Error using --startdate/--enddate #1110

Closed
nobody-important-23 opened this issue Apr 6, 2024 · 2 comments
@nobody-important-23

Thank you for Easy-RSA, it's a real time saver!

That said, I ran into a problem creating a client cert/key pair when explicitly specifying the Start and End dates, that I wanted to make you aware of.

When I entered:

easy-rsa --startdate=20240410000000Z --enddate=20240411000000Z build-client-full testcrt nopass

I received this error:

req: Error on line 31 of config file "/root/test/pki/openssl-easyrsa.cnf"
00206137CA240000:error:07000068:configuration file routines:str_copy:variable has no value:/usr/src/crypto/openssl/crypto/conf/conf_def.c:768:line 31

Easy-RSA error:

easyrsa_openssl - Command has failed:

  • openssl req -utf8 -new -newkey rsa:2048 -keyout /root/test/pki/6f16c7b1/temp.1.1 -out /root/test/pki/6f16c7b1/temp.2.1 -noenc -batch

Work Around

I investigated the error and found that the problem seems to be caused by line 31 of pki/openssl-easyrsa.cnf, and I could get things to work by changing line 31 from:

default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for

to:

default_days = 1 # how long to certify for

Sample Run

I am including the following sample run to provide context regarding what exactly I did to cause this error (I apologise if this is too long, I'm just trying to be helpful)...

Script started on Fri Apr  5 14:21:40 2024

root@hostname: # which easy-rsa
/usr/local/bin/easy-rsa

root@hostname: # easy-rsa --version
EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:51 CDT 2023
SSL Lib:     OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa

root@hostname: # easy-rsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /root/test/pki

Using Easy-RSA configuration:
* undefined

root@hostname: # easy-rsa make-vars > pki/vars
root@hostname: # easy-rsa --days=365 build-ca
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars

Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

Enter New CA Key Passphrase: 

Confirm New CA Key Passphrase: 
.+....+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..........+.....+......+.+........+......+.......+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+........+.........+......+.........+......+.+...........+......................+..+......+.........+...+.+.....+.......+...+.....+....+............+........+.+..+...+.+...+..+.+..+...+.............+............+.......................+.+......+..+...+....+.........+............+.....+...............+.......+..+......+.........+......+..................+..........+..+...+....+..+.+........+.........+.+..+...+......+...+..........+..+....+............+..+...+....+...+.....+.+..+...+.+.....................+...+.....+.+........+.......+...+.....+...+...+.......+...+.....+....+..+.+.........+...+..+.............+...+...+.....+....+......+.....+......+.+.....+.........+..............................+...+.+..+.......+.....+...+............+.+..+..........+..+.......+.....+.+...+..+...+......+.+..+......+..........+..............+............+......+....+........+............................+........................+......+...............+..+...+.........+..........+...+...+.....+.........+.+...+.....+.+...........+...+.+.....+.............+......+..............+...+....+........+..........+.....+......+.+...+...+..+.+......+......+............+..+.........+.......+.....+.........+...+............+...+...+............+...+....+........+......+..........+.....+.+...+.......................+...+..........+..+.......+......+......+...+...+...+......+....................+.+...+......+..............+.....................+......+....+.....+...+.+.....+....+......+..+....+...+..+..................+.......+...+..+......+....+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:test

Notice
------
CA creation complete. Your new CA certificate is at:
* /root/test/pki/ca.crt

root@hostname: # echo Now attempt to build-client-full with specified start and end dates
Now attempt to build-client-full with specified start and end dates

root@hostname: # easy-rsa --startdate=20240410000000Z --enddate=20240411000000Z build-client-full testcrt nopass
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars

Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
req: Error on line 31 of config file "/root/test/pki/openssl-easyrsa.cnf"
00206137CA240000:error:07000068:configuration file routines:str_copy:variable has no value:/usr/src/crypto/openssl/crypto/conf/conf_def.c:768:line 31

Easy-RSA error:

easyrsa_openssl - Command has failed:
* openssl req -utf8 -new -newkey rsa:2048 -keyout /root/test/pki/6f16c7b1/temp.1.1 -out /root/test/pki/6f16c7b1/temp.2.1 -noenc -batch

EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:51 CDT 2023
SSL Lib:     OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | nix | FreeBSD | /bin/tcsh

root@hostname: # echo Change line 31 of pki/openssl-easyrsa.cnf
Change line 31 of pki/openssl-easyrsa.cnf
root@hostname: # vi pki/openssl-easyrsa.cnf
~~~ snipped ~~~
Changed line 31 of pki/openssl-easyrsa.cnf...
From:
default_days    = $ENV::EASYRSA_CERT_EXPIRE     # how long to certify for
To:
default_days    = 1     # how long to certify for
~~~ snipped ~~~

root@hostname: # echo Now Try Again
Now Try Again

root@hostname: # easy-rsa --startdate=20240410000000Z --enddate=20240411000000Z build-client-full testcrt nopass
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars

Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
.......+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+........+......+......+.......+.....+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...........+.......+......+...........+...+.+......+.....+...+.......+.........+..+...+....+......+.................+...+.........+...+..........+...+.....+.+......+...+......+.....+......+.........+.+........+............+.............+......+...+........+............+......+.+.....+.........................+.....+...............+.+...+......+...+.....+.+..+...+.......+...+..............+.+.....+......+......+....+........+...+.......+........+............+...+.......+.....+................+...........+.+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+....+..+...+..........+..+.+...+.....+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+...+......+.....+...+...+.........+.+.....+.......+..+......+....+...+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /root/test/pki/reqs/testcrt.req
* key: /root/test/pki/private/testcrt.key 

You are about to sign the following certificate:
Request subject, to be signed as a client certificate 
until date '20240411000000Z':

subject=
    commonName                = testcrt

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /root/test/pki/openssl-easyrsa.cnf
Enter pass phrase for /root/test/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testcrt'
Certificate is to be certified until Apr 11 00:00:00 2024 GMT (5 days)

Write out database with 1 new entries
Database updated

Notice
------
Certificate created at:
* /root/test/pki/issued/testcrt.crt

Notice
------
Inline file created:
* /root/test/pki/inline/testcrt.inline

root@hostname: # easy-rsa show-cert testcrt
Using Easy-RSA 'vars' configuration:
* /root/test/pki/vars

Using SSL:
* openssl OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

Notice
------
Showing 'cert' details for: 'testcrt'

This file is stored at:
* /root/test/pki/issued/testcrt.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:ec:a0:ed:57:03:6c:d2:f9:53:d6:f0:88:f4:5f:93
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = test
        Validity
            Not Before: Apr 10 00:00:00 2024 GMT
            Not After : Apr 11 00:00:00 2024 GMT
        Subject:
            commonName                = testcrt
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                F2:8B:FD:69:23:10:90:08:B4:27:1C:2C:A3:CB:D8:20:B4:65:98:03
            X509v3 Authority Key Identifier: 
                keyid:C1:33:5F:CB:1B:52:48:1B:FC:C9:6F:3E:85:51:A4:F0:A3:5C:D1:4D
                DirName:/CN=test
                serial:0B:6F:86:CF:64:32:AE:27:B6:71:E8:4C:E9:E0:F8:9F:5A:24:BF:76
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature

root@hostname: # exit
exit

Script done on Fri Apr  5 14:26:15 2024

@TinCanTech
Collaborator

TinCanTech commented Apr 6, 2024

This has been fixed in current master branch, to be v3.2.0.

Instead of your work around, the correct solution is to comment out:

default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for

from openssl-easyrsa.cnf.

First reported: #1056
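
The "variable has no value" error in this thread is what OpenSSL's config parser reports when an active line references `$ENV::NAME` and `NAME` is not in the environment. The following preflight check is an added example, not part of the thread or of Easy-RSA: the function name `unset_env_refs` and the `DEMO_*` variables are hypothetical, and the sample config is constructed apart from the `default_days` line quoted in the issue.

```shell
#!/bin/sh
# List $ENV::NAME / ${ENV::NAME} references in an OpenSSL config file whose
# environment variable is unset. Prints "line:NAME" for each and returns 1
# if any were found, 0 otherwise.
unset_env_refs() {
    # $1: path to an OpenSSL config file
    awk '
    {
        line = $0
        sub(/#.*/, "", line)   # drop comments (simplification: ignores "#" inside quotes)
        while (match(line, /[$][{]?ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr(line, RSTART, RLENGTH)
            sub(/^[$][{]?ENV::/, "", name)
            # Unset is the failing case; a variable set to "" is still in ENVIRON.
            if (!(name in ENVIRON)) {
                printf "%d:%s\n", NR, name
                missing = 1
            }
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { exit (missing ? 1 : 0) }
    ' "$1"
}

# Constructed sample: line 2 mirrors the default_days line from the issue,
# line 3 references a variable that is set, line 4 is commented out (the
# maintainer's fix applied to a different, invented key).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
[ CA_default ]
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
dir = $ENV::DEMO_PKI_DIR
#default_crl_days = $ENV::DEMO_COMMENTED_OUT
EOF
unset EASYRSA_CERT_EXPIRE DEMO_COMMENTED_OUT
DEMO_PKI_DIR=/tmp/demo-pki; export DEMO_PKI_DIR

unset_env_refs "$cfg" || echo "unset variables referenced on the lines above" >&2
```

Only line 2 is reported: the commented-out reference on line 4 is never expanded, which is why commenting out `default_days` clears the error without hard-coding a validity period.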

@nobody-important-23
Author

Thank-you!
