Config file hash failure followed by build-tls-crypt-v2 failure

[biyanpian]

Environment is Windows Server 2019
Experience/familiarity level with OpenVPN, EasyRSA, Easy-tls is minimal

I am attempting to follow an OpenVPN setup guide, and am stumped by errors at the easy-tls step.

The initial speed bump was an error message indicating failure to locate openssl.exe... Fortunately, the error disclosed where it was looking (in OpenVPN's bin dir), so I copied the exe and conf file from the EasyRSA dir into that dir. Next, I was confronted with another error message. When attempting any command (example: ./easytls init-tls), errors follow:

EasyRSA Shell
# ./easytls init-tls
Easy-TLS version: 2.6
Failed to hash config-file

ERROR:
validate_hash - test_length
generate_and_validate_file_hash - validate_hash
generate_and_validate_file_hash - generate_and_save_file_hash
config_save_hash - generate_and_save_file_hash

In the course of troubleshooting this error, I happened upon the --why-disable-file-hash option and to test, I used that option to see what else might come up. That command and subsequent commands completed (only when adding that same option)... up to the build-tls-crypt-v2-server command. When running that command (with the above option, in verbose mode), the following error occurs:

EasyRSA Shell
# ./easytls --why-disable-file-hash --verbose build-tls-crypt-v2-server WRE-OpenVPN
* config_verify_hash OK
* config_use OK
* verify_tls_init OK
* verify_master_hash OK

Easy-TLS version: 2.6/1

Error: build_tls_crypt_v2_server

ERROR:
Unknown certificate purpose
=
verify_cert_purpose failed

Assistance? Thoughts?

Thanks

[TinCanTech]

Hi,

first, thanks for trying Easy-TLS.

I hope it is ok for me to edit your post to make the correct formatting for the problem here?

I'll take a very close look at this because something is clearly wrong.

[TinCanTech]

Initial thought: Have you installed OpenVPN from an official installer ?

[biyanpian]

Yes, please feel free to format my post as you see fit... and thank you for taking the time. Some of the wording became large... I didn't intend it to be that way.

I installed from the OpenVPN community downloads, OpenVPN-2.5.3-I601-amd64.msi.

I realize that I should include the basic instructions I was following... available here: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto?__cf_chl_jschl_tk__=pmd_2bd0c84f8f74baa34930396c2a81a72ba0f3fb57-1629316146-0-gqNtZGzNAfijcnBszQgi

[TinCanTech]

Please paste the public certificate for your WRE-OpenVPN server, so that I can verify if it is valid.

The public certificate is public data and there are no security risks to publishing it.

[biyanpian]

-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIRAO7YSisU7ZsuEVvFYAUn7mswDQYJKoZIhvcNAQELBQAw
FjEUMBIGA1UEAwwLV1JFLU9wZW5WUE4wHhcNMjEwODE4MjM0NzI5WhcNMjYwODE3
MjM0NzI5WjAWMRQwEgYDVQQDDAtXUkUtT3BlblZQTjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBALRYJYMfZvMGAhTuH/jQhJHruJraMAyerhGCtaiPElt/
E5cDWM+cWSGdDC8XdGMbFC4bSi8rgLk5tUI+zRXodm1e+6gaEed2bY0bgUfLxfRc
3Xzr3iT2Lr5LZCKuO3gaeXdtZgFHgObSFGlZtpt7ZIaQWDHsqtgbkNWDVXE2SQjM
DCiuiT7jQ4b8VLu6aqqK2k9t+tpjuPr8UKqCECmg0x765Mrq6kOnQM9NxCd4tJkw
iLeSoX7d07TGCYYrl7GYZWg+hMIZcwnLZdLnTcrNADPgPnnA7APp+oXu9TMiMlTp
ksEmUbaJEjsHPmpDIq9X8+AFfEkAbNyDDpF5yqhUC0ECAwEAAaOBrzCBrDAJBgNV
HRMEAjAAMB0GA1UdDgQWBBQ1yJnLyFUNT/29Xj6B3y4rMU8HjDBGBgNVHSMEPzA9
gBRtDT8Tth4LvWqdUqhpnDMGEQk2tKEapBgwFjEUMBIGA1UEAwwLV1JFLU9wZW5W
UE6CCQCuLgxovTVIfDATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAw
FgYDVR0RBA8wDYILV1JFLU9wZW5WUE4wDQYJKoZIhvcNAQELBQADggEBAJl5cFBl
H8Z9uoiznEiGBiQ0mWEDJ3IEv5w+GhsjSU/Nu7zbUOKr6xIgC0TX5Emm27eKJCCQ
j9Nnp7C7WdLXyS2Kx+VLz3DrldilBBWa1lycPiavyLz2c9r6mVoRixuS9L+LOY6V
3mFkO+Zcb1CytinrjYFNaup9dUe/pwAlc5but9vMHoszMpSkWkByD6CnLh82jEha
Zypl0LsBHV8OKbcB/kImGXNmzRshKPg4rNKB5XBk4jZx5K5DLfN1FFoAoPgvzian
bsMdkFUA6u0h79TSXLKpPBRtnDjWg90UtKfiKNZiSSBYZ5ygf9+9w6cPPGNk9Fhd
lK8RHJNMvmmLG7o=
-----END CERTIFICATE----

[biyanpian]

Interesting that "=" appears in the error message chain, and "=" is also the last character in the certificate string.

