OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Procedure to replace renew command useless #1199

Closed malibata closed 1 month ago

malibata commented 1 month ago

The new procedure meant to replace the simple renew command is kind of useless. If you issue the expire command followed by the sign-req command, easyrsa will sign a new certificate but will not generate a new inline file and will leave the old one with the expired certificate... If you then issue the revoke-expired command, it will not remove the request file so that it can be signed again, as it should, but will remove the private key file, making the request file useless. revoke-renewed does not work anymore because it looks for a certificate in the pki/renewed directory instead of pki/renewed/issued, where the files actually are... All this makes the new procedure basically dysfunctional, and using something like revoke followed by build-TYPE-full commands, although not as simple as renew, is the way to go for now.
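The three inconsistent states the report above describes (request left without its private key, inline file older than the re-signed certificate, old certificate parked under pki/renewed/issued) can be checked for from outside easyrsa. The following script is an added example and is not part of easy-rsa or this thread; it assumes the directory names mentioned in the report plus pki/inline/NAME.inline for the inline file, and builds a constructed sample PKI rather than touching a real one.

```shell
#!/bin/sh
# Added example (not easy-rsa code): consistency check for one PKI entity
# after the expire / sign-req / revoke-expired sequence.
# Assumed layout: pki/reqs, pki/private, pki/issued, pki/inline (assumption),
# pki/renewed/issued (named in the report).

# Prints one line per finding; returns 1 if anything was found, else 0.
check_renew_state() {
  pki="$1"; name="$2"; findings=0
  req="$pki/reqs/$name.req"
  key="$pki/private/$name.key"
  crt="$pki/issued/$name.crt"
  inline="$pki/inline/$name.inline"          # path is an assumption
  renewed="$pki/renewed/issued/$name.crt"

  # A request whose private key is gone can never be signed usefully again.
  if [ -e "$req" ] && [ ! -e "$key" ]; then
    echo "$name: request present but private key missing (req is unusable)"
    findings=$((findings + 1))
  fi
  # An inline file older than the issued certificate still embeds the old cert.
  if [ -e "$inline" ] && [ -e "$crt" ] && [ "$crt" -nt "$inline" ]; then
    echo "$name: inline file older than issued certificate (stale inline)"
    findings=$((findings + 1))
  fi
  # An old certificate left under renewed/issued has not been revoked yet.
  if [ -e "$renewed" ]; then
    echo "$name: old certificate still in renewed/issued (not yet revoked)"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample PKI reproducing the reported state for entity client1:
# key removed, request kept, inline dated 2020, new cert dated now.
make_sample_pki() {
  d="$1"
  mkdir -p "$d/reqs" "$d/private" "$d/issued" "$d/inline" "$d/renewed/issued"
  : > "$d/reqs/client1.req"
  : > "$d/inline/client1.inline"
  touch -t 202001010000 "$d/inline/client1.inline"   # POSIX touch -t
  : > "$d/issued/client1.crt"
  : > "$d/renewed/issued/client1.crt"
}

# Repair the constructed sample so the check passes (illustrative only).
fix_sample_pki() {
  d="$1"
  : > "$d/private/client1.key"
  touch "$d/inline/client1.inline"
  rm -f "$d/renewed/issued/client1.crt"
}
```

Run as `check_renew_state /path/to/pki client1` against each entity name you are renewing; a non-zero exit means the renew sequence did not leave that entity in a usable state.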

TinCanTech commented 1 month ago

@malibata Which version of EasyRSA are you using ?

malibata commented 1 month ago

Easy-RSA version 3.2.0, I believe this change is introduced in this version... I see now on github that it is a development snapshot, but it was pulled by Fedora as the latest stable version and installed by dnf upgrade...

malibata commented 1 month ago

Probably NOT removing the key file would be a good idea, since you are already not moving the request file because it could be signed again:

--- easyrsa.saved       2024-05-18 14:20:59.000000000 +0200
+++ easyrsa     2024-08-05 13:46:46.301014865 +0200
@@ -3054,14 +3054,11 @@
        # do NOT move the req - can be signed again

        # move crt to renewed_then_revoked folders
        mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"

-       # only move the key if we have it
-       if [ -e "$key_in" ]; then
-               mv "$key_in" "$key_out" || warn "Failed to move: $key_in"
-       fi
+       # do NOT move the key - req can be signed again

        # remove any pkcs files
        for pkcs in p12 p7b p8 p1; do
                if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then
                        # issued
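Review bot: keeping the key in place is consistent with the "do NOT move the req - can be signed again" comment above it, but the hunk should document the consequence: a request re-signed after revoke-expired now reuses the private key of the certificate that was just moved out to the renewed_then_revoked folder, so the renewed certificate and the revoked one share a key. That is the intended renew behaviour, but the new comment line `# do NOT move the key - req can be signed again` could say so explicitly, and if `$key_in` / `$key_out` are still computed above this hunk they are now dead assignments and should be dropped or reused by the pkcs cleanup loop that follows.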
TinCanTech commented 1 month ago

OK and thanks for testing.

This has been addressed in git/master a.k.a. v3.2.1.

In the following way:

If you care to try this then please clone this repo and test it. Otherwise, v3.2.1 is intended for release in early September 2024.

Edit: Inlining files has also been/about to be addressed #1200