EASYRSA_SAFE_CONF is a LibreSSL-compatible config file.
Create EASYRSA_SAFE_CONF during init-pki, one time per PKI.
Set OPENSSL_CONF to be EASYRSA_SAFE_CONF, to prevent bogus warnings.
Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com>
Make wait_sec() accept an argument for time so it behaves more like
sleep.
Merge branch 'TinCanTech-master'
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
fixes #305
Gracefully handle IP when both renewing cert and keeping SAN from the
old certificate
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Should "fix" errors related to ash and potentially other non-POSIX
shells that don't handle set -o or related options.
http://www.austingroupbugs.net/view.php?id=1207
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Although 'read -s' is not POSIX, it might be the only option
for some systems (OpenWrt). Try each alternative and, if all
of those fail, warn the user and read with "echo on".
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
win32 mktemp shipped by easyrsa does not work. It returns
unmodified template as the "temporary file". This results
in file conflicts when two temporary files are in use.
However win32 mktemp -d does work as expected. So, we can use
mktemp -du to generate a correct temporary file name.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Remove a warning when the first certificate is generated
Can't open .../easy-rsa/pki/index.txt.attr for reading, No such file or directory
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
When easyrsa is in $PATH, $0 does not contain a directory, resulting
in an invalid prog_vars. prog_vars is used to get default vars
location, if $EASYRSA_VARS_FILE, $EASYRSA_PKI/vars and $PWD/pki/vars
do not exist.
$0 is also used to set $EASYRSA the same way prog_vars is defined.
$EASYRSA/openssl-easyrsa.cnf is used to set $EASYRSA_SSL_CONF initial
content if missing.
$EASYRSA/x509-types is used for extensions dir if $EASYRSA_EXT_DIR
and $EASYRSA_PKI/x509-types are not found. However, if vars already
needs changes, it is better to set $EASYRSA_EXT_DIR and file locations
there.
Normally a symlink to /usr/bin will be used to put easyrsa in $PATH.
Following $PATH and symlink allows easyrsa to be located in a more
standard dir like /usr/lib/easy-rsa/easyrsa and vars at
/usr/{lib,libexec,share}/easyrsa/vars, which could be a symlink to
/etc/easy-rsa/vars. vars can be easily appended with the default
distribution values.
With this patch, a system-wide easyrsa package could use this file
structure without patching easyrsa:
/etc/easy-rsa/openssl-easyrsa.cnf
/etc/easy-rsa/pki/
/etc/easy-rsa/vars
/usr/bin/easyrsa -> /usr/lib/easy-rsa/easyrsa
/usr/lib/easy-rsa/easyrsa
/usr/lib/easy-rsa/openssl-easyrsa.cnf
/usr/lib/easy-rsa/vars -> /etc/easy-rsa/vars
/usr/lib/easy-rsa/x509-types
If following symlink fails (win32), the previous behavior is used.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
build_full leaves req/privkey if sign fails (i.e. when CA pass was
incorrect). If build_full fails, it should remove everything it created.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Batch operations cannot be automated if openssl keeps asking
for a password. These new options allow the user to specify
a new source for password, using any openssl password options
like pass:1234 or env:var
Aborts build-ca if privkey generation fails.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Most $EASYRSA_OPENSSL calls were replaced by easyrsa_openssl
calls. When OpenSSL config is needed, easyrsa_openssl generates
a temporary config in tempfiles, incorporating make_ssl_config and
$EASYRSA_EXTRA_EXTS usage.
vars_source_check and verify_ssl_lib use of make_ssl_config was
removed.
'export OPENSSL_CONF' was removed as every openssl call that might
need a conf now uses easyrsa_safessl.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Manually managing temp files in fixed variables (EASYRSA_TEMP_FILE_*)
can result in errors like in build_ca that reused EASYRSA_TEMP_FILE_3.
A temporary directory simplifies the cleanup.
A configurable directory for temp files (var EASYRSA_TEMP_DIR) also
allows the user to define a different temporary directory. This is
important for devices using flash disks that have limited number of
writes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Merged clean_temp and prog_exit into cleanup, but removing
the exit call. Exit should not be called during EXIT as it will
overwrite the current exit code.
Trapped signals simply call "exit $((128+signal))" to force the
execution of EXIT (for non bash-shells).
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
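
The trap arrangement described in the last commit message above, combined with the single temporary directory from the commit before it, as an added shell example. It is not easy-rsa's code; `run_demo`, `tmp_dir` and the use of `TMPDIR` as the configurable location are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not easy-rsa's code. run_demo and tmp_dir are
# hypothetical names; TMPDIR stands in for a configurable temp location.

# run_demo MODE PATHFILE
#   Runs a child shell that creates one temp dir, records its path in
#   PATHFILE, then ends with "exit 3" (MODE=fail) or by sending itself
#   SIGTERM (MODE=term). Returns the child's exit status.
run_demo() {
    sh -c '
        cleanup() {
            # Called from the EXIT trap. It removes the temp dir and does
            # not call exit, so the status that ended the script survives.
            if [ -n "$tmp_dir" ]; then rm -rf "$tmp_dir"; fi
        }
        trap cleanup EXIT
        # Signal traps only exit with 128+signal; that exit runs the EXIT
        # trap, so cleanup happens once, on every path.
        trap "exit 129" HUP
        trap "exit 130" INT
        trap "exit 143" TERM

        tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/trapdemo.XXXXXX") || exit 1
        printf "%s\n" "$tmp_dir" > "$2"
        : > "$tmp_dir/scratch-1"      # any number of scratch files,
        : > "$tmp_dir/scratch-2"      # all removed with the directory

        case "$1" in
            fail) exit 3 ;;
            term) kill -TERM "$$" ;;
        esac
    ' trapdemo "$1" "$2"
}

# Stand-alone run: show status and cleanup for both endings.
path_file=$(mktemp)
for mode in fail term; do
    status=0
    run_demo "$mode" "$path_file" || status=$?
    if [ -e "$(cat "$path_file")" ]; then left=yes; else left=no; fi
    echo "mode=$mode status=$status temp_dir_left=$left"
done
rm -f "$path_file"
```

Because private keys and generated OpenSSL configs pass through the temporary directory, the check worth keeping in a test suite is the one shown here: the directory is gone and the original exit status is intact on both the error path and the signal path.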