#1 2019-02-21 04:44:40

tedd
Member
Registered: 2013-02-21
Posts: 26

easy-rsa upgrade to 3.0.6 existing file structure not upgraded [Solved]

In the upgrade of easy-rsa to 3.0.6 the revoked certificates are moved to a separate directory.

I have an existing file structure, which hasn't changed to match what 3.0.6 expects. As a consequence, easy-rsa doesn't work with my certificates and I don't know how to change it to fix it.

I suspect the fact that my certificates are stored in a separate, encrypted partition may be why it's not working. The partition is decrypted and mounted to /root/ca whenever I need to work with it. openssl-easyrsa.cnf is also stored in there.

I also had to copy the configuration files from /root/ca/ssl/ to /root/ca/ssl/pki/

The exact error on upgrade and after copying the configuration files to ./pki/ is:

#easyrsa gen-crl

Using SSL: openssl OpenSSL 1.1.1a  20 Nov 2018

Easy-RSA error:

Missing expected CA dir: revoked/certs_by_serial (perhaps you need to run build-ca?)
Run easyrsa without commands for usage and command help.

Is there an automated upgrade utility?

Last edited by tedd (2019-02-23 04:04:20)

#2 2019-02-22 17:53:21

gregory.nain
Member
Registered: 2019-02-22
Posts: 1

Re: easy-rsa upgrade to 3.0.6 existing file structure not upgraded [Solved]

Hi,
I just ran into this issue and gave it a try. I have no revoked nor renewed certificates yet, so I just created the structure so easy-rsa is happy.

1) I first copied openssl-easyrsa.cnf in pki

cd /etc/easy-rsa
cp openssl-easyrsa.cnf pki/

2) then created the structure as described in the first post here: https://github.com/OpenVPN/easy-rsa/pull/63

cd /etc/easy-rsa/pki/
mkdir revoked; chmod 700 revoked/
cd revoked/
mkdir certs_by_serial; mkdir private_by_serial; mkdir reqs_by_serial; chmod 700 *

3) Executed the same for renewed

cd /etc/easy-rsa/pki/
cp -R revoked/ renewed

It then worked.

Hope it can help.

Last edited by gregory.nain (2019-02-22 17:57:23)
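
Added example (not part of any post in this thread and not easy-rsa's own code): the steps from the post above as a re-runnable script. The function names are hypothetical; it creates renewed/ directly instead of using `cp -R revoked/ renewed`, so files already sitting in revoked/ are not copied into renewed/.

```shell
#!/bin/sh
# Added example, not part of easy-rsa. Function names are hypothetical.
# Creates the revoked/ and renewed/ trees named in this thread under an
# existing PKI directory, without touching files already inside them.

ensure_pki_dirs() {
    pki=$1
    # Refuse to create a tree in the wrong place (e.g. an unmounted volume).
    [ -d "$pki" ] || { echo "not a directory: $pki" >&2; return 1; }
    for top in revoked renewed; do
        for sub in certs_by_serial private_by_serial reqs_by_serial; do
            # mkdir -p is a no-op for directories that already exist.
            mkdir -p "$pki/$top/$sub" || return 1
            chmod 700 "$pki/$top/$sub" || return 1
        done
        chmod 700 "$pki/$top" || return 1
    done
}

# Copy openssl-easyrsa.cnf into the PKI directory only if it is missing there.
ensure_pki_cnf() {
    src=$1/openssl-easyrsa.cnf
    dst=$2/openssl-easyrsa.cnf
    [ -e "$dst" ] && return 0
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    cp -p "$src" "$dst"
}

# Print every expected directory that is missing or not mode 700.
audit_pki_dirs() {
    for d in revoked renewed; do
        for p in "$1/$d" "$1/$d/certs_by_serial" \
                 "$1/$d/private_by_serial" "$1/$d/reqs_by_serial"; do
            if [ ! -d "$p" ]; then
                echo "missing: $p"
            else
                case $(ls -ld "$p") in drwx------*) ;; *) echo "bad mode: $p" ;; esac
            fi
        done
    done
}

# Usage: sh thisfile.sh /etc/easy-rsa   (directory layout as in the post above)
if [ "$#" -eq 1 ]; then
    ensure_pki_cnf "$1" "$1/pki" && ensure_pki_dirs "$1/pki" && audit_pki_dirs "$1/pki"
fi
```

No output from the final audit step means all eight directories exist with mode 700.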

#3 2019-02-23 04:03:45

tedd
Member
Registered: 2013-02-21
Posts: 26

Re: easy-rsa upgrade to 3.0.6 existing file structure not upgraded [Solved]

gregory.nain wrote:

Hi,
I just ran into this issue and gave it a try. I have no revoked nor renewed certificates yet, so I just created the structure so easy-rsa is happy.

Thank you for your reply. I have performed the actions like you described and 3.0.6 now works. I moved the revoked certificates, private keys and CSRs to the relevant subfolders of revoked/, but I'm not sure if I will need to rename the private keys and the CSRs as the subfolders are called '*_by_serial/'. Could I simply use the serial number of the cert?

Time will tell, but as it stands, it's working again. Thanks!

Last edited by tedd (2019-02-23 04:05:40)

#4 2019-03-01 17:15:17

huvelyb
Member
From: Hungary
Registered: 2017-07-24
Posts: 2

Re: easy-rsa upgrade to 3.0.6 existing file structure not upgraded [Solved]

Hi,

I can confirm this: I had the same issue today, and the quoted directory structure creation helped me out. "easy-rsa sign-req client clientname" is working again.
Thanks for the info. Cheers, Balázs

gregory.nain wrote:

Hi,
I just ran into this issue and gave it a try. I have no revoked nor renewed certificates yet, so I just created the structure so easy-rsa is happy.

1) I first copied openssl-easyrsa.cnf in pki

cd /etc/easy-rsa
cp openssl-easyrsa.cnf pki/

2) then created the structure as described in the first post here: https://github.com/OpenVPN/easy-rsa/pull/63

cd /etc/easy-rsa/pki/
mkdir revoked; chmod 700 revoked/
cd revoked/
mkdir certs_by_serial; mkdir private_by_serial; mkdir reqs_by_serial; chmod 700 *

3) Executed the same for renewed

cd /etc/easy-rsa/pki/
cp -R revoked/ renewed

It then worked.

Hope it can help.
