XueHai8
Posts: 70
Joined: Mon Jul 24, 2017 12:19 pm

openssl version not compatible with easy-rsa - Stretch

Fri Aug 18, 2017 3:51 am

The latest Raspbian build (Stretch) includes openssl version

Code:

OpenSSL 1.1.0f  25 May 2017

But the script whichopensslcnf does not recognize that version. It only goes up to 1.0:

Code:

#!/bin/sh

cnf="$1/openssl.cnf"

if [ "$OPENSSL" ]; then
    if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
        cnf="$1/openssl-0.9.6.cnf"
    elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
        cnf="$1/openssl-0.9.8.cnf"
    elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
        cnf="$1/openssl-1.0.0.cnf"
    else
        cnf="$1/openssl.cnf"
    fi
fi

echo $cnf

if [ ! -r $cnf ]; then
    echo "**************************************************************" >&2
    echo "  No $cnf file could be found" >&2
    echo "  Further invocations will fail" >&2
    echo "**************************************************************" >&2
fi

exit 0

So, you get that nice warning at the end about No openssl .cnf file could be found...

How to fix?

Thank you.

XueHai8
Posts: 70
Joined: Mon Jul 24, 2017 12:19 pm

Re: openssl version not compatible with easy-rsa - Stretch

Sat Aug 19, 2017 12:23 am

My post spent a day in purgatory waiting to be approved, and so appeared on the second page when it was released. So I'm trying to bump it back to the top to hopefully get some answers.
Thank you.

P.S. Would this work or just really muck things up? :

Code:

cp /etc/ssl/openssl.cnf /etc/openvpn/easy-rsa/openssl-1.1.0.cnf

XueHai8
Posts: 70
Joined: Mon Jul 24, 2017 12:19 pm

Re: openssl version not compatible with easy-rsa - Stretch

Sun Aug 20, 2017 9:48 am

Another note. I posted this on the Debian forum hoping for some enlightenment and a user there told me to go away and pound sand as that issue didn't belong on their forum - even though it's Debian Stretch and broke there as well...
Can't find any help in the OpenVPN.net forums as well.
I'm having to tell all my users not to install Stretch because it is broken.

jojopi
Posts: 3268
Joined: Tue Oct 11, 2011 8:38 pm

Re: openssl version not compatible with easy-rsa - Stretch

Sun Aug 20, 2017 11:47 am

There is a Debian bug report about this issue: https://bugs.debian.org/cgi-bin/bugrepo ... bug=851059

The bug report is not perfect, but it is in the right place. The fact that such an obvious problem has not been addressed could indicate that the easy-rsa package is not being actively maintained in Debian, and perhaps also that nobody is using it. I also suspect that the easy-rsa 2.x branch is very out of date, and Debian missed the opportunity to switch to 3.x before stretch was released.

I do not understand the purpose of the "whichopensslcnf" test. In particular, there are zero significant differences between the provided openssl-0.9.8.cnf and openssl-1.0.0.cnf files, so why bother checking?

You could try using the openssl-1.0.0.cnf file with 1.1.0f. Alternatively, purge the Debian/Raspbian package and install easy-rsa from github.
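The fallback suggested in the post above, written as a replacement for the version check (an added example, not part of the thread and not easy-rsa's own code). The function names pick_cnf and select_cnf are hypothetical, and mapping 1.1.x to openssl-1.0.0.cnf is the thread's untested suggestion; unlike the original script, this one returns non-zero when the chosen file is unreadable instead of warning and exiting 0.

```shell
#!/bin/sh
# Added example: version-to-config mapping with an OpenSSL 1.1.x case.

# pick_cnf DIR VERSION_STRING
# Prints the config path for a given `openssl version` output line.
pick_cnf() {
    dir=$1
    # Field 2 of "OpenSSL 1.1.0f  25 May 2017" is the version token.
    ver=$(printf '%s\n' "$2" | awk '{print $2}')
    case "$ver" in
        0.9.6*) printf '%s\n' "$dir/openssl-0.9.6.cnf" ;;
        0.9.8*) printf '%s\n' "$dir/openssl-0.9.8.cnf" ;;
        1.0.*)  printf '%s\n' "$dir/openssl-1.0.0.cnf" ;;
        # Assumption from the thread: reuse the 1.0.0 config for 1.1.x.
        1.1.*)  printf '%s\n' "$dir/openssl-1.0.0.cnf" ;;
        # Unknown versions keep the original default.
        *)      printf '%s\n' "$dir/openssl.cnf" ;;
    esac
}

# select_cnf DIR VERSION_STRING
# Same mapping, but fails closed: a missing config stops the caller
# here rather than surfacing later as an error in build-ca.
select_cnf() {
    cnf=$(pick_cnf "$1" "$2")
    if [ ! -r "$cnf" ]; then
        echo "No readable $cnf for version: $2" >&2
        return 1
    fi
    printf '%s\n' "$cnf"
}

# Constructed demo: a scratch directory holding only the 1.0.0 config,
# queried with the version string quoted in the thread.
demo_dir=$(mktemp -d)
: > "$demo_dir/openssl-1.0.0.cnf"
select_cnf "$demo_dir" "OpenSSL 1.1.0f  25 May 2017"
rm -rf "$demo_dir"
```
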

XueHai8
Posts: 70
Joined: Mon Jul 24, 2017 12:19 pm

Re: openssl version not compatible with easy-rsa - Stretch

Sun Aug 20, 2017 2:27 pm

Thank you for your reply!
I read the Debian bug report before and it amazed me that it was from 8 months ago with no resolution or response.
It's also very odd that EASY-RSA 3.0 has been out since 2015, but not incorporated into Debian yet...
I will try just using 1.0.0.cnf as 1.1.0.cnf and cross my fingers. If I can find a real openssl-1.1.0.cnf file somewhere, I'll compare across versions to see what changed, but I'm operating in the dark with this.
I'm not sure why it's checking versions with whichopensslcnf, but didn't want to make things worse by overriding it.
Quick question: if say nobody is using EASY-RSA anymore, what do you use to generate certificates instead?
Thanks again!

FixedCoil
Posts: 6
Joined: Mon May 14, 2012 6:31 pm

Re: openssl version not compatible with easy-rsa - Stretch

Mon Jul 30, 2018 3:46 pm

For what it is worth as this problem seems to be a long running PitA.

Following this article "https://www.bbc.com/news/technology-33548728" to set up a Pi VPN server I gave up when "whichopensslcnf" could not find the correct config file. Searching various forums did not offer a clear explanation of the problem or the way forward.

I then tried following this article:
"http://www.pihome.eu/2017/10/19/how-to- ... pberry-pi/"
it failed at "./build-ca" with this error:
"req: Error on line 198 of config file "/etc/openvpn/easy-rsa/openssl.cnf""

Eventually I found this bug report which explained and solved the problem:
"https://bugs.launchpad.net/serverguide/+bug/1504676"
which simply requires the addition of this line to the var file:

export KEY_ALTNAMES="something" below,
export KEY_OU=MyVPN

After saving this edit re-run "./source vars", "./clean-all" and "./build-ca" should work.

In the course of my internet wandering I read a comment that said the country in the var file should reflect your location to avoid a mismatch with your IP address domain. I do not know enough about openssl to know if this is so but have edited my var file just in case it is.

I assume many have gone before me, to a successful conclusion, but not written their solutions up. I offer this post as a pointer to the benighted who may follow.
