Open Yannik opened 2 years ago
I was able to solve this: by commenting out
[ -z "$EASYRSA_TEMP_DIR_session" ] || rm -rf "$EASYRSA_TEMP_DIR_session"
in /usr/share/easy-rsa/easyrsa, I could keep the temporary config file. Turns out that it is dynamically generated from various files, and this issue was caused by a line in x509-types/COMMON which used $ENV::CA_NAME for the crlDistributionPoints. Setting that variable fixed the issue.
@Yannik Hi, thanks for reporting this and taking time to try to solve it.
However, your solution is certainly not an acceptable fix, so I'm reopening this for further investigation.
Is there a specific reason why you only put your openssl config file on pastebin? Do you mind if I paste it here for the record?
Hey @TinCanTech
The issue was caused by having added the line
crlDistributionPoints = URI:http://pki.XX.de/$ENV::CA_NAME.crl
to the COMMON file of the x509-types and not having $CA_NAME set. So it is an issue that is not present with the default easy-rsa config.
However, I would like to suggest adding a parameter to easyrsa which allows keeping (instead of removing) the dynamically generated temporary openssl config. This would've made debugging this much easier, because I wouldn't have needed to understand and then modify easyrsa to keep the config and find the root cause for this issue.
> I would like to suggest adding a parameter to easyrsa which allows keeping (instead of removing) the dynamically generated temporary openssl config. This would've made debugging this much easier
That is certainly possible via a --debug switch or something like that. I have been trying to improve debug-ability moving forward.
> The issue was caused by having added the line crlDistributionPoints = URI:http://pki.XX.de/$ENV::CA_NAME.crl to the COMMON file of the x509-types and not having $CA_NAME set. So
Ok. That is a nice catch. I'll have to think about some documentation or input checking for such.
We don't need your SSL config, so I will not post that, but I will leave this open as a reminder to look into it soon.
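As an added example (not code from this thread or from easy-rsa itself), the input check mentioned above could look like this: a POSIX sh snippet that pulls every $ENV::NAME reference out of an x509-types file and reports the ones that are unset before easyrsa builds its temporary openssl config from it. The sample COMMON contents, the pki.XX.de placeholder host and the OCSP_HOST name are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of easy-rsa: find $ENV::NAME references in an
# x509-types file and report the ones that are unset, so the failure from
# the thread (unset CA_NAME inside crlDistributionPoints) is caught before
# the generated openssl config is handed to openssl.

# Constructed sample in the style of x509-types/COMMON. pki.XX.de is the
# placeholder host from the issue; OCSP_HOST is an invented second reference.
SAMPLE_COMMON='basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://pki.XX.de/$ENV::CA_NAME.crl
authorityInfoAccess = OCSP;URI:http://$ENV::OCSP_HOST/ocsp'

# Print each distinct NAME referenced as $ENV::NAME in the text read on stdin.
env_refs() {
    grep -o '\$ENV::[A-Za-z_][A-Za-z0-9_]*' | sed 's/^\$ENV:://' | sort -u
}

# Given file contents as $1, print every referenced name that is not set in
# the current environment. Returns 0 when all references resolve, 1 otherwise.
unset_env_refs() {
    _rc=0
    for _name in $(printf '%s\n' "$1" | env_refs); do
        # ${NAME+x} expands to x only when NAME is set (empty still counts as set)
        eval "_set=\${$_name+x}"
        if [ -z "$_set" ]; then
            printf '%s\n' "$_name"
            _rc=1
        fi
    done
    return $_rc
}

# Stand-alone demonstration: with CA_NAME and OCSP_HOST unset this lists both
# names; export them and nothing is printed.
unset_env_refs "$SAMPLE_COMMON" || echo 'unset $ENV:: references listed above' >&2
```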
On a further note, I also needed to comment out the following lines for debugging another issue:
rm -f "$easyrsa_openssl_conf"
rm -f "$easyrsa_extra_exts"
I have opened a separate issue #610 to track this.
The absolute bottom line is this:
If you use new variables in any SSL config file then that is on you. PRs concerning the use thereof can be considered.
easyrsa only has to provide support where LibreSSL is concerned.
If you are using LibreSSL then a PR is mandatory for consideration.
To remain open, indefinitely.
Using the Easy-RSA built-in command write, x509-type file expansion is trivial.
Example: the critical attribute could be expanded, instead of inserted, as it currently is.
I'm currently having issues signing a CSR for a Sub-CA (Windows ADCS):
After importing the csr, sign-req results in:
I have checked line 8 of the config file, it is
[ CA_default ]
, so I don't really know how this could cause an issue. Full config file here: https://pastebin.com/u8HfYDXK
I'm using easy-rsa 3.0.8 from the debian repo.