Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
Bash Script Help
New on LowEndTalk? Please Register and read our Community Rules.

Bash Script Help

I want to automate the creation of new OpenVPN keys and I have a script for doing that. However, when I get to the point in the script where I call the "./build-key someuser" part to create the user's keys, I have to walk through answering all the questions (with a default return key) and then at the end having to hit the 'y' key followed by return twice. Is there anyway to bypass this step and just have it create the keys?

I've tried the following (and multiple variations on this) with no success:

echo -e "\n\n\n\n\n\n\n\n\ny\ny\n" | ./build-key someuser

Sarcasm: Just one more service I offer

Comments

  • jarjar Provider

    Seems a one liner would be the key. Off the top of my head I've got only theory I don't really mess with this process much but surely you can send the variables as flags to the application using a one liner.

  • use the yes command ?

  • geodirkgeodirk Member
    edited November 2013

    @exussum said:
    use the yes command ?

    Interesting idea, but unfortunately it doesn't work:

    yes | ./build-key someuser

    just returns an endless scrolling of:

    Country Name (2 letter code) [US]:string is too short, it needs to be at least 2 bytes long

    I would have thought that it would have worked as I would have assumed that it would just have taken the default [US]...but alas no.

    Sarcasm: Just one more service I offer

  • mcmyhostmcmyhost Member
    edited November 2013

    yes US | ./build-key someuser

    No Bullcrap VPS Hosting
    McMyHost - http://mcmyhost.net

  • wonder if you could build it in to a while loop with an answers file.

    Interesting problem I have never had to over come, I don't have time right now but will have a look in the morning if no solution is posted already.

    Quick search suggests: echo "Y Y N N Y N Y Y N" | ./your_script

    Or use expect

    Ant.

    I am no longer active here, find me at https://talk.lowendspirit.com (Just like LET without the scams)

  • It looks a lot like GPG's prompts. They have a batch mode option on that side.... so googling came up with this...

    http://highsecurity.blogspot.ca/2009/09/openvpn-easyrsa-batch-em.html

    I haven't tried it, but looks like it might do what you want.

  • Just so you are on the same page, here is actual output of what comes up (10 returns followed by 2 'y' then return:

    `== Starting to build client keys ==

    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

    Generating a 1024 bit RSA private key

    ......++++++

    ......................................................................++++++

    writing new private key to '.deleteme.key'

    You are about to be asked to enter information that will be incorporated
    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [US]:

    State or Province Name (full name) [CO]:

    Locality Name (eg, city) [Denver]:

    Organization Name (eg, company) [myworld.net]:

    Organizational Unit Name (eg, section) [myworld.net]:

    Common Name (eg, your name or your server's hostname) [deleteme]:

    Name [myworld.net]:

    Email Address [[email protected]]:

    Please enter the following 'extra' attributes to be sent with your certificate request

    A challenge password []:

    An optional company name []:

    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf

    Check that the request matches the signature

    Signature ok

    The Subject's Distinguished Name is as follows

    countryName :PRINTABLE:'US'

    stateOrProvinceName :PRINTABLE:'CO'

    localityName :PRINTABLE:'Denver'

    organizationName :PRINTABLE:'myworld.net'

    organizationalUnitName:PRINTABLE:'myworld.net'

    commonName :PRINTABLE:'deleteme'

    name :PRINTABLE:'myworld.net'

    emailAddress :IA5STRING:'[email protected]'

    Certificate is to be certified until Nov 24 22:54:42 2023 GMT (3650 days)

    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y

    Write out database with 1 new entries`

    Sarcasm: Just one more service I offer

  • edited November 2013

    Has anyone actually done this before or are all you guys above just guessing? :) @tchen came the closest - you want to add -batch onto the end of the openssl req line in the build_key script, and check /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf has all the $variable = optional lines already filled in.

  • @SegmentationFault said:
    Has anyone actually done this before or are all you guys above just guessing? :) tchen came the closest - you want to add -batch onto the end of the openssl req line in the build_key script, and check /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf has all the $variable = optional lines already filled in.

    OK...I tried this. I edited all the variables in the openssl-0.9.8.cnf file and then opened up the build-key script. However, the contents are not the openssl that you quoted but instead this:

    #!/bin/sh
    
    # Make a certificate/private key pair using a locally generated
    # root certificate.
    
    export EASY_RSA="${EASY_RSA:-.}"
    "$EASY_RSA/pkitool" --interact $*
    

    I swapped out --interact with --batch and here is what I came up with when I run ./build-key deleteme2:

    == Starting to build client keys ==
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
    Using Common Name: myworld.net
    Generating a 1024 bit RSA private key
    ....................................++++++
    ...................++++++
    writing new private key to 'deleteme2.key'
    -----
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'CO'
    localityName          :PRINTABLE:'Denver'
    organizationName      :PRINTABLE:'myworld.net'
    organizationalUnitName:PRINTABLE:'myworld.net'
    commonName            :PRINTABLE:'myworld.net'
    name                  :PRINTABLE:'myworld.net'
    emailAddress          :IA5STRING:'[email protected]'
    US:invalid type in 'policy' configuration
    

    The generated files are all fine with the exception of deleteme2.crt which instead of the normal 5K size is 0K.

    Closer...

    Sarcasm: Just one more service I offer

  • Weird... my build-key script looks like the one listed here.

    US:invalid type in 'policy' configuration

    Maybe an error in the openssl-0.9.8.cnf?

    Thanked by 1geodirk
  • Finally figured it out mostly thanks to @SegmentationFault's leading.

    Because the recent versions of OpenVPN do not come with EasyRSA installed anymore, you need to download a copy off of the GitHub website here for version 2:

    https://github.com/OpenVPN/easy-rsa/tree/release/2.x

    In the easy-rsa/2.0 folder, edit the build-key file to swapped out --interact with --batch

    #!/bin/sh
    
    # Make a certificate/private key pair using a locally generated
    # root certificate.
    
    export EASY_RSA="${EASY_RSA:-.}"
    "$EASY_RSA/pkitool" --batch $*
    

    Then the only other thing that needs to be done is to edit the vars file to put in your default values:

    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CO"
    export KEY_CITY="Denver"
    export KEY_ORG="MyWorld"
    export KEY_EMAIL="[email protected]"
    export KEY_OU="MyWorld"
    

    That's it...

    Sarcasm: Just one more service I offer

Sign In or Register to comment.