Results 1 to 5 of 5

Thread: Error in setting up CA during OpenVPN configuration on Ubuntu Server 12.04 x64

  1. #1
    Join Date
    Mar 2009
    Location
    Nova Scotia, Canada
    Beans
    8
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Lightbulb Error in setting up CA during OpenVPN configuration on Ubuntu Server 12.04 x64

    I have been trying to set up OpenVPN on my fresh installation of Ubuntu Server 12.04. Following the instructions on https://help.ubuntu.com/12.04/server...nvpn-pki-setup I kept running into the errors when attempting to execute:
    Code:
    Nicholas@server:/etc/openvpn/easy-rsa$ source vars
    **************************************************************
      No /etc/openvpn/easy-rsa/openssl.cnf file could be found
      Further invocations will fail
    **************************************************************
    I'll be the first to admit I'm a relative n00b when it comes to the CLI so this explanation may seem obvious to some but I figure there will probably be others like me with a similar issue. This took me several hours to figure out and I hope I'll be able to save someone this trouble.

    I noticed there were several versions of openssl.cnf in the directory. Running
    Code:
    dpkg -s openssl
    I determined my version was 1.0.1 so modified the following line in the vars file to the closest match:
    Code:
    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    export KEY_CONFIG=`$EASY_RSA/openssl-1.0.0.cnf $EASY_RSA`
    This ended up giving me a new error:
    Code:
    Nicholas@server:/etc/openvpn/easy-rsa$ source vars
    -bash: /etc/openvpn/easy-rsa/openssl-1.0.0.cnf: Permission denied
    I should note that I ran
    Code:
    chown -R Nicholas /etc/openvpn/easy-rsa/
    after copying the easy-rsa folder to /etc/openvpn/ in order to avoid the need for sudo all the time.

    At this point I tried many different methods for trying to get past this error including allowing the openssl-1.0.0.cnf file to be executable, running the command with sudo. Nothing worked. I had almost given up and was going to generate the CA and related files using my client laptop running Windows 7 when I noticed that in the Windows version, part of the vars file was different.

    Modifying the vars file on my server to remove the single quotes and the second $EASY_RSA reference allowed the source vars command to complete successfully and I was able to continue the setup without incident.
    Code:
    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    export KEY_CONFIG=$EASY_RSA/openssl-1.0.0.cnf #<-This format works

  2. #2
    Join Date
    Nov 2005
    Location
    Oregon
    Beans
    42
    Distro
    Ubuntu Development Release

    Thumbs up Re: Error in setting up CA during OpenVPN configuration on Ubuntu Server 12.04 x64

    Thank you so much, this fixed everything!

  3. #3
    Join Date
    Dec 2009
    Location
    Siegen, Germany
    Beans
    88

    Smile Re: Error in setting up CA during OpenVPN configuration on Ubuntu Server 12.04 x64

    Thank you sir! That solved my problem in Linux Mint 13 Maya i386 Mate.

  4. #4
    Join Date
    Oct 2007
    Beans
    26
    Distro
    Ubuntu Development Release

    Re: Error in setting up CA during OpenVPN configuration on Ubuntu Server 12.04 x64

    I was about to try the above workaround... but before that I decided to simply try the following:

    cd /etc/openvpn/easy-rsa
    sudo ln -s openssl-1.0.0.cnf openssl.cnf

    And it worked perfectly.

    (This created a link to openssl-1.0.0.cnf with the name openssl.cnf in the same directory)

  5. #5
    Join Date
    Feb 2013
    Beans
    1

    Re: Error in setting up CA during OpenVPN configuration on Ubuntu Server 12.04 x64

    Just stumbled on this looking for another issue and while the OP's solution and Cameigons solution will both allow the variables to be set, I did want to point out where the problem exists for those interested in learning.

    The original line in the vars file contained backticks (aka backward quotes, backquotes, etc), not single quotes. Backticks are used to execute enclosed commands and substitiute the output into that location.

    What this line should do is run the "whichopensslcnf" script, and that should output the correct openssl*.cnf file for the installed version of OpenSSL (prepended with the path $EASY_RSA). If it fails to match the version of OpenSSL, it looks for a default openssl.cnf file.

    So, the problem is in the "whichopensslcnf" script. Odds are on these systems, they would get output similar to one of my *nix machines:
    Code:
    [me@localhost place]$ openssl version
    OpenSSL 1.0.0-fips 29 Mar 2010
    Looking in the original "whichopensslcnf" script, I find this:
    Code:
    elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
                    cnf="$1/openssl-1.0.0.cnf"
    This doesn't match my OpenSSL version output on the system because it doesn't allow for the dash ("-").

    A side note: The parentheses really don't do anything in that line at present. My guess would be that they are a "relic" of old code in that line or an allowance for an OR match in the future.

    If you replace that piece of code with the below, it should work as intended (leave the parentheses if you want):
    Code:
    elif $OPENSSL version | grep -E "1\.0\.[[:digit:]]-{0,1}[[:alnum:]]" > /dev/null; then
                    cnf="$1/openssl-1.0.0.cnf"
    This simply adds to allow 0 or 1 occurances of a dash ("-") between the third digit and the next alphanumeric character and it will now match my OpenSSL version, which in turn allows the script to finish without error and set the variable with my "openssl*.cnf" file correctly.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •