Input/output error: Cannot create openssl-easyrsa.cnf about easy-rsa HOT 11 CLOSED

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

EasyRSA Shell
# openssl dgst -sha256 ./easyrsa
SHA2-256(./easyrsa)= ecb827bbda82a2832fed8c7ac0e632c1f03fdb99ec5fd1409431245ae71cfc8a

from easy-rsa.

@Ceejus Thank you for this report.

I cannot replicate the problem here.

For testing, does ./easyrsa help work ?

Also, after running (and failing to complete) init-pki, is the pki directory created with the sub-directories of private, reqs and inline ?

If the pki is created, can you try to build the CA: ./easyrsa --npass build-ca.

Also, try copying the file openssl-easyrsa.cnf to the pki manually and then try to build the CA again.

from easy-rsa.

Thanks.
Yes, ./easyrsa help does work.
No, the pki sub-directory isn't created. Should I create this folder manually?

from easy-rsa.

Try using the --verbose option: ./easyrsa --verbose init-pki

from easy-rsa.

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

EasyRSA Shell
# ./easyrsa --verbose init-pki
  > source_vars: EASYRSA_NO_VARS
  > Using Windows-System-Folders for your PKI is NOT SECURE!
Your Easy-RSA PKI CA Private Key is WORLD readable.

To correct this problem, it is recommended that you either:
* Copy Easy-RSA to your User folders and run it from there, OR
* Define your PKI to be in your User folders. EG:
  'easyrsa --pki-dir="C:/Users/<your-user-name>/easy-rsa/pki" <command>'
  > mutual_exclusions: COMPLETED
  > install_data_to_pki: x509-types-only - COMPLETED
  > verify_working_env: COMPLETED
./easyrsa[7439]: cannot create C:/Program Files/OpenVPN/easy-rsa/pki/openssl-easyrsa.cnf: Input/output error

Easy-RSA error:

install_data_to_pki - Missing: 'openssl-easyrsa.cnf'

EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:53 CDT 2023
SSL Lib:     OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | win | @(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $ |

  > Exit: Final Fail = true

from easy-rsa.

Please try this command:

openssl dgst -sha256 ./easyrsa

from easy-rsa.

Please try this:

* Copy Easy-RSA to your User folders and run it from there

The problem is that Windows is being too secure.

Either use run-as-admin easy-rsa/EasyRSA-Start.bat, or copy easy-rsa/ folder to your home directory and run it from there.

from easy-rsa.

That worked. I saw the suggestion in a lot of different threads and should have just tried that from the get-go but the specific error message I was getting didn't seem to indicate it had anything to do with Windows (or Winblows as it's known as on here) security so I assumed I would just run into the same issue.

Quick question while we're on the topic though: would it more secure to run EasyRSA on an external SSD and perform this process on it as opposed to my C: drive?

from easy-rsa.

Thanks for testing.

In fact, Windblows is causing mkdir -p foo to behave in the exact opposite manner to that described in the manual.

from easy-rsa.

Quick question while we're on the topic though: would it more secure to run EasyRSA on an external SSD and perform this process on it as opposed to my C: drive?

All certificates are public.
All keys are private.
The CA key is paramount.

How you prefer to secure your data is your decision.
I am not suitably qualified to advise on such broad topics.
The OpenVPN-Users mailing list is the recommended place to ask.

from easy-rsa.

Follow-up: #1072 #1078

from easy-rsa.