From b904f0c5d34cd8d7cdf7f2ea4be8e206df76759a Mon Sep 17 00:00:00 2001
From: Xavier Bachelot
Date: Mon, 28 Jan 2019 15:40:13 +0100
Subject: [PATCH 1/5] Fix broken check for cert expiration time in renew command
Signed-off-by: Xavier Bachelot
---
 easyrsa3/easyrsa | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 16ba40d..d019f87 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1006,13 +1006,13 @@ at: $crt_in"
 # Check if old cert is expired or expires within 30 days
 expire_date=$(
 "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -enddate |
- sed -n 's/^notAfter=//'
+ sed 's/^notAfter=//'
 )
 expire_date=$(date -d "$expire_date" +%s)
 allow_renew_date=$(date -d '+30day' +%s)
- [ "$expire_date" -gt "$allow_renew_date" ] || die "\
+ [ "$expire_date" -lt "$allow_renew_date" ] || die "\
 Certificate expires in more than 30 days.
 Renewal not allowed."
From 7966cc287a50ae172d3fbcd18c004764e1ae86aa Mon Sep 17 00:00:00 2001
From: Xavier Bachelot
Date: Mon, 28 Jan 2019 16:11:57 +0100
Subject: [PATCH 2/5] Make cert renew grace period configurable (default: 30 days)
Signed-off-by: Xavier Bachelot
---
 easyrsa3/easyrsa | 5 +++--
 easyrsa3/vars.example | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index d019f87..00bdcf0 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1010,10 +1010,10 @@ at: $crt_in"
 )
 expire_date=$(date -d "$expire_date" +%s)
- allow_renew_date=$(date -d '+30day' +%s)
+ allow_renew_date=$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)
 [ "$expire_date" -lt "$allow_renew_date" ] || die "\
-Certificate expires in more than 30 days.
+Certificate expires in more than $EASYRSA_CERT_RENEW days.
 Renewal not allowed."
 # Extract certificate usage from old cert
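Review bot: `expire_date=$(date -d "$expire_date" +%s)` just below the fixed `sed` still masks a conversion failure: `date -d` is a GNU extension, and when it is missing, when `notAfter` cannot be parsed, or when the `openssl x509 -enddate` pipeline yields nothing (its exit status is lost behind `sed`), `expire_date` is empty, the `-lt` test errors out instead of comparing, and the user is told "Certificate expires in more than 30 days" for a problem unrelated to the expiry date. Check the conversion explicitly, `expire_date=$(date -d "$expire_date" +%s) || die "Unable to parse the expiration date of: $crt_in"`, and likewise for `allow_renew_date`. The `-lt` direction itself matches the comment's intent (expired or expiring within the window): an already-expired certificate passes as well. The enclosing renew function starts and ends outside the hunk.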
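Review bot: `EASYRSA_CERT_RENEW` is interpolated into `date -d "+${EASYRSA_CERT_RENEW}day"` with no validation, and it comes from the user's vars file, so a non-numeric, negative or empty setting makes `date` fail and the renewal is refused with the unrelated "expires in more than … days" message. Validate it before use, e.g. `case "$EASYRSA_CERT_RENEW" in ''|*[!0-9]*) die "EASYRSA_CERT_RENEW must be a non-negative integer, got: '$EASYRSA_CERT_RENEW'" ;; esac`, placed before the `allow_renew_date` assignment. The enclosing renew function starts and ends outside the hunk.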
@@ -1488,6 +1488,7 @@ Note: using Easy-RSA configuration from: $vars"
 set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams"
 set_var EASYRSA_CA_EXPIRE 3650
 set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months
+ set_var EASYRSA_CERT_RENEW 30
 set_var EASYRSA_CRL_DAYS 180
 set_var EASYRSA_NS_SUPPORT no
 set_var EASYRSA_NS_COMMENT "Easy-RSA (~VER~) Generated Certificate"
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 372be04..f03ea6e 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -127,6 +127,10 @@ fi
 # parsed after this timeframe passes. It is only used for an expected next
 # publication date.
+# How many days before its expiration date a certificate is allowed to be
+# renewed?
+#set_var EASYRSA_CERT_RENEW 30
+
 #set_var EASYRSA_CRL_DAYS 180
 # Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
From 2f841e9fecc1e5b0601930918b0e5eb71aadd261 Mon Sep 17 00:00:00 2001
From: Xavier Bachelot
Date: Mon, 28 Jan 2019 16:19:55 +0100
Subject: [PATCH 3/5] Workaround older openssl which don't have -ext
Signed-off-by: Xavier Bachelot
---
 easyrsa3/easyrsa | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 00bdcf0..313fa73 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1018,8 +1018,8 @@ Renewal not allowed."
 # Extract certificate usage from old cert
 cert_ext_key_usage=$(
- "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -ext extendedKeyUsage |
- sed -n "2p;n;s/^ *//;p;"
+ "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -text |
+ sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}"
 )
 case $cert_ext_key_usage in
 "TLS Web Client Authentication")
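Review bot: The new `set_var EASYRSA_CERT_RENEW 30` default carries no comment, unlike the `EASYRSA_CERT_EXPIRE` line right above it, and the unit and direction of the value are not obvious from the name. Suggest `set_var EASYRSA_CERT_RENEW 30 # days before expiry during which renew is allowed` so the default block documents the policy knob in place.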
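Review bot: The rewritten `sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}"` extraction yields an empty `cert_ext_key_usage` when the old certificate has no EKU extension (no header line in the `-text` dump to match) and a comma-separated list when it has several; the `case` below only shows its exact `"TLS Web Client Authentication"` arm inside the hunk, so what those two inputs select depends on arms outside it. Since this value presumably decides whether the renewed certificate is issued with server or client usage, reject the ambiguous cases explicitly rather than letting a default arm choose: `[ -n "$cert_ext_key_usage" ] || die "Unable to determine the type of certificate: $crt_in"` right after the closing `)`. The `g` flag in `s/^ *//g` is redundant with the `^` anchor. The enclosing function starts and ends outside the hunk.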
@@ -1037,8 +1037,8 @@ Renewal not allowed."
 echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName || \
 {
 san=$(
- "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -ext subjectAltName |
- sed -n "2p;{n;s/ //g;p;}"
+ "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -text |
+ sed -n "/X509v3 Subject Alternative Name:/{n;s/ //g;p;}"
 )
 export EASYRSA_EXTRA_EXTS="\
 $EASYRSA_EXTRA_EXTS
From 8b24da13fdab91f38ed43f581a51be01a1b49b71 Mon Sep 17 00:00:00 2001
From: Xavier Bachelot
Date: Mon, 28 Jan 2019 16:28:24 +0100
Subject: [PATCH 4/5] Don't try to move inexistant files
Signed-off-by: Xavier Bachelot
---
 easyrsa3/easyrsa | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 313fa73..4066f41 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -959,7 +959,7 @@ input in file: $req_in"
 # get file extension
 file_ext="${file##*.}"
- mv "$file" "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext"
+ [ -f "$file" ] && mv "$file" "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext"
 done
 # remove the dublicate certificate in the certs_by_serial folder
@@ -1113,7 +1113,7 @@ input in file: $req_in"
 # get file extension
 file_ext="${file##*.}"
- mv "$file" "$EASYRSA_PKI/renewed/private_by_serial/$cert_serial.$file_ext"
+ [ -f "$file" ] && mv "$file" "$EASYRSA_PKI/renewed/private_by_serial/$cert_serial.$file_ext"
 done
 # remove the duplicate certificate in the certs_by_serial folder
From 4ccde23e07d113fee427a507be323d1bc78e25fd Mon Sep 17 00:00:00 2001
From: Xavier Bachelot
Date: Mon, 28 Jan 2019 21:39:00 +0100
Subject: [PATCH 5/5] Prevent using an empty SAN
Signed-off-by: Xavier Bachelot
---
 easyrsa3/easyrsa | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 4066f41..00fc0cd 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
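Review bot: The new `sed -n "/X509v3 Subject Alternative Name:/{n;s/ //g;p;}"` line deletes every space on the SAN value line, which turns an `IP Address:10.0.0.1` entry as printed by `openssl x509 -text` into `IPAddress:10.0.0.1`, a name type OpenSSL's subjectAltName config syntax does not know, so renewing a certificate with IP SANs is expected to fail when the exported `EASYRSA_EXTRA_EXTS` is fed back to OpenSSL. Strip only the indentation and map the printed form back to the config keyword: `sed -n "/X509v3 Subject Alternative Name:/{n;s/^ *//;s/IP Address:/IP:/g;p;}"` (the `, ` separators are accepted by the config parser). Other printed forms such as `DirName:` or `othername:<unsupported>` cannot be round-tripped this way either and would be better met with a die than a best-effort export. The `{ … }` group and the enclosing function continue outside the hunk.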
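Review bot: The `[ -f "$file" ] && mv …` guard in the first hunk silences the unmatched-glob case but still ignores a failing `mv`: if the private key cannot be moved into `revoked/private_by_serial` (permissions, cross-filesystem rename), the loop carries on and the key stays where it was while the rest of the revocation completes as if it had been archived. Use an `if` so that the move itself is the only thing checked: `if [ -f "$file" ]; then` / `mv "$file" "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext" || die "Unable to move: $file"` / `fi`. The same applies to the second hunk (`@@ -1113,7`) for `renewed/private_by_serial`. Both `for` loops start outside their hunks.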
@@ -1040,7 +1040,7 @@ Renewal not allowed."
 "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -text |
 sed -n "/X509v3 Subject Alternative Name:/{n;s/ //g;p;}"
 )
- export EASYRSA_EXTRA_EXTS="\
+ [ -n "$san" ] && export EASYRSA_EXTRA_EXTS="\
 $EASYRSA_EXTRA_EXTS
 subjectAltName = $san"
 }
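Review bot: `[ -n "$san" ] && export EASYRSA_EXTRA_EXTS="\…` is a conditional written as an `&&` chain: when `san` is empty the test's status 1 becomes the status of the `{ … }` group and thus of the whole `grep -q … || { … }` line, which nothing in the hunk consumes today but which will bite any later `set -e` or `|| die` added on that line. Wrap the existing `export` in `if [ -n "$san" ]; then` … `fi` instead. An empty `san` here most likely means the old certificate carried no SAN at all (the preceding `grep -q subjectAltName` inspects only the user-supplied extras), so skipping quietly is the right outcome; a one-line comment saying so, `# old cert had no SAN: nothing to carry over`, would spare the next reader the same analysis. The group and the enclosing function continue outside the hunk.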