Error when trying to create client certificate

[keljoundi]

I am running on a Raspberry Pi 3 (raspian) and have followed the install guide exactly. Everything seems to be working correctly - all info on main status page is populated, logs displaying, and server.conf will update correctly. The only issue is that I am getting an error when trying to create a new client certificate. After clicking create a red alert is displayed and reads "exit status 1" without any other details. Any help would be appreciated!

[bnhf]

@keljoundi

I've had a report or two recently of people having issues when they created a client certificate through the PiVPN command line not showing up in OpenVPN Admin Plus. Further, this may keep new certificates from being created. If you think this may apply to you, try revoking any certificates created from the command line and restart OpenVPN and then OpenVPN Admin Plus.

[keljoundi]

Thanks for the quick reply. This is a fresh install, the only client certificate is the one created by default for the server itself. I was trying to hold off on using the command line until I got this resolved

[bnhf]

@keljoundi

If you feel comfortable doing it, would you mind installing "tree" and posting the output of /etc/openvpn here? That would give me an idea if all of the files are in the expected locations. Also, what OpenVPN version are you showing on the status page?

[keljoundi]

no problem. I changed the cert filenames here, they're correct on the machine

pi@raspberrypi:~ $ sudo tree /etc/openvpn
/etc/openvpn
├── ccd
├── client
├── crl.pem
├── easy-rsa
│   ├── ChangeLog
│   ├── COPYING.md
│   ├── doc
│   │   ├── EasyRSA-Advanced.md
│   │   ├── EasyRSA-Readme.md
│   │   ├── EasyRSA-Upgrade-Notes.md
│   │   ├── Hacking.md
│   │   └── Intro-To-PKI.md
│   ├── easyrsa
│   ├── gpl-2.0.txt
│   ├── mktemp.txt
│   ├── openssl-easyrsa.cnf
│   ├── pki
│   │   ├── ca.crt
│   │   ├── certs_by_serial
│   │   │   └── 5D9757DDF2ED9FA242XXXXXXXXXXXX.pem
│   │   ├── crl.pem
│   │   ├── Default.txt
│   │   ├── index.txt
│   │   ├── index.txt.attr
│   │   ├── index.txt.attr.old
│   │   ├── index.txt.old
│   │   ├── issued
│   │   │   └── raspberrypi_bddc1f44-d43f-4ebc-bc72-XXXXXXXXX.crt
│   │   ├── openssl-easyrsa.cnf
│   │   ├── private
│   │   │   ├── ca.key
│   │   │   └── raspberrypi_bddc1f44-d43f-4ebc-bc72-XXXXXXXX.key
│   │   ├── reqs
│   │   │   └── raspberrypi_bddc1f44-d43f-4ebc-bc72-XXXXXXXXX.req
│   │   ├── revoked
│   │   │   ├── certs_by_serial
│   │   │   ├── private_by_serial
│   │   │   └── reqs_by_serial
│   │   ├── safessl-easyrsa.cnf
│   │   ├── serial
│   │   ├── serial.old
│   │   ├── ta.key
│   │   ├── vars
│   │   └── vars.example
│   ├── README.md
│   ├── README.quickstart.md
│   ├── vars.example
│   └── x509-types
│   ├── ca
│   ├── client
│   ├── code-signing
│   ├── COMMON
│   ├── email
│   ├── kdc
│   ├── server
│   └── serverClient
├── ipp.txt
├── openvpn.log
├── server
├── server.conf
├── server.conf.bak
└── update-resolv-conf

15 directories, 47 files

[bnhf]

@keljoundi

So, I'm not seeing a "vars" file under /etc/openvpn/easy-rsa. There's one under /etc/openvpn/easy-rsa/pki, which is the "new" location PiVPN uses -- but we're continuing to use the original location for backwards compatibility. Can you confirm that the file doesn't exist under easy-rsa?