[TinCanTech]

Mirrored and formatted:

-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIRAO7YSisU7ZsuEVvFYAUn7mswDQYJKoZIhvcNAQELBQAw
FjEUMBIGA1UEAwwLV1JFLU9wZW5WUE4wHhcNMjEwODE4MjM0NzI5WhcNMjYwODE3
MjM0NzI5WjAWMRQwEgYDVQQDDAtXUkUtT3BlblZQTjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBALRYJYMfZvMGAhTuH/jQhJHruJraMAyerhGCtaiPElt/
E5cDWM+cWSGdDC8XdGMbFC4bSi8rgLk5tUI+zRXodm1e+6gaEed2bY0bgUfLxfRc
3Xzr3iT2Lr5LZCKuO3gaeXdtZgFHgObSFGlZtpt7ZIaQWDHsqtgbkNWDVXE2SQjM
DCiuiT7jQ4b8VLu6aqqK2k9t+tpjuPr8UKqCECmg0x765Mrq6kOnQM9NxCd4tJkw
iLeSoX7d07TGCYYrl7GYZWg+hMIZcwnLZdLnTcrNADPgPnnA7APp+oXu9TMiMlTp
ksEmUbaJEjsHPmpDIq9X8+AFfEkAbNyDDpF5yqhUC0ECAwEAAaOBrzCBrDAJBgNV
HRMEAjAAMB0GA1UdDgQWBBQ1yJnLyFUNT/29Xj6B3y4rMU8HjDBGBgNVHSMEPzA9
gBRtDT8Tth4LvWqdUqhpnDMGEQk2tKEapBgwFjEUMBIGA1UEAwwLV1JFLU9wZW5W
UE6CCQCuLgxovTVIfDATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAw
FgYDVR0RBA8wDYILV1JFLU9wZW5WUE4wDQYJKoZIhvcNAQELBQADggEBAJl5cFBl
H8Z9uoiznEiGBiQ0mWEDJ3IEv5w+GhsjSU/Nu7zbUOKr6xIgC0TX5Emm27eKJCCQ
j9Nnp7C7WdLXyS2Kx+VLz3DrldilBBWa1lycPiavyLz2c9r6mVoRixuS9L+LOY6V
3mFkO+Zcb1CytinrjYFNaup9dUe/pwAlc5but9vMHoszMpSkWkByD6CnLh82jEha
Zypl0LsBHV8OKbcB/kImGXNmzRshKPg4rNKB5XBk4jZx5K5DLfN1FFoAoPgvzian
bsMdkFUA6u0h79TSXLKpPBRtnDjWg90UtKfiKNZiSSBYZ5ygf9+9w6cPPGNk9Fhd
lK8RHJNMvmmLG7o=
-----END CERTIFICATE----

[TinCanTech]

Your certificate is corrupted.

[biyanpian]

Thank you for looking into that.

Do you know if this corruption could have occurred as a result of my having copied the openssl.exe (and openssl-easyrsa.cnf) files manually from openvpn\easyrsa to openvpn\bin? I have followed those instructions 3 times (removing the contents of \pki each time), with the currrent versions of OpenVPN, EasyRSA (3.0.8-win64), and Easy-tls, so presumably the same cause is leading to corrupted certificates each time.

[TinCanTech]

No .. you have corrupted the file manually.

[biyanpian]

Interesting... not sure how I could have done that, since I haven't touched any of the files created by EasyRSA. Would you mind explaining what you mean?

[TinCanTech]

The certificate has been corrupted by human error. If it was not human then you have some very untrustworthy software on your computer which has edited the file behind your back.

I suggest you start from scratch with Easy-RSA and then Easy-TLS.

[biyanpian]

Thank you for your time and help.

I am using a remote VM-based Windows Server environment and (unless it's been hacked) I am the only one with access. I have Chrome, LogMeIn Hamachi, SoftEther, and Remote Utilities installed, exclusively. If the certificate was edited, it must have happened during a ~1-minute time window between its creation by EasyRSA and its access by Easy-tls

I'll download fresh copies and dig a little deeper into EasyRSA, then try again. I did change the certificate expiration time from the default, 825 (an odd default?), to 1825 (5 years) in EasyRSA configuration, and perhaps I made some other mistake without knowing it.

