New branch win-write-access: Initial commit #1076

Closed
wants to merge 2 commits into from


TinCanTech
Collaborator

Use 'set -x'

Expect 'mkdir' to fail for commands 'init-pki' and 'build-ca'

@TinCanTech TinCanTech changed the title Initial commit New branch win-write-access: Initial commit Feb 7, 2024
@TinCanTech TinCanTech self-assigned this Feb 7, 2024
@TinCanTech TinCanTech added windows development Possible changes labels Feb 7, 2024
@TinCanTech
Collaborator Author

TinCanTech commented Feb 7, 2024

For the record:
Using a fully authenticated Windows command prompt, easyrsa works almost perfectly.

Here, testing is aimed at starting Windows menu item Start EasyRSA Shell (Non-admin) as an Admin user and not being faced with a complete failure.

Currently, init-pki fails to complete for an Admin user in Non-admin mode.

Windows UAC is the culprit.
We do not want to force UAC activation for Non-admin mode but, instead, we switch to the User's home directory.

That is my understanding of the problem.

Fixing the admin user should also fix the standard user case.
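
The approach described in the comment above (detect that the install directory refuses writes, then move to the user's home directory instead of forcing elevation), as an added example that is not EasyRSA or EasyRSA-Start.bat code. The function names `can_write_dir` and `select_workdir` and the probe directory name are hypothetical.

```shell
#!/bin/sh
# Added example, not part of easyrsa. All names here are hypothetical.

# can_write_dir DIR: succeed only if a private subdirectory can really be
# created and removed inside DIR. The probe performs the operation that
# init-pki needs (mkdir) rather than trusting a permission flag.
can_write_dir() {
	_dir=$1
	[ -d "$_dir" ] || return 1
	_probe="$_dir/.write-probe.$$"
	# umask 077 mirrors the mode shown in the easyrsa trace
	( umask 077; mkdir "$_probe" ) 2>/dev/null || return 1
	rmdir "$_probe" 2>/dev/null || return 1
	return 0
}

# select_workdir INSTALL_DIR HOME_DIR: print the directory to work in.
# Prefers INSTALL_DIR and falls back to HOME_DIR/easy-rsa when the install
# directory refuses writes. Returns 1 with a message when neither is usable,
# so the caller stops with an error instead of continuing half-initialised.
select_workdir() {
	_install=$1
	_fallback=$2/easy-rsa
	if can_write_dir "$_install"; then
		printf '%s\n' "$_install"
		return 0
	fi
	mkdir -p "$_fallback" 2>/dev/null || :
	if can_write_dir "$_fallback"; then
		printf '%s\n' "$_fallback"
		return 0
	fi
	printf 'no writable working directory: %s, %s\n' \
		"$_install" "$_fallback" >&2
	return 1
}
```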

Use 'set -x'

Expect 'mkdir' to fail for commands 'init-pki' and 'build-ca'

Add temporary DEBUG label.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech linked an issue Feb 7, 2024 that may be closed by this pull request
@lstipakov
Member

Here you go:

Using no-admin mode

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke 'easyrsa' to call the program. Without commands, help is displayed.

Using directory: C:/Users/lev/easy-rsa


EasyRSA Shell
# easyrsa
+ EASYRSA_version=~VER~
+ NL=

+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [  ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=
+ val=
+ [  =  ]
+ is_empty=1
+ [  ]
+ is_empty=1
+ break
+ cmd=
+ [  ]
+ unset -v require_pki require_ca quiet_vars
+ quiet_vars=1
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [  ]
+ verify_working_env
+ cmd_help

Easy-RSA 3 usage and overview

Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]

To get detailed usage and help for a command, use:
  ./easyrsa help COMMAND

For a list of global-options, use:
  ./easyrsa help options

For a list of utility commands, use:
  ./easyrsa help util

A list of commands is shown below:
  init-pki [ cmd-opts ]
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <file_name_base> [ cmd-opts ]
  sign-req <type> <file_name_base> [ cmd-opts ]
  build-client-full <file_name_base> [ cmd-opts ]
  build-server-full <file_name_base> [ cmd-opts ]
  build-serverClient-full <file_name_base> [ cmd-opts ]
  inline <file_name_base>
  revoke <file_name_base> [ cmd-opts ]
  renew <file_name_base>
  revoke-renewed <file_name_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <file_name_base> [ cmd-opts ]
  show-cert <file_name_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  show-crl
  show-expire <file_name_base> (Optional)
  show-revoke <file_name_base> (Optional)
  show-renew <file_name_base> (Optional)
  verify-cert <file_name_base>
  import-req <request_file_path> <short_name_base>
  export-p1 <file_name_base> [ cmd-opts ]
  export-p7 <file_name_base> [ cmd-opts ]
  export-p8 <file_name_base> [ cmd-opts ]
  export-p12 <file_name_base> [ cmd-opts ]
  set-pass <file_name_base> [ cmd-opts ]
  write <type> [ cmd-opts ]

DIRECTORY STATUS (commands would take effect on these locations)
     EASYRSA: C:/Users/lev/easy-rsa
         PKI: C:/Users/lev/easy-rsa/pki
   vars-file: Missing or undefined
  x509-types: C:/Program Files/OpenVPN/easy-rsa/x509-types
   CA status: CA has not been built


EasyRSA Shell
# easyrsa init-pki


Still hangs.

@TinCanTech
Collaborator Author

Can you please open a full administrator command prompt and then start with EasyRSA-Start.bat (Not no-admin mode) and test again.

@lstipakov
Member

> Can you please open a full administrator command prompt and then start with EasyRSA-Start.bat (Not no-admin mode) and test again.

Yes, in Admin prompt it works:

c:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke 'easyrsa' to call the program. Without commands, help is displayed.

Using directory: c:/Program Files/OpenVPN/easy-rsa


EasyRSA Shell
# easyrsa
+ EASYRSA_version=~VER~
+ NL=

+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [  ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=
+ val=
+ [  =  ]
+ is_empty=1
+ [  ]
+ is_empty=1
+ break
+ cmd=
+ [  ]
+ unset -v require_pki require_ca quiet_vars
+ quiet_vars=1
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [  ]
+ verify_working_env
+ cmd_help

Easy-RSA 3 usage and overview

Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]

To get detailed usage and help for a command, use:
  ./easyrsa help COMMAND

For a list of global-options, use:
  ./easyrsa help options

For a list of utility commands, use:
  ./easyrsa help util

A list of commands is shown below:
  init-pki [ cmd-opts ]
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <file_name_base> [ cmd-opts ]
  sign-req <type> <file_name_base> [ cmd-opts ]
  build-client-full <file_name_base> [ cmd-opts ]
  build-server-full <file_name_base> [ cmd-opts ]
  build-serverClient-full <file_name_base> [ cmd-opts ]
  inline <file_name_base>
  revoke <file_name_base> [ cmd-opts ]
  renew <file_name_base>
  revoke-renewed <file_name_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <file_name_base> [ cmd-opts ]
  show-cert <file_name_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  show-crl
  show-expire <file_name_base> (Optional)
  show-revoke <file_name_base> (Optional)
  show-renew <file_name_base> (Optional)
  verify-cert <file_name_base>
  import-req <request_file_path> <short_name_base>
  export-p1 <file_name_base> [ cmd-opts ]
  export-p7 <file_name_base> [ cmd-opts ]
  export-p8 <file_name_base> [ cmd-opts ]
  export-p12 <file_name_base> [ cmd-opts ]
  set-pass <file_name_base> [ cmd-opts ]
  write <type> [ cmd-opts ]

DIRECTORY STATUS (commands would take effect on these locations)
     EASYRSA: c:/Program Files/OpenVPN/easy-rsa
         PKI: c:/Program Files/OpenVPN/easy-rsa/pki
   vars-file: Missing or undefined
  x509-types: c:/Program Files/OpenVPN/easy-rsa/x509-types
   CA status: OK
  CA subject:
    commonName                = Easy-RSA CA


EasyRSA Shell
# easyrsa init-pki
+ EASYRSA_version=~VER~
+ NL=

+ print DEBUG: EasyRSA: Windows protected write access
DEBUG: EasyRSA: Windows protected write access
+ [  ]
+ umask 077
+ trap cleanup $? EXIT
+ trap exit 1 1
+ trap exit 2 2
+ trap exit 3 3
+ trap exit 6 6
+ trap exit 15 15
+ detect_host
+ unset -v verify_ssl_lib_ok secured_session working_safe_ssl_conf working_safe_org_conf makesafeconf alias_days prohibit_no_pass invalid_vars do_build_full error_build_full_cleanup internal_batch mv_temp_error easyrsa_exit_with_error error_info legacy_file_over_write
+ prompt_restore=0
+ :
+ unset -v opt val is_empty empty_ok number_only zero_allowed
+ opt=init-pki
+ val=init-pki
+ [ init-pki = init-pki ]
+ is_empty=1
+ [ init-pki ]
+ break
+ cmd=init-pki
+ [ init-pki ]
+ shift
+ unset -v require_pki require_ca quiet_vars
+ :
+ select_vars
+ verbose No Easy-RSA 'vars' configuration file exists!
+ default_vars
+ validate_default_vars
+ mutual_exclusions
+ locate_support_files
+ verify_ssl_lib
+ [  ]
+ verify_working_env
+ init_pki

WARNING!!!

You are about to remove the EASYRSA_PKI at:
* c:/Program Files/OpenVPN/easy-rsa/pki

and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes


Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* c:/Program Files/OpenVPN/easy-rsa/pki


Using Easy-RSA configuration:
* undefined
+ [ 0 = 0 ]
+ cleanup ok

EasyRSA Shell
#

@TinCanTech
Collaborator Author

TinCanTech commented Feb 7, 2024

And finally, please, can you copy the \easy-rsa folder to C:/Users/lev/easy-rsa and test again, without enabling non-admin mode. Just to be sure that still works.

@lstipakov
Member

Copied the content of easy-rsa folder from OpenVPN installation directory to c:\Users\lev\easy-rsa and ran under Admin command prompt. Got a hang:

C:\Users\lev\easy-rsa>dir
 Volume in drive C is Windows
 Volume Serial Number is 3CEF-379D

 Directory of C:\Users\lev\easy-rsa

07.02.2024  22.08    <DIR>          .
07.02.2024  17.04    <DIR>          ..
07.02.2024  22.08    <DIR>          bin
14.10.2023  00.27            11 430 ChangeLog
14.10.2023  00.27             1 256 COPYING.html
14.10.2023  00.27             1 305 COPYING.md
07.02.2024  22.08    <DIR>          doc
07.02.2024  10.13           173 404 easyrsa
02.02.2024  09.34               210 EasyRSA-Start.bat
07.02.2024  22.08    <DIR>          Licensing
14.10.2023  00.27             5 145 openssl-easyrsa.cnf
07.02.2024  22.08    <DIR>          pki
14.10.2023  00.27             4 256 README-Windows.txt
14.10.2023  00.27             2 464 README.html
14.10.2023  00.27             3 477 README.quickstart.html
14.10.2023  00.27             9 085 vars.example
07.02.2024  22.08    <DIR>          x509-types
              10 File(s)        212 032 bytes
               7 Dir(s)  213 506 449 408 bytes free

C:\Users\lev\easy-rsa>EasyRSA-Start.bat

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke 'easyrsa' to call the program. Without commands, help is displayed.

Using directory: C:/Users/lev/easy-rsa


EasyRSA Shell
# easyrsa init-pki




@TinCanTech
Collaborator Author

Thanks for testing.

Looks like it will have to be Admin-Only for Windows..

@TinCanTech
Collaborator Author

TinCanTech commented Feb 8, 2024

> 07.02.2024 10.13 173 404 easyrsa

This appears to be the wrong file.

The byte count for the file I want to be checked is 166,709. It should have the set -x in the file.

https://github.com/TinCanTech/easy-rsa/blob/win-write-access/easyrsa3/easyrsa

Please test command easyrsa and easyrsa init-pki; in a non-elevated window; in the copy of easy-rsa that you have made in your user directory.

@lstipakov
Member

I fetched the PR. The size difference is due to line endings (0D 0A vs 0A).
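
A way to confirm that two copies of a script differ only by line endings, as in the comment above, written as an added example that is not part of easyrsa. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of easyrsa. All function names are hypothetical.

# Hex SHA-256 of stdin, using whichever tool is installed.
sha256_stdin() {
	if command -v sha256sum >/dev/null 2>&1; then sha256sum
	else shasum -a 256
	fi | cut -d' ' -f1
}

# eol_report FILE: print "<bytes> <CR bytes> <bytes with CR removed>".
# A text file with CRLF endings carries one CR per line, which accounts for
# the size gap between a CRLF (0D 0A) copy and an LF (0A) copy.
eol_report() {
	_raw=$(wc -c < "$1" | tr -d ' ')
	_lf=$(tr -d '\r' < "$1" | wc -c | tr -d ' ')
	printf '%s %s %s\n' "$_raw" "$((_raw - _lf))" "$_lf"
}

# classify_copies A B: print identical | eol-only | different.
# "eol-only" means the text matches but the bytes do not, so a raw digest of
# one copy still will not match a checksum published for the other.
classify_copies() {
	if [ "$(sha256_stdin < "$1")" = "$(sha256_stdin < "$2")" ]; then
		echo identical
	elif [ "$(tr -d '\r' < "$1" | sha256_stdin)" = \
	       "$(tr -d '\r' < "$2" | sha256_stdin)" ]; then
		echo eol-only
	else
		echo different
	fi
}
```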

@lstipakov
Member

Does it work for you? Are you able to reproduce the problem?

@TinCanTech
Collaborator Author

I only have Win10 for testing.

  • Full admin command prompt, everything works.
  • I can reproduce the problem with mkdir -p, for non-admin. (Fixed)
  • I cannot reproduce init-pki hang, for non-admin.

The strange thing about Win11 NOT hanging for easyrsa but then hanging for easyrsa init-pki is that, for the latter, the set -x does not even fire. There is no output from the script whatsoever.

I cannot explain or reproduce this.

@TinCanTech
Collaborator Author

TinCanTech commented Feb 8, 2024

There is one tiny clue of possibility.

@lstipakov In this comment you explain that you run only easyrsa, which completes. However, while it starts with set -x enabled, it does not complete the same way. Somehow, set -x has been disabled.

There is no set +x within easyrsa ..

This is then followed by you calling easyrsa init-pki and that does not enable set -x, even though it should do.

You also run easyrsa init-pki first and it still hangs.

Probably a dead end..

@TinCanTech
Collaborator Author

Something else you could try is:

Line:6479

# Hand off to the function responsible
# ONLY verify_working_env() for valid commands
case "$cmd" in
	init-pki|clean-all)
		#verify_working_env
		init_pki "$@"
		;;

Comment out verify_working_env for init-pki, clutching at straws now ..

@TinCanTech
Collaborator Author

If this is some limitation on the size of the script being loaded then I can make a PR to remove the here-doc expansion for the support files. This would be about 330 lines.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech
Collaborator Author

TinCanTech commented Feb 9, 2024

aa22695 deliberately fails UT - So should manual testing of easyrsa init-pki, instead of hanging. Please test with non-admin prompt.

@TinCanTech
Collaborator Author

According to @lstipakov , this still hangs for Easy-RSA no-admin mode at init-pki.

@TinCanTech
Collaborator Author

TinCanTech commented Feb 12, 2024

@lstipakov according to this discussion so far, the underlying problem seems to be related to sh:read, which W11 does not seem to respond to in non-admin mode.

Can you please try once more but delete any existing pki folder prior to testing init-pki.

Update: Deleting a pre-existing PKI manually has no effect on W11 behavior, according to @lstipakov

@TinCanTech
Collaborator Author

TinCanTech commented Feb 12, 2024

Windows 11 behavior with MKSH:sh.exe remains, stubbornly, unchanged.
For that reason, I am going to pursue the busybox.exe solution.

A new PR will follow. #1077 #1078

Labels
development Possible changes windows
Development

Successfully merging this pull request may close these issues.

EasyRSA on Windows 11 with mksh hangs
2 participants