You should be able to create it manually, and the content would look like this:

# if [ -z "$EASYRSA_CALLER" ]; then
# 	echo "Nope." >&2
# 	return 1
# fi
set_var EASYRSA            "/etc/openvpn/easy-rsa"
set_var EASYRSA_PKI        "$EASYRSA/pki"
set_var EASYRSA_CRL_DAYS   3650
set_var EASYRSA_ALGO       ec
set_var EASYRSA_CURVE      prime256v1
set_var EASYRSA_DN         org

set_var EASYRSA_REQ_COUNTRY   " "
set_var EASYRSA_REQ_PROVINCE  " "
set_var EASYRSA_REQ_CITY      " "
set_var EASYRSA_REQ_ORG       " "
set_var EASYRSA_REQ_EMAIL     " "
set_var EASYRSA_REQ_OU        " "

Put the same values you used for COUNTRY, PROVINCE, CITY, ORG, EMAIL and OU from your Portainer stack in-between the quotes. Restart OpenVPN or reboot before testing. Any idea how this file might have gone missing? Also, out of curiosity, what does the contents of the file under easy-rsa/pki look like?

[keljoundi]

Not sure why that wasn't there, but I did manually create and set permissions to 644 with owner root. I am still getting the error on certificate creation.
Ignoring all the comments, by default this is the content of easy-rsa/pki/vars:

if [ -z "$EASYRSA_CALLER" ]; then
        echo "You appear to be sourcing an Easy-RSA *vars* file." >&2
        echo "This is no longer necessary and is disallowed. See the section called" >&2
        echo "*How to use this file* near the top comments for more details." >&2
        return 1
fi
set_var EASYRSA_ALGO ec
set_var EASYRSA_CRL_DAYS 3650

not much in there at all

[bnhf]

@keljoundi

I'll do a test installation shortly to see what's up. It looks like something may have changed with PiVPN based on the easy-rsa/pki/vars file you posted above. Mine has nothing but comments in it. I'll let you know what I figure out.

[bnhf]

@keljoundi

I did a fresh installation of PiVPN and OpenVPN-Admin-Plus on a RaspberryPi 3B+, and everything went as expected. I was able to create a test certificate:

So when you try to create a new certificate what shows up in the Portainer log for the openvpn-admin-plus container? Mine looks like this right after creating a new cert:

	{
		"EntryType": "V",
		"Expiration": "330612181320Z",
		"ExpirationT": "2033-06-12T18:13:20Z",
		"Revocation": "",
		"RevocationT": "0001-01-01T00:00:00Z",
		"Serial": "[redacted]",
		"FileName": "unknown",
		"Details": {
			"Name": "[redacted]",
			"CN": "server",
			"Country": "",
			"Organisation": "",
			"Email": ""
		}
	},
	{
		"EntryType": "V",
		"Expiration": "250917184117Z",
		"ExpirationT": "2025-09-17T18:41:17Z",
		"Revocation": "",
		"RevocationT": "0001-01-01T00:00:00Z",
		"Serial": "[redacted]",
		"FileName": "unknown",
		"Details": {
			"Name": "test",
			"CN": "",
			"Country": "[redacted]",
			"Organisation": "[redacted]",
			"Email": "[redacted]"
		}
	}
] 
[ORM]2023/06/15 12:46:53  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `login`, `name`, `email`, `password`, `lastlogintime`, `created`, `updated` FROM `user` WHERE `id` = ? ] - `1`
[ORM]2023/06/15 12:46:53  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `profile`, `m_i_address`, `m_i_network`, `o_v_config_path`, `server_address`, `created`, `updated` FROM `settings` WHERE `profile` = ? ] - `default`
[ORM]2023/06/15 12:46:53  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `profile`, `m_i_address`, `m_i_network`, `o_v_config_path`, `server_address`, `created`, `updated` FROM `settings` WHERE `o_v_config_path` = ? ] - `/e

I suspect yours may have some error information that could be useful. Please try to add a certificate and post the last part of the container log here.

[keljoundi]

I see the error is with easy-rsa, not sure what string its referring to, and 2 bytes seems awfully short whatever it is.

