\AppData\Local\Temp\tmpEE9D.tmp
fd = 3
path = C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.XXXXXX
lpPathBuffer = C:\Users\jrocha\AppData\Local\Temp\
szTempName = C:\Users\jrocha\AppData\Local\Temp\tmpEFC6.tmp
path = C:\Users\jrocha\AppData\Local\Temp\tmpEFC6.tmp
fd = 3
Generating a RSA private key
.....+++++
..................................+++++
writing new private key to 'C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.a34584'
-----
path = C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.XXXXXX
lpPathBuffer = C:\Users\jrocha\AppData\Local\Temp\
szTempName = C:\Users\jrocha\AppData\Local\Temp\tmp1E39.tmp
path = C:\Users\jrocha\AppData\Local\Temp\tmp1E39.tmp
fd = 3
path = C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.XXXXXX
lpPathBuffer = C:\Users\jrocha\AppData\Local\Temp\
szTempName = C:\Users\jrocha\AppData\Local\Temp\tmp22FB.tmp
path = C:\Users\jrocha\AppData\Local\Temp\tmp22FB.tmp
fd = 3
path = C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.XXXXXX
lpPathBuffer = C:\Users\jrocha\AppData\Local\Temp\
szTempName = C:\Users\jrocha\AppData\Local\Temp\tmp2666.tmp
path = C:\Users\jrocha\AppData\Local\Temp\tmp2666.tmp
fd = 3
path = C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.XXXXXX
lpPathBuffer = C:\Users\jrocha\AppData\Local\Temp\
szTempName = C:\Users\jrocha\AppData\Local\Temp\tmp278F.tmp
path = C:\Users\jrocha\AppData\Local\Temp\tmp278F.tmp
fd = 3
Using configuration from C:/data/testCA/pki/easy-rsa-33528.a39512/tmp.a18584
./easyrsa[2577]: return: -1: unknown option

Easy-RSA error:

signing failed (openssl output above may have more detail)

Easy-RSA error:

Failed to sign 'test0'

[jrocha]

Just tried Easy-RSA 3.0.7 and it works. Probably the issue is related to openssl upgrade on 3.0.8

[ecrist]

Ok. I've re-rolled the v3.0.8 release with a revert of the last commit. v3.0.8 now uses the older 1.1.0j OpenSSL binary and libs. This appears to be working in my testing.

[cron2]

Is root cause diagnostic of the problem going on somewhere? We ("OpenVPN") would like to bundle easy-rsa 3, but we're not thrilled by the idea of bundling a second openssl binary, and doubly-not-thrilled by packing something that is end-of-support already...

[lstipakov]

I tried the command above ./easyrsa build-server-full test0 nopass with openssl (also 1.1.1g) bundled with openvpn installer and it just works. OpenVPN's openssl filesize is 1.3Mb, while easyrsa's one is 700kb. Apparently something got stripped out during build process.

[ecrist]

I've been trying to figure this one out. We have been using a recompiled binary and I wasn't aware it may be the issue.

[lstipakov]

openssl ciphers -v output is identical. Here is version -f output comparison:

c:\Program Files\OpenVPN\bin>openssl version -f
compiler: x86_64-w64-mingw32-gcc -m64 -Wl,--dynamicbase,--nxcompat -static-libgcc -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DUNICODE -D_UNICODE -DWIN32_LEAN_AND_MEAN -D_MT -DNDEBUG

C:\Users\lev\Projects\easy-rsa\dist-staging\win64\EasyRSA-3.0.7\broken_openssl>openssl.exe version -f
compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM

[ecrist]

This appears to be related to the build we are using from overbyte.eu. I've tried another build from bintray.com that appears to work fine. I'll push that version into master and wait to see if there are other bugs.

[nickbeee]

The OpenSSL builds at https://bintray.com/vszakats/generic/openssl are no longer updating and the repo is marked DEPRACATED. This now refers to the curl Windows builds at https://curl.se/windows/ - where OpenSSL 1.1.1h is available.