OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

openssl execution fails when --enddate is used #1056

Closed bjoern-r closed 9 months ago

bjoern-r commented 10 months ago

EasyRSA Version Information

Version:     3.1.7
Generated:   Fri Oct 13 17:27:51 CDT 2023
SSL Lib:     OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | nix | Linux | /bin/zsh

Description

When the --startdate and --enddate options are used, the openssl execution fails with the error message:

req: Error on line 31 of config file "/home/xx/pki/openssl-easyrsa.cnf"
4077C545E97F0000:error:07000068:configuration file routines:str_copy:variable has no value:../crypto/conf/conf_def.c:751:line 31

where the line in openssl-easyrsa.cnf has the following content.

default_days    = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for

My understanding is that when --enddate is used, EASYRSA_CERT_EXPIRE will be unset on line 5582, which will make openssl complain about the missing ENV variable.

When default_days is hard-coded to a number, --enddate works as expected.

TinCanTech commented 10 months ago

@bjoern-r Thanks for this report - I confirm this is a bug.

TinCanTech commented 10 months ago

The fix required is at line 5582:

unset -v EASYRSA_CERT_EXPIRE alias_days

Remove EASYRSA_CERT_EXPIRE from that line and it should work correctly.

TinCanTech commented 10 months ago

There is also the possibility to remove line 31 from openssl-easyrsa.cnf:

default_days    = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for

Easy-rsa always sets environment variables and SSL command options for dates.
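As an added illustration (not code from this issue or from easy-rsa), the following Python model shows why the quoted line fails: OpenSSL expands `$ENV::NAME` references eagerly while it loads the config, and a reference that resolves to nothing aborts the load at that line with "variable has no value". The sample config is constructed; it keeps only the `default_days` line quoted above plus a hypothetical minimal surrounding section. The lookup order (the file's own `[ENV]` section, then the process environment, then `[default]`) is a simplified model of OpenSSL's loader, and the helper names `check_expiry` and `without_default_days` are mine. It also shows both fixes discussed in the thread: keeping `EASYRSA_CERT_EXPIRE` set, and dropping the `default_days` line so the command-line date options alone decide expiry.

```python
import re
from typing import Dict


class ConfError(ValueError):
    """Same failure class OpenSSL reports as
    'configuration file routines:str_copy:variable has no value'."""


# Constructed sample config. The default_days line is the one quoted in the
# issue (line 31 of the real openssl-easyrsa.cnf); the surrounding sections
# are a hypothetical minimum so the loader has something to work with.
SAMPLE_CNF = """\
[ ca ]
default_ca      = CA_default

[ CA_default ]
default_days    = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_md      = sha256
"""

SECTION_RE = re.compile(r"\[\s*([^\]]+?)\s*\]")
# Reference forms OpenSSL accepts: $name, ${name}, $section::name, ${section::name}
VAR_RE = re.compile(r"\$\{([^}]+)\}|\$([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)?)")


def lookup(sections: Dict[str, Dict[str, str]], section: str, name: str,
           env: Dict[str, str]):
    """Simplified model of OpenSSL's lookup order: the named section itself,
    then (only for the special ENV section) the process environment, then
    the [default] section. Returns None when nothing matches."""
    value = sections.get(section, {}).get(name)
    if value is None and section == "ENV":
        value = env.get(name)
    if value is None:
        value = sections["default"].get(name)
    return value


def expand(sections, section: str, value: str, env, line_no: int) -> str:
    """Expand $-references in one value. OpenSSL expands while loading, so an
    unresolvable reference aborts the whole load at that line."""
    def repl(m):
        ref = m.group(1) or m.group(2)
        sec, _, name = ref.rpartition("::")
        found = lookup(sections, sec or section, name, env)
        if found is None:
            raise ConfError(f"line {line_no}: variable has no value: ${ref}")
        return found
    return VAR_RE.sub(repl, value)


def load_cnf(text: str, env: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Parse an OpenSSL-style config into {section: {name: expanded value}}.
    Comments start at '#'; escaping ('\\$', quoted values) is not modelled."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ConfError(f"line {line_no}: missing '=' in {line!r}")
        sections[current][name.strip()] = expand(
            sections, current, value.strip(), env, line_no)
    return sections


def check_expiry(text: str, env: Dict[str, str]) -> str:
    """Load `text` under `env` and report the resolved default_days ('unset'
    if the key is absent, i.e. only -days/-enddate decide) or the loader
    error, as a plain string callers can compare directly."""
    try:
        sections = load_cnf(text, env)
    except ConfError as exc:
        return f"error: {exc}"
    days = sections.get("CA_default", {}).get("default_days", "unset")
    return f"default_days={days}"


def without_default_days(text: str) -> str:
    """Second fix from the thread: drop the default_days line, leaving expiry
    to the date options easy-rsa always passes on the command line."""
    kept = [l for l in text.splitlines() if not l.startswith("default_days")]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # What happens when --enddate unsets EASYRSA_CERT_EXPIRE before openssl runs:
    print(check_expiry(SAMPLE_CNF, {}))
    # Fix 1: keep the variable set.  Fix 2: remove the line from the .cnf.
    print(check_expiry(SAMPLE_CNF, {"EASYRSA_CERT_EXPIRE": "825"}))
    print(check_expiry(without_default_days(SAMPLE_CNF), {}))
```

Run stand-alone it prints the failure for the unset case first, then the two fixed cases. The model deliberately fails on the first unresolved reference instead of defaulting it, because that is what the real loader does: a config that names an environment variable is only valid when every invocation of openssl supplies that variable.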

bjoern-r commented 10 months ago

Changing the unset line worked for me.

I first tried to remove line 31 from openssl-easyrsa.cnf, but this gets regenerated if the file is missing, so my understanding was that this file should stay like this.

TinCanTech commented 10 months ago

I have been considering possible solutions.

Changing easyrsa is simplest but changing openssl-easyrsa.cnf is a better long-term solution because it leaves less ambiguity concerning which commands are used for expiry dates.

TinCanTech commented 10 months ago

For Easy-RSA v3.2 the fix is: 2a8c0de

Fixing v3.1.7 is not necessary.

TinCanTech commented 9 months ago

@bjoern-r I appreciate this bug report.