[ORM]2023/06/15 17:05:36  -[Queries/default] - [  OK / db.QueryRow /     0.1ms] - [SELECT `id`, `login`, `name`, `email`, `password`, `lastlogintime`, `created`, `updated` FROM `user` WHERE `id` = ? ] - `1`
2023/06/15 17:05:36.987 [W] [certificates.go:88]  Undefined entry:  
2023/06/15 17:05:36.987 [D] [utils.go:49]  [
	{
		"EntryType": "V",
		"Expiration": "330609130439Z",
		"ExpirationT": "2033-06-09T13:04:39Z",
		"Revocation": "",
		"RevocationT": "0001-01-01T00:00:00Z",
		"Serial": "5D9757DDF2ED9FA242502A286E9460E1",
		"FileName": "unknown",
		"Details": {
			"Name": "raspberrypi_bddc1f44-d43f-4ebc-bc72-ba2220262757",
�
			"CN": "",
			"Country": "",
			"Organisation": "",
			"Email": ""
		}
	}
] 
[ORM]2023/06/15 17:05:46  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `login`, `name`, `email`, `password`, `lastlogintime`, `created`, `updated` FROM `user` WHERE `id` = ? ] - `1`
2023/06/15 17:05:46.138 [W] [certificates.go:88]  Undefined entry:  
2023/06/15 17:05:46.138 [D] [utils.go:49]  [
	{
		"EntryType": "V",
		"Expiration": "330609130439Z",
		"ExpirationT": "2033-06-09T13:04:39Z",
		"Revocation": "",
		"RevocationT": "0001-01-01T00:00:00Z",
		"Serial": "5D9757DDF2ED9FA242502A286E9460E1",
		"FileName": "unknown",
		"Details": {
			"Name": "raspberrypi_bddc1f44-d43f-4ebc-bc72-ba2220262757",
�
			"CN": "",
			"Country": "",
			"Organisation": "",
			"Email": ""
		}
	}
] 
2023/06/15 17:00:21.074 [D] [certificates.go:128]  * WARNING:
  Move your vars file to your PKI folder, where it is safe!
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/55dc5669/temp.8ad7c48b'
-----
string is too long, it needs to be no more than 2 bytes long
problems making Certificate Request
Easy-RSA error:
Failed to generate request
Host: nix | Linux | 
 
2023/06/15 17:00:21.074 [E] [certificates.go:129]  exit status 1 
2023/06/15 17:00:21.074 [E] [certificates.go:169]  exit status 1 
2023/06/15 17:00:21.075 [W] [certificates.go:88]  Undefined entry:  
2023/06/15 17:00:21.075 [D] [utils.go:49]  [
	{
		"EntryType": "V",
		"Expiration": "330609130439Z",
		"ExpirationT": "2033-06-09T13:04:39Z",
		"Revocation": "",
		"RevocationT": "0001-01-01T00:00:00Z",
		"Serial": "5D9757DDF2ED9FA242502A286E9460E1",
		"FileName": "unknown",
		"Details": {
			"Name": "raspberrypi_bddc1f44-d43f-4ebc-bc72-ba2220262757",
�
			"CN": "",
			"Country": "",
			"Organisation": "",
			"Email": ""
		}
	}
] 

also noticed you dont have a server certificate listed like I do - not sure if thats significant

[keljoundi]

Ugh.. I figure it out.. Such a simple mistake, had "USA" for some reason as the country code. I should know better than that, but also blame poor error logs with easy-rsa and openvpn hah. thanks for the help though, I wouldn't have know about the portainer logs, just getting in to Docker recently

[bnhf]

@keljoundi

Glad you figured it out! I'll add clarification to the documentation about that. If you still can see the server certificate listed as a client certificate, edit easy-rsa/pki/index.txt so it looks similar to this (keeping your specific data of course):

V	330612181320Z		03E8726D3E031F0889B39145E2217E6A	unknown	/CN=raspberrypi12_6230ae1e-5894-4e14-9611-196b04856969/name=server

The "name=server" keeps that certificate from being displayed and/or accidentally revoked. Make sure the server name follows "CN=" as shown.

So maybe the USA vs US thing caused a couple of "first run" issues including the vars file not being created and index.txt not being modified to tag the server certificate. I'll look at that next time I'm updating the code, and in the meantime I'll add to the documentation.