I'll post my result, and any discovered cause if I find one.

[TinCanTech]

You could try ./easyrsa show-cert for further information.

[biyanpian]

The certificate looks okay according to the show-cert function... I did a little more digging into OpenSSL and noticed that the preinstalled OpenSSL library files in the OpenVPN\bin directory differed from the ones in the OpenVPN\OpenRSA directory (from which I'd copied the OpenSSL exe and cnf)... so, EasyRSA and Easy-tls were referencing different OpenSSL libraries. Upon further experimentation, I discovered that EasyRSA is using OpenSSL v1.1.1j (exe and library files) and OpenVPN preinstalled v1.1.1k (library files).

OpenSSL has published notices of high severity vulnerabilities in the 1.1.1j version: https://www.openssl.org/news/vulnerabilities-1.1.1.html

In the interest of troubleshooting, I experimented.

I first attempted to replace the EasyRSA folder versions with the v1.1.1k exe and lib files, but encountered an error in the build-ca step. I next tried the v.1.1.1j exe with the v1.1.1k lib files, but encountered the same error (the gen-dh function was able to complete with this combination). I finally tried replacing the OpenSSL.exe and lib files in both locations with the v1.1.1j versions packaged with EasyRSA.

The EasyRSA process went smoothly, as expected, and I was able to perform the Easy-tls init-tls function. However, when I executed the build-tls-auth function, I received a Windows error message:

"The procedure entry point RSA_pkey_ctx_ctrl could not be located in the dynamic link library c:\Proga~1\bin\openvpn.exe."

I suspect that OpenVPN is relying upon the OpenSSL files which were packaged with the product (1.1.1k), and having replaced those files with the 1.1.1j versions from the EasyRSA package, for Easy-tls to function, has caused this problem.

My next step would be to restore the OpenSSL files which were packaged with OpenVPN, and direct Easy-tls to look in the EasyRSA folder for its OpenSSL files (rather than in the OpenVPN\bin folder), to see if that combination produces a functional result. I don't know if that is configurable within Easy-tls, but I'll look.

[TinCanTech]

-b|--base-dir=<DIR>    Path to OpenVPN base directory. (Windows Only)
                       Default: C:/Progra~1/OpenVPN
-o|--ovpnbin-dir=<DIR> Path to OpenVPN bin directory. (Windows Only)
                       Default: C:/Progra~1/OpenVPN/bin
-e|--ersabin-dir=<DIR> Path to Easy-RSA3 bin directory. (Windows Only)
                       Default: C:/Progra~1/Openvpn/easy-rsa/bin

[biyanpian]

Confirmation that the certificates are not corrupted seems to have been provided by a functional VPN which uses the same files that returned errors when fed to Easy-tls. The cause of the errors appears to have been mismatched OpenSSL files (between EasyRSA and Easy-tls).

If this does prove to be the cause of the errors, it seems to indicate importance in EasyRSA and Easy-tls using the same (or compatible) OpenSSL files, and likely even that OpenVPN be using the same files if its exe is being used by Open-tls (as is indicated by the Windows error message). OpenVPN and EasyRSA can apparently use different sources... at least, the ones they are currently using differ, and in concert they produce functional VPN files. In that case, also, it might be possible in Easy-tls to work around the use of different OpenSSL sources by adding more options which direct the processes to specific exe files (openssl.exe, openvpn.exe...), in addition to their containers, for more flexibility.

It seems like the -o option would work to further test, as long as that won't interfere with anything else Easy-tls might be expecting to access in the OpenVPN\bin dir. I attempted this test using the same command formatting as I used with --why-disable-file-hash, and it didn't work. I am going to paste the command entered and the error returned here, since a returned error makes it seem likely that my syntax was incorrect, and I apologize in advance for not formatting this correctly (not familiar with procedure):

EasyRSA Shell
# ./easytls --ovpnbin-dir=c:/progra~1/openvpn/easy-rsa init-tls
Easy-TLS version: 2.6

Unknown option: --ovpnbin-dir

(formatted on your behalf)

[TinCanTech]

If you are prepared to keep on testing, which is great for me because you are finding bugs, then I'm happy to help out.

On this occasion, the error is in the script with option --ovpnbin-dir, it should read --openvpn-bin-dir but the short option -o is recognised. I will also correct the source.

[TinCanTech]

Once you run --why-disable-file-hash then all your hashes go out of sync. That is why I named it as I did.

Please start with ./easytls init

And when you need help, please post the correctly formatted terminal output for review.

[biyanpian]

I stopped using the --why-disable-file-hash option a while back, and have not attempted to use anything produced with it while enabled, for obvious reasons. The two options I have recently been referencing are the -o and the -openvpn (deprecated), which designate folder and exe locations, respectively.

