The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca' #725
The problem here is caused by: Lines 1318 to 1324 in 2083fb2
You need to update your copy of
I am using the
Meanwhile, in a different system, same release, it is fine:
I will troubleshoot later as I do not have time right now, but I suspect there is a bug with the latest release. I am definitively not using an old configuration file.
Thanks for the extra details, I am testing.
Sorry. I cannot replicate the issue here. @Nyr My first guess would be that you follow development here quite closely and so you have already tested the new
This issue is happening on a 100% clean system. To be specific it happens in a clean Debian 11 image at Linode, while it does not happen in my also clean Debian 11 WSL image. I will take a look later, but this is absolutely on a clean, just installed system.
Then perhaps Linode have the same issue. They may have an old version of easyrsa installed by default.
I could have made the check above only issue a warning but I would prefer to see all old
This could be related to and even fixed by #723
@Nyr Thanks to your feedback, I have just pushed a change to Easy-RSA unit-test which will allow it to be run on the downloaded/extracted release tar-ball. Download easyrsa-unit-tests.sh to the extracted EasyRSA-xxx directory and run it from there.
Found the issue, it is not a problem with the latest easy-rsa. But keep the issue open, I will update soon with further information.
First of all, sorry for wasting your time on this, I should have troubleshooted more before opening an issue. The problem was occurring for systems which had the So the issue is indeed related to the new One can of course do
Main thing which contributed to the confusion is that the
@Nyr Thank you for your help. This is entirely my fault for over-looking such an obvious use case. I am re-opening this issue for better visibility.
For the record, I am drawing Easy-RSA toward the more Unix style use of separating application from data-in and output files. However, due to Windows support, the old method has to continue to work. The combination of having the OpenVPN install include EasyRSA, plus data-in files found in the wrong order, plus making the error fatal is just a step too far. It is unfortunate but I may have shot myself in the foot here.. Workable solutions for
It is not a fast nor guaranteed approach, but if the Debian package is the only one from the main distros recommending Additional information within the error message could also help, but will probably not be enough for inexperienced users.
--no-install-recommends is now required for Debian: OpenVPN/easy-rsa#725
I've adjusted the EasyRSA timeline to push an early bug-fix out for this specific issue. @Nyr Again, thank you for your help. And timely reminder to test more thoroughly. Regarding Debian, this feels like my error not theirs. My initial approach was a shade too severe, on this occasion.
For future reference: This is the cause of the problem: Lines 1318 to 1324 in 2083fb2
Temporary work-around: In
With this change the PKI becomes the 'preferred' location for data-files. All other supported locations are searched by specific order. While this new order is the correct 'preferred' order, the associated code install_data_to_pki() needs to be simplified. Closes: OpenVPN#725 Closes: OpenVPN#723 Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The work-around above is not a solution. The solution is #727
I did not know this either. I just copy the currently installed
@xinthose if you can outline the problem then this issue can be reopened.
Bug in the latest v3.1.1 release: