[Bug]: Error when CA-Root-PW to short #1030
Comments
The version of EasyRSA which @angristan An update is required. |
I installed on a plain system. So openssl was installed by the script, or not? |
Hi @petterpet, I found that the problem was a duplicated "vars" file ("/etc/openvpn/easy-rsa/vars" : old location, "/etc/openvpn/easy-rsa/pki/vars" : new location). So I tweaked the script to store the variables in /tmp and then overwrite the "pki/vars" with it. I do not create a pull request because you may want to make it cleaner or change the arrangement of this section.
I now have my client generated normally, with latest easy rsa and openssl version (tested on ubuntu:20.04) ! |
@Abyss-W4tcher's fix works perfectly for me on Debian bookworm (testing)! Here's the diff from the original, not including a whitespace change, if that's an easier format to review (it was for me):
--- openvpn-install.sh.ref 2022-08-31 15:50:25.983213571 +0000
+++ openvpn-install.sh 2022-08-31 15:51:50.058884463 +0000
@@ -702,7 +702,7 @@
# Install the latest version of easy-rsa from source, if not already installed.
if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
- local version="3.0.7"
+ local version="3.1.0"
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
mkdir -p /etc/openvpn/easy-rsa
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
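Review bot: the wget line downloads EasyRSA-${version}.tgz and the tar line unpacks it straight into /etc/openvpn/easy-rsa, with no integrity check visible in this hunk, so the bump to 3.1.0 trusts whatever the download returns. Consider pinning the expected SHA-256 of the release tarball next to `local version="3.1.0"` and verifying it before `tar xzf`, aborting on mismatch. Note also that the `[[ ! -d /etc/openvpn/easy-rsa/ ]]` guard means a host that already has the directory keeps whatever EasyRSA version is in it.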
@@ -711,11 +711,11 @@
cd /etc/openvpn/easy-rsa/ || return
case $CERT_TYPE in
1)
- echo "set_var EASYRSA_ALGO ec" >vars
- echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars
+ echo "set_var EASYRSA_ALGO ec" >/tmp/vars
+ echo "set_var EASYRSA_CURVE $CERT_CURVE" >>/tmp/vars
;;
2)
- echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars
+ echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >/tmp/vars
;;
esac
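Review bot: both case branches now write to the fixed path /tmp/vars, and /tmp is world-writable, so another local user can pre-create that name or point a symlink at it before `>/tmp/vars` runs and the redirect will follow it. Create the staging file with `mktemp` and reuse that variable in every redirect, or stage it inside the easy-rsa directory the script has already changed into, under a name easyrsa does not read.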
@@ -725,10 +725,11 @@
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_NAME" >SERVER_NAME_GENERATED
- echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
+ echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>/tmp/vars
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
+ mv /tmp/vars pki
./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then |
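Review bot: `mv /tmp/vars pki` names only the directory and runs without checking that `./easyrsa init-pki` succeeded; if pki does not exist at that point, mv creates a regular file called pki instead of pki/vars. Use the explicit destination pki/vars and stop if init-pki or the mv fails, before `./easyrsa --batch build-ca nopass` runs. The line `echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>/tmp/vars` appends, so if neither case branch above truncated the file, leftover content from an earlier run would be carried into the PKI as well.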
Glad it worked ! It was really annoying, as this project was exactly what I was looking for ... Yeah it was not really clean, I should have thought to make a diff x) |
FTR: EasyRSA EasyRSA |
Sorry for the delay, this is fixed in 2f76bb5 |
What is the bug?
While the script is running it creates a root ca using easy-rsa. It asks for a passphrase to encrypt the private key of the ca. If the password is too short or skipped by the user, there will be errors while creating clients.
There should be a hint in the README and in the script.
Relevant log output