On Sun, 05 Mar 2023 15:26:47 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
> please remember to copy the mailing list.

Will do, I thought that you wanted it off the list until sorted...

> Comment below.
>
>
> ------- Original Message -------
> On Sunday, March 5th, 2023 at 09:53, Bo Berglund <bo.bergl...@gmail.com> wrote:
>
>
>> Hi,
>> I tried to figure out why the CA check failed by reading what easyrsa does
>> when it issues the error message...
>> It looks like it tries to verify the content of ca.crt against the vars file
>> using the easyrsa_openssl() function.
>>
>> # Match the current CA elements to the vars file settings
>> CA_vars_match=1
>> [ "$CA_countryName" = "$KEY_COUNTRY" ] || CA_vars_match=0
>> [ "$CA_stateOrProvinceName" = "$KEY_PROVINCE" ] || CA_vars_match=0
>> [ "$CA_localityName" = "$KEY_CITY" ] || CA_vars_match=0
>> [ "$CA_organizationName" = "$KEY_ORG" ] || CA_vars_match=0
>> [ "$CA_organizationalUnitName" = "$KEY_OU" ] || CA_vars_match=0
>> [ "$CA_emailAddress" = "$KEY_EMAIL" ] || CA_vars_match=0
>>
>> if [ "$CA_vars_match" -eq 1 ]
>> then
>>     CURRENT_CA_IS_VERIFIED="partially"
>> else
>>     up23_fail_upgrade "CA certificate does not match vars file settings"
>> fi
>>
>> So I issued the extraction command on the command line as follows to check
>> what is actually in ca.crt:
>>
>> ~/openvpn/EasyRSA-3.1.2/keys$ openssl x509 -subject -nameopt utf8,sep_multiline,space_eq,lname,align -noout -in ca.crt
>> subject=
>>     countryName            = SE
>>     stateOrProvinceName    = Stockholm
>>     localityName           = Stockholm
>>     organizationName       = Private
>>     organizationalUnitName = Dev
>>     commonName             = BosseOVPN
>>     name                   = server
>>     emailAddress           = <my home email>
>>
>> My vars file has this:
>>
>> # These are the default values for fields
>> # which will be placed in the certificate.
>> # Don't leave any of these fields blank.
>> export KEY_COUNTRY="SE"
>> export KEY_PROVINCE="--"     # <= Notice difference
>> export KEY_CITY="Stockholm"
>> export KEY_ORG="Private"
>> export KEY_EMAIL="<my home email>"
>> export KEY_OU="Dev"
>>
>> # X509 Subject Field
>> export KEY_NAME="server"
>>
>> Since easyrsa is checking the 6 items I modified the KEY_PROVINCE var to
>> also contain Stockholm and reran the command.
>> But I got the exact same output this time too.
>>
>> Since the commonName is also there but not checked by easyrsa at that point
>> I left that in place...
>>
>> At wits end...
>>
>> /Bo B
>>
>
>
> Sorry, I cannot see why there is a mismatch. However, we can omit that check.
>
> Find this code below the code you copied above:
>
> if [ "$CA_vars_match" -eq 1 ]
> then
>     CURRENT_CA_IS_VERIFIED="partially"
> else
>     up23_fail_upgrade "CA certificate does not match vars file settings"
> fi
>
> Change 'up23_fail_upgrade' to 'warn', this will warn but not fail.
>
> See how that goes.
>
> Sorry for all these difficulties, it always worked for me.
> R
>

So (for list readers) this is using the easyrsa script file downloaded from
GitHub trunk.

I followed your advice to warn rather than fail and edited the easyrsa file as
follows:

if [ "$CA_vars_match" -eq 1 ]
then
    CURRENT_CA_IS_VERIFIED="partially"
else
    #up23_fail_upgrade "CA certificate does not match vars file settings"
    warn "CA certificate does not match vars file settings"
fi

Then I ran the command:

EASYRSA_TEMP_DIR="$HOME/openvpn/EasyRSA-3.1.2/tmp/" ./easyrsa upgrade pki

again and now it did *not* throw the previous error:

ERROR: CA certificate does not match vars file settings

Instead this:

.....
Easyrsa upgrade version: v1.0a (2020/01/08)
=========================================================================
This upgrade will TEST that the upgrade works BEFORE making any changes.

Type the word 'yes' to continue, or any other input to abort.
* EasyRSA **TEST** upgrade (Changes will NOT be written): yes

WARNING
=======
CA certificate does not match vars file settings
-------------------------------------------------------------------------

Easy-RSA error:

easyrsa_mktemp - Temporary session undefined

EasyRSA Version Information
Version:     ~VER~
Generated:   ~DATE~
SSL Lib:     OpenSSL 1.1.1f  31 Mar 2020
Git Commit:  ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
Host:        dev | nix | Linux | /bin/bash

This new error output comes from this function in easyrsa:
----------------------------------------------------------
easyrsa_mktemp() {
    [ "$#" = 1 ] || die "easyrsa_mktemp - invalid input"

    # session directory must exist
    [ "$secured_session" ] || die "\
easyrsa_mktemp - Temporary session undefined"    # <== HERE, but why????

    # Update counter
    mktemp_counter="$(( mktemp_counter + 1 ))"

    # Assign internal temp-file name
    t="${secured_session}/temp.${mktemp_counter}"

    # Create temp-file or die
    for i in x y z; do
        shotfile="${t}.0"
        target="$t.$i"
        if [ -e "$shotfile" ]; then
            break
        else
            printf "" > "$shotfile" || break
            # atomic:
            if mv "$shotfile" "$target"; then
                # Assign external temp-file name
                force_set_var "$1" "$target" && return
            fi
        fi
    done
    die "easyrsa_mktemp failed"
} # => easyrsa_mktemp()
-----------------------------------------

The tmp dir defined on the command line as
EASYRSA_TEMP_DIR="$HOME/openvpn/EasyRSA-3.1.2/tmp/" does exist and is
drwxrwxr-x and empty.

So there is something still about usage here maybe...
Does it need the tmp dir to exist prior to starting the script or is that an
error because it wants to create it as part of the process?

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
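The thread's check only says "CA certificate does not match vars file settings" without naming the field that differs. The script below is an added example (not code from the thread and not part of easy-rsa) that replays the same six comparisons the upgrade code makes, reading the long-name subject output of the same openssl command the thread used, and prints every field that disagrees with the KEY_* values of a 2.x-style vars file. The sample subject is constructed from the one printed in the thread, with a placeholder e-mail address substituted for the redacted one (an assumption); the function names, the mktemp usage and the "--" province value are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread or from easy-rsa): replay the six field
# comparisons the easyrsa 'upgrade' check performs, so a mismatch between
# ca.crt and a 2.x-style vars file (KEY_* exports) is reported per field.
# Field names are the long names printed by
#   openssl x509 -subject -nameopt utf8,sep_multiline,space_eq,lname,align -noout -in ca.crt
# which is the command the thread used to inspect ca.crt.

# Print the value of one subject field from that openssl output (read on stdin).
# Usage: subject_field FIELD < subject.txt
subject_field() {
    # lines look like "    countryName = SE" (possibly padded by -align)
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Compare one field; print the mismatch and fail if it differs.
# Usage: check_field FIELD EXPECTED subject.txt
check_field() {
    got=$(subject_field "$1" < "$3")
    if [ "$got" = "$2" ]; then
        return 0
    fi
    printf 'MISMATCH %-22s cert="%s" vars="%s"\n' "$1" "$got" "$2"
    return 1
}

# Run all six comparisons easyrsa makes (order: country, province, city,
# org, OU, email). Returns 0 only when every field matches.
# Usage: ca_matches_vars subject.txt COUNTRY PROVINCE CITY ORG OU EMAIL
ca_matches_vars() {
    subj=$1; rc=0
    check_field countryName            "$2" "$subj" || rc=1
    check_field stateOrProvinceName    "$3" "$subj" || rc=1
    check_field localityName           "$4" "$subj" || rc=1
    check_field organizationName       "$5" "$subj" || rc=1
    check_field organizationalUnitName "$6" "$subj" || rc=1
    check_field emailAddress           "$7" "$subj" || rc=1
    return $rc
}

# Driver for real files (needs openssl): source the vars file, then pass ca.crt.
#   . ./vars && check_ca_against_vars keys/ca.crt
check_ca_against_vars() {
    subj=$(mktemp) || return 2
    if ! openssl x509 -subject -nameopt utf8,sep_multiline,space_eq,lname,align \
            -noout -in "$1" > "$subj"; then
        rm -f "$subj"
        return 2
    fi
    ca_matches_vars "$subj" "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" \
                    "$KEY_ORG" "$KEY_OU" "$KEY_EMAIL"
    rc=$?
    rm -f "$subj"
    return $rc
}

# Constructed sample: the subject the thread printed, with a placeholder
# e-mail address standing in for the redacted one (assumption).
sample_subject() {
    cat <<'EOF'
subject=
    countryName               = SE
    stateOrProvinceName       = Stockholm
    localityName              = Stockholm
    organizationName          = Private
    organizationalUnitName    = Dev
    commonName                = BosseOVPN
    name                      = server
    emailAddress              = admin@example.invalid
EOF
}

# Demo: the thread's vars values (KEY_PROVINCE="--") against that subject.
demo() {
    f=$(mktemp) || return 2
    sample_subject > "$f"
    ca_matches_vars "$f" SE -- Stockholm Private Dev admin@example.invalid
    rc=$?
    rm -f "$f"
    return $rc
}

# Running the file directly prints the single mismatching field
# (stateOrProvinceName: cert "Stockholm", vars "--") and a verdict.
if demo; then
    echo "CA subject matches vars"
else
    echo "CA subject does NOT match vars"
fi
```

Against a real PKI, source the vars file first (the check reads KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_OU and KEY_EMAIL from the environment) and then run check_ca_against_vars on ca.crt; a non-zero exit with no MISMATCH lines means openssl itself failed to read the certificate.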