
Windows server permissions issue. #907

Closed
Nephilimi opened this issue Mar 7, 2023 · 11 comments
Comments

@Nephilimi

I appear to be having file system permissions issues while working with EasyRSA on some windows server edition systems but I'm not quite putting the pieces together. Using the EasyRSA bundled in OpenVPN 2.6.0. I'm an administrator, using administrator cmd prompt, and I'm seeing the file system for EasyRSA folder has full control for administrators. win server 2019 ver 1809

Reference; https://forums.openvpn.net/viewtopic.php?p=110773#p110773

These are the commands I'm trying to run and the locations I'm encountering problems at;

easyrsa init-pki
easyrsa build-ca
SAVE the ca passphrase you make up in LastPass!!
easyrsa build-server-full server nopass #original issue fails here, discussion link above. Could not read CA private key from C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key
easyrsa build-client-full client1 nopass
easyrsa build-client-full client2 nopass
easyrsa build-client-full client3 nopass
easyrsa build-client-full client4 nopass
easyrsa build-client-full client5 nopass
easyrsa build-client-full client6 nopass
easyrsa gen-dh
Should not take that long with a 2048 bit dh
cd pki
openvpn --genkey secret ta.key #if I copy EasyRSA folder to C:\Temp\easy-rsa; everything works fine and I can get through the entire procedure. ALSO if I do all the above on my windows 10 desktop everything works.

@TinCanTech
Collaborator

TinCanTech commented Mar 7, 2023

Reading your forum post as well:

  • The problem with 2.5 is most likely an unquoted space in Program Files.

To work around that, Open an Administrator command prompt and change directory cd to \Progra~1\openvpn\easy-rsa and then open EasyRSA-Start.bat.

I'm not sure about the problem with 2.6, perhaps try the same thing above for that.

@TinCanTech
Collaborator

TinCanTech commented Mar 7, 2023

I notice in your vars file:

# In how many days should the root CA key expire; 20 years
set_var EASYRSA_CA_EXPIRE	7300

Windows date.exe is limited to 2037 cut-off date. So you cannot build your CA for twenty years, using Windows.

Windows date.exe is only used for fixed-date certificates.

I'll have to test this myself.

Tested and working fine for both CA and certificates with end date in 2043.

I don't think you need to bother with busybox but I'll leave the comment here anyway.

Additionally:
I was working on busybox for Windows but that has stalled for the time being.

If you would like to try busybox then a binary is downloadable from: #878

Direct link:
https://github.com/OpenVPN/easy-rsa/blob/80f6f837099414ff618adc21d53d8cf5b2d4d503/distro/dev/busybox-v4.7z

You should be able to unzip busybox.exe to openvpn/easy-rsa.
Then run busybox sh and then use ./easyrsa as normal.

@Nephilimi
Author

I believe you are on the correct track with the unquoted space somewhere. I can move it to C:\Temp and it works. What is confusing to me is the server editions I'm experiencing this on vs the win 10 pro it works fine on. Next opportunity I will try \Progra~1\openvpn\easy-rsa. I haven't nailed down the entire thing consistently yet.

We've been over the date question a couple times in the past, but I'm thinking that would throw very different errors?

@TinCanTech
Collaborator

I updated my comment above; date.exe does not interfere with 20 year certs. Only using fixed-dates uses date.exe.

@TinCanTech
Collaborator

TinCanTech commented Mar 7, 2023

FTR: Because you are using a password for your CA, easyrsa writes the password to a temp-file. It then reads that temp-file to build the CA with the password. If you use easyrsa while in \Program Files, the password file-name will have an unquoted space.

Use a path without any spaces and it should work fine.

I recommend that you use a user account to build your PKI with. Copy EasyRSA from the \Program Files to \Users\$your_user and run it from there.

That way, at least, your CA key is not world readable, it can only be seen by your user or an admin account.

@TinCanTech
Collaborator

@Nephilimi - Closing this as completed.

Please re-open, if necessary.

Thank you for your feedback.

@Nephilimi
Author

OK, doing this again today on another server using OpenVPN-2.6.3-I001-amd64 and I got the same problem in Program Files. I moved it to C:\temp and still got the same problem. Moved it to my desktop in C:\temp and installed above openvpn version on this computer so openssl tools are here and in path and I'm still getting the same problem.

private CA Key details

C:\Temp\easy-rsa>EasyRSA-Start

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

EasyRSA Shell
# easyrsa init-pki

WARNING!!!

You are about to remove the EASYRSA_PKI at:
* C:/Temp/easy-rsa/pki

and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes


* SECOND WARNING!!!

* This will remove everything in your current PKI directory.
  To keep your current settings use 'init-pki soft' instead.
  Using 'init-pki soft' is recommended.

Type the word 'yes' to continue, or any other input to abort.
  Remove current 'vars' file? yes


Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* C:/Temp/easy-rsa/pki

* Using Easy-RSA configuration: C:/Temp/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

* Using x509-types directory: C:/Temp/easy-rsa/x509-types


EasyRSA Shell
# easyrsa build-ca

* Using SSL: openssl OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)

* Using Easy-RSA configuration: C:/Temp/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>


Enter New CA Key Passphrase:

Confirm New CA Key Passphrase:
Using configuration from C:/Temp/easy-rsa/pki/bbd5d3b8/temp.9c73ef2d
..+++++++++++++++++++++++++++++++++++++++*....+..............+...+....+.....+++++++++++++++++++++++++++++++++++++++*.+..........+...+..+.......++++++
....+..+...+..........+...+........+.+.....+..........+....................+.+..+......+.+++++++++++++++++++++++++++++++++++++++*.+++++++++++++++++++++++++++++++++++++++*.+..+.+..+......+....+..+.........+......+......+.......+...........+...............++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:serverCNhere

Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
C:/Temp/easy-rsa/pki/ca.crt


EasyRSA Shell
# easyrsa build-server-full server nopass

* Using SSL: openssl OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)

* Using Easy-RSA configuration: C:/Temp/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
.+......+....+........+..........+...........+++++++++++++++++++++++++++++++++++++++*.....+.........+...+++++++++++++++++++++++++++++++++++++++*...+........+...............+....+...+.....+.+...............+..+...+.+..............+......+.+...+.....+....+.....+......+..........+.........+............+.....+...+......+.......+.....+...+....+..................+.........+........+.......+...+...........+......+.............+......+.....+....+.....+.+..+.........+...+............+......+............+...+.......+..+.+..............+..................+......+....+......+..+...+......+.........+.........+............+...+......+.+.....+.+...+..+...+......+....+..+....+...+..+....+..+....+........+.+......+...+..+...+.....................+....+............+...+........+.......+...+...+......+........+.+..............+......+.+.....+.++++++
......+..+......+.+...+.....+...+....+......+.................+.+......+...+..+......+...+.+...+......+..+...+..........+.....+.+.....+....+.....+......+...+...+....+...+..+....+..+++++++++++++++++++++++++++++++++++++++*..........+....+++++++++++++++++++++++++++++++++++++++*......+...+....+...+...+.........+...+...+...+...........+.+.....+.......+..+....+............+.....+...+..........+............+.................+......+....+..+.........+............+....+.........+............+..+.+..+....+...+......+...........+.+..+.+........................+..++++++
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: C:/Temp/easy-rsa/pki/reqs/server.req
key: C:/Temp/easy-rsa/pki/private/server.key

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 7300 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from C:/Temp/easy-rsa/pki/79467853/temp.bfc2f74a
Enter pass phrase for C:/Temp/easy-rsa/pki/private/ca.key:
Could not read CA private key from C:/Temp/easy-rsa/pki/private/ca.key
10350000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
10350000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers\implementations\ciphers\ciphercommon_block.c:124:
10350000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:crypto\pkcs12\p12_decr.c:86:maybe wrong password

Easy-RSA error:

Signing failed (openssl output above may have more detail)


EasyRSA Version Information
Version:     3.1.2
Generated:   Fri Jan 13 15:49:33 CST 2023
SSL Lib:     OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
Git Commit:  354c20d82bdc5db364e197aa1290e84b46abe487
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.2 | win | @(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $ |

EasyRSA Shell
#

@Nephilimi
Author

Same problem in busybox

screenshot

@Nephilimi
Author

Nephilimi commented Apr 26, 2023

I believe I fixed the problem. For the record what special characters do I need to avoid in the CA passphrase?

I've been using a password generator and it throws that stuff in there and I've been simply copy/pasting from it. On a hunch I stripped out all the specials and left only upper, lower, and numbers and now it is working as expected. It's interesting it will allow creating the CA with this oddball passphrase, but not allow it to sign. The error message thrown is also quite misleading.
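The two failure modes discussed in this thread, the CA passphrase temp-file landing under an unquoted path with a space (TinCanTech's comment above) and a passphrase containing special characters not surviving the hand-off (the comment just above), reproduced in plain POSIX sh. This is an added example, not easy-rsa's own code: the function names, the `temp.pass` file name and the scratch directory layout are assumptions for the demonstration, and the passphrase is a constructed sample.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code: easy-rsa writes the CA passphrase to a
# temp file under the PKI directory and hands that file to openssl. A path with
# an unquoted space ("C:/Program Files/...") or a passphrase with shell-special
# characters can each break that hand-off. write_pass_file / temp.pass are
# assumed names for the demo.

# Hardened writer: the path is quoted, printf '%s' is used instead of echo so
# backslashes, '%', '$', quotes and a leading '-' are written verbatim, and
# umask 077 in a subshell makes the file owner-readable only, the same property
# as keeping the CA key out of a world-readable directory.
write_pass_file() {
    pki_dir=$1
    passphrase=$2
    (
        umask 077
        printf '%s' "$passphrase" > "$pki_dir/temp.pass"
    )
}

# Reads the passphrase back with the path quoted; returns it on stdout.
read_pass_file() {
    cat "$1/temp.pass"
}

# Broken reader, kept only to show the failure mode: with $pki_dir unquoted,
# "Program Files" splits into two arguments and cat opens neither.
broken_read_pass_file() {
    pki_dir=$1
    # shellcheck disable=SC2086
    cat $pki_dir/temp.pass
}

# Permission string of the temp file, e.g. "-rw-------"; the first ten
# characters of ls -ld are the same on GNU and BSD ls.
pass_file_mode() {
    ls -ld "$1/temp.pass" | cut -c1-10
}

# Runs the round trip in a scratch directory whose name contains a space,
# mirroring "C:/Program Files/OpenVPN/easy-rsa/pki". Returns 0 on success.
demo() {
    scratch=$(mktemp -d)
    pki="$scratch/Program Files/easy-rsa/pki"
    mkdir -p "$pki"
    # Constructed passphrase with a space, backslash, '$', '!', '%', '"', '*'.
    pass='p@ss w0rd\n$!%"*'

    write_pass_file "$pki" "$pass"
    got=$(read_pass_file "$pki")
    if [ "$got" != "$pass" ]; then
        echo "round trip corrupted the passphrase" >&2
        rm -rf "$scratch"
        return 1
    fi
    if broken_read_pass_file "$pki" 2>/dev/null; then
        echo "unquoted path unexpectedly worked" >&2
        rm -rf "$scratch"
        return 1
    fi
    echo "passphrase survived; file mode $(pass_file_mode "$pki")"
    rm -rf "$scratch"
    return 0
}

demo
```

The quoted writer keeps every byte of the sample passphrase, including the backslash sequence that `echo` would interpret on some shells, while the unquoted reader fails as soon as the PKI lives under a directory with a space in its name. The `umask 077` subshell is the detail to carry over to a real deployment: a passphrase file, like the CA key itself, should be readable by the user building the PKI and nobody else.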

@TinCanTech
Collaborator

I cannot help with your password generator; however, here is an idea.

Use EasyRSA options --passin and --passout, instead of copy/paste.

E.g.: easyrsa --passin=pass:<CA-PASS> --passout=pass:<CERT-PASS> build-server-full server2

Replace <CA-PASS> with your CA password and <CERT-PASS> with your new certificate password, if required.

@Nephilimi
Author

Another good idea, thank you.
