
easy-rsa's Introduction

Overview

easy-rsa is a CLI utility to build and manage a PKI CA. In layman's terms, this means creating a root certificate authority, and requesting and signing certificates, including intermediate CAs and certificate revocation lists (CRLs).

Downloads

If you are looking for release downloads, please see the releases section on GitHub. Releases are also available as source checkouts using named tags.

Documentation

For 3.x project documentation and usage, see the README.quickstart.md file or the more detailed docs under the doc/ directory. The .md files are in Markdown format and can be converted to HTML files as desired for release packages, or read as-is in plaintext.

Getting help using easy-rsa

Currently, Easy-RSA development co-exists with OpenVPN even though they are separate projects. The following resources are good places as of this writing to seek help using Easy-RSA:

The openvpn-users mailing list is a good place to post usage or help questions.

You can also try the libera.chat IRC network, in channels #openvpn for general support or #easyrsa for development discussion.

Branch structure

The easy-rsa master branch is currently tracking development for the 3.x release cycle. Please note that, at any given time, master may be broken. Feel free to create issues against master, but have patience when using the master branch. It is recommended to use a release, and priority will be given to bugs identified in the most recent release.

The prior 2.x and 1.x versions are available as release branches for tracking and possible back-porting of relevant fixes.

Branch layout is:

master             <- Active: v3.2.x - Rolling.
v3.<N>.<N>-<LABEL>    Active: Development branches.
testing               Sandbox: Subject to change without notice.
v3.1.8                Sunset: Bugfix only for v3.1.7

The following are NOT compatible with OpenSSL version 3:

v3.0.6                Inactive: Archived.
v3.0.5                Inactive: Archived.
v3.0.4                Inactive: Archived.
release/3.0           Inactive: Archived.
release/2.x           Inactive: Archived.
release/1.x           Inactive: Unmaintained.

LICENSING info for 3.x is in the COPYING.md file.

Contributing

Please refer to: doc/EasyRSA-Contributing.md

Code style, standards

We are attempting to adhere to the POSIX standard, which can be found here:

https://pubs.opengroup.org/onlinepubs/9699919799/

easy-rsa's People

Contributors

a1346054, ab, alonbl, andersblomdell, antagonym, ashutoshojha5, davidrios, dciancu, ecrist, faxm0dem, ipv4v6, javier-godoy, jdelker, kodieglosseribm, luizluca, markus-t314, mattock, mschmitt, nkakouros, oliv3r, oreinert, pillarsdotnet, pschiffe, queuingkoala, siddharths2710, solidgoldbomb, szepeviktor, tincantech, valdikss, xavierba

easy-rsa's Issues

Incorrect variable name in vars.example

set_var EASYRSA_TEMP_FILE "$PKI_DIR/extensions.temp"

However, PKI_DIR is not defined; EASYRSA_PKI is. This results in an inability to create keys, with an "access denied" error while trying to create "/extensions.temp".

Default encryption of private key

If I build a new certificate for a user:
./easyrsa build-client-full mytest

The private key will look like this (same for the ca.key, ...):
-----BEGIN ENCRYPTED PRIVATE KEY-----
...

If I understand it right this is pkcs #8 format with the default encryption (only 56 bit -> weak).
See NOTES section of this manpage:
https://www.openssl.org/docs/apps/pkcs8.html

I'm not entirely sure if this information is outdated (or I simply misunderstood something).
But if the encryption is weak, this should be changed.

Similar problem with "set-rsa-pass"
./easyrsa set-rsa-pass mytest

This results in:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5B3CC5B2D24BC686
...

I'm not sure how secure des3 currently is, but I think aes256 is the better choice here:
https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/easyrsa#L864
local crypto="-des3"
should be:
local crypto="-aes256"
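To answer the question in this post for a given file rather than from the PEM label alone, here is an added checker (my example, not code from easy-rsa or OpenSSL). It reads the DEK-Info header of legacy `BEGIN RSA PRIVATE KEY` files and walks the DER of a PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` to find the password-based encryption scheme and, for PBES2, the cipher OID. The OID table, the three strength classes and the `make_sample_pkcs8` builder (which emits structurally valid samples with dummy ciphertext, purely so the checker can be exercised offline) are my additions; which scheme a real file carries depends on the OpenSSL version that wrote it, so inspect rather than assume.

```python
"""Report how a PEM private key is protected (added example, not easy-rsa or OpenSSL code)."""
import base64
import re

# OpenSSL names for the PKCS#8 password-based encryption OIDs relevant to this discussion.
OID_NAMES = {
    "1.2.840.113549.1.5.3": "PBE-MD5-DES",        # PKCS#5 v1.5, 56-bit DES
    "1.2.840.113549.1.5.10": "PBE-SHA1-DES",      # PKCS#5 v1.5, 56-bit DES
    "1.2.840.113549.1.12.1.3": "PBE-SHA1-3DES",   # PKCS#12 PBE, 3DES
    "1.2.840.113549.1.5.13": "PBES2",             # PKCS#5 v2, cipher named separately
    "1.2.840.113549.3.7": "DES-EDE3-CBC",
    "2.16.840.1.101.3.4.1.2": "AES-128-CBC",
    "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
}
CIPHER_OIDS = {"1.2.840.113549.3.7", "2.16.840.1.101.3.4.1.2", "2.16.840.1.101.3.4.1.42"}

# Constructed legacy-PEM sample with the header layout shown in the post (IV reused from there).
LEGACY_3DES_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-EDE3-CBC,5B3CC5B2D24BC686\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

def rate(cipher):
    """Rough strength class of the symmetric cipher protecting the key."""
    if cipher is None:
        return "unencrypted"
    if cipher in ("DES-CBC", "PBE-MD5-DES", "PBE-SHA1-DES"):
        return "weak (56-bit DES)"
    if cipher in ("DES-EDE3-CBC", "PBE-SHA1-3DES"):
        return "legacy (3DES)"
    if cipher.startswith("AES-"):
        return "ok"
    return "unknown"

def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def _oids_in(der):
    """Every OID in a DER blob, descending into SEQUENCE/SET but not into OCTET STRINGs."""
    out, pos = [], 0
    while pos < len(der):
        tag, value, pos = _tlv(der, pos)
        if tag == 0x06:
            out.append(_decode_oid(value))
        elif tag & 0x20:
            out.extend(_oids_in(value))
    return out

def classify_pem_key(pem):
    """Return (container, cipher, rating) for the first PEM block in `pem`."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":       # PKCS#8 EncryptedPrivateKeyInfo: scheme is in the DER
        oids = _oids_in(base64.b64decode("".join(body.split())))
        if not oids:
            raise ValueError("no AlgorithmIdentifier found")
        scheme = OID_NAMES.get(oids[0], oids[0])
        if scheme == "PBES2":                  # cipher is the encryptionScheme OID inside the params
            cipher_oid = next((o for o in oids if o in CIPHER_OIDS), None)
            scheme = OID_NAMES.get(cipher_oid, cipher_oid or "unknown")
        return "pkcs8", scheme, rate(scheme)
    if label == "PRIVATE KEY":                 # PKCS#8 PrivateKeyInfo: no protection at all
        return "pkcs8", None, rate(None)
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", body, re.M)   # legacy PEM: cipher in the header
    cipher = dek.group(1) if dek and "Proc-Type: 4,ENCRYPTED" in body else None
    return "legacy-pem", cipher, rate(cipher)

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def make_sample_pkcs8(scheme_oid, cipher_oid=None):
    """Constructed sample: a well-formed EncryptedPrivateKeyInfo whose ciphertext is dummy zeros."""
    salt_iter = _der(0x30, _der(0x04, bytes(8)) + _der(0x02, b"\x08\x00"))
    if cipher_oid:    # PBES2-params ::= SEQ { keyDerivationFunc (PBKDF2), encryptionScheme }
        kdf = _der(0x30, _encode_oid("1.2.840.113549.1.5.12") + salt_iter)
        enc = _der(0x30, _encode_oid(cipher_oid) + _der(0x04, bytes(16)))
        params = _der(0x30, kdf + enc)
    else:             # PBES1: PBEParameter ::= SEQ { salt, iterationCount }
        params = salt_iter
    alg = _der(0x30, _encode_oid(scheme_oid) + params)
    b64 = base64.b64encode(_der(0x30, alg + _der(0x04, bytes(32)))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % body
```

Run `classify_pem_key(open("pki/private/mytest.key").read())` over the files easy-rsa produced; a result of `("legacy-pem", "DES-EDE3-CBC", "legacy (3DES)")` is exactly the `set-rsa-pass` case described in the post.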

Unknown cert type 'ca' or 'server' or 'client'

My system
FreeBSD gw.1ok 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 19:31:38 UTC 2015 [email protected]:/usr/obj/usr/src/sys/GENERIC i386

My openVPN version

openvpn --version
OpenVPN 2.3.10 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr  3 2016
library versions: OpenSSL 1.0.1p-freebsd 9 Jul 2015, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

I generate Ca-key and Ca-cert

./easyrsa.real sign-req ca CA

Note: using Easy-RSA configuration from: ./vars

Easy-RSA error:

**Unknown cert type 'ca'**

or

./easyrsa.real sign-req 'server' vpn.1-ok.com

Note: using Easy-RSA configuration from: ./vars

Easy-RSA error:

Unknown cert type 'server'

How can I fix it?

Allow the CA to be inspected by easyrsa show-cert

The show-cert command only allows inspection of certificates under pki/issued, so to inspect the CA certificate, it needs to be linked or copied into pki/issued at creation time.

(Given that it's possible to include a directory separator (i.e. '', '/') in the free-form distinguished name of the CA, it might be best to just link or copy to "ca.crt" or "CA.crt".)

gen-req and build-client-full fail on OSX

./easyrsa init-pki
./easyrsa gen-req my-osx-computer

fails on OSX after asking for "Common Name", but before creating the .req file. The error message is "Error Loading extension section req_extra". The build-client-full command fails with the same error.

The gen-req command worked correctly on a Linux machine.

Unable to generate CSR on same PKI as the CA

I sent an email to the mailing list and made a post on the forums about this with no solution in sight, so I'm opening an issue here.

Using Easy-RSA 3 I can't generate a CSR on a system where I also have a CA and server certificate. As soon as I try, I get an error. Here are the steps I followed:

(all variables were properly defined and all commands were executed as root)

./easyrsa init-pki
./easyrsa build-ca nopass

./easyrsa gen-req $HOSTNAME nopass
./easyrsa sign-req server $HOSTNAME

# This works
./easyrsa gen-req someUser nopass
# This doesn't
./easyrsa sign-req client someUser
Using configuration from /home/easyrsa/easy-rsa/easyrsa3/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'IDF'
localityName          :PRINTABLE:'Paris'
organizationName      :PRINTABLE:'Something'
organizationalUnitName:PRINTABLE:'Private Signing Authority'
commonName            :PRINTABLE:'vps93298.somedomain.io'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 26 16:46:10 2024 GMT (3650 days)
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)

I ran this on CentOS 6.5, fully up to date (easy-rsa master branch checkout from April 26th).

plans to support openssl pass phrase options?

Any plans to support openssl pass phrase options, like these:

-passout pass:mydirtysecret
-passin env:MYPASSVAR
-password file:/root/secrets/ca

Ref: man openssl, section PASS PHRASE ARGUMENTS.

I trigger easyrsa from a web frontend, so there is no easy way to enter passwords on STDIN.

I have some rough patches for that, but I use self-defined env vars which won't meet easyrsa conventions. The hardest part was figuring out which openssl command needs "-passin", "-passout", "-password" or several of them.

How about additional env vars like this?

EASYRSA_PASSOUT=pass:mydirtysecret
EASYRSA_PASSIN=env:MYPASSVAR
EASYRSA_PASSWORD=file:/root/secrets/ca

Definitely no patches for a release candidate. But for a later release? Thoughts?

support from password read from ENV

Hi,

I needed to automate some password-related tasks. EasyRSA supports only passwords from STDIN. I did a small patch to support ENV, at least for set-rsa-pass and set-ec-pass.

@@ -883,10 +883,12 @@ See help output for usage details."
        # parse command options
        shift 2
        local crypto="-aes256"
+       local env=""
        while [ -n "$1" ]; do
                case "$1" in
                        nopass) crypto= ;;
                        file)   file="$raw_file" ;;
+                       env)    env="-passin env:EASYRSA_KEY_PASSWORD_IN -passout env:EASYRSA_KEY_PASSWORD_OUT";;
                        *)      warn "Ignoring unknown command option: '$1'" ;;
                esac
                shift
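Review bot: the `env)` case hard-codes both `-passin env:EASYRSA_KEY_PASSWORD_IN` and `-passout env:EASYRSA_KEY_PASSWORD_OUT` without checking that either variable is exported, so an unset variable only surfaces later as an openssl error; add a guard in that branch, e.g. `[ -n "$EASYRSA_KEY_PASSWORD_IN" ] || die "EASYRSA_KEY_PASSWORD_IN is not set"`, and list the two variable names in the help text next to the existing `nopass` and `file` options. Option order also matters: `env nopass` leaves `$env` carrying `-passout` while `$crypto` is empty, so either clear `env` in the `nopass)` case or reject the combination.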
@@ -900,7 +902,7 @@ $file"
 If the key is currently encrypted you must supply the decryption passphrase.
 ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"

-       "$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto || die "\
+       "$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto $env || die "\
 Failed to change the private key passphrase. See above for possible openssl
 error messages."
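Review bot: `$env` is appended unquoted in the same way as `$crypto`, which matches the script's style and works because the value contains nothing but option tokens; the notice text two lines above it (`If the key is currently encrypted you must supply the decryption passphrase.`) still tells the operator to expect a prompt, so it should be suppressed or reworded when `$env` is non-empty. Since the variables are inherited by every child of the calling shell, the `unset` lines in the usage snippet below are required, not optional; the script could also `unset` them itself right after the openssl call.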

Usage is as follows

export EASYRSA_KEY_PASSWORD_IN=${PASSWD_IN}
export EASYRSA_KEY_PASSWORD_OUT=${PASSWD_OUT}
${EASYRSA_BIN} set-rsa-pass ${FILE} env
RESULT=$?
unset EASYRSA_KEY_PASSWORD_OUT
unset EASYRSA_KEY_PASSWORD_IN

The implementation of this feature could be more abstract to support any of the password input types, see man 1 openssl.

creating client certificate after revoking with same entity name

When you revoke access to an entity it creates under ./pki the files:

  • index.txt.old
  • index.txt.attr.old

If you create another entity with the same name as the one you just revoked access to and try to sign a certificate with:

./easyrsa sign-req client EntityName

it will give you an error like this:


Certificate is to be certified until Aug 14 18:41:45 2026 GMT (3650 days)
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)

If you delete these two files mentioned above it will allow you to create the certificates without problems.

How can I verify the release archive?

I tried to download the release 2.2.2 and gpg sign key. But I can't find the public key.
Where is it? I have tried key 0x606fd463. It didn't match!

SAN (subjectAlternativeName) additions?

Hi there,

How would I go about adding SAN entries to a certificate where it is already included in a CSR?
Any directions would be appreciated, as I'm trying to get this "fixed" for a few internal websites I'd like to use EasyRSA for.

Correct behaviour of make-cadir --help

It currently seems to print the output of mkdir, chmod, ln invoked with --help. It should print a --help message.

experienced with 2.2.2-1 on Ubuntu 15.04

LibreSSL exposes misuse of $ENV

I am a heavy easy-rsa user for my OpenVPN gateways but also for my LDAP servers. I also happen to use OpenBSD as my OS of choice.

On Sunday I spent 30 minutes playing with easy-rsa which is shipped broken on OpenBSD 5.8 until I realized what was going on. Our developer sthen has already reverted easy-rsa to OpenSSL run dependency per comment

switch easy-rsa to using openssl to unbreak; libressl doesn't allow
$ENV:: in config files and easy-arrrrsa uses this heavily.

This is the discussion that followed on ports @openbsd.

http://marc.info/?l=openbsd-ports&m=144578740817527&w=2

To summarize the discussion in one sentence: I was wondering if you guys can think of a better way of communicating to libraries instead of using environment variables?

disable unique_subject or document it

For re-issuing expired certificates, unique_subject in index.txt.attr needs to be "no". This is neither default, nor documented, while the tool issues certificates with a limited lifetime by default.

set password on command line

Please have a look and see if it would be OK for you to add password support on the command line for some functions (set_pass and export-p12); below you can find a diff between your current version (master) and my patched one.

133a134
>         pass:secret-password - set password to given 'secret-password'
145a147
>         pass:secret-password - set password to given 'secret-password'
811a814
>       local pkcs_opts=
815a819
>                       pass:*) pkcs_opts="-passin pass:${1#*:} -passout pass:${1#*:}";;
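Review bot: `pass:*` expands `${1#*:}` into both `-passin` and `-passout`, so export-p12 can only ever use one password for the private key and for the PKCS#12 file; the two are normally different (the key passphrase stays with the CA operator, the p12 password goes to the end user), so separate `passin:`/`passout:` keywords would be more useful. A password given this way also becomes part of the openssl process's argument list, where any local user can read it from the process table, which deserves a sentence in the help lines added at 133a134 and 145a147.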
821d824
<       local pkcs_opts=
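Review bot: 821d824 deletes the `local pkcs_opts=` that 811a814 re-adds above the option loop; the two hunks must land together, because the original declaration would otherwise reset the value assigned in the `pass:*` case.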
889a893
>                       pass:*) crypto="-aes256 -passout pass:${1#*:}";;
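Review bot: `crypto="-aes256 -passout pass:${1#*:}"` silently overrides `nopass` when both are given in that order (`nopass pass:x` yields an encrypted key), while `pass:x nopass` yields an unencrypted one; make the `case` reject the combination or document that the last option wins. The help text should also note that the password is taken verbatim after the first colon, so later colons are kept.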

Thanks in advance

Cert signed by easyrsa3 seems to have missed SAN in original request

Hi,

I have a cert request which contains the subjectAltName (SAN) extension, which is visible to the easyrsa3 tool:

[u@ubuntu:~/ca]$ easyrsa show-req qpidd.221

Showing req details for 'qpidd.221'.
This file is stored at:
/home/u/ca/pki/reqs/qpidd.221.req

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject:
            countryName               = cn
            commonName                = 10.69.6.90
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ubuntu-12, DNS:10.69.6.90

I can sign this as "server" type without issue. However, when I checked the output .crt file, it has no SAN extensions:

[u@ubuntu:~/ca]$ easyrsa show-cert qpidd.221

Showing cert details for 'qpidd.221'.
This file is stored at:
/home/u/ca/pki/issued/qpidd.221.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = yf test ca
        Validity
            Not Before: May 12 22:00:52 2015 GMT
            Not After : May  9 22:00:52 2025 GMT
        Subject:
            countryName               = cn
            commonName                = 10.69.6.90
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                18:53:A5:B8:68:A4:42:31:03:FB:CA:02:C8:41:96:60:02:C4:2B:17
            X509v3 Authority Key Identifier:
                keyid:7B:5B:2C:13:83:C0:C4:2D:0D:95:C9:F9:0B:C1:70:B3:F6:65:0E:AA
                DirName:/CN=yf test ca
                serial:FF:47:28:66:2F:DD:53:C5

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment

When I applied this as an SSL server, and used the SAN to address it, the client complains that the server subject doesn't match the host-name.

Can you give some hints?

Regards,
yf

ERROR: adding extensions in section default

I get the following error by using --subject-alt-name

./easyrsa --subject-alt-name="DNS:test.example.com" build-server-full www.example.com nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 4096 bit RSA private key
................................................................................................................................................................................................................................................................................................................................................................................++
........................................................................................................................................................................++
writing new private key to '/root/easy-rsa/easyrsa3/pki/private/www.example.com.key'
-----
Using configuration from /root/easy-rsa/easyrsa3/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'www.example.com'
ERROR: adding extensions in section default
140222199342760:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:124:
140222199342760:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=req_extensions, value=req_extra

Easy-RSA error:

signing failed (openssl output above may have more detail)

Alternative passphrase input support

OpenSSL supports multiple input methods for passwords, such as stdin, files, pipes, etc. This feature can offer improved flexibility and allow batching multiple operations requiring passphrase input.
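The earlier posts asking for `pass:`, `env:` and `file:` support ("plans to support openssl pass phrase options", "support from password read from ENV", "set password on command line") and this one all come down to the pass phrase argument forms documented in openssl(1). The following is an added example of mine, not easy-rsa's code: it resolves those forms the way the manual describes them, including the rule that when the same file is given for both input and output the first line is the input pass phrase and the second the output one, refuses a pass phrase file readable by group or others, creates such files with mode 0600 from the first byte, and labels the exposure each source carries. The function names, `demo`, and the variable name `MYPASSVAR` (borrowed from the post above) are my choices.

```python
"""Resolve openssl(1)-style pass phrase arguments safely (added example, not easy-rsa code)."""
import os
import stat
import sys
import tempfile

# What each source exposes; worth printing when a tool accepts these specs.
EXPOSURE = {
    "pass": "argument is visible in the process list and shell history",
    "env": "inherited by every child process; unset it once the tool has run",
    "file": "protected only by file permissions; keep it mode 0600",
    "fd": "transient; the descriptor is consumed by the reader",
    "stdin": "interactive; cannot be batched",
}

def _lines_from(spec, environ, stdin):
    """All candidate lines behind one spec (only file: can yield more than one)."""
    kind, _, arg = spec.partition(":")
    if kind == "pass":
        return [arg]
    if kind == "env":
        if arg not in environ:
            raise ValueError("environment variable %s is not set" % arg)
        return [environ[arg]]
    if kind == "file":
        st = os.stat(arg)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("%s is accessible to group/others; expected mode 0600" % arg)
        with open(arg) as fh:
            return [line.rstrip("\r\n") for line in fh]
    if kind == "fd":
        with os.fdopen(int(arg), closefd=False) as fh:
            return [fh.readline().rstrip("\r\n")]
    if spec == "stdin":
        return [stdin.readline().rstrip("\r\n")]
    raise ValueError("unsupported pass phrase source: %r" % spec)

def passphrase_pair(passin, passout, environ=None, stdin=None):
    """Return (input_secret, output_secret, exposure_notes) following the openssl(1) rules:
    either spec may be None; when both name the same file, line 1 is -passin, line 2 -passout."""
    environ = os.environ if environ is None else environ
    stdin = sys.stdin if stdin is None else stdin
    notes, secret_in, secret_out = {}, None, None
    if passin:
        secret_in = _lines_from(passin, environ, stdin)[0]
        notes["in"] = EXPOSURE[passin.partition(":")[0]]
    if passout:
        lines = _lines_from(passout, environ, stdin)
        if passin == passout and passout.startswith("file:"):
            if len(lines) < 2:
                raise ValueError("same file for -passin and -passout needs two lines")
            secret_out = lines[1]
        else:
            secret_out = lines[0]
        notes["out"] = EXPOSURE[passout.partition(":")[0]]
    return secret_in, secret_out, notes

def write_passphrase_file(path, *secrets):
    """Create the file with mode 0600 from the start, so there is no window where it is readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(secrets) + "\n")
    return path

def demo():
    """Exercise the batch-friendly forms with constructed secrets; returns what each resolved to."""
    env = {"MYPASSVAR": "env-secret"}
    with tempfile.TemporaryDirectory() as d:
        path = write_passphrase_file(os.path.join(d, "ca.pass"), "old-secret", "new-secret")
        same_file = passphrase_pair("file:" + path, "file:" + path, environ=env)
        mixed = passphrase_pair("env:MYPASSVAR", "pass:cmdline-secret", environ=env)
        os.chmod(path, 0o644)                  # loosen it deliberately: must now be refused
        try:
            passphrase_pair("file:" + path, None, environ=env)
            loose = None
        except PermissionError as exc:
            loose = str(exc)
    return {"same_file": same_file[:2], "mixed": mixed[:2],
            "mixed_notes": mixed[2], "loose_file": loose}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

A tool wrapping easyrsa would call `passphrase_pair(os.environ.get("EASYRSA_PASSIN"), os.environ.get("EASYRSA_PASSOUT"))` and hand the results to openssl via `fd:` or a 0600 file, keeping `pass:` for throwaway test keys only.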

state should not be abbreviated

In relation to #64

Screenshot:

Imgur

Why does the tool say the standard is one thing, but you're saying the standard is something else? Which is the standard?

[feature request] Make easy-rsa work in terms of user-level OpenVPN setup

I propose to add one more interface layer to easy-rsa, which will help simple users to achieve simple practical goals.

For example, one goal is to connect Android phone client to DD-WRT router as OpenVPN server.

Android app 'OpenVPN Connect' suggests these options for import:

  • Import Private Tunnel Profile
  • Import Access Server Profile
  • Import Profile from SD Card
  • Import PKCS#12 from SD Card

DD-WRT server in turn asks for these values:

  • Public Server Cert
  • Private Server Key
  • DH PEM
  • Additional Config
  • TLS Auth Key
  • Certificate Revoke List

For example, a new option can be added to easy-rsa: connect. Choices for client can be desktop/android/ios, and choices for server can be router/desktop.

easy-rsa should arrive at the answer which option to choose on the Android client side. It should be able to generate .ovpn file for desktop client side (openvpn program itself).

Currently, despite 'easy' in its name, easy-rsa still works in very technical terms (signing/pki/etc), and isn't accessible to less sophisticated users. So there are multiple howtos floating around online, trying to help users with easy-rsa. Some of those howtos are for the older versions of easy-rsa. This makes for a very confusing situation for the users. And the most natural solution is to remove the need for these howtos and make easy-rsa itself sufficient for most practical needs.

Separate key/request generation

Separating the backend process of key and request generation allows additional flexibility and workflows.

De-coupling these steps allows more abstraction in how each one is performed. In particular, this may be a benefit with future PKCS11 smart card integration or other advanced workflows. Another possible use-case is creating an updated request from an existing keypair.

basename: invalid option -- 's' while building on CentOS release 6.7 (Final)

Trying to build on CentOS release 6.7 (Final):

# ./build/build-dist.sh --version=3.2.1

Result:

basename: invalid option -- 's'
Try `basename --help' for more information.
/usr/bin/python: No module named markdown
basename: invalid option -- 's'
Try `basename --help' for more information.
/usr/bin/python: No module named markdown
basename: invalid option -- 's'
Try `basename --help' for more information.
/usr/bin/python: No module named markdown
basename: invalid option -- 's'
Try `basename --help' for more information.
/usr/bin/python: No module named markdown
basename: invalid option -- 's'
Try `basename --help' for more information.
/usr/bin/python: No module named markdown
/usr/bin/python: No module named markdown
build-dist NOTE: tarball created at: ./EasyRSA-3.2.1.tgz
build-dist NOTE: zip file created at: ./EasyRSA-3.2.1.zip

easyrsa is built as expected, but these errors could be avoided, at least the basename one.

# basename --help
Usage: basename NAME [SUFFIX]
  or:  basename OPTION
Print NAME with any leading directory components removed.
If specified, also remove a trailing SUFFIX.

      --help     display this help and exit
      --version  output version information and exit

Examples:
  basename /usr/bin/sort       Output "sort".
  basename include/stdio.h .h  Output "stdio".
# basename --version
basename (GNU coreutils) 8.4
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by David MacKenzie.

EasyRSA-3.0.1.tgz corrupt?

When running "tar" on the downloaded EasyRSA-3.0.1.tgz from the Releases page at https://github.com/OpenVPN/easy-rsa/releases/tag/3.0.1, I get errors about trailing garbage:

$ tar tvf EasyRSA-3.0.1.tgz
drwxrwxr-x ecrist/staff      0 2015-10-26 14:47 EasyRSA-3.0.1/
-rw-rw-r-- ecrist/staff   2415 2015-09-03 09:54 EasyRSA-3.0.1/ChangeLog
-rw-rw-r-- ecrist/staff   1270 2015-09-03 09:10 EasyRSA-3.0.1/COPYING
drwxrwxr-x ecrist/staff      0 2015-10-26 14:47 EasyRSA-3.0.1/doc/
-rwxrwxr-x ecrist/staff  34910 2015-09-10 09:18 EasyRSA-3.0.1/easyrsa
-rw-rw-r-- ecrist/staff  18093 2015-09-03 09:10 EasyRSA-3.0.1/gpl-2.0.txt
-rw-rw-r-- ecrist/staff   4560 2015-09-03 09:10 EasyRSA-3.0.1/openssl-1.0.cnf
-rw-rw-r-- ecrist/staff   3350 2015-09-03 09:10 EasyRSA-3.0.1/README.quickstart.md
gzip: -rw-rw-r-- ecrist/staff   8126 2015-09-03 09:10 EasyRSA-3.0.1/vars.example
drwxrwxr-x ecrist/staff      0 2015-09-03 09:10 EasyRSA-3.0.1/x509-types/
(stdin): trailing garbage ignored-rw-rw-r-- ecrist/staff    426 2015-09-03 09:10 EasyRSA-3.0.1/x509-types/ca

-rw-rw-r-- ecrist/staff    192 2015-09-03 09:10 EasyRSA-3.0.1/x509-types/client
-rw-rw-r-- ecrist/staff    300 2015-09-03 09:10 EasyRSA-3.0.1/x509-types/COMMON
-rw-rw-r-- ecrist/staff    208 2015-09-03 09:10 EasyRSA-3.0.1/x509-types/server
-rw-rw-r-- ecrist/staff   5262 2015-10-26 14:47 EasyRSA-3.0.1/doc/EasyRSA-Advanced.md
-rw-rw-r-- ecrist/staff   9566 2015-10-26 14:47 EasyRSA-3.0.1/doc/EasyRSA-Readme.md
-rw-rw-r-- ecrist/staff   2497 2015-10-26 14:47 EasyRSA-3.0.1/doc/EasyRSA-Upgrade-Notes.md
-rw-rw-r-- ecrist/staff   5891 2015-10-26 14:47 EasyRSA-3.0.1/doc/Hacking.md
-rw-rw-r-- ecrist/staff   4920 2015-10-26 14:47 EasyRSA-3.0.1/doc/Intro-To-PKI.md
gtar: Child returned status 1
gtar: Error is not recoverable: exiting now

The problem seems to be with the gzip format:

$ gzip -dc EasyRSA-3.0.1.tgz > EasyRSA-3.0.1.tar
gzip: EasyRSA-3.0.1.tgz: trailing garbage ignored

Then running tar on the uncompressed file runs fine.

cannot fully automate with --batch option

cannot fully automate with --batch option, and cannot enter passphrase from file or inline

The following gives an Error

mkdir $HOME/clientside
cd $HOME/clientside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa --batch gen-req client1 nopass

mkdir $HOME/serverside
cd $HOME/serverside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch gen-req server nopass
./easyrsa --batch sign-req server server
./easyrsa --batch import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req client1
./easyrsa --batch sign-req client client1

ERROR

$ ./easyrsa --batch sign-req client client1
Using configuration from ....serverside/easy-rsa/easyrsa3/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'ChangeMe'
.....
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)

Workaround: don't batch the following line

./easyrsa gen-req server nopass
*** manually press return ***

EASYRSA_EXTRA_EXTS ignored by build-ca

EASYRSA_EXTRA_EXTS='nameConstraints=permitted;DNS:example.com' ./easyrsa build-ca nopass

creates a ca.crt that doesn't include the nameConstraints extension. The only way I found to add name constraints to the CA was to edit openssl-1.0.cnf, adding the contents of EASYRSA_EXTRA_EXTS under [ easyrsa_ca ]

Revoking a key still allows connections to OpenVPN

Perhaps I am doing this incorrectly. I want to revoke a key, per the readme:

cd /etc/easy-rsa
easyrsa revoke targetkey
easyrsa gen-crl

So everything seems to be as I expect, I can also find an entry in /etc/easy-rsa/pki/index.txt that indicates that I revoked the targetkey:

R 260804130324Z 160808185030Z 03  unknown /CN=targetkey

What's unexpected is that I can still connect with this ovpn profile to the OpenVPN server despite the fact that the key has been revoked. Am I misunderstanding something? I believe the above should render the corresponding ovpn profile dead/unable to connect.
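Several of the reports on this page trace back to what `openssl ca` keeps in pki/index.txt: the `TXT_DB error number 2` failures in "Unable to generate CSR on same PKI as the CA", "creating client certificate after revoking with same entity name" and "cannot fully automate with --batch option", the `unique_subject` question in "disable unique_subject or document it", and this post. The parser below is an added example of mine, not easy-rsa's code. It reads the index, reports why a subject cannot be re-issued (the subject index only holds rows with status V, so a revoked row does not clash but a still-valid row does, even one whose expiry date has already passed), and lists the revoked serials that must end up in the CRL. That last list is the caveat for this post: `revoke` only marks the row; the OpenVPN server rejects the certificate only once `gen-crl` has been re-run and the server is pointed at the new crl.pem with `crl-verify`. `SAMPLE_INDEX` is constructed in the layout shown above.

```python
"""Read an OpenSSL 'ca' index.txt as written by easy-rsa and explain its effects (added example)."""
from datetime import datetime, timezone

FIELDS = ("status", "expires", "revoked", "serial", "filename", "subject")

def parse_index(text):
    """One record per line, six tab-separated fields: status (V valid, R revoked, E expired),
    expiry time, revocation time with optional ',reason' (empty if not revoked), serial in
    hex, certificate file name or 'unknown', and the subject DN."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed index line: %r" % line)
        row = dict(zip(FIELDS, parts))
        row["revoked"] = row["revoked"].split(",")[0] or None
        rows.append(row)
    return rows

def _asn1_time(s):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) as stored in index.txt."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def signing_conflict(rows, subject, unique_subject=True):
    """Why 'openssl ca' would refuse to issue `subject` (the 'TXT_DB error number 2' case), or
    None. Only rows with status V are in the subject index, so R and E rows never clash, while
    a V row clashes even after its expiry date has passed (until it is marked E)."""
    if not unique_subject:
        return None
    for r in rows:
        if r["status"] == "V" and r["subject"] == subject:
            return "valid certificate with serial %s already exists for %s" % (r["serial"], subject)
    return None

def serial_clashes(rows):
    """Duplicate serials clash in the serial index regardless of unique_subject."""
    seen, dup = set(), set()
    for r in rows:
        (dup if r["serial"] in seen else seen).add(r["serial"])
    return sorted(dup)

def stale_valid(rows, now_asn1):
    """V rows already past expiry at `now_asn1`: they still block re-issue under unique_subject=yes."""
    now = _asn1_time(now_asn1)
    return [r["serial"] for r in rows if r["status"] == "V" and _asn1_time(r["expires"]) < now]

def revoked_serials(rows):
    """(serial, subject, revocation time) for every R row: these must be in the CRL that the
    OpenVPN server loads via crl-verify; the index entry on its own blocks nothing."""
    return [(r["serial"], r["subject"], r["revoked"]) for r in rows if r["status"] == "R"]

# Constructed sample in the layout shown in the posts above (fields are tab-separated).
SAMPLE_INDEX = "\n".join([
    "V\t260804130324Z\t\t01\tunknown\t/CN=server",
    "R\t260804130324Z\t160808185030Z\t03\tunknown\t/CN=targetkey",
    "V\t160101000000Z\t\t04\tunknown\t/CN=expired-not-updated",
    "V\t260804130324Z\t\t05\tunknown\t/CN=someUser",
])

if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    print("re-issue someUser:", signing_conflict(rows, "/CN=someUser"))
    print("re-issue targetkey:", signing_conflict(rows, "/CN=targetkey"))
    print("stale V rows:", stale_valid(rows, "170101000000Z"))
    print("must be in CRL:", revoked_serials(rows))
```

Point `parse_index` at `pki/index.txt` before a `sign-req` to see whether it will collide, and diff `revoked_serials` against the serials listed by `openssl crl -in pki/crl.pem -noout -text` on the server to confirm the CRL it enforces is current.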

EASYRSA_REQ_CN in build-full is overwritten

When --req-cn="<user defined string>" is passed on the command line, EASYRSA_REQ_CN is overwritten in the build_full function.

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 088faeb..3b20b38 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -693,7 +693,7 @@ Matching file found at: "
        [ -f "$crt_out" ] && die "Certificate $err_exists $crt_out"

        # create request
-       EASYRSA_REQ_CN="$name"
+       set_var EASYRSA_REQ_CN "$name"
        gen_req "$name" batch $req_opts

        # Sign it
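Review bot: replacing the direct assignment with `set_var EASYRSA_REQ_CN "$name"` lets `--req-cn` win over the positional name, which is the reported bug, but the hunk gives no hint of what `set_var` does; assuming it is the script's existing set-only-if-unset helper (the one vars.example uses), the behaviour change should be spelled out in the help for build-client-full/build-server-full, because the request, key and certificate files are still written under `$name` while the subject CN now comes from `--req-cn`, so file name and CN can differ.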

Generate certificates don't work with --remote-cert-tls or --ns-cert-type

Hello,

I'm setting up a new PKI for OpenVPN 2.x and with easy-rsa 3. Apparently, the generated certificates don't work with --remote-cert-tls which, if I'm understanding correctly, should be enabled by default on recent versions of OpenVPN.

My client can't connect because it fails to verify the Key Usage extension thing:

Validating certificate key usage
++ Certificate has key usage  00a0, expects 0080
++ Certificate has key usage  00a0, expects 0008
++ Certificate has key usage  00a0, expects 0088
VERIFY KU ERROR
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
TCP/UDP: Closing socket

Is there anything I'm missing or is this actually something that should be in the script?
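The `++ Certificate has key usage  00a0, expects 0080` lines above are OpenVPN printing the certificate's keyUsage integer next to each value it was configured to accept. The following is an added example of mine, not OpenVPN's or easy-rsa's code: it decodes those integers into RFC 5280 bit names (using the values OpenSSL's key-usage flags carry) and applies the exact-match rule the log demonstrates, so the mismatch in this report can be read off. For orientation, 0080/0008/0088 is the set OpenVPN 2.3 checks for `remote-cert-tls client`, and 00a0/0088 the set for `remote-cert-tls server`; `SAMPLE_LOG` is the report's own lines, reused as constructed input.

```python
"""Decode keyUsage values from OpenVPN's verify log and apply its matching rule (added example)."""
import re

# keyUsage bit values as OpenSSL's X509_get_key_usage() exposes them (RFC 5280 bit order,
# bit 0 = 0x80 of the low byte, bit 8 = 0x8000); OpenVPN prints the same integer.
KEY_USAGE_BITS = (
    (0x0080, "digitalSignature"), (0x0040, "nonRepudiation"), (0x0020, "keyEncipherment"),
    (0x0010, "dataEncipherment"), (0x0008, "keyAgreement"), (0x0004, "keyCertSign"),
    (0x0002, "cRLSign"), (0x0001, "encipherOnly"), (0x8000, "decipherOnly"),
)
KNOWN_MASK = sum(bit for bit, _ in KEY_USAGE_BITS)

def decode_key_usage(value):
    """Names of the bits set in a keyUsage integer such as 0x00a0."""
    names = [name for bit, name in KEY_USAGE_BITS if value & bit]
    leftover = value & ~KNOWN_MASK & 0xFFFF
    if leftover:
        names.append("unknown(0x%04x)" % leftover)
    return names

def key_usage_accepted(cert_ku, expected):
    """The --remote-cert-ku rule the log shows: the certificate's whole keyUsage value must be
    equal to one of the expected values; carrying more bits than expected is a mismatch."""
    return any(cert_ku == e for e in expected)

_LOG_RE = re.compile(r"Certificate has key usage\s+([0-9a-fA-F]+), expects ([0-9a-fA-F]+)")

def analyse_verify_log(lines):
    """Collect the (has, expects) pairs from the log lines and report outcome plus decodes."""
    pairs = [(int(m.group(1), 16), int(m.group(2), 16)) for m in map(_LOG_RE.search, lines) if m]
    if not pairs:
        raise ValueError("no key usage lines found")
    cert_ku = pairs[0][0]
    expected = [e for _, e in pairs]
    return {
        "certificate": decode_key_usage(cert_ku),
        "expected": [decode_key_usage(e) for e in expected],
        "accepted": key_usage_accepted(cert_ku, expected),
    }

# The lines from the report above, used as constructed input.
SAMPLE_LOG = [
    "Validating certificate key usage",
    "++ Certificate has key usage  00a0, expects 0080",
    "++ Certificate has key usage  00a0, expects 0008",
    "++ Certificate has key usage  00a0, expects 0088",
    "VERIFY KU ERROR",
]

if __name__ == "__main__":
    for k, v in analyse_verify_log(SAMPLE_LOG).items():
        print(k, "->", v)
```

Feeding the report's lines through `analyse_verify_log` decodes the certificate as digitalSignature + keyEncipherment (what the server x509-type in this repository produces, compare the `X509v3 Key Usage` block in the "cert signed by easyrsa3" post) against three expected values that all differ from it, hence `VERIFY KU ERROR`.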

PKI Profile for IKE/IPSec

Pull requests #45, #46 aim to add IPSec compatibility with Easy-RSA. On-point with this goal is RFC4945, and the related informational RFC4809. After a review of the requirements in these RFCs, basic support should be as simple as a new pair of client/server extensions under x509-types.

One issue I'm as yet undecided on is handling of the DN Subject. Per RFC, this value may be blank, as IKE will use the subjectAltName as authoritative (RFC4945 sec. 5.1.2.1 & 5.1.3.6.) Also of note is that RFC4809 (sec. 3.7.2) may choose to use either the DN or subjectAltName fields for verification. Support should exist for requesters to supply these as-desired, possibly keeping today's existing behavior; attempting to supply an empty CN currently results in a failure.

An RFC4945-compliant CA has additional responsibilities, notably CRL and/or OCSP handling. While Easy-RSA supports these features, it is likely outside the scope to enforce these requirements in the core code. An option down the road, possibly for an interested implementor, would be a contrib/-style script to aid in the configuration of further IKE compliance.

Move revoked files away

If I create a certificate with "./easyrsa build-client-full testcert" and then revoke it with "./easyrsa revoke testcert" then I can't recreate a new certificate with the same name ("./easyrsa build-client-full testcert").
I have to manually (re)move the files first.

I have created a patch that moves the files automatically to a revoked folder.
So if I revoke a certificate I lose nothing, and I can reissue a certificate with the same name without manual interactions.

http://pastebin.com/8P2R0yDX

unexpected EOF caused by unsupported quotation in vars file

Hi,

using easy-rsa3 on OSX 10.9.x (with bash from macports) I get this error when using init-pki:

$easyrsa init-pki
./easyrsa: eval: line 1046: unexpected EOF while looking for matching `''
./easyrsa: eval: line 1047: syntax error: unexpected end of file

The directory pki seems to be created, along with the directories reqs and private, but I do not know if something goes wrong 'underneath'.

$bash -version:
GNU bash, Version 4.3.11(1)-release (x86_64-apple-darwin13.1.0)

I do not see this error on linux, and I wonder why. Please ask for any pieces of information you might need...

3.x does not work on SmartOS/Solaris unless shell is changed to /bin/bash

Error with /bin/sh:

./easyrsa[977]: local: not found [No such file or directory]
./easyrsa[980]: local: not found [No such file or directory]
./easyrsa[1059]: local: not found [No such file or directory]
./easyrsa[1061]: local: not found [No such file or directory]
./easyrsa[1062]: eval[1]: export: =hB: is not an identifier

3.x versions work great on SmartOS instances in Joyent Public Cloud, as long as the shell is changed from /bin/sh to /bin/bash.

Support -startdate option to allow backdating of certificates

When programmatically issuing certificates it can be helpful to backdate them by a few hours or even a day. That way, if the client machine's clock is behind the CA machine's clock it won't have a problem using the newly-issued certificate.

Without some amount of backdating, the certificate will appear to be outside of its validity window on the client machine.

We've encountered lots of Windows machines where the clock appears to be correct, but is off by several hours from the correct UTC time. People set the clock to the correct local time, but don't change the system time zone off of the Windows default of Pacific time.

The openssl 'ca' command has a -startdate option that controls the "not before" time, with the default being the current time. Support for -startdate as-is would be great; even better would be an option that takes a number of minutes or hours and adds that to the current time. Use of a negative number would allow backdating and a positive number would future-date the certificate.
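The offset-in-minutes variant requested above, as an added example that is not part of the original report and not Easy-RSA code. It builds the value `openssl ca -startdate` expects from the CA's own clock, so that a negative offset backdates and a positive one future-dates notBefore; the `sign_with_offset` wrapper and its `./ca/openssl.cnf`, `./ca/ca.crt` and `./ca/ca.key` paths are hypothetical and assume a standard `openssl ca` layout. The output uses the `YYMMDDHHMMSSZ` (ASN.1 UTCTime) form, which every OpenSSL release accepts; newer releases also take `YYYYMMDDHHMMSSZ`.

```shell
#!/bin/sh
# Added example (not Easy-RSA code): compute a backdated or future-dated
# notBefore for 'openssl ca -startdate'. '-startdate' belongs to the 'ca'
# subcommand; 'openssl x509 -req' has no equivalent.

# startdate_at EPOCH_SECONDS OFFSET_MINUTES -> prints YYMMDDHHMMSSZ (UTC)
startdate_at() {
    epoch=$(( $1 + $2 * 60 ))
    # GNU date (Linux) and BSD date (macOS) spell "format this epoch" differently
    date -u -d "@$epoch" '+%y%m%d%H%M%SZ' 2>/dev/null \
        || date -u -r "$epoch" '+%y%m%d%H%M%SZ'
}

# startdate_now OFFSET_MINUTES -> same value relative to the CA's current clock
startdate_now() {
    startdate_at "$(date -u +%s)" "$1"
}

# sign_with_offset CSR OUT OFFSET_MINUTES
#   Signs CSR with the (hypothetical) CA under ./ca, shifting notBefore by
#   OFFSET_MINUTES. Validity length still comes from -days; everything else
#   still comes from openssl.cnf. Afterwards print the window actually issued.
sign_with_offset() {
    openssl ca -batch -config ./ca/openssl.cnf -cert ./ca/ca.crt -keyfile ./ca/ca.key \
        -startdate "$(startdate_now "$3")" -days 365 \
        -in "$1" -out "$2" \
    && openssl x509 -in "$2" -noout -startdate -enddate
}

echo "notBefore two hours ago: $(startdate_now -120)"
echo "notBefore one day ahead: $(startdate_now 1440)"
# Usage: ./backdate.sh client.csr client.crt -120
if [ "$#" -eq 3 ]; then sign_with_offset "$1" "$2" "$3"; fi
```

Keep the offset to the few hours the report asks for and fix the client clocks with NTP where possible: a backdated notBefore also widens the window in which a mis-issued certificate would have been accepted, and a future-dated one does nothing for clients whose clocks are behind.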

Allow selection of cipher for private keys

OpenSSL supports a variety of symmetric ciphers for private key encryption that some users may wish to use. Exposing this support to Easy-RSA would allow more flexibility in security choices by users.
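What selecting the key cipher looks like with the OpenSSL CLI alone, as an added example that is not part of the original request and not Easy-RSA code. It wraps an unencrypted key in PKCS#8 with PBES2, where the cipher is a parameter and the passphrase is stretched with PBKDF2 at an explicit iteration count, and then reads back which cipher the file records. The scratch key, passphrase and temp directory are constructed for the demonstration; it assumes the `openssl` CLI (1.1.0 or later for `-iter`) on PATH.

```shell
#!/bin/sh
# Added example (not Easy-RSA code): encrypt a private key under a chosen
# symmetric cipher via PKCS#8/PBES2 + PBKDF2, and inspect the result.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway unencrypted RSA key, standing in for pki/private/<name>.key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/plain.key" 2>/dev/null

# encrypt_key CIPHER PASSPHRASE IN OUT
#   CIPHER is any 'openssl enc' cipher name (aes-256-cbc, aes-128-cbc,
#   camellia-256-cbc, ...). PBES2 with PBKDF2 and a chosen iteration count is
#   used instead of the traditional "RSA PRIVATE KEY"/DEK-Info PEM scheme,
#   whose key derivation is a single MD5 pass over the passphrase.
encrypt_key() {
    openssl pkcs8 -topk8 -v2 "$1" -iter 200000 \
        -in "$3" -out "$4" -passout "pass:$2"
}

# recorded_cipher FILE -> prints the cipher OID name stored in the PKCS#8 header
recorded_cipher() {
    openssl asn1parse -in "$1" \
        | grep -oiE 'aes-[0-9]+-cbc|camellia-[0-9]+-cbc' | head -n 1
}

# key_opens FILE PASSPHRASE -> exit 0 iff PASSPHRASE decrypts the key
key_opens() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

encrypt_key aes-256-cbc 'correct horse' "$WORK/plain.key" "$WORK/aes256.key"
encrypt_key aes-128-cbc 'correct horse' "$WORK/plain.key" "$WORK/aes128.key"
echo "aes256.key records: $(recorded_cipher "$WORK/aes256.key")"
echo "aes128.key records: $(recorded_cipher "$WORK/aes128.key")"
if key_opens "$WORK/aes256.key" 'wrong'; then
    echo "unexpected: wrong passphrase accepted"
else
    echo "wrong passphrase rejected"
fi
```

The cipher choice matters less than the key derivation around it: whichever AES or Camellia mode is picked, the PBES2 container with a high PBKDF2 count is what makes an offline guess at the passphrase expensive, while the traditional PEM format leaves a leaked key file one MD5 per guess away from the plaintext.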

Connection reset using easy-rsa 3.0

I can't make an OpenVPN server work with the new easy-rsa 3.0 setup. Worked flawlessly in the past with the bundled 2.0-branch. Tried it on two separate host providers (one with a working legacy config).

# uname -a
Linux server-asia 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

I get a TLS error on my client (OSX 10.10 Viscosity):

Sep 24 01:33:29: Attempting to establish TCP connection with [AF_INET]128.199.237.115:443 [nonblock]
Sep 24 01:33:30: TCP connection established with [AF_INET]128.191.237.215:443
Sep 24 01:33:30: TCPv4_CLIENT link local: [undef]
Sep 24 01:33:30: TCPv4_CLIENT link remote: [AF_INET]128.191.237.215:443
Sep 24 01:33:37: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 24 01:33:37: TLS Error: TLS object -> incoming plaintext read error
Sep 24 01:33:37: TLS Error: TLS handshake failed
Sep 24 01:33:37: Fatal TLS error (check_tls_errors_co), restarting
Sep 24 01:33:37: SIGUSR1[soft,tls-error] received, process restarting
# openssl verify -CAfile ca.crt issued/[email protected] 
issued/[email protected]: OK
# openssl verify -CAfile ca.crt issued/[email protected] 
issued/[email protected]: OK

Full server logs:

Tue Sep 23 19:30:38 2014 us=217227 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Tue Sep 23 19:30:38 2014 us=217468 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Tue Sep 23 19:30:38 2014 us=231950 Diffie-Hellman initialized with 2048 bit key
Tue Sep 23 19:30:38 2014 us=233359 Control Channel Authentication: using 'pki/ta.key' as a OpenVPN static key file
Tue Sep 23 19:30:38 2014 us=233416 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 19:30:38 2014 us=233451 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 19:30:38 2014 us=233512 TLS-Auth MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Sep 23 19:30:38 2014 us=233579 Socket Buffers: R=[87380->131072] S=[87380->131072]
Tue Sep 23 19:30:38 2014 us=233823 ROUTE_GATEWAY 128.199.192.1/255.255.192.0 IFACE=eth0 HWADDR=04:01:28:e5:88:01
Tue Sep 23 19:30:38 2014 us=234334 TUN/TAP device tun0 opened
Tue Sep 23 19:30:38 2014 us=234385 TUN/TAP TX queue length set to 100
Tue Sep 23 19:30:38 2014 us=234446 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Sep 23 19:30:38 2014 us=234511 /sbin/ip link set dev tun0 up mtu 1500
Tue Sep 23 19:30:38 2014 us=238452 /sbin/ip addr add dev tun0 local 10.50.0.1 peer 10.50.0.2
Tue Sep 23 19:30:38 2014 us=242759 /sbin/ip route add 10.50.0.0/24 via 10.50.0.2
Tue Sep 23 19:30:38 2014 us=246760 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Sep 23 19:30:38 2014 us=251290 GID set to nogroup
Tue Sep 23 19:30:38 2014 us=251426 UID set to nobody
Tue Sep 23 19:30:38 2014 us=251529 Listening for incoming TCP connection on [undef]
Tue Sep 23 19:30:38 2014 us=251602 TCPv4_SERVER link local (bound): [undef]
Tue Sep 23 19:30:38 2014 us=251628 TCPv4_SERVER link remote: [undef]
Tue Sep 23 19:30:38 2014 us=251672 MULTI: multi_init called, r=256 v=256
Tue Sep 23 19:30:38 2014 us=251842 IFCONFIG POOL: base=10.50.0.4 size=62, ipv6=0
Tue Sep 23 19:30:38 2014 us=251879 IFCONFIG POOL LIST
Tue Sep 23 19:30:38 2014 us=251955 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Sep 23 19:30:38 2014 us=252047 Initialization Sequence Completed
Tue Sep 23 19:30:43 2014 us=360073 MULTI: multi_create_instance called
Tue Sep 23 19:30:43 2014 us=360148 Re-using SSL/TLS context
Tue Sep 23 19:30:43 2014 us=360198 LZO compression initialized
Tue Sep 23 19:30:43 2014 us=360484 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Sep 23 19:30:43 2014 us=360521 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Sep 23 19:30:43 2014 us=360609 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Sep 23 19:30:43 2014 us=360623 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Sep 23 19:30:43 2014 us=360653 Local Options hash (VER=V4): '9915e4a2'
Tue Sep 23 19:30:43 2014 us=360670 Expected Remote Options hash (VER=V4): '2f2c6498'
Tue Sep 23 19:30:43 2014 us=360713 TCP connection established with [AF_INET]85.168.116.160:41848
Tue Sep 23 19:30:43 2014 us=360735 TCPv4_SERVER link local: [undef]
Tue Sep 23 19:30:43 2014 us=360747 TCPv4_SERVER link remote: [AF_INET]85.168.116.160:41848
Tue Sep 23 19:30:43 2014 us=791973 85.168.116.160:41848 TCPv4_SERVER READ [42] from [AF_INET]85.168.116.160:41848: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Tue Sep 23 19:30:43 2014 us=792066 85.168.116.160:41848 TLS: Initial packet from [AF_INET]85.168.116.160:41848, sid=dee1457d a616639a
Tue Sep 23 19:30:43 2014 us=792137 85.168.116.160:41848 TCPv4_SERVER WRITE [54] to [AF_INET]85.168.116.160:41848: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Tue Sep 23 19:30:44 2014 us=65553 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #2 ] [ 0 ]
Tue Sep 23 19:30:44 2014 us=589910 85.168.116.160:41848 TCPv4_SERVER READ [142] from [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=1 DATA len=100
Tue Sep 23 19:30:44 2014 us=590089 85.168.116.160:41848 TCPv4_SERVER WRITE [50] to [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
Tue Sep 23 19:30:44 2014 us=590145 85.168.116.160:41848 TCPv4_SERVER READ [142] from [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100
Tue Sep 23 19:30:44 2014 us=590179 85.168.116.160:41848 TCPv4_SERVER WRITE [50] to [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #3 ] [ 2 ]
Tue Sep 23 19:30:44 2014 us=590239 85.168.116.160:41848 TCPv4_SERVER READ [54] from [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=12
Tue Sep 23 19:30:44 2014 us=598868 85.168.116.160:41848 TCPv4_SERVER WRITE [154] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #4 ] [ 3 ] pid=1 DATA len=100
Tue Sep 23 19:30:44 2014 us=598930 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=2 DATA len=100
Tue Sep 23 19:30:44 2014 us=598963 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #6 ] [ ] pid=3 DATA len=100
Tue Sep 23 19:30:44 2014 us=598994 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #7 ] [ ] pid=4 DATA len=100
Tue Sep 23 19:30:45 2014 us=205548 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #6 ] [ 1 ]
Tue Sep 23 19:30:45 2014 us=205856 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #8 ] [ ] pid=5 DATA len=100
Tue Sep 23 19:30:45 2014 us=513674 85.168.116.160:41848 TCPv4_SERVER READ [58] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #7 ] [ 2 3 4 ]
Tue Sep 23 19:30:45 2014 us=514112 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #9 ] [ ] pid=6 DATA len=100
Tue Sep 23 19:30:45 2014 us=514414 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=7 DATA len=100
Tue Sep 23 19:30:45 2014 us=514687 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=8 DATA len=100
Tue Sep 23 19:30:45 2014 us=816397 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #8 ] [ 5 ]
Tue Sep 23 19:30:45 2014 us=816985 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #12 ] [ ] pid=9 DATA len=100
Tue Sep 23 19:30:46 2014 us=126131 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #9 ] [ 6 ]
Tue Sep 23 19:30:46 2014 us=126617 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #13 ] [ ] pid=10 DATA len=100
Tue Sep 23 19:30:46 2014 us=430853 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #10 ] [ 7 ]
Tue Sep 23 19:30:46 2014 us=431141 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #14 ] [ ] pid=11 DATA len=100
Tue Sep 23 19:30:46 2014 us=431264 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #11 ] [ 8 ]
Tue Sep 23 19:30:46 2014 us=431373 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #15 ] [ ] pid=12 DATA len=100
Tue Sep 23 19:30:46 2014 us=742011 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #12 ] [ 9 ]
Tue Sep 23 19:30:46 2014 us=742301 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #16 ] [ ] pid=13 DATA len=100
Tue Sep 23 19:30:47 2014 us=16007 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #13 ] [ 10 ]
Tue Sep 23 19:30:47 2014 us=16299 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #17 ] [ ] pid=14 DATA len=100
Tue Sep 23 19:30:47 2014 us=350147 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #14 ] [ 11 ]
Tue Sep 23 19:30:47 2014 us=350480 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #18 ] [ ] pid=15 DATA len=100
Tue Sep 23 19:30:47 2014 us=350589 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #15 ] [ 12 ]
Tue Sep 23 19:30:47 2014 us=350733 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #19 ] [ ] pid=16 DATA len=100
Tue Sep 23 19:30:47 2014 us=660243 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #16 ] [ 13 ]
Tue Sep 23 19:30:47 2014 us=660552 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #20 ] [ ] pid=17 DATA len=100
Tue Sep 23 19:30:47 2014 us=962036 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #17 ] [ 14 ]
Tue Sep 23 19:30:47 2014 us=962357 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #21 ] [ ] pid=18 DATA len=100
Tue Sep 23 19:30:48 2014 us=278178 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #18 ] [ 15 ]
Tue Sep 23 19:30:48 2014 us=278449 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #22 ] [ ] pid=19 DATA len=100
Tue Sep 23 19:30:48 2014 us=278557 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #19 ] [ 16 ]
Tue Sep 23 19:30:48 2014 us=278665 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #23 ] [ ] pid=20 DATA len=100
Tue Sep 23 19:30:48 2014 us=579654 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #20 ] [ 17 ]
Tue Sep 23 19:30:48 2014 us=580759 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #24 ] [ ] pid=21 DATA len=100
Tue Sep 23 19:30:48 2014 us=891116 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #21 ] [ 18 ]
Tue Sep 23 19:30:48 2014 us=891250 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #25 ] [ ] pid=22 DATA len=100
Tue Sep 23 19:30:49 2014 us=196226 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #22 ] [ 19 ]
Tue Sep 23 19:30:49 2014 us=196537 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #26 ] [ ] pid=23 DATA len=100
Tue Sep 23 19:30:49 2014 us=196651 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #23 ] [ 20 ]
Tue Sep 23 19:30:49 2014 us=196759 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #27 ] [ ] pid=24 DATA len=100
Tue Sep 23 19:30:49 2014 us=519527 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #24 ] [ 21 ]
Tue Sep 23 19:30:49 2014 us=519869 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #28 ] [ ] pid=25 DATA len=100
Tue Sep 23 19:30:49 2014 us=809538 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #25 ] [ 22 ]
Tue Sep 23 19:30:49 2014 us=809899 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #29 ] [ ] pid=26 DATA len=100
Tue Sep 23 19:30:50 2014 us=119011 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #26 ] [ 23 ]
Tue Sep 23 19:30:50 2014 us=119486 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #30 ] [ ] pid=27 DATA len=100
Tue Sep 23 19:30:50 2014 us=119721 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #27 ] [ 24 ]
Tue Sep 23 19:30:50 2014 us=119965 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #31 ] [ ] pid=28 DATA len=100
Tue Sep 23 19:30:50 2014 us=426847 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #28 ] [ 25 ]
Tue Sep 23 19:30:50 2014 us=427347 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #32 ] [ ] pid=29 DATA len=100
Tue Sep 23 19:30:50 2014 us=730333 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #29 ] [ 26 ]
Tue Sep 23 19:30:50 2014 us=730837 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #33 ] [ ] pid=30 DATA len=100
Tue Sep 23 19:30:50 2014 us=731862 85.168.116.160:41848 Connection reset, restarting [0]
Tue Sep 23 19:30:50 2014 us=732105 85.168.116.160:41848 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Sep 23 19:30:50 2014 us=732363 TCP/UDP: Closing socket

Only advice found so far is to regenerate the CA...


Ansible playbook used to generate the config:

- name: OpenVPN | EasyRSA | Checkout project
  git: repo=https://github.com/OpenVPN/easy-rsa.git accept_hostkey=True
       remote=github version=master
       dest=/etc/openvpn/easyrsa
- name: OpenVPN | EasyRSA | Link project
  file: src=./easyrsa/easyrsa3/pki dest=/etc/openvpn/pki owner=root group=root force=yes state=link

- name: OpenVPN | Deploy vars configuration
  template: src=vars.j2 dest=/etc/openvpn/easyrsa/easyrsa3/vars owner=root group=root mode=0644
  register: result
- name: OpenVPN | Initialize PKI
  shell: echo 'yes' | ./easyrsa init-pki chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
- name: OpenVPN | Build CA
  shell: ./easyrsa build-ca ca@{{ openvpn_server_name }} nopass chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
- name: OpenVPN | Build Server
  shell: ./easyrsa build-server-full server@{{ openvpn_server_name }} nopass chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
- name: OpenVPN | Build Clients
  shell: ./easyrsa build-client-full {{ item }}@{{ openvpn_server_name }} nopass chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
  with_items:
    - admin
    - player
- name: OpenVPN | Build dh.pem
  shell: ./easyrsa gen-dh chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
- name: OpenVPN | Build ta.key
  shell: openvpn --genkey --secret ta.key chdir=/etc/openvpn/easyrsa/easyrsa3/pki
  when: result | changed
- name: OpenVPN | Archive configuration
  shell: tar -cvzf /root/openvpn.tgz * chdir=/etc/openvpn creates=/root/openvpn.tgz
  when: result | changed
- fetch: src=/root/openvpn.tgz dest=fetched
  when: result | changed
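What the failing check in the client log actually tests, as an added example that is not part of the report above, not the reporter's playbook and not Easy-RSA code, and not a diagnosis of that particular setup. It builds a throwaway CA and server certificate, shows that `openssl verify -purpose sslserver` passes against the issuing CA and fails against a second CA of the same name, and prints the CA fingerprint to compare between the server and the `ca.crt` embedded in a client profile. The CA names and the temp directory are constructed for the demonstration; it assumes the `openssl` CLI on PATH.

```shell
#!/bin/sh
# Added example (not Easy-RSA code): reproduce both outcomes behind
# "certificate verify failed" with a throwaway PKI in a temp directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME -> self-signed NAME.crt / NAME.key, valid one day
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_server CA NAME -> NAME.crt signed by CA, with the key usage and
# extended key usage that OpenVPN's 'remote-cert-tls server' checks
issue_server() {
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$WORK/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verifies_as_server CA NAME -> exit 0 iff NAME.crt chains to CA.crt and is
# acceptable for the server role; this is the check the client log reports on
verifies_as_server() {
    openssl verify -purpose sslserver -CAfile "$WORK/$1.crt" "$WORK/$2.crt" \
        >/dev/null 2>&1
}

# ca_fingerprint CA -> SHA-256 fingerprint of CA.crt; run the same command on
# the ca.crt shipped to the client and the two values must match
ca_fingerprint() {
    openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

make_ca ca-first
make_ca ca-second            # same CN, different key: a regenerated CA
issue_server ca-first server

if verifies_as_server ca-first server; then
    echo "server.crt against ca-first: OK"
fi
if verifies_as_server ca-second server; then
    echo "unexpected: server.crt verified against ca-second"
else
    echo "server.crt against ca-second: certificate verify failed"
fi
echo "ca-first  $(ca_fingerprint ca-first)"
echo "ca-second $(ca_fingerprint ca-second)"
```

A CA that is regenerated keeps its subject name but gets a new key, so every certificate issued by the old CA, and every client profile carrying the old `ca.crt`, stops verifying even though `openssl verify` on the server (run against the current `ca.crt`) still says OK. Comparing fingerprints on both ends separates that case from a certificate that was never signed by the CA the client trusts.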

fix to support OpenBSD 5.6 (LibreSSL)

Simply change line 291 in easyrsa3/easyrsa:

- [ "${val%% *}" = "OpenSSL" ] || die "\
+ [ "${val%% *}" = "OpenSSL" -o "${val%% *}" = "LibreSSL" ] || die "\
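Review bot: the `-o` inside `[ ... ]` on the replacement line is an XSI extension that POSIX marks obsolescent, and this tracker already carries reports of easyrsa being run under a bare /bin/sh on Solaris, so a portable form is preferable: `case "${val%% *}" in OpenSSL|LibreSSL) ;; *) die "..." ;; esac` accepts both vendors without `-o` and takes a third prefix as one more alternative. The bash trace in the Gentoo LibreSSL report further down already shows a `case "${val%% *}" in` at this spot, so the `case` form is the one to target.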

OpenBSD 5.6 is the first release that includes their rewrite of OpenSSL known as LibreSSL.

"openssl version" on OpenBSD 5.6 returns "LibreSSL 2.0". Other than that, the API is identical and easy-rsa works just fine.

Libressl, Expected to find openssl command at: openssl

I am trying to get easy-rsa3 to work with libressl on gentoo

openssl version

LibreSSL 2.2.3

./easyrsa init-pki

...
"$EASYRSA_OPENSSL" version
++ openssl version
1385875132:error:0E065068:configuration file routines:STR_COPY:variable has no value:/var/tmp/portage/dev-libs/libressl-2.2.3/work/libressl-2.2.3/crypto/conf/conf_def.c:573:line 3

+ local val=
+ case "${val%% *}" in
+ die 'Missing or invalid OpenSSL
Expected to find openssl command at: openssl'
+ print '

Changing EASYRSA_OPENSSL to /usr/bin/openssl produces the same error.