./easytls init appears to be functionally the same as ./easytls init-tls and results in the same hash error (when not supplied with the correct directory for the OpenSSL exe via the -o option). Both command-line options (-o and -openvpn) are necessary to proceed with further command functions. In the presence of both of said options, the command prompt window locks up when attempting the build-tls-crypt-v2-client function. I have not yet tried anything further to experiment with that.

-edited for clarity and since I located the "Insert Code" desigator for formatting.

OpenVPN did not ship with the OpenSSL binary, but it did ship with the OpenSSL library files (located in the \bin folder). The problem (for Open-TLS) is that these library files are of a different version (1.1.1k) than that of the binary and library files currently being used by OpenRSA (1.1.1j). Open-TLS is looking to the OpenVPN\bin folder for OpenSSL, hence the need to specify both the location of both the OpenSSL files (the OpenRSA root folder rather than the OpenVPN bin folder) and the OpenVPN exe (the OpenVPN bin folder) distinctly...so long as different OpenSSL file version are being used in the two respective locations.

-added for clarity.

[TinCanTech]

Please don't edit for clarity, please add comments so that people are notified. I would personally ban edits.

You have not found a difference between OpenSSL versions, you have simply not been diligent.

You have also not followed the instructions given ...
if you had done so then perhaps you would have a credible idea of your mistake.

Would you also like me to revert your post back to the incompetent mess that you initially posted ?

[biyanpian]

Sure, revert the posts back to any version you see fit. I was attempting to make things more clear in the latest posts that hadn't received replies, and updating the formatting using the "Insert Code" mode for some earlier posts. I apologize if this interfered with readability or any follow-up you were performing in connection with the earlier versions.

[TinCanTech]

You can only attempt to make things more clear if you are clear in the first place

In order to be clear in the first place, you may like to learn how to use github formatting buttons.

[TinCanTech]

With regard to your server certificate, the file that you have posted and are feeding to Easy-TLS is corrupted. It is not a valid certificate for OpenSSL. You should check your source files. Use ./easyrsa show-cert . I cannot understand how your certificate would be valid in Easy-RSA but not in Easy-TLS when both use the same OpenSSL command for verification.

[TinCanTech]

You can use ./easyrsa show-cert

[biyanpian]

What is significant is that Easy-RSA and Easy-TLS are using the same command for verification (as you said), but not the same executable and libraries (by default). -edited for clarity

I believe the reason EasyRSA is working smoothly, while Easy-tls is not, with the same certificate (created by EasyRSA), is that EasyRSA is using its own OpenSSL.exe and library files (in its root folder), distinct from the OpenSSL library used by OpenVPN (in its bin folder). The EasyRSA version is 1.1.1j, while the OpenVPN version is 1.1.1k. Easy-tls is referencing the OpenVPN bin folder, rather than the EasyRSA folder, for its OpenSSL source, by default. This makes necessary the designation of both the OpenSSL source and the OpenVPN exe for it to function (as long as the two distinct OpenSSL libararies are in play).

This has been the cause of the errors from the beginning... not the --why-disable-file-hash option, which I was using at the beginning to get more information.

[TinCanTech]

If you think that you have discovered a bug in OpenSSL then please let them know.

[TinCanTech]

The reason that your initial certificate failed is because the file was corrupt, no other reason.

[TinCanTech]

I believe the reason EasyRSA is working smoothly, while Easy-tls is not

By your own admission, you only just learnt how to quote text on github. TODAY

EasyRSA does not work smoothly it has a number of bugs.

[wiscii]

What output do you get from ./easytls init

[biyanpian]

To provide evidence, and as much consolidated information as possible, I will re-install the way I initially did (EasyRSA manually), and run the commands, including show-cert, in each of the 3 ways I tested; then, I will reinstall as I have it now (EasyRSA along with OpenVPN), and run the Easy-TLS commands plus EasyRSA's show-cert. I'll post the command and output chains at the end of this comment, and hopefully that will suffice.

The certificate which you fed into Easy-TLS was corrupt as is evident from what you posted.

The certificate(s) which I fed to Easy-TLS were many, and included the 2nd certificate which I posted, about which you have not commented directly; All of the certificates which I tested (except for the first, which I had already deleted by that point in time) produced the same error output in Easy-TLS as the first, in the early environment, and worked fine in the late (fixed) environment. Whether or not all of those files were corrupt did not apparently factor in their processing, while a change to the installation method (and the OpenSSL files being used) did.

I don't know to what "assumptions" you are referring...still. Some of my earlier comments have been incorrect (specifically those referring to the command-line options being necessary to move forward), having been based on reference to OpenRSA (3.0.8) having been manually installed rather than as part of the OpenVPN package...since they were in fact necessary for me to move forward under those conditions; but, at the same time, the original problem, in its entirety, was brought about by the same factor.

