Open GLADtr opened 5 months ago
Which version of EasyRSA are you using ?
~Where have you uncommented the value of set_var EASYRSA_SSL_CONF openssl-easyrsa.cnf
? Do you mean that you edited the vars
file ?~
Got it, you did edit the vars
file.
Ok, I think I understand the problem:
EASYRSA_PKI
expands to an empty string in the vars
file, unless you also uncomment #set_var EASYRSA_PKI "$PWD/pki"
in the vars
file.Please try uncommenting #set_var EASYRSA_PKI "$PWD/pki"
in the vars
file and try again.
I have at moment next uncommented strings:
`it@datasrv:~/easyrsa$ grep -v "^#" easyrsa3/vars
set_var EASYRSA_PKI "$PWD/pki" set_var EASYRSA_DN "org" set_var EASYRSA_REQ_COUNTRY "" set_var EASYRSA_REQ_PROVINCE "" set_var EASYRSA_REQ_CITY "" set_var EASYRSA_REQ_ORG "" set_var EASYRSA_REQ_EMAIL "" set_var EASYRSA_REQ_OU "" set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_ALGO rsa set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_CERT_EXPIRE 1080 set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types" set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" set_var EASYRSA_DIGEST "sha256"`
Maybe I'm wrong in my reasoning, but - I apologize for the following words, but this is not logical. The parameter you specified works by default. and to guess about such a connection - you need to know this and understand the script itself. This is difficult without diving into the topic. Once again I apologize.
@GLADtr There is no need to apologize, this issue is valid.
And yes, there is a basic logical flaw having certain variables in vars
.
I have been phasing out the variables from vars
which cause this problem .. but I have to try to maintain backward compatibility for the most part.
In this specific issue, you have selected to define the openssl-easyrsa.cnf
file. This is now considered to be an advanced configuration and, once again yes, you have found an issue with the way vars
is currently expected to work. This way is not my design.
With current v3.2
, you would not use the vars
file to set easyrsa-openssl.cnf
. Instead, you would make your changes to pki/openssl-easyrsa.cnf
and the script would use your file, in this PKI.
To specify a different PKI, from default pki/
, you would use command line option --pki=<YOUR_PKI>
. This approach also fixes this issue because EASYRSA_PKI
is defined on the command line, not the vars
file.
Also, current v32x
built-in vars.example
file does not have the setting for EASYRSA_SSL_CONF
. This is how I have decided to stage this change. I may also change the distribution vars.example
file before v3.2.0
release (Undecided).
EasyRSA v317
was intentionally made to conform to traditional v31x
methodology, broken or not.
EasyRSA v32x
is being intentionally developed to replace the old methodologies , specifically to remove inconsistencies like this issue.
Which is why this issue is valid, and @GLADtr thank you for reporting it.
Hi. For an experiment in vars, I uncommented the value of set_var EASYRSA_SSL_CONFopenssl-easyrsa.cnf. when running ./easyrsa build-ca I got a sed error: cannot read /openssl-easyrsa.cnf: No such file or directory. Having set the set -x and set -v flags, I discovered that an erroneous, extra / is passed at the variable assignment stage.
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"