EasyRSA on win server 22? Suddenly having lots of trouble. #881

Closed
Nephilimi opened this issue Feb 8, 2023 · 3 comments

Comments

@Nephilimi

Nephilimi commented Feb 8, 2023

EDIT: I am so annoyed with Redmond's activism in Windows.
First experience with win server 2022.

Hit the Windows key and type cmd. Nothing found. Delete it and repeat, and there it is. Windows search issue; not the first time it hasn't worked on a new VM. Continue on with something else, need cmd again, same problem, but notice an advert for PowerShell this time; cute, but that's not what I want. Go for three times in a row and again cmd is missing the first time. Is this deliberate behavior? I'm getting more and more PO'd with Redmond every update. I thought I was safe on Server but clearly not.

But wait, it gets better: "select administrator".

Type cmd a couple of times to finally get it, right-click to run as admin, and don't notice "select administrator" in the title bar. All my EasyRSA commands are failing. Spend an hour or so investigating, including reverting versions because 2.6.0 is new, and posting to Git.

Open a couple more cmd prompts the same way I just did before and they aren't "select". Suddenly EasyRSA works...

WTF is this random select administrator bullshit?

-------------original post---------------

Before you read any further: is the EasyRSA bundled in OpenVPN 2.6.0, 2.5.8, or 2.5.7 supposed to work on Win Server 2022 21H2?? I'm at a complete roadblock. Used 2.5.7 and I think 2.5.8 on many 2019 servers with no issue. I've even upgraded some to OpenVPN 2.6.0, but the upgrade doesn't involve my doing anything in EasyRSA. Admin command prompt for all the below.

--------------vars bat location issue?------------------

Previously I was putting my vars.bat in C:\Program Files\OpenVPN\easy-rsa; note this is where the vars.example file is. But that now throws this note:

 The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

Order of operations question here:
If I move vars.bat to the "right" location and start the process over with init-pki, that of course blows away the vars.bat I just put in there? Is the best advice for this just to ignore that note? It needs to be in place as you launch start.bat for the environment variables, right?

-----------It gets worse--------------

I can't get my server keys built at all with the vars.bat in either location. I'm copying and pasting my CA passphrase, so it can't be wrong, certainly not three attempts in a row. Admin CMD prompt for this; I don't see file access errors.

EasyRSA Shell
# easyrsa init-pki

WARNING!!!

You are about to remove the EASYRSA_PKI at:
* C:/Program Files/OpenVPN/easy-rsa/pki

and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes


* SECOND WARNING!!!

* This will remove everything in your current PKI directory.
  To keep your current settings use 'init-pki soft' instead.
  Using 'init-pki soft' is recommended.

Type the word 'yes' to continue, or any other input to abort.
  Remove current 'vars' file? yes


Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* C:/Program Files/OpenVPN/easy-rsa/pki

* Using Easy-RSA configuration: C:/Program Files/OpenVPN/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

* Using x509-types directory: C:/Program Files/OpenVPN/easy-rsa/x509-types


EasyRSA Shell
# easyrsa build-ca

* Using SSL: openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

* Using Easy-RSA configuration: C:/Program Files/OpenVPN/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>


Enter New CA Key Passphrase:

Confirm New CA Key Passphrase:
Using configuration from C:/Program Files/OpenVPN/easy-rsa/pki/79c07121/temp.0e1fa098
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:acnofmychoosing

Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
C:/Program Files/OpenVPN/easy-rsa/pki/ca.crt


EasyRSA Shell
# easyrsa build-server-full server nopass

* Using SSL: openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

* Using Easy-RSA configuration: C:/Program Files/OpenVPN/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: C:/Program Files/OpenVPN/easy-rsa/pki/reqs/server.req
key: C:/Program Files/OpenVPN/easy-rsa/pki/private/server.key

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 7300 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from C:/Program Files/OpenVPN/easy-rsa/pki/913d5a91/temp.ef41d12d
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:
Could not read CA private key from C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key
B00C0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
B00C0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers\implementations\ciphers\ciphercommon_block.c:124:
B00C0000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:crypto\pkcs12\p12_decr.c:86:maybe wrong password

Easy-RSA error:

Signing failed (openssl output above may have more detail)


EasyRSA Version Information
Version:     3.1.2
Generated:   Fri Jan 13 15:49:33 CST 2023
SSL Lib:     OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
Git Commit:  354c20d82bdc5db364e197aa1290e84b46abe487
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.2 | win | @(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $ |

EasyRSA Shell
#

So now I revert to 2.5.8. Different errors, and I don't get very far.

EasyRSA Shell
# easyrsa init-pki

Note: using Easy-RSA configuration from: C:/Program Files/OpenVPN/easy-rsa/vars
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-1196.a02508/tmp.XXXXXX
lpPathBuffer = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\
szTempName = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\tmpA71.tmp
path = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\tmpA71.tmp
fd = 3

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: C:/Program Files/OpenVPN/easy-rsa/pki



EasyRSA Shell
# easyrsa build-ca

Note: using Easy-RSA configuration from: C:/Program Files/OpenVPN/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1s  1 Nov 2022
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-4272.a07228/tmp.XXXXXX
lpPathBuffer = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\
szTempName = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\tmp3F4D.tmp
path = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\tmp3F4D.tmp
fd = 3
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-4272.a07228/tmp.XXXXXX
lpPathBuffer = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\
szTempName = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\tmp4131.tmp
path = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\tmp4131.tmp
fd = 3
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-4272.a07228/tmp.XXXXXX
lpPathBuffer = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\
szTempName = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\tmp4373.tmp
path = C:\Users\SCOTTJ~1.HIS\AppData\Local\Temp\tmp4373.tmp
fd = 3

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Extra arguments given.
genrsa: Use -help for summary.

Easy-RSA error:

Failed create CA private key


EasyRSA Shell

So now I revert to 2.5.7, and I KNOW I've used that version on other servers. Same error as above. I even tried with a CA secret I used on another server, because maybe one of the characters isn't being escaped on the CLI? Didn't change anything.

@TinCanTech
Collaborator

TinCanTech commented Feb 8, 2023

@Nephilimi hello.

I'll have to deal with this in parts.

First experience with win server 2022

Good luck.

-----------It gets worse--------------

Here you are using EasyRSA v3.1.2. Good.

It looks like you entered the wrong password for your CA. See:
cipherfinal error:crypto\pkcs12\p12_decr.c:86:maybe wrong password

now I revert to 2.5.8

The version of EasyRSA in use is known to have issues. I don't know exactly what is wrong at your site...

Request subject, to be signed as a server certificate for 7300 days:

subject=
commonName = server

7300 days = 20 years -> target year 2043. Windows date.exe is confined to the year 2037, although this should not be an issue for creating a certificate, but it depends on what other changes you have made.

Moving forward:

Copy the Easy-RSA folder to your user folder and try it from there.

You could also try the git/master version of easyrsa.

There is also an experimental version of busybox.exe which you could try.
See link in #878
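Added illustration of the 2037/2038 point made above; this is not EasyRSA code and not from the thread. The cut-off being referred to is the largest value of a signed 32-bit time_t, 2038-01-19 03:14:07 UTC. The check below takes an issue date and the day count EasyRSA signs for, reports whether the resulting notAfter still fits in 32 bits, and computes the longest lifetime that would. The start date 2023-02-08 (the date of this issue) is a constructed input.

```python
"""Does a certificate lifetime in days keep notAfter inside a signed 32-bit
time_t?  Added example, not EasyRSA code."""
from datetime import date, datetime, timedelta, timezone

# 2**31 - 1 seconds after the Unix epoch: 2038-01-19T03:14:07Z.
T32_MAX = datetime.fromtimestamp(2**31 - 1, tz=timezone.utc)
# Be conservative: an expiry on the cut-off day itself may fall after 03:14:07,
# so only days strictly before it are treated as safe.
LAST_SAFE_DAY = T32_MAX.date() - timedelta(days=1)


def cert_expiry(issued: date, days: int) -> date:
    """Calendar date of notAfter for a cert issued on `issued`, valid `days` days."""
    return issued + timedelta(days=days)


def fits_32bit_time(issued: date, days: int) -> bool:
    """True if notAfter is representable in a signed 32-bit time_t."""
    return cert_expiry(issued, days) <= LAST_SAFE_DAY


def max_days_within_32bit(issued: date) -> int:
    """Largest `days` value for which fits_32bit_time() is still True."""
    return max(0, (LAST_SAFE_DAY - issued).days)


def report(issued: date, days: int) -> str:
    """One-line human-readable verdict for a given issue date and lifetime."""
    exp = cert_expiry(issued, days)
    verdict = "fits" if fits_32bit_time(issued, days) else "exceeds"
    return (f"issued {issued}, {days} days -> expires {exp}: {verdict} 32-bit time_t "
            f"(max safe lifetime from {issued}: {max_days_within_32bit(issued)} days)")


if __name__ == "__main__":
    issue_date = date(2023, 2, 8)      # constructed: the date of this thread
    print(report(issue_date, 7300))    # the thread's 20-year server certificate
    print(report(issue_date, 3650))
```

A 7300-day certificate issued on 2023-02-08 expires on 2043-02-03, well past the 32-bit limit; from that issue date, anything up to 5458 days (early 2038) stays inside it. Whether a given tool actually mishandles dates past 2038 is a separate question; this only tells you whether you are in that territory.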

@Nephilimi
Author

Thank you again @TinCanTech

Point 1: After getting the "real" administrator CMD prompt, it worked under 2.6.0. Windows was the entire problem here.

Point 2: I thought so too, but I'm pasting it into the CLI from our vault. It's just a bad error message; the real problem is no admin access, I assume to files on disk? It might be nice to make that more clear.

Point 3: Good tip.

Point 4: I'm aware of the time frame. I wasn't aware of the Windows issue, but I assume they will fix it before then. 60+ other Win 2016, 2019, and now one 2022 server appear fine with this. I also know I can revoke one of these certs, update the CRL, and that client can't connect any more. All seems to be working as designed here.

Forward: As it was a permission issue, that would have fixed it too. The only problem is I didn't realize what "select administrator" is because I've never seen it before. All I know is it isn't a group or user in Windows; this is some Windows 11 protect-you-from-yourself garbage that has trickled down to Server.
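Added example, not EasyRSA code and not from the thread: a small preflight that separates the things the "maybe wrong password" output above can stand for before you reach the signing step, namely the key file is missing, the key is not readable by the account running the shell, the file is not a PEM key at all, or the passphrase genuinely does not decrypt it. It assumes the openssl CLI is on PATH (EasyRSA ships one on Windows), feeds the passphrase over stdin so the escaping question from the original post does not arise, and builds a throwaway encrypted key in a temp directory as constructed input. Point diagnose_ca_key at pki/private/ca.key to use it for real, once from an elevated prompt and once from a normal one if you want to see the difference.

```python
"""Tell 'cannot read ca.key' apart from 'wrong passphrase'.
Added example; assumes the openssl CLI on PATH and a PEM key encrypted with a
passphrase, which is what build-ca writes."""
from __future__ import annotations

import os
import subprocess
import tempfile
from pathlib import Path


def openssl(*args: str, stdin: bytes = b"") -> subprocess.CompletedProcess:
    """Run the openssl CLI. Secrets go over stdin, never argv (argv is visible
    to every process on the host)."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, check=False)


def diagnose_ca_key(key_path: str, passphrase: str) -> tuple[str, str]:
    """Return (status, detail); status is one of 'missing', 'unreadable',
    'not-pem', 'wrong-passphrase' (or otherwise undecryptable, see detail), 'ok'."""
    p = Path(key_path)
    if not p.is_file():
        return "missing", f"{p} does not exist"
    try:
        with p.open("rb") as fh:   # an access failure surfaces here, not as 'bad decrypt'
            head = fh.read(80)
    except OSError as e:
        return "unreadable", f"{e.__class__.__name__}: {e}"
    if b"PRIVATE KEY-----" not in head:
        return "not-pem", "file does not start with a PEM private-key header"
    # '-passin stdin' reads the first line of stdin as the passphrase, so no
    # shell quoting or escaping is applied to it.
    r = openssl("pkey", "-in", str(p), "-passin", "stdin", "-noout",
                stdin=passphrase.encode() + b"\n")
    if r.returncode == 0:
        return "ok", "key decrypts with the given passphrase"
    err = r.stderr.decode(errors="replace").strip().splitlines()
    return "wrong-passphrase", (err[-1] if err else f"openssl exited {r.returncode}")


def make_test_key(path: str, passphrase: str) -> None:
    """Create an AES-256-encrypted RSA key, the same shape build-ca produces."""
    r = openssl("genrsa", "-aes256", "-passout", "stdin", "-out", path, "2048",
                stdin=passphrase.encode() + b"\n")
    if r.returncode != 0:
        raise RuntimeError(r.stderr.decode(errors="replace"))


def demo() -> dict[str, str]:
    """Constructed demo: a throwaway CA key, then each outcome in turn."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "ca.key")
        make_test_key(key, "correct horse battery staple")
        junk = os.path.join(d, "notakey.txt")
        Path(junk).write_text("hello\n")
        return {
            "ok": diagnose_ca_key(key, "correct horse battery staple")[0],
            "wrong": diagnose_ca_key(key, "Correct horse battery staple")[0],
            "missing": diagnose_ca_key(os.path.join(d, "nope.key"), "x")[0],
            "not-pem": diagnose_ca_key(junk, "x")[0],
        }


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label:8s} -> {status}")
```

The ordering matters: the read attempt comes before any call to openssl, because openssl's store loader reports a key it could not open and a key it could not decrypt with very similar "could not read" wording. An 'unreadable' result from a non-elevated prompt and 'ok' from an elevated one is the permissions case; 'wrong-passphrase' from both means the secret itself is the problem.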

@TinCanTech
Collaborator

TinCanTech commented Feb 8, 2023

@Nephilimi sounds like you have things under control now 👍

FYI: The date.exe program which is shipped with EasyRSA is limited by the 2037 cut-off. Something to do with 32-bit numbers.

Windblows itself is fine date-wise, although, I understand your pain for the rest. ;-)

Thank you for persevering with EasyRSA and letting us know that you got it working. If you have any more issues with v3.1.2 then please let us know.