1. If you believe OpenSSL version has anything to do with it then you do not understand how X509 works,
   If you did know then you would know how to verify your certificate and how it is corrupted.

1. It was a mismatch of OpenSSL files which was causing my problem. I was performing the tests, and I am convinced by the results, and it doesn't seem that any special X509 knowledge is required to troubleshoot this. That said, I don't have much of an idea of how X509 works, regardless, as I haven't investigated it. Again, whether or not the files have been corrupted did not appear to be a factor, and they were all produced using the same method.

2. You were unable to format your own posts correctly in this thread.

2. Perhaps this relates to the thread topic(?), but I don't see how. On the surface, the comment appears to be ad hominem. This conversation, collectively, has been my first time posting in a Github thread, and I learned to format while participating in it, in part thanks to your urging.

3. I simply do not believe what you claim to be true.

3. That doesn't deeply concern me. I would prefer that you did believe what I claim to be true (only if it is, in fact, true), but being an expert with the elements involved, you already know how to avoid the installation error I made originally. At this point, my concern would be for those (if any) who might make the same installation mistake, who are unfamiliar with the elements involved, in order to save them a little time. My impression is still that the problem was caused by mismatched OpenSSL files.

The whole enchilada below -- Pasted command prompt text follows, with nothing omitted or changed, except during gen-dh as noted.

With original installation setup (EasyRSA 3.0.8 installed manually, basic custom options including 1825 day cert validity):

c:\PROGRA~1\OpenVPN\Easy-RSA>easyrsa-start

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

EasyRSA Shell
# ./easyrsa init-pki
path = /temp/easy-rsa-5332.a01744/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmpE435.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmpE435.tmp
fd = 3

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: c:/PROGRA~1/OpenVPN/Easy-RSA/pki



EasyRSA Shell
# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

(deleted the field of . and + to save space)

DH parameters of size 2048 created at c:/PROGRA~1/OpenVPN/Easy-RSA/pki/dh.pem



EasyRSA Shell
# ./easyrsa build-ca nopass
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018
path = /temp/easy-rsa-5456.a05972/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp60D2.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp60D2.tmp
fd = 3
path = /temp/easy-rsa-5456.a05972/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp619D.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp619D.tmp
fd = 3
Generating RSA private key, 2048 bit long modulus
......+++++
........................+++++
e is 65537 (0x010001)
path = /temp/easy-rsa-5456.a05972/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp62D6.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp62D6.tmp
fd = 3
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Testy-Test

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
c:/PROGRA~1/OpenVPN/Easy-RSA/pki/ca.crt



EasyRSA Shell
# ./easyrsa build-server-full Testy-Test nopass
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018
path = /temp/easy-rsa-3016.a05280/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp2693.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp2693.tmp
fd = 3
path = /temp/easy-rsa-3016.a05280/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp275E.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp275E.tmp
fd = 3
path = /temp/easy-rsa-3016.a05280/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp281A.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp281A.tmp
fd = 3
Generating a RSA private key
..............+++++
..............................................................+++++
writing new private key to '/temp/easy-rsa-3016.a05280/tmp.a04776'
-----
path = /temp/easy-rsa-3016.a05280/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp2EE0.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp2EE0.tmp
fd = 3
path = /temp/easy-rsa-3016.a05280/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp31CE.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp31CE.tmp
fd = 3
path = /temp/easy-rsa-3016.a05280/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp33D2.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp33D2.tmp
fd = 3
path = /temp/easy-rsa-3016.a05280/tmp.XXXXXX
lpPathBuffer = C:\Users\ADMINI~1\AppData\Local\Temp\2\
szTempName = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp349D.tmp
path = C:\Users\ADMINI~1\AppData\Local\Temp\2\tmp349D.tmp
fd = 3
Using configuration from /temp/easy-rsa-3016.a05280/tmp.a04268
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'Testy-Test'
Certificate is to be certified until Aug 24 05:18:30 2026 GMT (1825 days)

Write out database with 1 new entries
Data Base Updated


EasyRSA Shell
# ./easyrsa show-cert Testy-Test
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018

Showing cert details for 'Testy-Test'.
This file is stored at:
c:/PROGRA~1/OpenVPN/Easy-RSA/pki/issued/Testy-Test.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:14:cd:49:a8:de:10:c0:75:97:2a:ff:38:0a:7b:4f
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Testy-Test
        Validity
            Not Before: Aug 25 05:18:30 2021 GMT
            Not After : Aug 24 05:18:30 2026 GMT
        Subject:
            commonName                = Testy-Test
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                02:34:72:B3:EE:CF:B3:0D:98:16:D0:D2:A6:C0:88:27:58:B5:09:BD
            X509v3 Authority Key Identifier:
                keyid:7E:C0:55:6B:85:A8:32:EE:F0:79:1D:41:91:AA:14:C2:86:D2:71:AC
                DirName:/CN=Testy-Test
                serial:F5:2B:F5:0A:28:F1:DF:68

