Difference between revisions of "Talk:Easy-RSA"

From ArchWiki
Line 42: Line 42:
 
  Easy-RSA error:
 
  Easy-RSA error:
 
  Failed to create PKI file structure (permissions?)
 
  Failed to create PKI file structure (permissions?)
::::This page so complex because it explains how to create a PKI for [[OpenVPN]]. This is not just instruction how to use Easy-RSA. --[[User:Althathwe|Althathwe]] ([[User talk:Althathwe|talk]]) 13:36, 8 November 2016 (UTC)
+
::::This page so complex because it explains how to setup PKI and generate everything for [[OpenVPN]]. This is not just instruction how to use Easy-RSA. --[[User:Althathwe|Althathwe]] ([[User talk:Althathwe|talk]]) 13:36, 8 November 2016 (UTC)

Revision as of 14:09, 8 November 2016

Have the instructions been tested?

Keep getting errors (certificates invalid, etc.), server key is not copied to /etc/openvpn... please test again, and fix the edits when needed. Because at the moment it's not possible to set up OpenVPN. Francoism (talk) 13:09, 28 August 2016 (UTC)

Yes, they have been tested. I cannot reproduce either of the comments you wrote in your accuracy flags following these steps from start to finish creating the ovpn file. Suggest you try again. Graysky (talk) 17:01, 28 August 2016 (UTC)
Actually, I missed one step (copying the server.key to /etc/openvpn) but that omission does not explain the errors you posted. Again, I think you should just start over and you'll be fine. Graysky (talk) 17:16, 28 August 2016 (UTC)
Hi Graysky, finally found time to start over, turns out your ovpngen (AUR) and other generators I tried don't copy the CA certificate (yeah, should have checked this). Maybe this happens because of permission issues. Is it helpful to add this as a note (e.g. what tags should (not) be empty?) Thanks. Francoism (talk) 21:06, 17 October 2016 (UTC)
Did you invoke it as root or via sudo like the readme instructs? The CA Cert is the 2nd token. Graysky (talk) 21:14, 17 October 2016 (UTC)
Don't know for sure to be honest, thought under root. But if this should work fine, it is an issue at my end. The command was executed correctly, didn't receive any error. Is it possible security tools block access (like AppArmor) and just return an empty file instead? Thanks Francoism (talk) 09:00, 18 October 2016 (UTC)
More likely, the needed files are not world-readable (default is 700 for many of them). Run the script as root and you'll be fine in all likelihood. Graysky (talk) 19:29, 18 October 2016 (UTC)
Try version 1.24 of ovpngen (AUR) which contains some internal checks for file permissions and physical existence. Graysky (talk) 19:53, 18 October 2016 (UTC)
Thanks for the update, will try and report back to you. :) Francoism (talk) 08:45, 19 October 2016 (UTC)
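
The symptom in this thread (a generated profile with an empty CA section because the PKI files are readable only by root) can be caught before any profile is written. The script below is an added example, not code from ovpngen or Easy-RSA; the function names and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not ovpngen's code): preflight checks on PKI files before
# they are embedded in a client profile. All file names are constructed.

# check_pki_input PATH
# Returns 0 ok, 1 missing, 2 unreadable by the current user, 3 empty,
# 4 no PEM-style block. A path below a directory the user cannot traverse
# (for example a 700 directory owned by root) is reported as missing.
check_pki_input() {
    if [ ! -e "$1" ]; then
        echo "MISSING     $1" >&2; return 1
    elif [ ! -r "$1" ]; then
        echo "UNREADABLE  $1 (running as $(id -un))" >&2; return 2
    elif [ ! -s "$1" ]; then
        echo "EMPTY       $1" >&2; return 3
    elif ! grep -q -e '-----BEGIN ' "$1"; then
        echo "NOT PEM     $1" >&2; return 4
    fi
    return 0
}

# preflight PATH...  -> exit status is the number of inputs that failed.
preflight() {
    failed=0
    for f in "$@"; do
        check_pki_input "$f" || failed=$((failed + 1))
    done
    return "$failed"
}

# Demo on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    : > "$d/client.crt"                     # empty, as a failed copy would leave it
    printf 'not a key\n' > "$d/client.key"  # present but not key material
    rc=0
    preflight "$d/ca.crt" "$d/client.crt" "$d/client.key" "$d/ta.key" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "preflight: $? input(s) failed" >&2
```

Failing on a nonzero status from `preflight` keeps the private key permissions restrictive: the fix is to run the generator with sufficient privilege, not to make the key files world-readable.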

Rewritten page untested and didn't work.

Commands should be executed from root and in /etc/easy-rsa. --Althathwe (talk) 10:43, 8 November 2016 (UTC)

Reverted the edits, they didn't respect ArchWiki:Contributing#Do_not_make_complex_edits_at_once either. Old revision in case someone wants to take a closer look: diff, revision -- Alad (talk) 10:50, 8 November 2016 (UTC)
Copy-paste from https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto --Althathwe (talk) 11:21, 8 November 2016 (UTC)
I am sorry for making a complex edit at once. It did feel intrusive, but I did it nonetheless. It did not adhere to ArchWiki:Contributing#Do_not_make_complex_edits_at_once, so that was a mistake.
The current state of this article is highly complex and hard to understand, in my opinion. It is actually not helping, it's easier to follow upstream docs. It does not explain complex subjects like PKI, CA and CSR.
Easy-RSA commands should not be executed as root. I find it a terrible idea. You could just as well execute the commands as a non-privileged user and transfer the generated files to /etc/easy-rsa. I expect the user to make that decision for herself.
Overall, I would like this article to be simpler and be more The Arch Way. How do we proceed to do that?
Aude (talk) 12:55, 8 November 2016 (UTC)
Easy-RSA commands should be executed as root and in /etc/easy-rsa:
[user@v-arch-1 ~]$ easyrsa init-pki
WARNING: can't open config file: /home/user/openssl-1.0.cnf
Easy-RSA error:
The OpenSSL config file cannot be found.
Expected location: /home/user/openssl-1.0.cnf
[user@v-arch-1 easy-rsa]$ easyrsa init-pki 
mkdir: cannot create directory ‘/etc/easy-rsa/pki’: Permission denied
Easy-RSA error:
Failed to create PKI file structure (permissions?)
This page is so complex because it explains how to set up PKI and generate everything for OpenVPN. This is not just an instruction on how to use Easy-RSA. --Althathwe (talk) 13:36, 8 November 2016 (UTC)