OpenSSL and error in reading openssl.conf file
I

19

156

I am running Windows XP 32-bit.

I just downloaded OpenSSL from the following URL and installed it. http://www.slproweb.com/products/Win32OpenSSL.html

and then I tried to create a self signed certificate by using the following command

openssl req -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem

then it started giving the following error

Unable to load config info from /usr/local/ssl/openssl.cnf

After some googling, I changed the above command to

openssl req -config C:\OpenSSL\bin\openssl.conf -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem

But now I get the following error in the command prompt

error on line -1 of C:\OpenSSL\bin\openssl.conf
4220:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:126:fopen('C:\OpenSSL\bin\openssl.conf','rb')
4220:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:129:
4220:error:0E078072:configuration file routines:DEF_LOAD:no such file:.\crypto\conf\conf_def.c:197:
Isobelisocheim answered 9/9, 2011 at 10:55 Comment(5)
check exact filename: openssl.conf ---> openssl.cnf - Anatase
the file extension on Windows is now .cfg. Also ensure that the file path specified (on the command line or in the environment variable OPENSSL_CONF) is not inside quotes. - Frugal
The file extension (.cnf/.cfg) appears to vary depending upon what was used to install OpenSSL. On a WampServer v3.2.2 install I just did the configuration filename was openssl.cnf. I also did a Windows 10 64-bit install using the binaries from Shining Path Productions. The file name in that installation was openssl.cfg. This difference in OpenSSL configuration file extension names appears to be compile dependent. I haven't tested yet which extension name is recognized by OpenSSL v1.1.1g. - Flowerlike
you might also want to change the hostcert file extension to .crt or to .cer? - Hercules
We should check our installation, I installed openssl lite, which does not have this config file. Now I am using git's ssl, more on that here #50625783 - Buskus
M
168

On Windows you can also set the environment property OPENSSL_CONF. For example, from the command line you can type:

set OPENSSL_CONF=c:/libs/openssl-0.9.8k/openssl.cnf

To validate it you can type:

echo %OPENSSL_CONF%

You can also set it as part of the computer's environmental variables so all users and services have it available by default. See, for example, Environment variables in Windows NT and How To Manage Environment Variables in Windows XP.

Now you can run openssl commands without having to pass the config location parameter.

Misfire answered 28/6, 2012 at 9:26 Comment(6)
Thanks, worked for me! ( set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg ) - Scarberry
@jww tried this but it tells me set is an invalid command. any ideas? - Leitmotif
@Leitmotif - set is a Windows command, and it's meant to be run from cmd.exe. It won't work on a non-Windows machine. The set and echo thing does not work in PowerShell, either. You would use something like $X=1; Write-Output $X. - Mendie
@Mendie thank you. I am on a Windows machine but I was using that command in the openssl.exe instead of cmd.exe. I read your comment and went to cmd.exe and typed the set command there instead. It worked correctly but I was still getting the same error in the openssl.exe saying "Unable to load config info from wrong_path/ssl/openssl.cnf" so I tried the solution below saying to add the parameter -config with your openssl directory and that worked perfect. so I'm happy. thanks for the help :) - Leitmotif
Should be marked as answer. Frankly should be unnecessary too. Why does this OpenSSL Windows distro not simply default to PWD for example? - Upthrust
Setting the OPENSSL_CONF variable, or specifying config file from openssl command, I still receive the same error on \crypto\bio\bss_file.c file. Now the config file is correctly read but there is some other problem. - Hominid
T
50

Just add to your command line the parameter -config c:\your_openssl_path\openssl.cfg, changing your_openssl_path to the real installed path.

Tronna answered 14/3, 2013 at 17:31 Comment(3)
great, been following this blog post ajden.towfeek.se/post/… and adding -config works for cygwin too e.g. $ openssl ca -in server.csr -config /etc/ssl/openssl.cnf But why doesn't that -config get listed in man openssl? openssl.org/docs/apps/openssl.html - Halle
@nneonneo tried this and the above solution but it tells me set and config are invalid commands. any ideas? - Leitmotif
set only works on Windows; config is not an independent command (you append it to your OpenSSL command line). - Paction
F
39

Just create an openssl.cnf file yourself like this in step 4: http://www.flatmtn.com/article/setting-openssl-create-certificates

Edit after link stopped working: the content of the openssl.cnf file was the following:

#
# OpenSSL configuration file.
#

# Establish working directory.

dir                 = .

[ ca ]
default_ca              = CA_default

[ CA_default ]
serial                  = $dir/serial
database                = $dir/certindex.txt
new_certs_dir               = $dir/certs
certificate             = $dir/cacert.pem
private_key             = $dir/private/cakey.pem
default_days                = 365
default_md              = md5
preserve                = no
email_in_dn             = no
nameopt                 = default_ca
certopt                 = default_ca
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName         = match
organizationName            = match
organizationalUnitName          = optional
commonName              = supplied
emailAddress                = optional

[ req ]
default_bits                = 1024          # Size of keys
default_keyfile             = key.pem       # name of generated keys
default_md              = md5               # message digest algorithm
string_mask             = nombstr       # permitted characters
distinguished_name          = req_distinguished_name
req_extensions              = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------    ----------------------------------
0.organizationName          = Organization Name (company)
organizationalUnitName          = Organizational Unit Name (department, division)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name (city, district)
stateOrProvinceName         = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max              = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
#------------------------     ------------------------------
0.organizationName_default      = My Company
localityName_default            = My Town
stateOrProvinceName_default     = State or Providence
countryName_default         = US

[ v3_ca ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always

[ v3_req ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier            = hash
Fidelafidelas answered 3/11, 2011 at 13:33 Comment(0)
M
18

If you have installed Apache with OpenSSL, navigate to the bin directory. In my case D:\apache\bin.

*These commands also work if you have a standalone installation of OpenSSL.

Run these commands:

openssl req -config d:\apache\conf\openssl.cnf -new -out d:\apache\conf\server.csr -keyout d:\apache\conf\server.pem
openssl rsa -in d:\apache\conf\server.pem -out d:\apache\conf\server.key
openssl x509 -in d:\apache\conf\server.csr -out d:\apache\conf\server.crt -req -signkey d:\apache\conf\server.key -days 365

*This will create a self-signed certificate that you can use for development purposes.

Again, if you have Apache installed, put these in httpd.conf:

  <IfModule ssl_module>
    SSLEngine on
    SSLCertificateFile "D:/apache/conf/server.crt"
    SSLCertificateKeyFile "D:/apache/conf/server.key"
  </IfModule>
Mongolian answered 7/3, 2012 at 9:31 Comment(3)
The fellow asking the question clearly stated he was using Win32OpenSSL. Where did the Apache stuff come from? How is it relevant to the question? - Mendie
Of course it is, installing OpenSSL that comes separately or with Apache is the same thing. I have added the Apache bit because in 95% of cases the reason for installing OpenSSL on Windows is because it is going to be used with Apache. - Mongolian
This is useful because XAMPP includes OpenSSL inside of Apache folder. - June
R
18
set OPENSSL_CONF=c:/{path to openSSL}/bin/openssl.cfg

take care of the right extension (openssl.cfg not cnf)!

I have installed OpenSSL from here: http://slproweb.com/products/Win32OpenSSL.html

Revise answered 16/11, 2013 at 16:24 Comment(1)
The installation link helped, I downloaded 0.9.8 from somewhere else and it was not working. Thank you. - Downes
G
13

I just had a similar error using the openssl.exe from the Apache for Windows bin folder. I had the -config flag specified but had a typo in the path of the openssl.cnf file. I think you'll find that

openssl req -config C:\OpenSSL\bin\openssl.conf -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem

should be

openssl req -config "C:\OpenSSL\bin\openssl.cnf" -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem

Note: the conf should probably be cnf.

Gaby answered 4/6, 2012 at 12:32 Comment(0)
K
13

Just try to run openssl.exe as administrator.

Kistner answered 16/12, 2012 at 17:7 Comment(3)
You should not have to run these commands as an administrator to get them to work. It's better to fix the underlying problem. - Mendie
If it's installed to the program files directory on the system drive, running the command with elevated rights is required, you don't have write permissions otherwise. - Bentham
This worked for me. I don't know why it was trying to access C:\Program Files\Common Files\SSL/openssl.cnf and then when running as admin suddenly it didn't care it couldn't find it (and didn't create the file either) but this worked for me so I don't care either. - Escrow
B
9

If you installed OpenSSL on Windows together with Git, then add this to your command:

-config "C:\Program Files\Git\usr\ssl\openssl.cnf"
Beechnut answered 8/1, 2021 at 11:18 Comment(0)
V
6

I had the same issue on Windows. It was resolved by setting the environment variable as follows:

Variable name: OPENSSL_CONF
Variable value: C:(OpenSSl Directory)\bin\openssl.cnf

Verdaverdant answered 15/8, 2019 at 14:22 Comment(0)
C
4

If the openssl installation was successful, search for "OPENSSL" in the C drive to locate the config file and set the path.

set OPENSSL_CONF=<location where cnf is available>/openssl.cnf

It worked out for me.

Comstock answered 26/6, 2015 at 7:39 Comment(0)
S
4

https://github.com/xgqfrms-gildata/App001/issues/3

  1. first, make sure you have an openssl.cnf file in the right path;
  2. if you can't find it, just download one and copy it to your setting path.
$ echo %OPENSSL_CONF%

$ set OPENSSL_CONF=C:\OpenSSL\bin\openssl.cnf
Stretto answered 25/6, 2017 at 15:38 Comment(3)
OpenSSL & node.js - Stretto
could not find C:\OpenSSL\ - Dovetailed
@SnehalDwivedi please follow the steps as I described. - Stretto
A
3

The problem here is that there ISN'T an openssl.cnf file given with the GnuWin32 openssl stuff. You have to create it. You can find out HOW to create an openssl.cnf file by going here:

http://www.flatmtn.com/article/setting-ssl-certificates-apache

Where it lays it all out for you on how to do it.

PLEASE NOTE: The openssl command given with the backslash at the end is for UNIX. For Windows: 1) Remove the backslash, and 2) Move the second line up so it is at the end of the first line. (So you get just one command.)

ALSO: It is VERY important to read through the comments. There are some changes you might want to make based upon them.

Afterheat answered 14/6, 2015 at 14:54 Comment(0)
L
3

This workaround helped us so much at my job (Tech Support), we made a simple batch file we could run from anywhere (we didn't have the permissions to install it). This workaround will set the variable and then run OpenSSL for you. It also opens up the bin folder for you (because this is where any files you create or modify will be saved). Also, this is only for Windows.

How to Set Up:

  1. Download the OpenSSL binaries here. (Note that this is confirmed to work with version 0.9.8h.)
  2. Copy this code to a file named StartOpenSSL.bat. Save this to a location of your choice. It can be run from anywhere.

    @echo off
    title OpenSSL
    
    rem /d also switches the drive, so this works when started from another drive
    cd /d C:\openssl\bin
    
    if exist "C:\openssl\share\openssl.cnf" (
    
    set OPENSSL_CONF=c:/openssl/share/openssl.cnf
    start explorer.exe c:\openssl\bin
    
    echo Welcome to OpenSSL
    
    openssl
    
    ) else (
    
    echo Error: openssl.cnf was not found
    echo File openssl.cnf needs to be present in c:\openssl\share
    pause
    
    )
    
    exit
    
  3. Once you have downloaded the OpenSSL binaries, extract them to your C drive in a folder titled OpenSSL. (The path needs to be C:\OpenSSL). Do not move any of the folder's contents around, just extract them to the folder.
  4. You are ready to use OpenSSL. This is a great workaround for Windows users who don't have the privileges to install it as it requires no permissions. Just run the bat file from earlier by double clicking it.
Lupus answered 10/3, 2017 at 1:53 Comment(0)
K
1

If you are seeing an error something like

error on line -1 c:apacheconfopenssl.cnf

try changing from back slash to front slash in the -config.

Kiwanis answered 9/10, 2014 at 17:20 Comment(0)
M
1

Run the command as administrator and copy the config file to somewhere where you have read rights and specify the path with the -config parameter.

Marvamarve answered 31/8, 2015 at 13:15 Comment(0)
C
1

I know this is old -- but thought others that happen on this (and use Visual Studio) might benefit. I read this on another post that I can't seem to find.

Open your config in Notepad++ and make sure its Encoding is UTF-8 (i.e., not UTF-8-BOM*).

This would have saved me a lot of searching/trial'n'errors...

Cascara answered 17/1, 2019 at 19:28 Comment(0)
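The failure modes reported across the answers on this page (a .conf/.cnf/.cfg mismatch, quotes stored in OPENSSL_CONF, a UTF-8 BOM) can be checked in one pass. This is an added example, not code from any poster; the name `diagnose`, the finding labels and the sample file are constructed here, and it goes slightly beyond the thread by also flagging the `md5` and 1024-bit defaults seen in the config posted above, which are too weak for certificates today.

```python
import os
import re
import tempfile

BOM = b"\xef\xbb\xbf"
WEAK_DIGESTS = {"md5", "sha1"}
SETTING = re.compile(r"\s*(default_md|default_bits)\s*=\s*([^#\s]+)")

def diagnose(conf_path):
    """Return findings for a path as passed via OPENSSL_CONF or -config."""
    findings = []
    # Quote characters stored literally in the variable become part of the path.
    if conf_path.startswith(('"', "'")) or conf_path.endswith(('"', "'")):
        findings.append("quoted-path")
        conf_path = conf_path.strip("\"'")
    if not os.path.isfile(conf_path):
        findings.append("missing-file")
        # Installers ship the file as .cnf or .cfg; look for a sibling.
        stem = os.path.splitext(conf_path)[0]
        findings += ["found-as:" + stem + ext
                     for ext in (".cnf", ".cfg") if os.path.isfile(stem + ext)]
        return findings
    with open(conf_path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(BOM):  # the "UTF-8-BOM" encoding one answer reports
        findings.append("utf8-bom")
        raw = raw[len(BOM):]
    for line in raw.decode("utf-8", errors="replace").splitlines():
        m = SETTING.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).lower()
        if key == "default_md" and value in WEAK_DIGESTS:
            findings.append("weak-digest:" + value)
        elif key == "default_bits" and value.isdigit() and int(value) < 2048:
            findings.append("weak-key-bits:" + value)
    return findings

def demo():
    """Check a constructed config saved with a BOM as openssl.cnf."""
    sample = BOM + b"[ req ]\ndefault_bits = 1024\ndefault_md = md5\n"
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "openssl.cnf")
        with open(good, "wb") as fh:
            fh.write(sample)
        wrong_ext = os.path.join(tmp, "openssl.conf")  # the question's typo
        return diagnose(wrong_ext), diagnose('"' + good + '"')

if __name__ == "__main__":
    print(demo())
```

On a real system, pass it the value of OPENSSL_CONF or the argument given to -config.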
E
1

I know this question is old but here is how I solved it.

I copied the openssl.cnf file from the bin directory to the parent directory, which is C:/Openssl/openssl.cnf instead of C:/Openssl/bin/openssl.cnf, and it worked fine.

Emergent answered 5/5, 2020 at 19:52 Comment(0)
N
1

I was also facing same issue. Below are the steps to resolve it.

  1. check your openssl version

openssl version

  2. If your version is below

OpenSSL 1.1.1h 22 Sep 2020

  3. go to below link and download latest full version of openssl. openssl windows installer
  4. After installation add openssl path at the top of 'PATH' variable in system path.
  5. confirm your version is latest by opening new command prompt and running command in step 1
  6. Now you're ready to run the command again and this time it will work.
Naturalist answered 12/11, 2020 at 5:53 Comment(1)
It is an assumption that updating to the latest version will work. I have the latest version and this does not work in my situation. - Sprague
I
0

Open Windows PowerShell as an administrator and add the following line:

$env:OPENSSL_CONF = ''

If you still encounter the problem with your IDE, open the terminal and add the same line. I've tried everything, but this method works fine for me.

Impostor answered 11/9, 2023 at 9:20 Comment(0)
