Check that sourcing default pki/vars has NOT changed EASYRSA or EASYRSA_PKI.
This will be resolved in v3.2.0 - See #comment for details.
Refactor select_vars():
To: single if/elif/else/fi.
From: separate if/fi statements.
Always set EASYRSA_VARS_FILE to the used vars-file.
(Required for 'help' status)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

vars_setup was trying to do more work than only setting up vars.
These tasks have been broken down as follows:
select_vars:
* Choose only ONE vars file to source by priority specified in Advanced.md
* Apply restrictions to default vars changing EASYRSA or EASYRSA_PKI.
source_vars:
* Verify and source a vars file.
default_vars:
* Set all default values as expected.
Note: Also disable use of vars_setup.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Correct auto-load order:
The previous order was to search the default PKI before EASYRSA.
Change: EASYRSA is moved to a higher priority than a default PKI.
Remove 'program location' as a valid target for auto-loading vars.
Keeping writable data files in the same folder as executable code
is not necessary. If it is required then use of other options is
preferred, e.g. --vars=<FILE> or $EASYRSA
Add additional information regarding use of default PKI.
Add section to advise the preferred use of --pki over --vars.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

If a vars file in the PKI tries to change the expected PKI then fail.
Allow vars file in the working directory to change the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

The main changes made are:
* If EASYRSA is set then only allow default vars file. No auto-load
* If EASYRSA_PKI is set then allow also EASYRSA_PKI/vars. Use auto-load.
This is something like "The Three Laws"; vars auto-load is unnecessary
and should be replaced by a single default vars file. However, here is
the latest version:
1. The DEFAULT vars file is in the working directory: ./vars
2. Using --vars=<FILE>, takes priority ALWAYS. NO auto-load!
3. Using --pki-dir=<DIR>, allows "$EASYRSA_PKI/vars". Use auto-load!
Note:
A user set PKI can auto-load a default vars file in the PKI, however,
that can also conflict with a default ./vars file.
4. ERROR, if vars auto-load finds more than one VIABLE vars file.
Viable vars files and conflicts:
1. "$PWD/vars" - Can conflict.
2. "$PWD/pki/vars" - Can conflict.
3. "$EASYRSA/vars" - User defined EASYRSA, no conflict.
4. "$EASYRSA_PKI/vars" - User defined EASYRSA_PKI, can conflict.
This is achieved by making the following changes:
Prioritise user-set EASYRSA to force "$EASYRSA/vars" ONLY.
No auto-load.
Expand assigning EASYRSA_PKI/vars to test for user-set PKI or default PKI.
Use auto-load.
Remove unused code and improve comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

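Added example, not EasyRSA's own code: the selection rules listed in the message above (the default ./vars, --vars=FILE always winning with no auto-load, a user-set PKI allowing "$EASYRSA_PKI/vars", and an error when auto-load finds more than one viable file), together with the select_vars/source_vars split from the earlier refactor message, written as a stand-alone POSIX sh function. The function name follows the messages; the argument layout, the environment handling and the constructed directory layout in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not EasyRSA's own code: the vars-file selection rules
# from the commit message above, as a stand-alone POSIX sh function.
# Function names follow the message (select_vars); the argument layout
# and the demo directory layout are this example's own assumptions.

# select_vars WORKDIR [USER_VARS]
#   Prints the single vars file to source, or nothing when none applies.
#   Reads EASYRSA and EASYRSA_PKI from the environment, as EasyRSA does.
#   Returns 1 when auto-load finds more than one viable vars file.
select_vars() {
    _wd=$1
    _user_vars=$2

    # Law 2: --vars=FILE always wins, and auto-load is switched off.
    if [ -n "$_user_vars" ]; then
        printf '%s\n' "$_user_vars"
        return 0
    fi

    # A user-set EASYRSA forces "$EASYRSA/vars" only, again without auto-load.
    if [ -n "$EASYRSA" ]; then
        printf '%s\n' "$EASYRSA/vars"
        return 0
    fi

    # Laws 1 and 3: auto-load considers the default "./vars" and the vars
    # file of the PKI in use, whether that is the default "./pki" or a
    # user-set EASYRSA_PKI.
    _pki=${EASYRSA_PKI:-"$_wd/pki"}
    _found=''
    _count=0
    for _f in "$_wd/vars" "$_pki/vars"; do
        [ -f "$_f" ] || continue
        [ "$_f" = "$_found" ] && continue     # same path listed twice
        _found=$_f
        _count=$((_count + 1))
    done

    # Law 4: two viable files is an error, never a silent choice.
    if [ "$_count" -gt 1 ]; then
        echo "error: conflicting vars files: $_wd/vars and $_pki/vars" >&2
        return 1
    fi
    [ -n "$_found" ] && printf '%s\n' "$_found"
    return 0
}

# demo_select_vars: run the rules against a constructed layout in a temp
# directory and print "conflict" once both ./vars and ./pki/vars exist.
demo_select_vars() (
    unset EASYRSA EASYRSA_PKI                 # start from a clean environment
    _dir=$(mktemp -d 2>/dev/null || printf '/tmp/select-vars-demo.%s' "$$")
    mkdir -p "$_dir/pki" || exit 1
    : > "$_dir/vars"                          # constructed default ./vars
    _r1=$(select_vars "$_dir")                       # only ./vars: auto-loaded
    _r2=$(select_vars "$_dir" /custom/vars)          # --vars=FILE wins
    _r3=$(EASYRSA=/opt/easyrsa select_vars "$_dir")  # user EASYRSA, no auto-load
    : > "$_dir/pki/vars"                      # now two viable files
    if select_vars "$_dir" >/dev/null 2>&1; then _r4=chosen; else _r4=conflict; fi
    rm -rf "$_dir"
    [ "$_r1" = "$_dir/vars" ] || exit 1
    [ "$_r2" = /custom/vars ] || exit 1
    [ "$_r3" = /opt/easyrsa/vars ] || exit 1
    printf '%s\n' "$_r4"
)

demo_select_vars   # prints: conflict
```

select_vars only decides which file is used; verifying and sourcing it is left to a separate step, matching the select_vars/source_vars split described above.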
When a certificate CN is not the same as the file-name then show-expire
must calculate the expiry date, in seconds, from the database field.
This is done by functions:
* db_date_to_iso_8601_date()
Translate from database format to ISO_8601 date format.
* iso_8601_timestamp_to_seconds()
Translate from ISO_8601 date format to time-stamp in seconds.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

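Added example, not EasyRSA's own code: the two conversions named in the message above, written in plain POSIX sh arithmetic so that show-expire can work from the database field without depending on date(1). The function names follow the message; the index.txt field layout assumed here is OpenSSL's UTCTime YYMMDDHHMMSSZ (GeneralizedTime YYYYMMDDHHMMSSZ from 2050 on), with the RFC 5280 two-digit-year rule, and the epoch arithmetic uses the 400-year-era "days from civil" formula.

```shell
#!/bin/sh
# Added example, not EasyRSA's own code: convert an OpenSSL index.txt
# expiry field to ISO 8601 and then to seconds since the epoch, in plain
# POSIX sh arithmetic, so a renamed certificate can still be checked.

# take N STR: print the first N characters of STR
take() { printf "%.${1}s" "$2"; }

# dec NUM: strip leading zeros so $(( )) does not read "08" as octal
dec() {
    _n=$1
    while [ "${_n#0}" != "$_n" ] && [ "${#_n}" -gt 1 ]; do _n=${_n#0}; done
    printf '%s' "$_n"
}

# db_date_to_iso_8601_date DBDATE
#   index.txt stores expiry as UTCTime YYMMDDHHMMSSZ (years before 2050)
#   or GeneralizedTime YYYYMMDDHHMMSSZ; RFC 5280 reads YY>=50 as 19YY.
db_date_to_iso_8601_date() {
    _db=${1%Z}
    case ${#_db} in
        12) _yy=$(take 2 "$_db"); _db=${_db#??}
            if [ "$_yy" -ge 50 ]; then _y=19$_yy; else _y=20$_yy; fi ;;
        14) _y=$(take 4 "$_db"); _db=${_db#????} ;;
        *)  echo "unrecognised database date: $1" >&2; return 1 ;;
    esac
    _mo=$(take 2 "$_db"); _db=${_db#??}
    _d=$(take 2 "$_db");  _db=${_db#??}
    _h=$(take 2 "$_db");  _db=${_db#??}
    _mi=$(take 2 "$_db"); _s=${_db#??}
    printf '%s-%s-%sT%s:%s:%sZ\n' "$_y" "$_mo" "$_d" "$_h" "$_mi" "$_s"
}

# iso_8601_timestamp_to_seconds YYYY-MM-DDTHH:MM:SSZ
#   Days since 1970-01-01 via the proleptic Gregorian "days from civil"
#   formula (400-year eras), then seconds; no dependency on date(1).
iso_8601_timestamp_to_seconds() {
    _t=${1%Z}                                  # 2025-01-01T12:00:00
    _y=$(dec "${_t%%-*}");  _t=${_t#*-}        # 01-01T12:00:00
    _mo=$(dec "${_t%%-*}"); _t=${_t#*-}        # 01T12:00:00
    _d=$(dec "${_t%%T*}");  _t=${_t#*T}        # 12:00:00
    _h=$(dec "${_t%%:*}");  _t=${_t#*:}        # 00:00
    _mi=$(dec "${_t%%:*}"); _s=$(dec "${_t#*:}")

    # Shift the year so that March is month 0: leap days then fall at the
    # end of the shifted year and need no special case.
    if [ "$_mo" -le 2 ]; then _y=$((_y - 1)); _mp=$((_mo + 9)); else _mp=$((_mo - 3)); fi
    _era=$((_y / 400))
    _yoe=$((_y - _era * 400))                            # year of era
    _doy=$(((153 * _mp + 2) / 5 + _d - 1))               # day of year
    _doe=$((_yoe * 365 + _yoe / 4 - _yoe / 100 + _doy))  # day of era
    _days=$((_era * 146097 + _doe - 719468))             # since 1970-01-01
    printf '%s\n' $((_days * 86400 + _h * 3600 + _mi * 60 + _s))
}

# db_date_to_seconds DBDATE: the full show-expire path in one call
db_date_to_seconds() {
    _iso=$(db_date_to_iso_8601_date "$1") || return 1
    iso_8601_timestamp_to_seconds "$_iso"
}

db_date_to_seconds 250101120000Z   # prints: 1735732800
```

Once the expiry is in seconds it can be compared directly against the current time, which is what show-expire needs when the CN cannot be used to find the certificate file.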
If '--vars=vars' is used, without specifying a path to 'vars', then
sourcing 'vars' fails to find './vars'. POSIX '.' searches the PATH
when the file-name does not contain a slash '/'. [man dot(1p)]
Since EasyRSA expects the 'vars' file to be within the current working
directory, setting 'PATH=./' forces '.' to search ONLY './'.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

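Added example, not EasyRSA's own code: a source_vars function that pins PATH to './' for the duration of the POSIX '.' command, as the message above describes, so that a bare '--vars=vars' resolves to './vars'. It also carries the rule from the earlier messages that a vars file inside the PKI may not change EASYRSA or EASYRSA_PKI (sourcing it is checked before and after). The function name follows the refactor message; the argument layout, and the constructed vars files (plain assignments rather than EasyRSA's own vars syntax), are this example's assumptions.

```shell
#!/bin/sh
# Added example, not EasyRSA's own code: sourcing a vars file so that a
# bare '--vars=vars' resolves to './vars', plus the guard from the earlier
# messages that a vars file inside the PKI may not change EASYRSA or
# EASYRSA_PKI. Argument layout and the constructed vars files (plain
# assignments rather than EasyRSA's own vars syntax) are assumptions here.

# source_vars FILE [pki]
#   Sources FILE with the POSIX '.' command. Pass "pki" when FILE was
#   auto-loaded from inside the PKI; such a file may not redirect the PKI.
source_vars() {
    _file=$1
    _in_pki=$2

    [ -f "$_file" ] || { echo "vars file not found: $_file" >&2; return 1; }

    # Record what a PKI vars file must leave alone.
    _easyrsa_before=$EASYRSA
    _pki_before=$EASYRSA_PKI

    # POSIX '.' looks a slash-less name up in PATH, not in the working
    # directory [dot(1p)], so pin PATH to './' for the duration of the
    # source and restore it afterwards (in a strictly POSIX shell an
    # assignment prefix on '.' would persist, as '.' is a special built-in).
    _saved_path=$PATH
    PATH=./
    . "$_file"
    _rc=$?
    PATH=$_saved_path
    [ "$_rc" -eq 0 ] || return "$_rc"

    if [ "$_in_pki" = pki ]; then
        if [ "$EASYRSA" != "$_easyrsa_before" ] ||
           [ "$EASYRSA_PKI" != "$_pki_before" ]; then
            echo "error: $_file may not change EASYRSA or EASYRSA_PKI" >&2
            EASYRSA=$_easyrsa_before      # undo the redirection
            EASYRSA_PKI=$_pki_before
            return 1
        fi
    fi
    return 0
}

# demo_source_vars: constructed working directory with './vars' and a
# './pki/vars' that tries to point EASYRSA_PKI elsewhere; prints "ok".
demo_source_vars() (
    _dir=$(mktemp -d 2>/dev/null || printf '/tmp/source-vars-demo.%s' "$$")
    mkdir -p "$_dir/pki" || exit 1
    printf '%s\n' 'EXAMPLE_VAR=from_working_dir' > "$_dir/vars"
    printf '%s\n' 'EASYRSA_PKI=/somewhere/else' > "$_dir/pki/vars"
    cd "$_dir" || exit 1
    EASYRSA_PKI=$_dir/pki
    # The '--vars=vars' case: no slash, so '.' alone would consult PATH.
    source_vars vars || exit 1
    [ "$EXAMPLE_VAR" = from_working_dir ] || exit 1
    # A vars file inside the PKI that points at another PKI must fail ...
    if source_vars pki/vars pki 2>/dev/null; then exit 1; fi
    # ... and must leave the expected PKI in place.
    [ "$EASYRSA_PKI" = "$_dir/pki" ] || exit 1
    cd / && rm -rf "$_dir"
    echo ok
)

demo_source_vars   # prints: ok
```

Restoring PATH after the source matters: with PATH left at './', every later external command in the script would resolve only against the working directory.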
The option 'soft' for 'init-pki' has been found to be flawed, because
keeping the 'vars' file in the PKI is now forbidden. The 'soft' option
will be removed in due course.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

For 'init-pki', disable creating vars.example, which also disables
creating a vars file in the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

The default 'vars' file MUST be "$PWD/vars", no other file can be default.
In order to enforce that, a default 'pki/vars' file MUST be forbidden.
This patch:
* Disables the recommendation for 'vars' to be moved TO the PKI, './pki/vars'.
* Forbids the file called './pki/vars'.
* Forbids multiple 'vars' files.
* Recommends ONLY the working directory copy of a 'vars' file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>