[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

set_var EASYRSA_SSL_CONF - add wrong / #1074

Closed
GLADtr opened this issue Feb 2, 2024 · 6 comments · Fixed by #1262
Closed

set_var EASYRSA_SSL_CONF - add wrong / #1074

GLADtr opened this issue Feb 2, 2024 · 6 comments · Fixed by #1262

Comments

@GLADtr
Copy link
GLADtr commented Feb 2, 2024

Hi.
For an experiment in vars, I uncommented the value of set_var EASYRSA_SSL_CONFopenssl-easyrsa.cnf.
when running ./easyrsa build-ca I got a sed error: cannot read /openssl-easyrsa.cnf: No such file or directory.
Having set the set -x and set -v flags, I discovered that an erroneous, extra / is passed at the variable assignment stage.
#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"

  • set_var EASYRSA_SSL_CONF /openssl-easyrsa.cnf
  • var=EASYRSA_SSL_CONF
    +shift
    + value=/openssl-easyrsa.cnf
  • eval export EASYRSA_SSL_CONF="${EASYRSA_SSL_CONF-/openssl-easyrsa.cnf}"
  • export EASYRSA_SSL_CONF=/openssl-easyrsa.cnf
@TinCanTech
Copy link
Collaborator
TinCanTech commented Feb 2, 2024

Which version of EasyRSA are you using ?

Where have you uncommented the value of set_var EASYRSA_SSL_CONF openssl-easyrsa.cnf ? Do you mean that you edited the vars file ?

Got it, you did edit the vars file.

Ok, I think I understand the problem:

  • EASYRSA_PKI expands to an empty string in the vars file, unless you also uncomment #set_var EASYRSA_PKI "$PWD/pki" in the vars file.

Please try uncommenting #set_var EASYRSA_PKI "$PWD/pki" in the vars file and try again.

@GLADtr
Copy link
Author
GLADtr commented Feb 2, 2024

I have at moment next uncommented strings:

`it@datasrv:~/easyrsa$ grep -v "^#" easyrsa3/vars

set_var EASYRSA_PKI "$PWD/pki"
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY ""
set_var EASYRSA_REQ_PROVINCE ""
set_var EASYRSA_REQ_CITY ""
set_var EASYRSA_REQ_ORG ""
set_var EASYRSA_REQ_EMAIL ""
set_var EASYRSA_REQ_OU ""
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 1080
set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"`

Maybe I'm wrong in my reasoning, but - I apologize for the following words, but this is not logical. The parameter you specified works by default. and to guess about such a connection - you need to know this and understand the script itself. This is difficult without diving into the topic.
Once again I apologize.

@TinCanTech
Copy link
Collaborator
TinCanTech commented Feb 2, 2024

@GLADtr There is no need to apologize, this issue is valid.

And yes, there is a basic logical flaw having certain variables in vars.

I have been phasing out the variables from vars which cause this problem .. but I have to try to maintain backward compatibility for the most part.

In this specific issue, you have selected to define the openssl-easyrsa.cnf file. This is now considered to be an advanced configuration and, once again yes, you have found an issue with the way vars is currently expected to work. This way is not my design.

@TinCanTech
Copy link
Collaborator
TinCanTech commented Feb 2, 2024

With current v3.2, you would not use the vars file to set easyrsa-openssl.cnf. Instead, you would make your changes to pki/openssl-easyrsa.cnf and the script would use your file, in this PKI.

To specify a different PKI, from default pki/, you would use command line option --pki=<YOUR_PKI>. This approach also fixes this issue because EASYRSA_PKI is defined on the command line, not the vars file.

Also, current v32x built-in vars.example file does not have the setting for EASYRSA_SSL_CONF. This is how I have decided to stage this change. I may also change the distribution vars.example file before v3.2.0 release (Undecided).

@TinCanTech
Copy link
Collaborator
TinCanTech commented Feb 2, 2024

EasyRSA v317 was intentionally made to conform to traditional v31x methodology, broken or not.

EasyRSA v32x is being intentionally developed to replace the old methodologies , specifically to remove inconsistencies like this issue.

Which is why this issue is valid, and @GLADtr thank you for reporting it.

@TinCanTech
Copy link
Collaborator

Follow-up: #1261

@TinCanTech TinCanTech linked a pull request Dec 1, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants