Closed tecoboot closed 2 years ago
tecoboot
commented
2 years ago The pki/vars.example is copied, instead of a move of the vars.
+ [ -d /root/easyrsa-master/test-vars/pki/x509-types ]
+ [ -e /root/easyrsa-master/test-vars/pki/vars.example ]
+ [ -e /root/easyrsa-master/test-vars/pki/vars ]
+ cp /root/easyrsa-master/test-vars/pki/vars.example /root/easyrsa-master/test-vars/pki/varsRelated or duplicate of #589
TinCanTech
commented
2 years ago @tecoboot Try again but do not use make-cadir
tecoboot
commented
2 years ago This works. So there is some dependency on vars processing between make-cadir and easyrsa.
root@host:~# rm -rf easyrsa-master
root@host:~# cd easyrsa-master
-bash: cd: easyrsa-master: No such file or directory
root@host:~# git clone https://github.com/OpenVPN/easy-rsa.git
fatal: destination path 'easy-rsa' already exists and is not an empty directory.
root@host:~# mkdir test-vars
root@host:~# cd
root@host:~# rm -rf easyrsa-master
root@host:~# mkdir easyrsa-master
root@host:~# cd easyrsa-master
root@host:~/easyrsa-master# git clone https://github.com/OpenVPN/easy-rsa.git
Cloning into 'easy-rsa'...
remote: Enumerating objects: 3695, done.
remote: Counting objects: 100% (134/134), done.
remote: Compressing objects: 100% (79/79), done.
remote: Total 3695 (delta 60), reused 126 (delta 55), pack-reused 3561
Receiving objects: 100% (3695/3695), 25.04 MiB | 17.37 MiB/s, done.
Resolving deltas: 100% (1742/1742), done.
root@host:~/easyrsa-master# mkdir test-vars
root@host:~/easyrsa-master# cd test-vars
root@host:~/easyrsa-master/test-vars# ln -s ../easy-rsa/easyrsa3/easyrsa ./
root@host:~/easyrsa-master/test-vars# ./easyrsa version
EasyRSA Version Information
Version: ~VER~
Generated: ~DATE~
SSL Lib: OpenSSL 1.1.1n 15 Mar 2022
Git Commit: ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
root@host:~/easyrsa-master/test-vars# ./easyrsa --sbatch init-pki
root@host:~/easyrsa-master/test-vars# find | grep vars
./pki/vars.example
./pki/vars
root@host:~/easyrsa-master/test-vars# ./easyrsa --sbatch build-ca nopass
............................................+++++
.............................................+++++
root@host:~/easyrsa-master/test-vars# It comes with Debian Bullseye:
root@host:~/easyrsa-master/easy-rsa# grep -r make-cadir *
root@host:~/easyrsa-master/easy-rsa# find | grep make-cadir
root@host:~/easyrsa-master/easy-rsa# which make-cadir
/usr/bin/make-cadir
root@host:~/easyrsa-master/easy-rsa# cat /usr/bin/make-cadir
#!/bin/sh
# This script creates a new directory in order to be used
# with the tools from the easy-rsa project.
#
# Copyright (C) 2012 Alberto Gonzalez Iniesta
# 2018 Pierre-Elliott Bécue
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
set -e
usage() {
echo "Usage: $0 DIRECTORY"
echo "Creates a *new* directory and prepares it to be used as a (CA) key management directory (to create and store keys and certificates)."
exit 1
}
[ "$#" -ne 1 ] && usage
[ -e "$1" ] && { echo "$1 exists. Aborting." ; usage ; }
mkdir -m 700 -p "$1"
ln -s /usr/share/easy-rsa/easyrsa "$1"
ln -s /usr/share/easy-rsa/x509-types "$1"
cp /usr/share/easy-rsa/openssl-easyrsa.cnf "$1"
cp /usr/share/easy-rsa/vars.example "$1/vars"
root@host:~/easyrsa-master/easy-rsa# It is untouched in Bookwork/SID. Why not accept installations with both vars, and take pki/vars as preference? It is confusing, so a warning that pki/vars is used is helpful !! Moving could break existing procedures, where it is assumed that the vars in the main folder is kept. It is up to the Debian maintainer to decide.
tecoboot
commented
2 years ago Title changed
tecoboot
commented
2 years ago Ahh, it was the breaking change https://github.com/OpenVPN/easy-rsa/commit/4d5a5d4a7b14eecdbabd293e8403981165f35476
Find 'vars' in preferred locations and only allow ONE instance.
* Probably a breaking change but only where things are already broken.Already posted: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016759
TinCanTech
commented
2 years ago I believe your bug report has been posted in haste.
I will leave you to chose its fate but I would close it as: Over zealous.
TinCanTech
commented
2 years ago The make-cadir is a simple utility which can be easily worked around or with in the main easyrsa script.
tecoboot
commented
2 years ago Sure. But update to easyrsa breaks debian make-cadir. It has to be fixed one way or another.
TinCanTech
commented
2 years ago easyrsa version 3.1 can be improved to recognise that make-cadir has been used. Proposal for such are welcome.
