That said, I ran into a problem creating a client cert/key pair when explicitly specifying the Start and End dates, that I wanted to make you aware of.
req: Error on line 31 of config file "/root/test/pki/openssl-easyrsa.cnf"
00206137CA240000:error:07000068:configuration file routines:str_copy:variable has no value:/usr/src/crypto/openssl/crypto/conf/conf_def.c:768:line 31
I investigated the error and found that the problem seems to be caused by line 31 of pki/openssl-easyrsa.cnf, and I could get things to work by changing line 31 from:
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
to:
default_days = 1 # how long to certify for
Sample Run
I am including the following sample run to provide context regarding what exactly I did to cause this error (I apologise if this is too long, I'm just trying to be helpful)...
Script started on Fri Apr 5 14:21:40 2024
root@hostname: # which easy-rsa
/usr/local/bin/easy-rsa
root@hostname: # easy-rsa --version
EasyRSA Version Information
Version: 3.1.7
Generated: Fri Oct 13 17:27:51 CDT 2023
SSL Lib: OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Git Commit: 3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
root@hostname: # easy-rsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /root/test/pki
Using Easy-RSA configuration:
* undefined
root@hostname: # easy-rsa make-vars > pki/vars
root@hostname: # easy-rsa --days=365 build-ca
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars
Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Enter New CA Key Passphrase:
Confirm New CA Key Passphrase:
.+....+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..........+.....+......+.+........+......+.......+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+........+.........+......+.........+......+.+...........+......................+..+......+.........+...+.+.....+.......+...+.....+....+............+........+.+..+...+.+...+..+.+..+...+.............+............+.......................+.+......+..+...+....+.........+............+.....+...............+.......+..+......+.........+......+..................+..........+..+...+....+..+.+........+.........+.+..+...+......+...+..........+..+....+............+..+...+....+...+.....+.+..+...+.+.....................+...+.....+.+........+.......+...+.....+...+...+.......+...+.....+....+..+.+.........+...+..+.............+...+...+.....+....+......+.....+......+.+.....+.........+..............................+...+.+..+.......+.....+...+............+.+..+..........+..+.......+.....+.+...+..+...+......+.+..+......+..........+..............+............+......+....+........+............................+........................+......+...............+..+...+.........+..........+...+...+.....+.........+.+...+.....+.+...........+...+.+.....+.............+......+..............+...+....+........+..........+.....+......+.+...+...+..+.+......+......+............+..+.........+.......+.....+.........+...+............+...+...+............+...+....+........+......+..........+.....+.+...+.......................+...+..........+..+.......+......+......+...+...+...+......+....................+.+...+......+..............+.....................+......+....+.....+...+.+.....+....+......+..+....+...+..+..................+.......+...+..+......+....+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:test
Notice
------
CA creation complete. Your new CA certificate is at:
* /root/test/pki/ca.crt
root@hostname: # echo Now attempt to build-client-full with specified start and end dates
Now attempt to build-client-full with specified start and end dates
root@hostname: # easy-rsa --startdate=20240410000000Z --enddate=20240411000000Z build-client-full testcrt nopass
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars
Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
req: Error on line 31 of config file "/root/test/pki/openssl-easyrsa.cnf"
00206137CA240000:error:07000068:configuration file routines:str_copy:variable has no value:/usr/src/crypto/openssl/crypto/conf/conf_def.c:768:line 31
Easy-RSA error:
easyrsa_openssl - Command has failed:
* openssl req -utf8 -new -newkey rsa:2048 -keyout /root/test/pki/6f16c7b1/temp.1.1 -out /root/test/pki/6f16c7b1/temp.2.1 -noenc -batch
EasyRSA Version Information
Version: 3.1.7
Generated: Fri Oct 13 17:27:51 CDT 2023
SSL Lib: OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Git Commit: 3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | nix | FreeBSD | /bin/tcsh
root@hostname: # echo Change line 31 of pki/openssl-easyrsa.cnf
Change line 31 of pki/openssl-easyrsa.cnf
root@hostname: # vi pki/openssl-easyrsa.cnf
~~~ snipped ~~~
Changed line 31 of pki/openssl-easyrsa.cnf...
From:
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
To:
default_days = 1 # how long to certify for
~~~ snipped ~~~
root@hostname: # echo Now Try Again
Now Try Again
root@hostname: # easy-rsa --startdate=20240410000000Z --enddate=20240411000000Z build-client-full testcrt nopass
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars
Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
.......+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+........+......+......+.......+.....+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...........+.......+......+...........+...+.+......+.....+...+.......+.........+..+...+....+......+.................+...+.........+...+..........+...+.....+.+......+...+......+.....+......+.........+.+........+............+.............+......+...+........+............+......+.+.....+.........................+.....+...............+.+...+......+...+.....+.+..+...+.......+...+..............+.+.....+......+......+....+........+...+.......+........+............+...+.......+.....+................+...........+.+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+....+..+...+..........+..+.+...+.....+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+...+......+.....+...+...+.........+.+.....+.......+..+......+....+...+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /root/test/pki/reqs/testcrt.req
* key: /root/test/pki/private/testcrt.key
You are about to sign the following certificate:
Request subject, to be signed as a client certificate
until date '20240411000000Z':
subject=
commonName = testcrt
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /root/test/pki/openssl-easyrsa.cnf
Enter pass phrase for /root/test/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'testcrt'
Certificate is to be certified until Apr 11 00:00:00 2024 GMT (5 days)
Write out database with 1 new entries
Database updated
Notice
------
Certificate created at:
* /root/test/pki/issued/testcrt.crt
Notice
------
Inline file created:
* /root/test/pki/inline/testcrt.inline
root@hostname: # easy-rsa show-cert testcrt
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars
Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Notice
------
Showing 'cert' details for: 'testcrt'
This file is stored at:
* /root/test/pki/issued/testcrt.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:ec:a0:ed:57:03:6c:d2:f9:53:d6:f0:88:f4:5f:93
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = test
Validity
Not Before: Apr 10 00:00:00 2024 GMT
Not After : Apr 11 00:00:00 2024 GMT
Subject:
commonName = testcrt
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
F2:8B:FD:69:23:10:90:08:B4:27:1C:2C:A3:CB:D8:20:B4:65:98:03
X509v3 Authority Key Identifier:
keyid:C1:33:5F:CB:1B:52:48:1B:FC:C9:6F:3E:85:51:A4:F0:A3:5C:D1:4D
DirName:/CN=test
serial:0B:6F:86:CF:64:32:AE:27:B6:71:E8:4C:E9:E0:F8:9F:5A:24:BF:76
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
root@hostname: # exit
exit
Script done on Fri Apr 5 14:26:15 2024
Thank you for Easy-RSA, it's a real time saver!
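A preflight check for the failure reported above, as an added example that is not part of the original issue or of Easy-RSA: it lists every `$ENV::NAME` reference in an OpenSSL config file that has no value in the environment, which is the condition behind "variable has no value". The function names and the sample config are constructed here; comment stripping is simplified and fallback values defined inside the config file are not considered.

```shell
#!/bin/sh
# Added example: report $ENV::NAME / ${ENV::NAME} references in an OpenSSL
# config file whose NAME is not exported in the current environment.

unset_env_refs() {
    _cnf=$1
    # Drop '#' comments (simplified: ignores quoting/escaping), then pull
    # out every ENV::NAME token and check each unique name once.
    sed 's/#.*//' "$_cnf" |
        grep -o 'ENV::[A-Za-z_][A-Za-z0-9_]*' |
        sed 's/^ENV:://' | sort -u |
        while read -r name; do
            # Only exported variables are visible to openssl, so ask env(1)
            # rather than testing a shell variable. Set-but-empty counts as set.
            env | grep -q "^${name}=" || printf '%s\n' "$name"
        done
}

# Constructed sample config: the default_days line is line 31 as quoted in
# the report; the other lines are made up for the demonstration.
sample_cnf() {
    cat <<'EOF'
[ CA_default ]
dir          = $ENV::EASYRSA_PKI          # constructed line
default_days = $ENV::EASYRSA_CERT_EXPIRE  # how long to certify for
# default_md = $ENV::IGNORED_IN_COMMENT
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_cnf > "$tmp"
    (
        export EASYRSA_PKI=/root/test/pki
        unset EASYRSA_CERT_EXPIRE
        echo "EASYRSA_CERT_EXPIRE unset   -> missing: $(unset_env_refs "$tmp")"
        export EASYRSA_CERT_EXPIRE=1
        echo "EASYRSA_CERT_EXPIRE=1 set   -> missing: $(unset_env_refs "$tmp")"
    )
    rm -f "$tmp"
}

demo
```

Running `unset_env_refs pki/openssl-easyrsa.cnf` from the same environment that invokes `openssl` shows which references would abort config parsing before any request is generated.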