easy-rsa no ./easyrsa.real init-pki in pkg install

Hi,

I am new to OpenVPN and am trying to configure it on a FreeBSD 124 VMware Workstation 17 host. I am following this configuration guide/example:

https://kifarunix.com/install-and-confi ... reebsd-12/

However, when I get to this section (quoted below), './easyrsa.real init-pki' cannot be found when I try to run the command:

Easy-RSA ships with a certificate generation script called easyrsa.real. To generate the certificate files, navigate to the /usr/local/etc/openvpn/easy-rsa/ directory and proceed as follows;

Initialize the PKI

cd /usr/local/etc/openvpn/easy-rsa
sh ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki



My /usr/local/etc/openvpn/easy-rsa has the following structure:
.
..
openssl-easyrsa.cnf
openssl-easyrsa.cnf.example
vars
x509-types

All the documentation I can find refers to './easyrsa.real init-pki' and './easyrsa init-pki', but neither exists in my '/usr/local/etc/openvpn/easy-rsa' folder.

pkg info shows info for openvpn and easy-rsa.
pkg install states that the latest versions are installed.
locate cannot find easyrsa.real or init-pki.

Any help would be greatly appreciated

Many thanks

Regards

dw07
 
There's no such thing as easyrsa.real...

Stop following tutorials by random people. Just go with the official OpenVPN documentation, which is excellent, correct as well as OS independent.

Hi,

I get to the '. ./vars' section and permission is denied for the root user. Do I need to change any permissions, or create a new user? The guide doesn't mention having to change any permissions.

root@rancid:/usr/local/etc/openvpn/easy-rsa # . ./vars
/usr/local/bin/.: Permission denied.
root@rancid:/usr/local/etc/openvpn/easy-rsa # ls -lah
total 80
drwxr-xr-x 3 root wheel 512B Mar 26 16:19 .
drwxr-xr-x 4 root wheel 512B Mar 26 15:21 ..
-rw-r--r-- 1 root wheel 4.9K Mar 26 15:26 openssl-easyrsa.cnf
-rw-r--r-- 1 root wheel 4.9K Mar 26 15:26 openssl-easyrsa.cnf.example
-rw-r--r-- 1 root wheel 9.2K Mar 26 15:51 vars
drwxr-xr-x 2 root wheel 512B Mar 26 15:26 x509-types
root@rancid:/usr/local/etc/openvpn/easy-rsa #


I tried to execute the command from a user prompt and received the following error/warning:

$ cd /usr/local/etc/openvpn/easy-rsa
$ ls
openssl-easyrsa.cnf vars
openssl-easyrsa.cnf.example x509-types
$ . ./vars
You appear to be sourcing an Easy-RSA *vars* file.
This is no longer necessary and is disallowed. See the section called
*How to use this file* near the top comments for more details.
$
 

# read README.quickstart.md
$EDITOR /usr/local/share/doc/easy-rsa/README.quickstart.md

cd /usr/local/etc/openvpn/

easyrsa init-pki # init your pki directory
easyrsa gen-ca # generate a CA
easyrsa gen-server # generate your OpenVPN server cert
easyrsa gen-client # generate a cert for an OpenVPN client


Voilà 🙂

easyrsa is also cool if you need SSL certs for other services, because the official openssl application is an inconsistent mess 🫤

Also, looking into /usr/local/share/ is often worth it, if you need help with software.
 

Thanks for your reply,

I must have missed the reference to this readme in the guide you provided.

These commands do not exist and generate an error:

easyrsa gen-ca
easyrsa gen-server
easyrsa gen-client

easyrsa build-ca worked.

As per the readme, I assume I just need to follow the entity request section now, section 3? If I run section 2 (easyrsa init-pki) it will rewrite the vars file, setting everything back to default. I'm not sure because the reference has changed from server and client to entities.

If I just jump to section 3 onwards, do I need to repeat section 4 for a server cert? The guidance is very vague. Or do I just need to create client certs?



Setup and signing the first request
-----------------------------------

Here is a quick run-through of what needs to happen to start a new PKI and sign
your first entity certificate:

1. Choose a system to act as your CA and create a new PKI and CA:

./easyrsa init-pki
./easyrsa build-ca

2. On the system that is requesting a certificate, init its own PKI and generate
a keypair/request. Note that init-pki is used _only_ when this is done on a
separate system (or at least a separate PKI dir.) This is the recommended
procedure. If you are not using this recommended procedure, skip the next
import-req step.

./easyrsa init-pki
./easyrsa gen-req EntityName

3. Transport the request (.req file) to the CA system and import it. The name
given here is arbitrary and only used to name the request file.

./easyrsa import-req /tmp/path/to/import.req EntityName

4. Sign the request as the correct type. This example uses a client type:

./easyrsa sign-req client EntityName

5. Transport the newly signed certificate to the requesting entity. This entity
may also need the CA cert (ca.crt) unless it had a prior copy.

6. The entity now has its own keypair, signed cert, and the CA.
 
Exactly.
Sounds like you got it.
I don't think I have.

Can you confirm if I need to create both client and server certs? The example only shows client. If I do, then what is the command? Is it the same command but just with server instead of client? Or has the process changed and server certs are not required? Sorry if these are stupid questions.
 
Exactly.
Sounds like you got it.
Also,

2. On the system that is requesting a certificate, init its own PKI and generate
a keypair/request. Note that init-pki is used _only_ when this is done on a
separate system (or at least a separate PKI dir.) This is the recommended
procedure. If you are not using this recommended procedure, skip the next
import-req step.

'skip the next import-req step': should this be 'skip TO THE next import-req step'?

Does it mean to implement section 2 and then skip section 3? It says 'skip the next import-req step'; the only import-req I see is in section 3.

 
There's no such thing as easyrsa.real...

Stop following tutorials by random people. Just go with the official OpenVPN documentation, which is excellent, correct as well as OS independent.
Hi,

The official guide you directed me to and the README are different. Which one is correct?

They list completely different commands to generate client and server certs. Which one is recommended? I assume from your statement that the official guide is excellent, correct and OS independent that the guide is the one to follow. But the commands presented in the guide are different, with no reference to the commands in the README, as follows:

Generate certificate & key for server

Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:

./build-key-server server
On Windows:

build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generate certificates & keys for 3 clients

Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

./build-key client1
./build-key client2
./build-key client3
On Windows:

build-key client1
build-key client2
build-key client3
If you would like to password-protect your client keys, substitute the build-key-pass script.

Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
 
I think you need to use easyrsa version 1 from that repository. That one works.

Anyway, those scripts execute openssl(1) to create an ordinary PKI.

1. Create a directory and copy the attached file openssl.conf to it.

2. Create DH parameters and a certificate authority with a CA password:

Bash:
openssl dhparam -out dh2048.pem 2048
openssl req -nodes -new -x509 -keyout ca.key -out ca.crt \
    -days 3654 -config openssl.conf
openssl rsa -aes256 -in ca.key -out ca.key.new
mv ca.key.new ca.key
chmod 440 ca.key
> index.txt
echo 01 > serial

3. Create server certificate:

Bash:
openssl req -nodes -new -keyout server.key -out server.csr \
    -extensions server -config openssl.conf
chmod 400 server.key

Sign the server certificate (the password prompted for is the CA password):

Bash:
openssl ca -out server.crt -in server.csr -extensions server \
    -config openssl.conf

4. For every client, create a client certificate:

Bash:
openssl req -nodes -new -keyout client.key -out client.csr \
    -config openssl.conf

Sign the client certificate:

Bash:
openssl ca -out client.crt -in client.csr -config openssl.conf
 

Attachments

  • openssl.conf (2.1 KB)
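As an added example (not from the thread, from easy-rsa, or from the attached openssl.conf, which is not on the page), this script builds a throwaway CA plus one server and one client certificate with openssl(1) and then checks each with 'openssl verify -purpose'. It shows why the README's "sign the request as the correct type" step and the OP's server-vs-client question matter: a certificate signed with the client profile is rejected as a server certificate and vice versa. The [server] and [client] config sections are my own and mirror the extension sets easy-rsa 3 keeps under x509-types; 'openssl x509 -req' is used instead of the thread's 'openssl ca' so no index.txt/serial setup is needed.

```shell
#!/bin/sh
# Added example (not from the thread, easy-rsa, or the attached openssl.conf): build
# a throwaway CA, a server cert and a client cert, then verify each for its own role.
set -eu

build_demo_pki() {
    dir=$(mktemp -d)
    # Inline stand-in for the attached openssl.conf. The [server] and [client]
    # sections mirror what easy-rsa 3 keeps in x509-types/server and
    # x509-types/client: the extendedKeyUsage is what makes a cert a "server"
    # or "client" cert, nothing in the key or the CSR does.
    cat > "$dir/openssl.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    ( cd "$dir"
      openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
          -days 3654 -subj /CN=demo-ca -config openssl.conf -extensions ca_ext
      for name in server client; do
          openssl req -new -nodes -newkey rsa:2048 -keyout "$name.key" \
              -out "$name.csr" -subj "/CN=$name" -config openssl.conf
          # Sign as the chosen type: "-extensions $name" here is the
          # "easyrsa sign-req <type>" decision in plain openssl form.
          openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
              -CAcreateserial -days 365 -extfile openssl.conf \
              -extensions "$name" -out "$name.crt"
      done ) >/dev/null 2>&1
    echo "$dir"
}

# Exit 0 when $2.crt in PKI dir $1 chains to ca.crt and is usable as $3
# (sslserver or sslclient). A client-type cert fails the sslserver check,
# which is the same mismatch OpenVPN's remote-cert-tls option rejects.
cert_ok_for() { openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }
```

Run it with sh; build_demo_pki writes into a temporary directory and prints that path, and cert_ok_for takes that path, the cert name and the purpose to check.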
It's ok, I fixed it.