Input/output error: Cannot create openssl-easyrsa.cnf #1069

Closed
Ceejus opened this issue Jan 22, 2024 · 11 comments · Fixed by #1073
Comments

@Ceejus

Ceejus commented Jan 22, 2024

New to Easy-RSA so newb warning. I'm going to assume the error I'm getting is a user error but unfortunately I can't find any information on what I'm doing wrong. I'm getting this on both Windows machines I have OpenVPN and Easy-RSA installed on (one on Windows 10 and the other on Windows 11). Suggestions?

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

EasyRSA Shell
# ./easyrsa init-pki
./easyrsa[7439]: cannot create C:/Program Files/OpenVPN/easy-rsa/pki/openssl-easyrsa.cnf: Input/output error

Easy-RSA error:

install_data_to_pki - Missing: 'openssl-easyrsa.cnf'

EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:53 CDT 2023
SSL Lib:     OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | win | @(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $ |

Edited formatting.

@TinCanTech
Collaborator

TinCanTech commented Jan 22, 2024

@Ceejus Thank you for this report.

I cannot replicate the problem here.

For testing, does ./easyrsa help work?

Also, after running (and failing to complete) init-pki, is the pki directory created with the sub-directories of private, reqs and inline?

If the pki is created, can you try to build the CA: ./easyrsa --npass build-ca.

Also, try copying the file openssl-easyrsa.cnf to the pki manually and then try to build the CA again.

@Ceejus
Author

Ceejus commented Jan 22, 2024

Thanks.
Yes, ./easyrsa help does work.
No, the pki sub-directory isn't created. Should I create this folder manually?

@TinCanTech
Collaborator

Try using the --verbose option: ./easyrsa --verbose init-pki

@Ceejus
Author

Ceejus commented Jan 22, 2024

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

EasyRSA Shell
# ./easyrsa --verbose init-pki
  > source_vars: EASYRSA_NO_VARS
  > Using Windows-System-Folders for your PKI is NOT SECURE!
Your Easy-RSA PKI CA Private Key is WORLD readable.

To correct this problem, it is recommended that you either:
* Copy Easy-RSA to your User folders and run it from there, OR
* Define your PKI to be in your User folders. EG:
  'easyrsa --pki-dir="C:/Users/<your-user-name>/easy-rsa/pki" <command>'
  > mutual_exclusions: COMPLETED
  > install_data_to_pki: x509-types-only - COMPLETED
  > verify_working_env: COMPLETED
./easyrsa[7439]: cannot create C:/Program Files/OpenVPN/easy-rsa/pki/openssl-easyrsa.cnf: Input/output error

Easy-RSA error:

install_data_to_pki - Missing: 'openssl-easyrsa.cnf'

EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:53 CDT 2023
SSL Lib:     OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | win | @(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $ |

  > Exit: Final Fail = true

@TinCanTech
Collaborator

Please try this command:

openssl dgst -sha256 ./easyrsa

@Ceejus
Author

Ceejus commented Jan 23, 2024

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

EasyRSA Shell
# openssl dgst -sha256 ./easyrsa
SHA2-256(./easyrsa)= ecb827bbda82a2832fed8c7ac0e632c1f03fdb99ec5fd1409431245ae71cfc8a

@TinCanTech
Collaborator

TinCanTech commented Jan 24, 2024

Please try this:

* Copy Easy-RSA to your User folders and run it from there

The problem is that Windows is being too secure.

Either use run-as-admin easy-rsa/EasyRSA-Start.bat, or copy the easy-rsa/ folder to your home directory and run it from there.
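
The warning in the verbose output and the fix above both turn on who can read the PKI on disk. As an added example (not part of Easy-RSA or of this thread), the PowerShell function below lists ACL entries that grant read access to broad Windows groups; the name Get-BroadReadAccess and the two ca.key paths are assumptions.

```powershell
# Added example, not Easy-RSA code. Lists ACL entries that let broad Windows
# groups read a file, e.g. the CA private key of a PKI kept under Program Files.

# Well-known SIDs (locale-independent, unlike names such as BUILTIN\Users).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadReadAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -LiteralPath $Path

    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid))   { continue }
        if (([int]$rule.FileSystemRights -band $readData) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $BroadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Assumed locations: the install path from the report and a copy in the user profile.
$candidates = @(
    'C:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key',
    (Join-Path $env:USERPROFILE 'easy-rsa\pki\private\ca.key')
)
foreach ($key in $candidates) {
    if (-not (Test-Path -LiteralPath $key)) { Write-Host "skip (not found): $key"; continue }
    $hits = @(Get-BroadReadAccess -Path $key)
    if ($hits.Count -eq 0) { Write-Host "ok: no broad read access on $key" }
    else { $hits | Format-Table -AutoSize }
}
```

An empty result for the copy under the user profile means none of the three groups can read the key; Deny entries and other principals are not evaluated here.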

@Ceejus
Author

Ceejus commented Jan 24, 2024

That worked. I saw the suggestion in a lot of different threads and should have just tried that from the get-go, but the specific error message I was getting didn't seem to indicate it had anything to do with Windows (or Winblows, as it's known on here) security, so I assumed I would just run into the same issue.

Quick question while we're on the topic though: would it be more secure to run EasyRSA on an external SSD and perform this process on it as opposed to my C: drive?

@TinCanTech
Collaborator

Thanks for testing.

In fact, Windblows is causing mkdir -p foo to behave in the exact opposite manner to that described in the manual.

@TinCanTech
Collaborator

TinCanTech commented Jan 24, 2024

> Quick question while we're on the topic though: would it be more secure to run EasyRSA on an external SSD and perform this process on it as opposed to my C: drive?

All certificates are public.
All keys are private.
The CA key is paramount.

How you prefer to secure your data is your decision.
I am not suitably qualified to advise on such broad topics.
The OpenVPN-Users mailing list is the recommended place to ask.

@TinCanTech
Collaborator

TinCanTech commented Jan 24, 2024

Follow-up: #1072 #1078

@TinCanTech TinCanTech self-assigned this Jan 24, 2024
@TinCanTech TinCanTech pinned this issue Jan 24, 2024
@TinCanTech TinCanTech added this to the v3.2.0 milestone Jan 25, 2024
@TinCanTech TinCanTech linked a pull request Jan 30, 2024 that will close this issue
@TinCanTech TinCanTech unpinned this issue Feb 4, 2024