Support for easy-rsa version 3 #216

Closed
ivanfetch opened this issue Nov 20, 2016 · 17 comments
Labels
bug Something isn't working

Comments

@ivanfetch

ivanfetch commented Nov 20, 2016

This module should detect version 3 of easy-rsa, and use the updated vars file and no longer source the vars file before running easyrsa.

FreeBSD uses easy-rsa 3 as a dependency to OpenVPN.

@luxflux luxflux added the bug Something isn't working label Feb 13, 2017
@TeunRoefs

Any progress with this? Seems the epel-release has been updated with easy-rsa 3.0.3 instead of 2.0 and this module will now always fail on Red Hat Enterprise Linux 7.4.

@bastelfreak
Member

@TeunRoefs are you able to provide a PR for this?

@TeunRoefs

TeunRoefs commented Jan 29, 2018

@bastelfreak I thought it would be as easy as changing 2.0 to 3.0.3 wherever applicable, but I keep getting the following error when running Puppet.

```
./vars: line 29: /etc/openvpn/aws/easy-rsa/whichopensslcnf: No such file or directory
```

Is this familiar to you? If you know how to fix it, I can make a PR to update the module to use easy-rsa 3.0.3.

Update: Apparently Easy-RSA 3.0 is a complete rewrite and the whole module needs a rewrite in order to use it.

@jameskirsop
Contributor

I've started trying to get something working with v3, but the biggest problem I'm facing is that running ./easyrsa build-ca nopass requires you to enter a Common Name and there's no flag for that variable or a way of automating the entry of that, when prompted, via the puppet manifest.

Unless I'm missing something obvious, I can't see a place to enter this in the ./vars file for easyrsa - so I'm not sure how we'll work around that.

@monkey670

monkey670 commented Mar 7, 2018

For what I was doing the files that need changing are the params.pp to use version 3, the template vars file for the newer variables, server.erb to use the default paths and the client.pp/ca.pp to use the newer commands whilst removing the ./vars call. I've managed to stand up a working openvpn server with these changes on RHEL 7.4 using easy-rsa 3.0.3.

I might be wrong but is this the variable EASYRSA_REQ_CN="ChangeMe" you can use to set the Common Name in the ./vars file or at command runtime?

@ElvenSpellmaker

@jameskirsop You can echo a Common Name and pipe it in, the newline from echo will act like you've hit enter.

So, `echo foo | ./easyrsa build-ca nopass` will work.
When I had a brief look at this I couldn't work out what CN was needed here...
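
The two approaches raised above (the `EASYRSA_REQ_CN` variable and feeding the prompt from a pipe) can be combined with easy-rsa 3's batch mode so that no prompt appears at all. The sketch below is an added example, not part of this thread or of the module's code: the function names `easyrsa_major` and `build_ca` are hypothetical, and it assumes the easy-rsa tree lives in a single directory with the default `pki` location.

```shell
#!/bin/sh
# Added example: choose the CA build path by easy-rsa layout.
# Function names are hypothetical; the file names, commands and variables
# (easyrsa, pkitool, vars, clean-all, EASYRSA_BATCH, EASYRSA_REQ_CN, KEY_CN)
# are easy-rsa's own.

# Print 3 for an easy-rsa 3 tree, 2 for a 2.x tree, "unknown" otherwise.
easyrsa_major() {
    if [ -f "$1/easyrsa" ]; then
        echo 3          # 3.x ships a single "easyrsa" entry point
    elif [ -f "$1/pkitool" ] && [ -f "$1/vars" ]; then
        echo 2          # 2.x ships pkitool plus a vars file that must be sourced
    else
        echo unknown
    fi
}

# Build a CA in DIR with Common Name CN without any prompt.
build_ca() {
    dir=$1 cn=$2
    case $(easyrsa_major "$dir") in
    3)  (
            cd "$dir" || exit 1
            # Batch mode suppresses prompts; the CN comes from the environment.
            EASYRSA_BATCH=1 EASYRSA_REQ_CN=$cn
            export EASYRSA_BATCH EASYRSA_REQ_CN
            # In batch mode init-pki replaces an existing PKI without asking,
            # so only initialise when the default pki directory is absent.
            [ -d pki ] || ./easyrsa init-pki || exit 1
            # nopass leaves the CA private key unencrypted on disk.
            ./easyrsa build-ca nopass
        ) ;;
    2)  (
            cd "$dir" || exit 1
            # 2.x needs vars sourced first; clean-all wipes the key directory.
            . ./vars && ./clean-all || exit 1
            KEY_CN=$cn; export KEY_CN
            ./pkitool --initca
        ) ;;
    *)  echo "no easy-rsa tree found in $dir" >&2
        return 1 ;;
    esac
}
```

Because `nopass` writes the CA key unencrypted, the directory passed as `DIR` should be readable by root only.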

@ElvenSpellmaker

As mentioned in #269, Epel has now replaced easy-rsa with version 3.x and so this module is now broken for anyone using CentOS (at least EL7).

@jameskirsop
Contributor

After a fair bit of hacking around I've got something that creates working server and client configs, but the changes are pretty dirty and will need cleanup before I commit them to my fork and create a PR. I'll try and do this over the next week or so.

I ended up adding a clause specifically for CentOS 7 that uses a different params file so that anything using the pre 3.x easy-rsa still works OK.

I'm not able to get the client to auto deploy config successfully though... but that's probably outside the scope of this thread.

@barrypitman

I was able to work around this by manually uninstalling easy-rsa 3 and installing easy-rsa 2 from RPM

@ElvenSpellmaker

Odd because I can't find easy-rsa2.x in the epel repo any more...

@TeunRoefs

TeunRoefs commented Mar 16, 2018

@barrypitman That was also my solution for the time being, however the EPEL does not contain easy-rsa 2.0 anymore. I was lucky enough to retrieve it from another server. See my attachment for all the files in the easy-rsa 2.0 folder.

easy-rsa.zip

@jameskirsop
Contributor

I've got a branch over at my fork which has changes that fix CA certificate generation under easy-rsa 3.0 on CentOS7. It seems like I can't do a PR for this change though due to insufficient permissions.

I've got some other changes for the server template and client manifest, but I need to clean them up a little more before committing them.

@ElvenSpellmaker

Hey @jameskirsop, I thought I'd have a brief look at the diff between yours and the master and I found this line here: https://github.com/voxpupuli/puppet-openvpn/compare/master...jameskirsop:easy-rsa-3.0?expand=1#diff-b386e10e7f4de7981ca1d52c90456a0dR257

Is it meant to have `&& &&` like that? Won't that break?

@jameskirsop
Contributor

jameskirsop commented Apr 5, 2018 via email

@jsnod

jsnod commented May 8, 2018

Yep, this is broken in CentOS 6 now too.

@NoodlesNZ

Have added #278 to address this

@Dan33l
Member

Dan33l commented Sep 12, 2018

Since PR #292 is merged, this bug should be considered as closed.

Thank you @NoodlesNZ for the work proposed with PR #278 used as a basis.

@Dan33l Dan33l closed this as completed Sep 12, 2018