I'm setting up a personal VPN and haven't been able to get easy-rsa to acknowledge the few edits I've made to my vars file. When I issue the command
easyrsa init-pki
I get stuck with defaults. I'm trying to change the following values in my vars file:
set_var EASYRSA_REQ_COUNTRY
set_var EASYRSA_REQ_PROVINCE
set_var EASYRSA_REQ_CITY
set_var EASYRSA_REQ_ORG
set_var EASYRSA_REQ_EMAIL
set_var EASYRSA_REQ_OU
set_var EASYRSA_KEY_SIZE
I can't seem to find any info on how to make easy-rsa actually accept my edits...
Here is my edited vars
# Easy-RSA 3 parameter settings
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.
# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file 'vars' if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.
#
# All of the editable settings are shown commented and start with the command
# 'set_var' -- this means any set_var command that is uncommented has been
# modified by the user. If you're happy with a default, there is no need to
# define the value to its default.
# NOTES FOR WINDOWS USERS
#
# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# A little housekeeping: DON'T EDIT THIS SECTION
#
# Easy-RSA 3.x doesn't source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
# DO YOUR EDITS BELOW THIS POINT
# This variable should point to the top level of the easy-rsa tree. By default,
# this is taken to be the directory you are currently in.
#set_var EASYRSA "$PWD"
# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.
#set_var EASYRSA_OPENSSL "openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# Edit this variable to point to your soon-to-be-created key directory.
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)
#set_var EASYRSA_PKI "$EASYRSA/pki"
# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below aren't used.
#
# Choices are:
# cn_only - use just a CN value
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
#set_var EASYRSA_DN "cn_only"
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "New York"
set_var EASYRSA_REQ_CITY "Buffalo"
set_var EASYRSA_REQ_ORG "Blah Blah Blah Inc"
set_var EASYRSA_REQ_EMAIL "bobsmithlovesinfo@gmail.com"
set_var EASYRSA_REQ_OU "The Bob Squad"
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
set_var EASYRSA_KEY_SIZE 4096
# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec
#set_var EASYRSA_ALGO rsa
# Define the named curve, used in ec mode only:
#set_var EASYRSA_CURVE secp384r1
# In how many days should the root CA key expire?
#set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
#set_var EASYRSA_CERT_EXPIRE 3650
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 3650
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no". When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.
#set_var EASYRSA_NS_SUPPORT "no"
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.
#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!
# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command. The symptom will be
# some form of a 'command not found' error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you're doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"
# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named 'COMMON' is included first when present. Note that
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
# fallback to $EASYRSA for the 'x509-types' dir. You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-1.0.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.
#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.
#set_var EASYRSA_REQ_CN "ChangeMe"
# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
#set_var EASYRSA_DIGEST "sha256"
# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.
#set_var EASYRSA_BATCH ""
Before the change in easy-rsa the instructions said to source the file manually (with '. vars') before calling the easy-rsa commands.
There is logic to try to find the vars file but it seems to depend either on specific environment variables or the path where the executable (the bash script actually) file is, which is /usr/bin and not your current path.
jbodhorn, you reported R00KIE's post instead of quoting them. No worries, it happens every now and then.
Apparently there is a bug, I found a bug report a bit after posting.
If I may request, please share a link to that bug report. Thanks.
I guess there's a bug, I found this shortly after posting: https://github.com/OpenVPN/easy-rsa/issues/111
for what it's worth, after examining the easyrsa script, it seems it's preferring flags over the vars file instead of arranging a sort of priority system between defaults|vars|cmdline args.
which the documentation/vars file does not reflect.
easyrsa init-pki --keysize=4096 --digest=sha512
easyrsa --keysize=4096 --digest=sha512 build-ca nopass
DOES, in fact, create the desired PKI. So it looks like it may ignore the vars file entirely and relies on the command-line switches instead:
[root@g bdisk]# openssl rsa -in pki/private/ca.key -noout -text | head -n1
Private-Key: (4096 bit)
[root@g bdisk]# openssl x509 -in pki/ca.crt -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha512WithRSAEncryption
Signature Algorithm: sha512WithRSAEncryption
and for DH params, it needs to be "easyrsa --keysize=4096 dh-gen".... All in all, the argument positioning seems to be not quite consistent (or at least not consistently reporting warnings/errors).
hope this helps you.
There's a link to the bug report on GitHub: https://community.openvpn.net/openvpn/ticket/788
How do I un-report? Sorry about that... fat fingers on a small touchscreen, I was wondering why my "post" didn't show up
Last edited by jbodhorn (2016-12-30 01:33:24)
I had similar problems. It seems that the vars file must be given explicitly via easyrsa --vars=./vars. On every command.
https://github.com/OpenVPN/easy-rsa/blo … dvanced.md
Last edited by MawKKe (2017-01-14 19:24:27)
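To make the two explanations above concrete (R00KIE's point that the lookup depends on environment variables and on where the script lives, and MawKKe's workaround of passing --vars on every call), here is an added example that is not part of this thread or of the Easy-RSA project. The find_vars function is a stand-in for the script's own vars detection, written from my reading of the Easy-RSA 3.0.x search order (--vars, then EASYRSA_VARS_FILE, then $EASYRSA_PKI/vars, then $EASYRSA/vars); that order is an assumption to check against your installed /usr/bin/easyrsa. The directory layout, the EASYRSA value and the one-line vars file are constructed for the demo.

```shell
#!/bin/sh
# Added example: emulate how Easy-RSA 3 decides which 'vars' file to source.
# Assumed search order (my reading of Easy-RSA 3.0.x, verify against your script):
#   1. --vars=FILE on the command line
#   2. $EASYRSA_VARS_FILE from the environment
#   3. $EASYRSA_PKI/vars
#   4. $EASYRSA/vars
# Nothing in that list is $PWD itself, which is why an edited vars next to where
# you type 'easyrsa init-pki' is silently ignored by a packaged install whose
# EASYRSA resolves to the package directory rather than the current directory.

# find_vars [--vars=FILE] -> prints the vars path that would be sourced, or "none"
find_vars() {
    cli_vars=
    for arg in "$@"; do
        case "$arg" in
            --vars=*) cli_vars="${arg#--vars=}" ;;
        esac
    done
    for candidate in "$cli_vars" "${EASYRSA_VARS_FILE:-}" \
                     "${EASYRSA_PKI:-}/vars" "${EASYRSA:-}/vars"; do
        # skip empty entries and the bare "/vars" produced by an unset variable
        case "$candidate" in ''|/vars) continue ;; esac
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# demo: a constructed layout mimicking a distro package (EASYRSA != $PWD)
demo() {
    top=$(mktemp -d)
    mkdir -p "$top/share/easy-rsa" "$top/work"
    # the user's edited vars, next to where they run easyrsa (constructed sample)
    printf 'set_var EASYRSA_KEY_SIZE 4096\n' > "$top/work/vars"
    (
        cd "$top/work" || exit 1
        EASYRSA="$top/share/easy-rsa"; export EASYRSA
        EASYRSA_PKI="$PWD/pki"; export EASYRSA_PKI
        unset EASYRSA_VARS_FILE
        echo "vars only in \$PWD:            $(find_vars)"
        echo "with --vars=./vars:           $(find_vars --vars=./vars)"
        EASYRSA_VARS_FILE="$PWD/vars"; export EASYRSA_VARS_FILE
        echo "with EASYRSA_VARS_FILE set:   $(find_vars)"
        unset EASYRSA_VARS_FILE
        # after init-pki you can also drop the file into the PKI directory
        mkdir -p pki && cp vars pki/vars
        echo "copied to \$EASYRSA_PKI/vars:  $(find_vars)"
    )
    rm -rf "$top"
}

demo
```

Whichever of the three working placements you choose, confirm the result with openssl on the generated CA rather than trusting the script's output, as the post above does with `openssl rsa ... | head -n1` and `openssl x509 ... | grep 'Signature Algorithm'`.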
MawKKe wrote: I had similar problems. It seems that the vars file must be given explicitly via easyrsa --vars=./vars. On every command.
Thanks for that, I was trying to pass arguments to easy-rsa to run 4096-bit encryption on my personal OpenVPN server but ended up confusing myself and going with default values just so I could get it up and running. I've been playing around with OpenVPN recently and still have so much to learn; the amount of documentation can be overwhelming. I'm still quite a newb, so when there's a bug like this I get confused easily, thinking I'm doing something wrong. Thankfully I haven't had that happen too often.
MawKKe wrote: I had similar problems. It seems that the vars file must be given explicitly via easyrsa --vars=./vars. On every command.
Thanks for that, I was trying to pass arguments to easy-rsa to run 4096-bit encryption on my personal OpenVPN server but ended up confusing myself and going with default values just so I could get it up and running. I've been playing around with OpenVPN recently and still have so much to learn; the amount of documentation can be overwhelming. I'm still quite a newb, so when there's a bug like this I get confused easily, thinking I'm doing something wrong. Thankfully I haven't had that happen too often.
Oh, in that case I would like to suggest that you try and create a working setup with just a static key. And if your setup works, only then try to integrate the easyrsa/pki.
As OpenVPN configuration and a PKI are two separate concerns, this way you would have only one thing at a time that can go wrong.
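The "static key first" approach suggested in the reply above, as an added example that is not part of this thread or of the OpenVPN project. The directive set follows the OpenVPN static key mini-HOWTO (a point-to-point tunnel with ifconfig and secret, no PKI); the hostname, tunnel addresses, and the nobody group name are placeholders, and the key is only generated when an openvpn binary is present.

```shell
#!/bin/sh
# Added example: a minimal static-key OpenVPN pair to get a tunnel working
# before any easy-rsa/PKI material is involved.

# write_static_configs DIR REMOTE_HOST -> writes DIR/server.conf and DIR/client.conf
write_static_configs() {
    dir=$1; remote=$2
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<EOF
# static-key point-to-point server (no PKI yet)
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
# do not rely on the historical BF-CBC default; both sides must match
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
# drop privileges after the tunnel is up (group name differs per distro)
user nobody
group nobody
EOF
    cat > "$dir/client.conf" <<EOF
remote $remote
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
EOF
}

# gen_static_key DIR -> creates DIR/static.key on the server; copy it to the
# client over a trusted channel (scp), never over the tunnel it protects
gen_static_key() {
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$1/static.key" && chmod 600 "$1/static.key"
    else
        echo "openvpn not found; on the server run: openvpn --genkey --secret static.key" >&2
        return 1
    fi
}

# check_conf FILE -> 0 if every directive static-key mode needs is present
check_conf() {
    for directive in 'dev tun' 'ifconfig ' 'secret ' 'cipher ' 'auth '; do
        grep -q "^$directive" "$1" || { echo "missing '$directive' in $1" >&2; return 1; }
    done
}

# usage: placeholder host and a temporary directory (constructed for the demo)
out=$(mktemp -d)
write_static_configs "$out" vpn.example.com
check_conf "$out/server.conf" && check_conf "$out/client.conf" && echo "configs ok in $out"
gen_static_key "$out" || true
```

Once `openvpn --config server.conf` and `openvpn --config client.conf` can ping each other across 10.8.0.x, replace `secret` with the ca/cert/key/dh directives from the PKI; the networking side is then already known to be good.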
jbodhorn wrote:
MawKKe wrote: I had similar problems. It seems that the vars file must be given explicitly via easyrsa --vars=./vars. On every command.
Thanks for that, I was trying to pass arguments to easy-rsa to run 4096-bit encryption on my personal OpenVPN server but ended up confusing myself and going with default values just so I could get it up and running. I've been playing around with OpenVPN recently and still have so much to learn; the amount of documentation can be overwhelming. I'm still quite a newb, so when there's a bug like this I get confused easily, thinking I'm doing something wrong. Thankfully I haven't had that happen too often.
Oh, in that case I would like to suggest that you try and create a working setup with just a static key. And if your setup works, only then try to integrate the easyrsa/pki.
As OpenVPN configuration and a PKI are two separate concerns, this way you would have only one thing at a time that can go wrong.
I was able to get all my PKI stuff working, just using the default values instead of moving up to the 4096-bit keys that I had planned on using. For now it doesn't really matter, as I'm still learning and just need it to work right; I can improve later on.
I made another post about accessing network resources remotely through my VPN server; I'm currently reading about workarounds for setting up a client-to-client VPN configuration when you can't add a route to the VPN server from your default gateway.
Our current router/cable modem does not have the option to add static routes... I'm half thinking of setting up a second router that has the option to add a static route before I start playing with workarounds.
With a different router I could set it up how it's usually done and learn the basics a bit easier. I have so much to learn...