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:Testy-Test


EasyRSA Shell
# ./easytls init-tls
Easy-TLS version: 2.6
Failed to hash config-file

ERROR:
validate_hash - test_length
generate_and_validate_file_hash - validate_hash
generate_and_validate_file_hash - generate_and_save_file_hash
config_save_hash - generate_and_save_file_hash

EasyRSA Shell
#

Delete the pki\easytls folder, and test with --why-disable-file-hash option:

EasyRSA Shell
# ./easyrsa show-cert Testy-Test
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018

Showing cert details for 'Testy-Test'.
This file is stored at:
c:/PROGRA~1/OpenVPN/Easy-RSA/pki/issued/Testy-Test.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:14:cd:49:a8:de:10:c0:75:97:2a:ff:38:0a:7b:4f
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Testy-Test
        Validity
            Not Before: Aug 25 05:18:30 2021 GMT
            Not After : Aug 24 05:18:30 2026 GMT
        Subject:
            commonName                = Testy-Test
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                02:34:72:B3:EE:CF:B3:0D:98:16:D0:D2:A6:C0:88:27:58:B5:09:BD
            X509v3 Authority Key Identifier:
                keyid:7E:C0:55:6B:85:A8:32:EE:F0:79:1D:41:91:AA:14:C2:86:D2:71:AC
                DirName:/CN=Testy-Test
                serial:F5:2B:F5:0A:28:F1:DF:68

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:Testy-Test


EasyRSA Shell
# easytls --why-disable-file-hash init-tls

Saved CA Identity: c:/PROGRA~1/OpenVPN/Easy-RSA/pki/easytls/data/easytls-ca-identity.txt

init-tls complete; you may now create TLS keys and .inline files.
  Your newly created TLS dir is:

    c:/PROGRA~1/OpenVPN/Easy-RSA/pki/easytls

To configure your Easy-TLS custom group now, use:
    'easytls config custom.group YOUR_GROUP'

To configure your Easy-TLS temporary directory now, use:
    'easytls config tmp.dir YOUR_DIR'

Recommended temporary directory setting:
    Windows - c:/Windows/Temp (Use '/' NOT '\')



EasyRSA Shell
# easytls --why-disable-file-hash build-tls-auth

TLS auth key created: c:/PROGRA~1/OpenVPN/Easy-RSA/pki/easytls/tls-auth.key


EasyRSA Shell
# easytls --why-disable-file-hash build-tls-crypt

TLS crypt v1 key created: c:/PROGRA~1/OpenVPN/Easy-RSA/pki/easytls/tls-crypt.key


EasyRSA Shell
# easytls --why-disable-file-hash build-tls-crypt-v2-server Testy-Test
Easy-TLS version: 2.6/1
Error: build_tls_crypt_v2_server

ERROR:
Unknown certificate purpose
=
verify_cert_purpose failed

EasyRSA Shell
#

Delete the pki\easytls folder, and test with the --openvpn-bin-dir and --openvpn options:

EasyRSA Shell
# ./easytls --openvpn-bin-dir=c:/progra~1/openvpn/easy-rsa --openvpn=c:/progra~1/openvpn/bin/openvpn.exe init-tls

Saved CA Identity: ./pki/easytls/data/easytls-ca-identity.txt

init-tls complete; you may now create TLS keys and .inline files.
  Your newly created TLS dir is:

    ./pki/easytls

To configure your Easy-TLS custom group now, use:
    'easytls config custom.group YOUR_GROUP'

To configure your Easy-TLS temporary directory now, use:
    'easytls config tmp.dir YOUR_DIR'

Recommended temporary directory setting:
    Windows - c:/Windows/Temp (Use '/' NOT '\')



EasyRSA Shell
# ./easytls --openvpn-bin-dir=c:/progra~1/openvpn/easy-rsa --openvpn=c:/progra~1/openvpn/bin/openvpn.exe build-tls-auth

TLS auth key created: ./pki/easytls/tls-auth.key


EasyRSA Shell
# ./easytls --openvpn-bin-dir=c:/progra~1/openvpn/easy-rsa --openvpn=c:/progra~1/openvpn/bin/openvpn.exe build-tls-crypt

TLS crypt v1 key created: ./pki/easytls/tls-crypt.key


EasyRSA Shell
# ./easytls --openvpn-bin-dir=c:/progra~1/openvpn/easy-rsa --openvpn=c:/progra~1/openvpn/bin/openvpn.exe build-tls-crypt-v2-server Testy-Test

(Command Prompt lockup)
(Terminated Command Prompt)

