Do not allow a known PKI folder <NAME> as --keep-tmp=<NAME>
Remove unnecessary random number extension.
Move all snapshots to sub-directory: $EASYRSA_TEMP_DIR/tmp/<NAME>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Append the random 32bit number generated for temporary session directory
to the '--keep-tmp=NAME' directory NAME specified by the user.
This avoids obliterating a private keys directory.
Example:
With default settings, '--keep-tmp=private' will delete "$PKI/private".
This will now destroy any directory with the name:
* "$temp_dir/$NAME.$rand"
Closes: #707
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Do not require '--ns-cert=yes' (or no):
If '--ns-cert' is specified then Netscape support is being requested.
However, '--ns-cert=no' (or yes) will still work as expected.
if '--ns-cert' is used then '--ns-cert=yes' is the new default.
Remove 'awk_yesno()': Unnecessary complexity.
Reword 'help': The behavior is simplified and so is the help.
Closes: #698Closes: #709
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Move show_host() to cleanup() and only call it when die() was called.
This allows for confirm() Aborted to exit without extended error data.
Move detect_host after options processing. Allows for use of options.
eg: --verbose
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
When signing a request for an intermediate CA using --subca-len=N:
For a Sub-CA, the current method to apply 'pathlen:N' to CA basicConstraints
over-writes all user set basicConstraints.
Replace that with an awk script which reads the current x509-types/ca file;
selects the last occurence of 'basicConstraints' (As does OpenSSL) and then
prints that line, with ", pathlen:$EASYRSA_SUBCA_LEN" appended, into the
temporary x509-types/ca file.
If no CA basicConstraint is found then exit with an error. Reason:
Easy-RSA default CA basicConstrain will always be defined. If that is changed
by the user, who then attempts to use Easy-RSA to append 'pathlen' then that
is an error. Easy-RSA must not insert a default when the default has been
deliberately removed.
Closes: #691 - Original bug report.
Closes: #692 - First use of awk as a solution. [Credit]
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
build-x-full uses a subshell to detect errors and cleanup the files
if an error occurs. This does not work if Ctrl-C is pressed during
the confirmation yes/no dialog.
Replace the subshell with an indicator, $on_error_build_full_cleanup,
to force cleanup() to remove the CSR, key and certificate files when
an error occurs or user presses Ctrl-C.
Closes: #680
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Expand 'show-renew' to include certs which have been renewed the old way.
These are stored in 'renewed/certs_by_serial' and require 'rewind-renew'
before they can be revoked.
Also, introduce option '-v|--verbose' to make all status reports (only)
more verbose.
In this particular use case, verbose message detail expected serialNumber
mismatches, which can then be verified. The previous code returned with
out an error, even though the test suggests that an error had occurred.
This verbosity for reports helps to verify that the report is correct.
Manually tested on a PKI with a mix of v1/v2 style renews.
Closese: 699
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Since EasyRSA version 3.1 there is a NEW insert-marker for X509 type 'ca'.
* New insert-marker: '^#%CA_X509_TYPES_EXTRA_EXTS%' [BRE]
This is only required to build a new CA or Sub-CA. However, without this
check, an old version of openssl-easyrsa.cnf will silently FAIL to include
the X509 types for 'ca' and 'COMMON', when builing a new CA.
EasyRSA 'init-pki soft' does leave 'openssl-easyrsa.cnf' in place, which
means that this is a known possible failure.
For consistency, check for All EasyRSA insert-markers, when used.
* Standard insert-markers: '^#%EXTRA_EXTS%' and '^#%COPY_EXTS%' [BRE]
Tested manually.
Closes: #693
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Document the various EasyRSA version differences of renewal and revocation.
Closes: #626
Authors comment:
It has taken good luck, hard work and co-operation to save
EasyRSA "renewal and revocation".
I am pleased to have provided the solution presented here.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The old 'renew' always created a new private key at the CA signing side.
This forces the entity private key to be exposed, unnecessarily.
Only certificates expire, therefore, only certificates can be renewed.
For those reasons, the old 'renew' has been renamed to 'rebuild'.
The new 'renew' creates a new certificate only from the existing CSR.
The existing CSR will always exist, allowing a certificate to be renewed
indefinitely.
Both 'rebuild' and 'renew' use the renewed/ folders to temporarily store
the old certificate, where it can be revoked with 'revoke-renewed' command.
Manually tested.
Closes: #684
Notes:
* renew version 1 did not have a command to revoke old certificates.
* renew version 2 allowed old certificates to be revoked via command
'revoke-renewed'.
* renew version 3 only renews the certificate.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
