openvpn openssl.cnf file missing

Sory - thats is porely explained.

The problem is the openvpn package needs a openssl.cnf file for the correct version of openssl which is 1.0.1.
As it does not have one, it defaults to openssl.cnf which does not exist.
Creating a link openssl.cnf >> openssl-1.0.0.cnf seems to solve the problem.
Hope that explains it a bit better.

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/998918/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

Hello
Can you try to reinstall openssl, i've got the file and the link under
/etc/ssl
---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

so have I, but the script whichopensslcnf (in the easy-rsa directory of openvpn) expects to find an openssl.cnf file in the same directory as itself

I hope this helps clarify things. Below are the instructions on how to set up an openvpn server from the ubuntu help page (ill keep them brief) located here - https://help.ubuntu.com/community/OpenVPN.

Following the instructions are my results.

Create the CA:

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

Results:

Using CA Common Name: changeme
grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
username@vpnserver001:/etc/openvpn/easy-rsa$ ./pkitool --server server
Using Common Name: changeme
grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
username@vpnserver001:/etc/openvpn/easy-rsa$ cd keys
username@vpnserver001:/etc/openvpn/easy-rsa/keys$ openvpn --genkey --secret ta.key
username@vpnserver001:/etc/openvpn/easy-rsa/keys$ sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
cp: cannot stat `server.crt': No such file or directory
cp: cannot stat `server.key': No such file or directory
cp: cannot stat `ca.crt': No such file or directory

 I am running the above commands on Ubuntu 12.04 64Bit, I installed Ubuntu using the Alternative install.

I appreciate everything that everyone here does to make Ubuntu what it is. Getting this problem fixed is going to allow me to fully migrate over to 12.04. Let me know if I can be of any assistance.

This is exactly the problem I encountered and which needs fixing.

As a work around, I added a link to openssl-1.0.0.cnf with the name of openssl.cnf in the same directory:

cd /etc/openvpn/easy-rsa
sudo ln -s openssl-1.0.0.cnf openssl.cnf

This worked, created the necessary certificate file and it is all working fine now.

But that means that something is wrong with the package, as it seems to be missing a file.
It also strikes me that there may be a missing openssl-1.0.1.cnf file.

I spent a little time debugging this. I don't think it is a matter of a missing config file.

When you 'source vars', one of the things that happens is this:

> # This variable should point to
> # the openssl.cnf file included
> # with easy-rsa.
> export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

If you look at whichopensslcnf, you see that the first section includes logic for determining the correct config file to used based on the OpenSSL version installed on the system.

On my system (12.04 lts), 'openssl version' produces the following output:

> # openssl version
> OpenSSL 1.0.1 14 Mar 2012

Which, presumably, should generate a match in this code in whichopensslcnf:

> elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then
> cnf="$1/openssl-1.0.0.cnf"
> else
> cnf="$1/openssl.cnf"
> fi

Instead it is falling through to the default value (tested by running the grep command on its own) , which results in the output noted by others above.

One workaround is to symlink openssl.cnf to the appropriate config file mentioned above. The solution is to fix the pattern matching...

Hi,

I am running into this problem too. The issue, as eas mentioned, is in the pattern matching.

On Ubuntu 12.04.2 LTS (Precise):

> ~# dpkg -l | grep -i openssl
> ii openssl 1.0.1-4ubuntu5.9 Secure Socket Layer (SSL) binary and related cryptographic tools
> ~# openssl version
> OpenSSL 1.0.1 14 Mar 2012

On Debian 7 (Wheezy):

> ~# dpkg -l | grep -i openssl
> ii openssl 1.0.1e-2 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
> ~# openssl version
> OpenSSL 1.0.1e 11 Feb 2013

In ./easy-rsa/whichopensslcnf, this line tries to match [[:alnum:]] after [[:digit:]], which is non existent for the Ubuntu package.

> elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])" > /dev/null; then

Running this pattern match manually reproduces this;

On Ubuntu 12.04.2 LTS (Precise):

> ~# openssl version | grep -E "1\.0\.([[:digit:]][[:alnum:]])"
> ~# echo $?
> 1

On Debian 7 (Wheezy):

> ~ # openssl version | grep -E "1\.0\.([[:digit:]][[:alnum:]])"
> OpenSSL 1.0.1e 11 Feb 2013
> ~# echo $?
> 0

The easy fix is to remove [[:alnum:]] from the regex, but I am not sure if that would introduce regressions.

More foolproof solution would be for the script to check if it's running on Debian or Ubuntu and take that into consideration when doing the pattern match.

It will also be interesting to know why the Debian package has "e" in its version number and the Ubuntu package doesn't.

This is really sloppy package management, come on guys, please provide a fix for this.

ps. and people still ask me why I recommend Debian and Fedora over Ubuntu...