
The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca' #725

Closed
Nyr opened this issue Oct 13, 2022 · 20 comments

Comments

@Nyr

Nyr commented Oct 13, 2022

Bug in the latest v3.1.1 release:

./easyrsa --batch build-ca

Easy-RSA error:

The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'.
* /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf
Please update openssl-easyrsa.cnf to the latest official release.

EasyRSA Version Information
Version:     3.1.1
Generated:   Thu Oct 13 06:37:48 CDT 2022
SSL Lib:     OpenSSL 1.1.1n  15 Mar 2022
Git Commit:  2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.1 | nix | Linux | /bin/bash | OpenSSL 1.1.1n  15 Mar 2022
@TinCanTech
Collaborator

@Nyr

The problem here is caused by:

easy-rsa/easyrsa3/easyrsa

Lines 1318 to 1324 in 2083fb2

# Check for insert-marker in ssl config file
if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then
die "\
The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'.
* $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release."
fi

You need to update your copy of openssl-easyrsa.cnf.

@Nyr
Author

Nyr commented Oct 13, 2022

I am using the openssl-easyrsa.cnf built with the latest release, something is going on:

root@localhost:~# tar xzf EasyRSA-3.1.1.tgz
root@localhost:~# cd EasyRSA-3.1.1/
root@localhost:~/EasyRSA-3.1.1# ./easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /root/EasyRSA-3.1.1/pki

* Using Easy-RSA configuration:

* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
             Edit this 'vars' file to customise the settings for your PKI.

* Using x509-types directory: /root/EasyRSA-3.1.1/x509-types

root@localhost:~/EasyRSA-3.1.1# ./easyrsa --batch build-ca nopass

Easy-RSA error:

The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'.
* /root/EasyRSA-3.1.1/pki/openssl-easyrsa.cnf
Please update openssl-easyrsa.cnf to the latest official release.

EasyRSA Version Information
Version:     3.1.1
Generated:   Thu Oct 13 06:37:48 CDT 2022
SSL Lib:     OpenSSL 1.1.1n  15 Mar 2022
Git Commit:  2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.1 | nix | Linux | /bin/bash | OpenSSL 1.1.1n  15 Mar 2022

Meanwhile, in a different system, same release, it is fine:

nyr@DESKTOP-3V4BVLV:~$ tar xzf EasyRSA-3.1.1.tgz
nyr@DESKTOP-3V4BVLV:~$ cd EasyRSA-3.1.1
nyr@DESKTOP-3V4BVLV:~/EasyRSA-3.1.1$ ./easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /home/nyr/EasyRSA-3.1.1/pki

* Using Easy-RSA configuration:

* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
             Edit this 'vars' file to customise the settings for your PKI.

* Using x509-types directory: /home/nyr/EasyRSA-3.1.1/x509-types

nyr@DESKTOP-3V4BVLV:~/EasyRSA-3.1.1$ ./easyrsa --batch build-ca nopass
........+++++
..........+++++
nyr@DESKTOP-3V4BVLV:~/EasyRSA-3.1.1$ ./easyrsa --version
EasyRSA Version Information
Version:     3.1.1
Generated:   Thu Oct 13 06:37:48 CDT 2022
SSL Lib:     OpenSSL 1.1.1n  15 Mar 2022
Git Commit:  2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa

I will troubleshoot later as I do not have time right now, but I suspect there is a bug with the latest release. I am definitively not using an old configuration file.

@TinCanTech
Collaborator

Thanks for the extra details, I am testing.

@TinCanTech
Collaborator

TinCanTech commented Oct 13, 2022

Sorry. I cannot replicate the issue here.

@Nyr My first guess would be that you follow development here quite closely and so you have already tested the new data-dir locations, such as /usr/local/share/easy-rsa. If so then perhaps the script picked up an old copy from such a place.

@Nyr
Author

Nyr commented Oct 13, 2022

This issue is happening on a 100% clean system.

To be specific it happens in a clean Debian 11 image at Linode, while it does not happen in my also clean Debian 11 WSL image.

I will take a look later, but this is absolutely on a clean, just installed system.

@TinCanTech
Collaborator

To be specific it happens in a clean Debian 11 image at Linode

Then perhaps Linode have the same issue. They may have an old version of easyrsa installed by default.

@TinCanTech
Collaborator

I could have made the check above only issue a warning but I would prefer to see all old openssl-easyrsa.cnf replaced. Even at this level of inconvenience.

@TinCanTech
Collaborator

This could be related to and even fixed by #723

@TinCanTech
Collaborator

@Nyr Thanks to your feedback, I have just pushed a change to Easy-RSA unit-test which will allow it to be run on the downloaded/extracted release tar-ball.

Download easyrsa-unit-tests.sh to the extracted EasyRSA-xxx directory and run it from there. ./easyrsa-unit-tests.sh -v

@Nyr
Author

Nyr commented Oct 13, 2022

Found the issue, it is not a problem with the latest easy-rsa.

But keep the issue open, I will update soon with further information.

@Nyr
Author

Nyr commented Oct 13, 2022

First of all, sorry for wasting your time on this, I should have troubleshot more before opening an issue.

The problem was occurring for systems which had the easy-rsa package installed. Those systems were clean other than an apt-get install openvpn, but I was unaware that the easy-rsa was still among the "recommends" for the openvpn package. I was under the assumption that this was no longer the case and I did not check, very sorry about that.

So the issue is indeed related to the new data-dir locations. This is not a technical issue but I think it is a UX issue, as people doing an apt-get install openvpn will run into it.

One can of course do --no-install-recommends (as I will), but the average user will run into this.

@Nyr Nyr closed this as completed Oct 13, 2022
@Nyr
Author

Nyr commented Oct 13, 2022

Main thing which contributed to the confusion is that the easy-rsa package is a "recommend" in Debian, but only a "suggest" in Ubuntu.

@TinCanTech
Collaborator

@Nyr Thank you for your help.

This is entirely my fault for over-looking such an obvious use case.

I am re-opening this issue for better visibility.

@TinCanTech TinCanTech reopened this Oct 13, 2022
@TinCanTech
Collaborator

TinCanTech commented Oct 13, 2022

For the record, I am drawing Easy-RSA toward the more Unix style use of separating application from data-in and output files. However, due to Windows support, the old method has to continue to work.

The combination of having the OpenVPN install include EasyRSA, plus data-in files found in the wrong order, plus making the error fatal is just a step too far.

It is unfortunate but I may have shot myself in the foot here.

Workable solutions for v3.1.1 very welcome.
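An added diagnostic, not easy-rsa's own code: it applies the same insert-marker test that build-ca performs to every openssl-easyrsa.cnf found in a list of candidate directories, so a stale copy (such as one shipped by a distro easy-rsa package) can be identified before build-ca aborts. The directory list passed in is an assumption modelled on the locations mentioned in this thread, not easyrsa's real search order, and the sample config files are constructed.

```shell
#!/bin/sh
# Added example, not part of easy-rsa. Reproduces the marker check from
# easyrsa's build-ca and runs it over several candidate config locations.

# Same pattern easyrsa greps for before inserting the 'ca' X509-type extensions.
MARKER='^#%CA_X509_TYPES_EXTRA_EXTS%'

# Return 0 if FILE carries the insert-marker, 1 otherwise (or if unreadable).
has_ca_marker() {
    grep -q "$MARKER" "$1" 2>/dev/null
}

# Print "ok <path>" or "STALE <path>" for every openssl-easyrsa.cnf found
# directly under the given directories; return 1 if any stale copy exists.
# The directories are whatever the caller passes (assumed search locations).
audit_easyrsa_cnf() {
    stale=0
    for dir in "$@"; do
        f="$dir/openssl-easyrsa.cnf"
        [ -f "$f" ] || continue
        if has_ca_marker "$f"; then
            echo "ok    $f"
        else
            echo "STALE $f"
            stale=1
        fi
    done
    return $stale
}

# Constructed sample: a PKI dir holding a current config (marker present)
# beside a share dir holding an old config without the marker. Returns 1,
# because one stale copy is reported.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pki" "$tmp/share"
    printf '[ ca ]\n#%%CA_X509_TYPES_EXTRA_EXTS%%\n' > "$tmp/pki/openssl-easyrsa.cnf"
    printf '[ ca ]\n' > "$tmp/share/openssl-easyrsa.cnf"
    audit_easyrsa_cnf "$tmp/pki" "$tmp/share"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real host you would call audit_easyrsa_cnf with the PKI directory and each data-dir location you suspect, and replace any file reported STALE with the copy from the release tarball.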

@Nyr
Author

Nyr commented Oct 13, 2022

It is not a fast nor guaranteed approach, but if the Debian package is the only one from the main distros recommending easy-rsa (I have not checked thoroughly, but it seems to be) you could potentially talk with the maintainers about a change.

Additional information within the error message could also help, but will probably not be enough for inexperienced users.

Nyr added a commit to Nyr/openvpn-install that referenced this issue Oct 13, 2022
--no-install-recommends is now required for Debian:
OpenVPN/easy-rsa#725
@TinCanTech
Collaborator

I've adjusted the EasyRSA timeline to push an early bug-fix out for this specific issue.

@Nyr Again, thank you for your help. And a timely reminder to test more thoroughly ;-).

Regarding Debian, this feels like my error not theirs.
Regarding the error message and even improving it, I agree that it would not be enough.

My initial approach was a shade too severe, on this occasion.

@TinCanTech
Collaborator

TinCanTech commented Oct 13, 2022

For future reference: This is the cause of the problem:

easy-rsa/easyrsa3/easyrsa

Lines 1318 to 1324 in 2083fb2

# Check for insert-marker in ssl config file
if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then
die "\
The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'.
* $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release."
fi

Temporary work-around: in easyrsa, change line 1320 from die to warn.

git diff:

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 4f76077..f8ad74a 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1317,7 +1317,7 @@ Missing X509-type 'COMMON'"
 
        # Check for insert-marker in ssl config file
        if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then
-               die "\
+               warn "\
 The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'.
 * $EASYRSA_SSL_CONF
 Please update openssl-easyrsa.cnf to the latest official release."
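Review bot: downgrading `die "\` to `warn "\` in this hunk lets build-ca continue with an openssl-easyrsa.cnf that has no `#%CA_X509_TYPES_EXTRA_EXTS%` marker, so whatever the marker exists to insert for X509-type 'ca' is silently skipped while the run appears to succeed; the warning text also still tells the user to "update openssl-easyrsa.cnf" without saying that the copy in use came from a different location than the release they extracted. As a stop-gap it should at least make clear that the resulting CA config is incomplete, and the real fix belongs in the order in which candidate config files are picked up rather than in the severity of this check.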

TinCanTech added a commit to TinCanTech/easy-rsa that referenced this issue Oct 16, 2022
With this change the PKI becomes the 'preferred' location for data-files.

All other supported locations are searched by specific order.

While this new order is the correct 'preferred' order, the associated code
install_data_to_pki() needs to be simplified.

Closes: OpenVPN#725
Closes: OpenVPN#723

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech
Collaborator

The work-around above is not a solution.

The solution is #727

@xinthose

xinthose commented Dec 8, 2022

First of all, sorry for wasting your time on this, I should have troubleshot more before opening an issue.

The problem was occurring for systems which had the easy-rsa package installed. Those systems were clean other than an apt-get install openvpn, but I was unaware that the easy-rsa was still among the "recommends" for the openvpn package. I was under the assumption that this was no longer the case and I did not check, very sorry about that.

So the issue is indeed related to the new data-dir locations. This is not a technical issue but I think it is a UX issue, as people doing an apt-get install openvpn will run into it.

One can of course do --no-install-recommends (as I will), but the average user will run into this.

I did not know this either. I just copy the currently installed easy-rsa to my openvpn directory: https://askubuntu.com/a/780302/296502.

@TinCanTech
Collaborator

@xinthose if you can outline the problem then this issue can be reopened.
