Opened 12 years ago

Closed 11 years ago

#125 closed Bug / Defect (fixed)

Build CA is broken in Windows on version 2.2 release

Reported by: Muot Owned by: Samuli Seppänen
Priority: minor Milestone: release 2.2.1
Component: Certificates Version: OpenVPN 2.2.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: install


From Windows Command window, I did the following:

init-config - there is an error because "openssl.cnf.sample" is missing from 2.2 install package but since openssl.cnf existed so it still worked.

vars - after editing it of course
build-ca.bat gives:

C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
WARNING: can't open config file: c:\openssl/ssl/openssl.cnf error on line 150 of openssl.cnf 3940:error:0E065068:configuration file routines:STR_COPY:variable has no value:. \crypto\conf\conf_def.c:618:line 150

Change History (7)

comment:1 Changed 12 years ago by David Sommerseth

Keywords: install added
Milestone: release 2.2
Owner: set to Samuli Seppänen
Priority: majorminor
Status: newassigned
Version: 2.2-beta / 2.2-RC2.2.0

We should probably copy in the easy-rsa/2.0/openssl.cnf into the Windows package when wrapping it all together.

Also consider if we should do the copy of openssl.cnf.sample to openssl.cnf in init-config. Seems like a rather pointless operation.

comment:2 Changed 12 years ago by David Sommerseth

Milestone: release 2.2.1

comment:3 Changed 12 years ago by Muot

openssl.cnf in version 2.2 for Windows contains two entries that fixed the error below when remote-cert-tls server is used in the client configuration file:

ERROR: "OpenVPN: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

If you decide to copy 2.0 version of openssl.cnf over, please don't loss these two entries below under the [ server ] :
keyUsage = digitalSignature, keyEncipherment


comment:4 Changed 12 years ago by Samuli Seppänen

Dazo: agreed, it's pointless to move stuff around.

Mvuong: I'm fixing this bug for upcoming 2.2.1 release. Could you replace the openssl.cnf with this one and see what happens. It seemed to work fine in my limited testing.

comment:5 Changed 12 years ago by David Sommerseth

Resolution: fixed
Status: assignedclosed


I have applied the following patches:

commit 663860ad04dd4190fddbee63e724d3fdceafd937 (master)
commit 6989cbde616a00380acf3a390959987765a5325b (release/2.2)
Author: Samuli Seppänen <>
Date:   Mon Jun 20 10:49:41 2011 +0300

    Add new openssl.cnf to easy-rsa/Windows
    This is required for patch "Fix a build-ca issue on Windows" to work
    Signed-off-by: Samuli Seppänen <>
    Acked-by: David Sommerseth <>

commit 38108434db7b2d574133dd645d01df03848532d6 (master)
commit 09282a688bd16d1572a7cc4fd20d3785fb2b4c1e (release/2.2)
Author: Samuli Seppänen <>
Date:   Fri Jun 17 12:18:02 2011 +0300

    Fix a build-ca issue on Windows
    Fixes Trac ticket #125
    Signed-off-by: Samuli Seppänen <>
    Acked-by: David Sommerseth <>
    Signed-off-by: David Sommerseth <>

I see that 'extendedKeyUsage=serverAuth' is not set. I am not 100% sure if that is needed or not, or just "nice to have". So I'm accepting the openssl.cnf patch as it is now, and we can rather fix this later on if it is not enough.

comment:6 Changed 12 years ago by Samuli Seppänen

Resolution: fixed
Status: closedreopened

Previous patches don't fix this issue -> reopening. A new patch is available here.

comment:7 Changed 11 years ago by Samuli Seppänen

Resolution: fixed
Status: reopenedclosed

Fixed in 2.2.1 release.

Note: See TracTickets for help on using tickets.