Libressl, Expected to find openssl command at: openssl #74

technonerd33 opened this issue Sep 17, 2015 · 28 comments

@technonerd33

I am trying to get easy-rsa3 to work with libressl on gentoo

openssl version

LibreSSL 2.2.3

./easyrsa init-pki

...
"$EASYRSA_OPENSSL" version
++ openssl version
1385875132:error:0E065068:configuration file routines:STR_COPY:variable has no value:/var/tmp/portage/dev-libs/libressl-2.2.3/work/libressl-2.2.3/crypto/conf/conf_def.c:573:line 3

+ local val=
+ case "${val%% *}" in
+ die 'Missing or invalid OpenSSL
Expected to find openssl command at: openssl'
+ print '

Changing EASYRSA_OPENSSL to /usr/bin/openssl produces the same error.

@sseekamp

I'm having the same issue with OpenBSD 5.8 and Libre 2.2.2

@ecrist
Member

ecrist commented Oct 26, 2015

There has been no testing with LibreSSL at this time. I'm certainly open to feedback and bug testing, however.

ecrist self-assigned this Oct 26, 2015
ecrist added this to the 3.1 branch milestone Oct 26, 2015
@ppunosevac

Easy-rsa works with LibreSSL for me on OpenBSD 5.8. However, one has to hard-code info into openssl.cnf, as $ENV is not allowed to be passed to libressl. I just opened another issue for that.

ecrist modified the milestones: 4.x Branch, 3.1 branch Feb 24, 2016
@ecrist
Member

ecrist commented Feb 24, 2016

EasyRSA has only been written to support OpenSSL at this point. Inclusion of another SSL library and set of utilities will be complicated and regression testing will be tough. Moving this to 4.x. Honestly, I don't see it happening unless someone else steps in.

@comio

comio commented Sep 1, 2016

4.x? LibreSSL is going to be the default for a lot of distros.
I hope to see the support before the 4.x.

@ecrist
Member

ecrist commented Sep 1, 2016

Can you cite sources?

Eric

On Sep 1, 2016, at 2:32 AM, comio [email protected] wrote:

4.x? LibreSSL is going to be the default for a lot of distros.
I hope to see the support before the 4.x.



@gtozzi

gtozzi commented Dec 26, 2016

Same issue here on OpenBSD 6.0

@rebbdohr

rebbdohr commented Feb 21, 2017

Any updates on this thread? I'm using OpenBSD 6.0 and the newest easy-rsa version from GitHub. In the easy-rsa script I recognize that LibreSSL is mentioned, but it still doesn't work. In other OpenBSD-related threads they say it's because the use of the $ENV variable is deprecated and should not be used...

# Verify EASYRSA_OPENSSL command gives expected output
if [ -z "$EASYRSA_SSL_OK" ]; then
    local val="$("$EASYRSA_OPENSSL" version)"
    case "${val%% *}" in
        OpenSSL|LibreSSL) ;;
        *) die "\
Missing or invalid OpenSSL
Expected to find openssl command at: $EASYRSA_OPENSSL"
    esac
fi

For all interested in this topic: the pkg version of easy-rsa on OpenBSD 6.0 is working properly!

@rebbdohr

See also #76

@ecrist
Member

ecrist commented Feb 22, 2017 via email

@neilabdev

+1 FreeBSD 11.1 :)

@hiroyuki-sato

+1 macOS High Sierra (10.13) #155

@noizo

noizo commented Oct 6, 2017

As a workaround for MacOS Sierra/High Sierra add to your ENV this:

export EASYRSA_OPENSSL="/usr/local/Cellar/openssl/1.0.2l/bin/openssl"

@hiroyuki-sato

@noizo Thank you for your reply.

@neuhalje

neuhalje commented Oct 8, 2017

To make the fix of @noizo "permanent" create or edit the vars file and add set_var EASYRSA_OPENSSL "/usr/local/Cellar/openssl/1.0.2l/bin/openssl" (reference: vars.example ).

@dwt

dwt commented Nov 20, 2017

Same problem on OS X - I worked around it by adding this to my vars file:

# workaround for https://github.com/OpenVPN/easy-rsa/issues/74 libressl doesn't support passing in values via ENV
if [ ! -z "$(brew --prefix)" ] ; then
    export EASYRSA_OPENSSL="$(brew list openssl|grep 'openssl$')"
fi

To retain usability on multiple machines / platforms (not great, but at least it doesn't break immediately).

@ilium007

ilium007 commented Dec 24, 2017

Still getting errors on OSX High Sierra even with the EASYRSA_OPENSSL env var declared. The pki/extensions.temp file referred to in the error doesn't even exist.

04:25 pm xxxx@MBA72986 ~/support/tmp/easy-rsa/easyrsa3
$ ./easyrsa build-server-full server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..........+++
..........................+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server.key.IhiGDNWXaT'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/extensions.temp'
140735596974984:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:351:line 16

Easy-RSA error:

signing failed (openssl output above may have more detail)
04:25 pm xxxx@MBA72986

Using easyrsa v3.0.4:

$ git status
On branch v3.0.4
Your branch is up-to-date with 'origin/v3.0.4'.

@ilium007

I removed the pki directory and ran it all again and got a different error:

$ ./easyrsa build-server-full server1 nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......+++
.............................................................+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server1.key.bdtZ2XZ2ok'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/extensions.temp'
140735596974984:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/index.txt.attr','rb')
140735596974984:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
140735596974984:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:201:
140735596974984:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:351:line 16

Easy-RSA error:

signing failed (openssl output above may have more detail)

@ilium007

Exactly the same thing happened when I ran this on a Raspberry Pi (Raspbian GNU/Linux 9 (stretch))

root@raspberrypi:/apps/openvpn/easy-rsa/easyrsa3# ./easyrsa sign-req server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /apps/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Can't open /apps/openvpn/easy-rsa/easyrsa3/pki/index.txt.attr for reading, No such file or directory
1996400032:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/apps/openvpn/easy-rsa/easyrsa3/pki/index.txt.attr','r')
1996400032:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
ca: Error on line 16 of config file "/apps/openvpn/easy-rsa/easyrsa3/pki/extensions.temp"
1996400032:error:0E079065:configuration file routines:def_load_bio:missing equal sign:../crypto/conf/conf_def.c:300:line 16

Easy-RSA error:

signing failed (openssl output above may have more detail)
root@raspberrypi:/apps/openvpn/easy-rsa/easyrsa3#

@ilium007

ilium007 commented Dec 24, 2017

Definitely a bug here - just tried on an O/S (14.04.3 LTS, Trusty Tahr) that I have used EasyRSA on in the past and it fails with the same error.

xxxx@xxxx:~/easy-rsa/easyrsa3$ ./easyrsa build-server-full server nopass
Generating a 2048 bit RSA private key
.............................................................................................................................+++
....................................+++
writing new private key to '/home/xxxx/easy-rsa/easyrsa3/pki/private/server.key.aGeIRduxeo'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /home/xxxx/easy-rsa/easyrsa3/pki/private/ca.key:
ERROR: on line 16 of config file '/home/xxxx/easy-rsa/easyrsa3/pki/extensions.temp'
3074406076:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/home/xxxx/easy-rsa/easyrsa3/pki/index.txt.attr','rb')
3074406076:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
3074406076:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
3074406076:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:362:line 16

Easy-RSA error:

signing failed (openssl output above may have more detail)
xxxx@xxxx:~/easy-rsa/easyrsa3$ uname -a
Linux xxxx 3.13.0-57-generic #95-Ubuntu SMP Fri Jun 19 09:27:48 UTC 2015 i686 i686 i686 GNU/Linux
xxxx@xxxx:~/easy-rsa/easyrsa3$ cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04.3 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.3 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

@ilium007

ilium007 commented Dec 24, 2017

Problem is in the pki/extensions.temp file that is written during cert creation:

Line 16 in that file:

default_server_san /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/reqs/server06.req

The error pointed to a missing "=" sign. I tried adding this so it was like the other x509 declarations made in the same file but I got more errors:

$ ./easyrsa build-server-full server11 nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
.....+++
writing new private key to '/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/server11.key.enzOJXHKD4'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server11'
ERROR: adding extensions in section default
140735596974984:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140735596974984:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=default_server_san, value=/Users/xxxx/support/tmp/easy-rsa/easyrsa3/pki/reqs/server11.req

Easy-RSA error:

signing failed (openssl output above may have more detail)

I then initiated creating another server cert and, before entering the CA signing password, I deleted the line altogether in pki/extensions.temp and it issued the cert as expected.

There is something wrong with the x509 default_server_san extension declaration.

You can see also from the easyrsa help text that the string easyrsa is trying to add in the default_server_san field is nothing like what is expected:

$ ./easyrsa help altname

Note: using Easy-RSA configuration from: ./vars

  --subject-alt-name=SAN_FORMAT_STRING
      This global option adds a subjectAltName to the request or issued
      certificate. It MUST be in a valid format accepted by openssl or
      req/cert generation will fail. Note that including multiple such names
      requires them to be comma-separated; further invocations of this
      option will REPLACE the value.

      Examples of the SAN_FORMAT_STRING shown below:
        DNS:alternate.example.net
        DNS:primary.example.net,DNS:alternate.example.net
        IP:203.0.113.29
        email:[email protected]

@ilium007

If I specify --subject-alt-name during server cert creation the code seems to work (i.e. adds the "=") but there is something with the x509 extension that fails:

$ ./easyrsa --subject-alt-name=test12 build-server-full server12 nopass

Note: using Easy-RSA configuration from: ./vars
Error Loading request extension section req_extra
140735596974984:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:541:
140735596974984:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=test12

Easy-RSA error:

Failed to generate request
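
The two failures reported above, a line in pki/extensions.temp with no "=" and a --subject-alt-name value with no type prefix, can both be caught before openssl is invoked. The following is an added example, not part of the thread or of easy-rsa; the function names `conf_missing_equals` and `san_ok` and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not easy-rsa code; both function names are hypothetical.

# conf_missing_equals FILE: print "LINE: text" for each line that is not
# blank, a comment, or a [section] header and has no '=' (the condition
# behind "missing equal sign"). Backslash continuations are not handled.
# Returns non-zero if any such line is found.
conf_missing_equals() {
    awk '
        /^[ \t]*$/      { next }
        /^[ \t]*#/      { next }
        /^[ \t]*\[.*\]/ { next }
        !/=/            { printf "%d: %s\n", NR, $0; bad = 1 }
        END             { exit bad + 0 }
    ' "$1"
}

# san_ok STRING: succeed only if every comma-separated entry is TYPE:value
# with a TYPE from the help text quoted in the thread (DNS, IP, email).
# OpenSSL accepts further types; this list is deliberately narrow.
san_ok() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=,; set -f
    for entry in $1; do
        case $entry in
            DNS:?*|IP:?*|email:?*) ;;
            *) IFS=$old_ifs; set +f; return 1 ;;
        esac
    done
    IFS=$old_ifs; set +f
}

# Constructed sample modelled on the extensions.temp line quoted above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed X509 extension section
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
default_server_san /path/to/pki/reqs/server06.req
EOF

conf_missing_equals "$sample" || echo "extensions file would fail to load"
san_ok "test12" || echo "test12: not a valid SAN_FORMAT_STRING"
san_ok "DNS:alternate.example.net" && echo "DNS:alternate.example.net: ok"
```

A flagged line is malformed input rather than a line that only needs an "=": as the thread shows, adding the sign to the default_server_san line produced an "unknown extension name" error instead.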

@ilium007

ilium007 commented Dec 24, 2017

So after wasting a whole afternoon on this I found the fix in a fork of this code:

TinCanTech@6914461

Tested and works.

@nikordaris

So none of the above worked for me. I had to modify vars and replace:

 export OPENSSL="openssl"

with

export OPENSSL="/usr/local/Cellar/openssl/1.0.2o_1/bin/openssl"

@bhall7

bhall7 commented May 16, 2018

I'm also struggling to get easy-rsa to work on macOS 10.13.4 which is bundled with LibreSSL. The only problem is that /usr/local/Cellar/openssl/1.0.2l/bin/openssl doesn't seem to exist (nor does the folder /usr/local/Cellar on my machine, for that matter, running macOS 10.13.4). I even tried installing the latest version of OpenSSL, but that failed also. There's got to be a better, easier way to generate OpenVPN certs and keys.
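
The workarounds in this thread pin the binary to a version-specific Cellar path (1.0.2l, 1.0.2o_1) that may not exist on another machine. The following is an added example, not part of the thread or of easy-rsa: a POSIX sh helper that picks a binary by the first word of its `version` output, the same field the easy-rsa check inspects. The names `ssl_flavor` and `pick_openssl` are hypothetical and the stub binaries are constructed.

```sh
#!/bin/sh
# Added example, not easy-rsa code; function names are hypothetical.

# ssl_flavor BIN: print the first word of "BIN version" (e.g. OpenSSL or
# LibreSSL). Fails if BIN is not executable or the command itself fails.
ssl_flavor() {
    [ -x "$1" ] || return 1
    # stderr is discarded: the original report shows the configuration
    # error being written there while the version string stays empty.
    out=$("$1" version 2>/dev/null) || return 1
    printf '%s\n' "${out%% *}"
}

# pick_openssl WANT CANDIDATE...: print the first candidate whose flavor
# equals WANT; return non-zero if none matches.
pick_openssl() {
    want=$1; shift
    for bin in "$@"; do
        if [ "$(ssl_flavor "$bin")" = "$want" ]; then
            printf '%s\n' "$bin"
            return 0
        fi
    done
    return 1
}

# Constructed demo: two stub scripts stand in for real binaries, laid out
# like <prefix>/<version>/bin/openssl so a glob can replace the version.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/libre" "$demo_dir/0.0.0-constructed/bin"
printf '#!/bin/sh\necho "LibreSSL 2.2.3"\n' > "$demo_dir/libre/openssl"
printf '#!/bin/sh\necho "OpenSSL 0.0.0-constructed"\n' \
    > "$demo_dir/0.0.0-constructed/bin/openssl"
chmod +x "$demo_dir/libre/openssl" "$demo_dir/0.0.0-constructed/bin/openssl"

# The LibreSSL stub is listed first but skipped; an unmatched glob stays a
# literal pattern and fails the -x test, so it is skipped as well.
pick_openssl OpenSSL "$demo_dir/libre/openssl" "$demo_dir"/*/bin/openssl
```

In a vars file the same call would take the candidate paths from this thread, with the version directory replaced by a glob, and export the result as EASYRSA_OPENSSL only when the function succeeds.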

@ecrist
Member

ecrist commented May 16, 2018 via email

@SundialServices

ericst, now that High Sierra has switched to Libre, and many Linux distros are apparently now doing the same, it has become critical that EasyRSA must have a way to support it.

ecrist added a commit that referenced this issue Aug 23, 2018
Merge branch 'TinCanTech-libressl'

This may also resolve the following issues:

 #130: cmd-opts nopass doesn't work
 #76:  LibreSSL exposes misuse of $ENV
 #74:  LibreSSL, Expected to find openssl command at: openssl
 #34:  unexpected EOF when using init-pki on OSX 10.9

Signed-off-by: Eric F Crist <[email protected]>
@ecrist
Member

ecrist commented Aug 23, 2018

This should be resolved in 93b0f2e

ecrist closed this as completed Aug 23, 2018
rolfchess pushed a commit to rolfchess/easy-rsa that referenced this issue May 17, 2019
Merge branch 'TinCanTech-libressl'

This may also resolve the following issues:

 OpenVPN#130: cmd-opts nopass doesn't work
 OpenVPN#76:  LibreSSL exposes misuse of $ENV
 OpenVPN#74:  LibreSSL, Expected to find openssl command at: openssl
 OpenVPN#34:  unexpected EOF when using init-pki on OSX 10.9

Signed-off-by: Eric F Crist <[email protected]>