commit 37232a8a6677dcdd5be4b4f9d3f1c8241e214a49
Merge: bee93cf a3c9f0b
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri Aug 5 18:05:56 2022 +0100
Merge branch 'doc-add-ed' of ssh://github.com/mnme/easy-rsa into mnme-doc-add-ed
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit a3c9f0bb5b79fa9fffaaf65b109069035138788b
Author: Nicolas Jeker <n.jeker@gmx.net>
Date: Thu Aug 20 11:31:32 2020 +0200
doc: Add 'ed' option to EASYRSA_ALGO
Related to #488
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Note: This change only assigns the secure session variable;
it does not create the directory or any files within it.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
To create Easyrsa Safe SSL config file, a standard temporary
directory is required, which can only be created after a secure
session has been assigned.
Closes: #622
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Because easyrsa uses die() on errors, functions which call other
functions may not receive a returned error code and, therefore,
a test for an error will not occur in the calling function.
If 'renew' fails in the build_full() phase then build_full(), gen_req()
or sign_req() will error out to die() and not return an error to 'renew'.
This leaves the files which are about to be renewed in the 'renewed'
sub-folder without replacement files in the PKI folders.
Set 'on_error_undo_renew_move=1' and call renew_restore_move() from
cleanup() when an error occurs during the build_full() phase of 'renew'.
Closes: #613
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
EasyRSA 'renew' does not renew a certificate, it builds a new cert/key pair.
This 'old' method thus causes the Entity Private Key to be 'leaked'.
'renew-req' allows the original Entity Private Key to remain ''secure''.
This is achieved by generating a new certificate request for the original
Entity Private Key, to be submitted for signing by the CA administrator.
Resolves: #609
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Add a *final* layer of granularity to X509 Distinguished Name.
Only used if --req-serial="<PRINTABLE>user data" is specified.
To minimize the noise to the user by this new field, change the way
that OpenSSL is called to build a CA: Always use '-batch' mode.
User visible change when building a CA:
* Instead of being prompted for each individual DN field, now the
user is presented with a read-out of how the fields are currently
set. There is now only a single confirmation that all fields are
correct.
* If '--req-serial' is not used then 'serialNumber' is not displayed.
PRINTABLE: a-z,A-Z,0-9, -+/=.,?:()
Closes: OpenVPN#462 - The original proposal and prototype code.
Closes: OpenVPN#598 - Supersedes: Introduce 1.organizationalUnitName
Closes: OpenVPN#600 - Bugfix: Remove unused 'name' definition from SSL conf.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
* easyrsa_openssl() - Disable 'genpkey -config' for LibreSSL
Closes: #601
* Set '-nodes' for LibreSSL version 3 'no-password' mode
Closes: #602
Minor corrections to indentation/comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Subshell is required due to use of die() in sign_req().
Otherwise, on error sign_req() errors out without removing input files.
Revert part of commit: 15429df9fdd5c63c6e33dba141ff2e9a77ed0855
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Option '--renew-days=#', variable $EASYRSA_CERT_RENEW was used to enforce a
"grace" period, *outside of which* 'renew' was prohibited. Default: 30 days.
This prohibition is no longer enforced:
* https://github.com/OpenVPN/easy-rsa/issues/593
Option '--renew-days=#' now represents the cut-off date for EasyRSA status
report 'show-expire'. This report *only* lists those certificates which will
expire within the given $EASYRSA_CERT_RENEW number of days 'from now'.
This also affects the command 'renewable'. (Only supports GNU 'date')
Updates to 'help options'.
(1) Official notice of "intention to deprecate" option: '--req-cn'
EasyRSA has *never* supported '--req-cn'.
For "type" server/client 'Build-$type-full' ALWAYS explicitly sets variable
EASYRSA_REQ_CN to $2 from the command line. Always over-riding the option.
'gen-req' explicitly sets 'EASYRSA_REQ_CN="$1"'. Always over-riding ..
'sign-req' explicitly sets 'crt_out="$EASYRSA_PKI/issued/$2.crt"' .. ditto.
'build-ca' requires specific code review to understand.
Labeled as: "May have tried but gave up.."
This is *only* a notice of "intention to deprecate".
The main goal of the option '--req-cn' is to achieve a disconnect between
certificate 'commonName' versus the 'file-name' of the certificate.
Eg: file-name: mmjd0101.crt | commonName: "mass-murderer John Doe (#0101)"
There is "merit" to this functionality but then .. EasyRSA is Free-OSS.
"If You need this functionality then You should help provide it."
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If this 'date' is MacPorts then it will fall through to:
* This *is* the bottom-line, "date-wise": Ubuntu or busybox.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Use command option '--fix-offset=nnn' [nnn: 1 - 365] day number,
to set the date at which the certificate will become Valid.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
When revoking a renewed certificate, do not delete PKCS files,
because they do not belong to the old certificate which was renewed.
Update warnings to reflect this change.
Add revocation "reason" to confirmation dialogues.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The original cert_dates(); was intended to restrict certificate renewal
to a fixed 30-day-window of the certificate expiry date. This was an
unnecessary restriction. Removed-by: #594
The original cert_dates(); "gave rise to" the Easy-RSA "ambition" to
support multiple versions of 'date' (*nix), which proved to be more
demanding than initially expected. The "new" code speaks for itself.
Currently supported versions of 'date', as of this pull request:
* Linux (Standard Ubuntu)
* FreeBSD
* MacOS and MacOS Ports
* busybox
New functions:
* cert_date_to_timestamp_s()
Takes an X509 certificate date, as output by SSL option '-startdate'
or '-enddate' and creates a 'timestamp' in seconds since epoch.
* offset_days_to_cert_date() [Note: 'days' not 'date']
Adds the $offset number of days to the current date and creates an
X509 "style" certificate date string.
* ff_date_to_cert_date()
Takes a fixed-format date and converts it into an X509 certificate
"style" date string.
* ssl_cert_not_before_date()
Dedicated function to return an X509 certificate '-startdate' by SSL.
* ssl_cert_not_after_date()
Dedicated function to return an X509 certificate '-enddate' by SSL.
These functions serve to provide an extensible framework for Easy-RSA
to manage all 'date' requirements.
Extras:
Built in reports 'show-expire','show-revoke' and 'show-renew' all use
these functions to interrogate index.txt and the PKI, extensively.
Add error detection to Easy-RSA options which involve "number of days"
and fail for any input which is not a base-10 number, e.g. --days=nn
Closes: #593
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Auto-escape '&' ampersand explanation:
'easyrsa' uses 'sed' to build a safe SSL config file, which means
that an unescaped '&' ampersand cannot be used in the 'vars' file.
This is due to 'sed' treating '&' as a special character.
Rather than expect users to know all this and use extended escaping,
to get around 'easyrsa' set_var(), use auto-escape. This allows use
of unescaped '&' in vars file. Like any other character.
Auto-escape '$' dollar-sign explanation:
Using '$' in the 'vars' file MUST be escaped. Escaping '$' to stop
expansion is common knowledge and the first thing a user will try.
Using an escaped '$' in the 'vars' file results in an unescaped '$'
being written to the SSL config file, which is then expanded by
OpenSSL or choked on by LibreSSL. Auto-escaping '$' fixes this.
Add SSL library name to die().
Allow verify_ssl_lib() to run ONLY once.
Improve comments.
Re-order the areas searched for data files to prioritise preferred
locations over old defaults.
Tested-with: OpenSSL and LibreSSL and on Windows and FreeBSD.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
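The sed escaping problem this commit describes, as an added example that is not easy-rsa's own code: a constructed template line stands in for the SSL config, and escape_value() (a hypothetical helper, not the project's set_var()) shows the '&' and '$' handling a sed-built config needs.

```shell
#!/bin/sh
# Added example (not easy-rsa code): why a raw 'vars' value breaks a
# config built with sed, and how escaping '&' and '$' first fixes it.

# Constructed template line standing in for the SSL config template.
TEMPLATE='organizationName = __ORG__'

# Naive substitution: the value goes straight into the sed replacement,
# so an unescaped '&' re-inserts the matched pattern instead of itself.
naive_sub() {
    printf '%s\n' "$TEMPLATE" | sed "s/__ORG__/$1/"
}

# Escape a value for use as a sed 's' replacement that lands in an
# OpenSSL-style config:
#  1. '$' becomes '\$' so OpenSSL does not expand it as a variable;
#  2. '\', '&' and the '/' delimiter are then escaped for sed, which
#     also turns the '\$' from step 1 into '\\$' so the backslash
#     survives sed and is written to the config file.
escape_value() {
    printf '%s' "$1" | sed -e 's/\$/\\$/g' -e 's/[\\&/]/\\&/g'
}

# Safe substitution: same sed command, escaped value.
safe_sub() {
    printf '%s\n' "$TEMPLATE" | sed "s/__ORG__/$(escape_value "$1")/"
}
```

With the value 'Acme & Co', naive_sub writes 'Acme __ORG__ Co' while safe_sub writes 'Acme & Co'; with 'Cost $5', safe_sub writes 'Cost \$5'.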
Changes:
* Improve help
* Move renew_restore_move() out of die() and back to renewal block.
* Minor corrections to user output.
* Add detailed description of which files will be moved/removed.
* Simplify check/create revoked/renewed directory structures.
* Only die on failure to move certificate, otherwise warn only.
Some files may not be present, e.g. PKCS files already removed.
Manually tested.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>