At this time 3.1 is bleeding edge not main stream.
tecoboot
commented
2 years ago Right! What about this proposal:
Prepare my distribution:
[[ -e /usr/bin/easyrsa ]] || ln -s /usr/share/easy-rsa/easyrsa /usr/bin/Initiate my CA pki:
mkdir MyCA && cd MyCA
easyrsa --batch init-pkiResult:
root@host:~# mkdir MyCA && cd MyCA
root@host:~/MyCA#
root@host:~/MyCA# easyrsa --batch init-pki
root@host:~/MyCA#
root@host:~/MyCA# ls -al
total 12
drwxr-xr-x 3 root root 4096 Aug 12 11:10 .
drwxr-xr-x 6 root root 4096 Aug 12 11:10 ..
drwx------ 4 root root 4096 Aug 12 11:10 pki
root@host:~/MyCA#
root@host:~/MyCA# ls -al pki
total 56
drwx------ 4 root root 4096 Aug 12 11:10 .
drwxr-xr-x 3 root root 4096 Aug 12 11:10 ..
-rw------- 1 root root 4616 Aug 12 11:10 openssl-easyrsa.cnf
drwx------ 2 root root 4096 Aug 12 11:10 private
drwx------ 2 root root 4096 Aug 12 11:10 reqs
-rw------- 1 root root 4578 Aug 12 11:10 safessl-easyrsa.cnf
-rw------- 1 root root 8925 Aug 12 11:10 vars
-rw------- 1 root root 8925 Aug 12 11:10 vars.example
root@host:~/MyCA# Done :-)
TinCanTech
commented
2 years ago
- There shouldn't be a need to have a distribution-specific tool to initiate the easyrsa pki
Exactly. easyrsa now does that which make-cadir does.
TinCanTech
commented
2 years ago @tecoboot There seems to be a bug with make-cadir, it creates a link to /usr/share/easy-rsa/easyrsa without verifying its existence. Would you be happy to raise a bug report for that ?
No check is done for usr/share/x509-types.
vars.example should really not be named vars, this is left for the user.
set -e only errors out once /usr/share/easy-rsa/openssl-easyrsa.cnf cannot be found and then leaves a mess.
TinCanTech
commented
2 years ago I think the best way to work with/around make-cadir is to have easyrsa detect the vars file in the CA-dir during init-pki and error out at that point. So, before any PKI is created, the unwanted vars file can be eliminated or at least renamed.
tecoboot
commented
2 years ago Would you be happy to raise a bug report for that ?
There is one, with XREF. See my posting above (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016759) I'm happy to post an advice for fixing. But I am the MITM here :-)
TinCanTech
commented
2 years ago I am the MITM here :-)
You are and I thank you for your help ;-)
TinCanTech
commented
2 years ago Because Debian has forwarded the bug here, to this thread, I shall keep this thread upto date.
First point: Easy-RSA version 3.1.x no longer requires use of make-cadir, easyrsa does that job internally.
Second point: easyrsa needs to work around make-cadir, should it be used.
Third point: vars belongs in the PKI folder not the PKI parent.
tecoboot
commented
2 years ago Thanks taking over. It was not "Debian" that "forwarded" the bug. I started here and found later on that the bug was reported already on Debian. So I connected the two reported issues.
tecoboot
commented
2 years ago What about declare make-cadir as obsolete? In Bookwork: just reply with a warning and an instruction how to use easyrsa init-pki. In next (SID): remove it.
Still the question on having easyrsa in the path and use either $(pwd) or --pki-dir.
TinCanTech
commented
2 years ago What about declare make-cadir as obsolete?
Tempting ..
It is true that Easy-RSA version 3.1 series does not support make-cadir, yet ..
However, smarter to find a permanent work around.
TinCanTech
commented
2 years ago With a minor adjustment to creating the PKI, a work-around is simple. Incoming PR.
TinCanTech
commented
2 years ago Re-opening for testing and feedback.
TinCanTech
commented
2 years ago @tecoboot if you can test and let me know your findings, perhaps we can close the debian bug as well.
tecoboot
commented
2 years ago Sure. It is OK now. I'll post on Debian as well.
root@host:~# make-cadir foo
root@host:~# cd foo
root@host:~/foo# ./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /root/foo/pki
root@host:~/foo# ./easyrsa build-ca nopass
* Using Easy-RSA configuration from: /root/foo/vars
* The preferred location for 'vars' is within the PKI folder:
/root/foo/pki
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=./vars
* Using SSL: openssl OpenSSL 1.1.1n 15 Mar 2022
EasyRSA DN 'commonName-Only' mode (cn_only)
* Current CA Distinguished Name fields:
commonName = Easy-RSA CA
Type the word 'yes' to continue, or any other input to abort.
Create CA certificate with these DN settings ? yes
............+++++
..............................................................................................................+++++
Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/foo/pki/ca.crt
root@host:~/foo#
I tested init-pki vars processing with clean master. It fails. Commands:
Result: