Opened 7 years ago

Closed 6 years ago

#125 closed Bug / Defect (fixed)

Build CA is broken in Windows on version 2.2 release

Reported by: mvuong Owned by: mattock
Priority: minor Milestone: release 2.2.1
Component: Certificates Version: OpenVPN 2.2.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: install


From Windows Command window, I did the following:

init-config - there is an error because "openssl.cnf.sample" is missing from the 2.2 install package, but since openssl.cnf existed it still worked.

vars - after editing it of course
build-ca.bat gives:

C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
WARNING: can't open config file: c:\openssl/ssl/openssl.cnf
error on line 150 of openssl.cnf
3940:error:0E065068:configuration file routines:STR_COPY:variable has no value:.\crypto\conf\conf_def.c:618:line 150

Change History (7)

comment:1 Changed 7 years ago by dazo

  • Keywords install added
  • Milestone release 2.2 deleted
  • Owner set to mattock
  • Priority changed from major to minor
  • Status changed from new to assigned
  • Version changed from 2.2-beta / 2.2-RC to 2.2.0

We should probably copy in the easy-rsa/2.0/openssl.cnf into the Windows package when wrapping it all together.

Also consider if we should do the copy of openssl.cnf.sample to openssl.cnf in init-config. Seems like a rather pointless operation.

comment:2 Changed 7 years ago by dazo

  • Milestone set to release 2.2.1

comment:3 Changed 7 years ago by mvuong

openssl.cnf in version 2.2 for Windows contains two entries that fixed the error below when remote-cert-tls server is used in the client configuration file:

ERROR: "OpenVPN: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

If you decide to copy the 2.0 version of openssl.cnf over, please don't lose these two entries below under the [ server ]:
keyUsage = digitalSignature, keyEncipherment
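
An added example (not part of the ticket, and not OpenVPN or easy-rsa code): OpenSSL raises "variable has no value" when a config line expands a variable that is not set, so this Python check lists the unset $ENV:: references in an openssl.cnf with their line numbers, and reports which of the keys named in this ticket (keyUsage, extendedKeyUsage) are absent under [ server ]. The sample config, the environment values and the function names are constructed for illustration.

```python
import re

# Constructed sample, NOT the openssl.cnf shipped with OpenVPN 2.2.
SAMPLE_CNF = """\
HOME = .
[ req_distinguished_name ]
countryName_default = $ENV::KEY_COUNTRY
organizationName_default = ${ENV::KEY_ORG}   # trailing comment
# commonName_default = $ENV::KEY_CN   (commented out, never expanded)
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
"""

# OpenSSL accepts $ENV::name, ${ENV::name} and $(ENV::name).
ENV_REF = re.compile(r"\$(?:\{ENV::(\w+)\}|\(ENV::(\w+)\)|ENV::(\w+))")
SECTION = re.compile(r"^\[\s*(.+?)\s*\]$")

def audit_cnf(text, env):
    """Return (unset, sections): unset is [(line_no, variable)] for ENV
    references with no value in env; sections maps name -> {key: value}."""
    unset, sections, current = [], {}, "default"
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: ignores quoted '#'
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            continue
        for groups in ENV_REF.findall(line):
            name = next(g for g in groups if g)
            if name not in env:  # an unset variable aborts the config load
                unset.append((line_no, name))
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return unset, sections

def missing_server_keys(sections, wanted=("keyUsage", "extendedKeyUsage")):
    """List which of the extension keys named in the ticket [ server ] lacks."""
    server = sections.get("server", {})
    return [key for key in wanted if key not in server]

if __name__ == "__main__":
    # Hypothetical environment: KEY_COUNTRY is set, KEY_ORG is not.
    unset, sections = audit_cnf(SAMPLE_CNF, {"KEY_COUNTRY": "US"})
    for line_no, name in unset:
        print(f"line {line_no}: $ENV::{name} has no value")
    print("missing under [ server ]:", missing_server_keys(sections))
```

To check a real file, pass its text and dict(os.environ) from the same command window in which build-ca is run.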


comment:4 Changed 7 years ago by samuli

Dazo: agreed, it's pointless to move stuff around.

Mvuong: I'm fixing this bug for the upcoming 2.2.1 release. Could you replace the openssl.cnf with this one and see what happens? It seemed to work fine in my limited testing.

comment:5 Changed 7 years ago by dazo

  • Resolution set to fixed
  • Status changed from assigned to closed


I have applied the following patches:

commit 663860ad04dd4190fddbee63e724d3fdceafd937 (master)
commit 6989cbde616a00380acf3a390959987765a5325b (release/2.2)
Author: Samuli Seppänen <>
Date:   Mon Jun 20 10:49:41 2011 +0300

    Add new openssl.cnf to easy-rsa/Windows
    This is required for patch "Fix a build-ca issue on Windows" to work
    Signed-off-by: Samuli Seppänen <>
    Acked-by: David Sommerseth <>

commit 38108434db7b2d574133dd645d01df03848532d6 (master)
commit 09282a688bd16d1572a7cc4fd20d3785fb2b4c1e (release/2.2)
Author: Samuli Seppänen <>
Date:   Fri Jun 17 12:18:02 2011 +0300

    Fix a build-ca issue on Windows
    Fixes Trac ticket #125
    Signed-off-by: Samuli Seppänen <>
    Acked-by: David Sommerseth <>
    Signed-off-by: David Sommerseth <>

I see that 'extendedKeyUsage=serverAuth' is not set. I am not 100% sure if that is needed or not, or just "nice to have". So I'm accepting the openssl.cnf patch as it is now, and we can rather fix this later on if it is not enough.

comment:6 Changed 7 years ago by samuli

  • Resolution fixed deleted
  • Status changed from closed to reopened

Previous patches don't fix this issue -> reopening. A new patch is available here.

comment:7 Changed 6 years ago by samuli

  • Resolution set to fixed
  • Status changed from reopened to closed

Fixed in 2.2.1 release.