Uninstall all, install as with current installation setup (EasyRSA installed as part of OpenVPN package, same pki folder as produced during first part & same EasyRSA file custom options):

c:\PROGRA~1\OpenVPN\Easy-RSA>easyrsa-start

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

EasyRSA Shell
# ./easyrsa show-cert Testy-Test
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021

Showing cert details for 'Testy-Test'.
This file is stored at:
c:/PROGRA~1/OpenVPN/Easy-RSA/pki/issued/Testy-Test.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:14:cd:49:a8:de:10:c0:75:97:2a:ff:38:0a:7b:4f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Testy-Test
        Validity
            Not Before: Aug 25 05:18:30 2021 GMT
            Not After : Aug 24 05:18:30 2026 GMT
        Subject:
            commonName                = Testy-Test
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                02:34:72:B3:EE:CF:B3:0D:98:16:D0:D2:A6:C0:88:27:58:B5:09:BD
            X509v3 Authority Key Identifier:
                keyid:7E:C0:55:6B:85:A8:32:EE:F0:79:1D:41:91:AA:14:C2:86:D2:71:AC
                DirName:/CN=Testy-Test
                serial:F5:2B:F5:0A:28:F1:DF:68

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:Testy-Test


EasyRSA Shell
# ./easytls init-tls

Saved CA Identity: ./pki/easytls/data/easytls-ca-identity.txt

init-tls complete; you may now create TLS keys and .inline files.
  Your newly created TLS dir is:

    ./pki/easytls

To configure your Easy-TLS custom group now, use:
    'easytls config custom.group YOUR_GROUP'

To configure your Easy-TLS temporary directory now, use:
    'easytls config tmp.dir YOUR_DIR'

Recommended temporary directory setting:
    Windows - c:/Windows/Temp (Use '/' NOT '\')



EasyRSA Shell
# ./easytls build-tls-auth

TLS auth key created: ./pki/easytls/tls-auth.key


EasyRSA Shell
# ./easytls build-tls-crypt

TLS crypt v1 key created: ./pki/easytls/tls-crypt.key


EasyRSA Shell
# ./easytls build-tls-crypt-v2-server Testy-Test

TLS crypt v2 server key created: ./pki/easytls/Testy-Test-tls-crypt-v2.key


EasyRSA Shell
#

[TinCanTech]

A prerequisite to using Easy-TLS is to install OpenVPN and Easy-RSA-3 by using the Official Openvpn Installer.

[TinCanTech]

And this is my result from manually installing Easy-RSA 3 from the source, with no issues:

EasyRSA Shell
# ./easyrsa init-pki
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-2704.a02780/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpF120.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpF120.tmp
fd = 4

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: C:/Program Files/OpenVPN/easy-rsa/pki


EasyRSA Shell
# ./easyrsa build-ca nopass
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3696.a02704/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp854A.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp854A.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3696.a02704/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp85A8.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp85A8.tmp
fd = 4
Generating RSA private key, 2048 bit long modulus
................................................................+++++
..+++++
e is 65537 (0x010001)
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3696.a02704/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp879C.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp879C.tmp
fd = 4
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
C:/Program Files/OpenVPN/easy-rsa/pki/ca.crt



EasyRSA Shell
# ./easyrsa build-server-full s1 nopass
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a02476/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpC159.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpC159.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a02476/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpC1B7.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpC1B7.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a02476/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpC205.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpC205.tmp
fd = 4
Generating a RSA private key
...........................+++++
...........................+++++
writing new private key to 'C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a
02476/tmp.a04040'
-----
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a02476/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpC64B.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpC64B.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a02476/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpC793.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpC793.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a02476/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpC84E.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpC84E.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a02476/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpC88D.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpC88D.tmp
fd = 4
Using configuration from C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-568.a024
76/tmp.a03968
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'s1'
Certificate is to be certified until Nov 28 13:50:34 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated


EasyRSA Shell
# ./easyrsa build-client-full c1 nopass
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-964.a00284/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpF913.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpF913.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-964.a00284/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpF961.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpF961.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-964.a00284/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpF9AF.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpF9AF.tmp
fd = 4
Generating a RSA private key
.....+++++
..........................+++++
writing new private key to 'C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-964.a
00284/tmp.a01632'
-----
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-964.a00284/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpFD2A.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpFD2A.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-964.a00284/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpFDB6.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpFDB6.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-964.a00284/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmpFE04.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmpFE04.tmp
fd = 4
Using configuration from C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-964.a002
84/tmp.a02576
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'c1'
Certificate is to be certified until Nov 28 13:50:47 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated


EasyRSA Shell
# ./easyrsa build-client-full c2 nopass
Using SSL: openssl OpenSSL 1.1.0j  20 Nov 2018
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3972.a03148/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp148A.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp148A.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3972.a03148/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp14E8.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp14E8.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3972.a03148/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp1536.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp1536.tmp
fd = 4
Generating a RSA private key
..+++++
.........................+++++
writing new private key to 'C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3972.
a03148/tmp.a02732'
-----
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3972.a03148/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp1814.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp1814.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3972.a03148/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp18C0.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp18C0.tmp
fd = 4
path = C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3972.a03148/tmp.XXXXXX
lpPathBuffer = C:\Users\IEUser\AppData\Local\Temp\
szTempName = C:\Users\IEUser\AppData\Local\Temp\tmp18FF.tmp
path = C:\Users\IEUser\AppData\Local\Temp\tmp18FF.tmp
fd = 4
Using configuration from C:/Program Files/OpenVPN/easy-rsa/pki/easy-rsa-3972.a03
148/tmp.a03556
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'c2'
Certificate is to be certified until Nov 28 13:50:54 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated


EasyRSA Shell
# ./easytls init

Saved CA Identity: C:/Progra~1/OpenVPN/easy-rsa/pki/easytls/data/easytls-ca-iden
tity.txt

init-tls complete; you may now create TLS keys and .inline files.
  Your newly created TLS dir is:

    C:/Progra~1/OpenVPN/easy-rsa/pki/easytls

To configure your Easy-TLS custom group now, use:
    'easytls config custom.group YOUR_GROUP'

To configure your Easy-TLS temporary directory now, use:
    'easytls config tmp.dir YOUR_DIR'

Recommended temporary directory setting:
    Windows - C:/Windows/Temp (Use '/' NOT '\')



EasyRSA Shell
# ./easytls help

Easy-TLS usage and overview

USAGE: easytls [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, use:
  ./easytls help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easytls help options

For a list of abbreviated command names, use:
  ./easytls help abb

For a list of configurable options, use:
  ./easytls help config

Here is the list of commands available with a short syntax reminder.
Use the 'help' command above to get full usage details.

  config
  init-tls <hash_algorithm> no-ca
  build     :Inter-active menu to build TLS keys
  inline    :Inter-active menu to build Inline files
  remove    :Inter-active menu to remove TLS keys and Inline files
  script    :Inter-active menu to configure Server scripts
  selfsign  :Inter-active menu to build and inline self-signed certificates
  self-sign-server
  self-sign-client
  build-tls-auth
  build-tls-crypt
  build-tls-crypt-v2-server <server_filename_base>
  build-tls-crypt-v2-client
        <server_filename_base> <client_filename_base> <HW-ADDR> <HW-ADDR>
  remove-tlskey <client_filename_base>
  save-id
  status [ cmd-opts ]
  inline-tls-auth <filename_base> <key_direction> [ cmd-opts ]
  inline-tls-crypt <filename_base> [ cmd-opts ]
  inline-tls-crypt-v2 <filename_base> [ cmd-opts ]
  remove-inline <filename_base>
  remove-metadata <filename_base> pattern
  inline-show <filename_base>
  inline-index-rebuild
  inline-expire <filename_base>
  cert-expire <filename_base> | <ca>
  disable <filename_base>
  enable <filename_base>
  disabled-list-rehash

No-CA Mode commands:
  self-sign-server <filename_base>
  self-sign-client <filename_base>

Easy-TLS also has a useful Howto and wiki with expanded help and examples:
* https://github.com/TinCanTech/easy-tls/blob/master/EasyTLS-Howto-ii.md
* https://github.com/TinCanTech/easy-tls/wiki

DIRECTORY STATUS (commands would take effect on these locations)
  EASYTLS: C:/Progra~1/OpenVPN/easy-rsa
      PKI: C:/Progra~1/OpenVPN/easy-rsa/pki
      TLS: C:/Progra~1/OpenVPN/easy-rsa/pki/easytls


EasyRSA Shell
# ./easytls build-tls-crypt-v2-server s1

TLS crypt v2 server key created: C:/Progra~1/OpenVPN/easy-rsa/pki/easytls/s1-tls
-crypt-v2.key


EasyRSA Shell
# ./easytls build-tls-crypt-v2-client s1 c1

TLS crypt v2 client key created: C:/Progra~1/OpenVPN/easy-rsa/pki/easytls/c1-tls
-crypt-v2.key


EasyRSA Shell
#

[TinCanTech]

It is possible that you will have better luck using Easy-TLS master (v2.6) not version 2.5

[biyanpian]

It is possible that you will have better luck using Easy-TLS master (v2.6) not version 2.5

I installed from master (as of the date of the beginning of the conversation)... forgot to include that tidbit originally.

Everything I ran worked fine once I installed from the OpenVPN installer... same Easy-TLS files, of course.

[TinCanTech]

For future reference, if you are using Windows then you must install OpenVPN and Easy-RSA-3 by using the official Openvpn-installer. See: Download and install Easy-TLS