Since the introduction of the 'escape_hazard()' function, all characters
except backtick (`) are supported.
This patch brings vars.example in line with the warning in easyrsa and
also only warns about backtick.
It is possible that curly brace '{}' may also cause OpenSSL to behave
strangely. However, the strange behaviour, which I previously observed,
may have been rectified by OpenSSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Add warning for new password status, prior to renewal.
Add reminder to replace certificate AND key files, after renewal.
Correct input check for option 'nopass'
Closes: m#644
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Previously, testing vars for unsupported characters was only done if
vars was in the PKI. This test can now be done for all vars files.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The 3 definitions of $prog_dir:
- foo -> prog_dir=/search/path ## Not $PWD
- ./foo -> prog_dir=. ## $PWD
- /full/path/foo -> prog_dir=/full/path ## Could be $PWD
'/full/path' was previously missing from the check.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Since relaxing the rules concerning the location of vars file,
commit f4a604438d3ce5fe67a1f4db956dc42fc4ae5588, it is no longer
necessary to prohibit the use of --vars=file with 'init-pki'.
This initial prohibition was only a temporary measure and has
proven to be of no value.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
'shift 2' was moved above the parameter check in previous commit:
1d227736e404b805e84b8949aa238a240c4ad5eb
Move it back to after the check and reword user output for clarity.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If verify_ca_init fails then the error message states that: 'serial
is missing'. While this is true, it is not 'user friendly'.
Reorder the checks so that if verify_ca_init fails then the error
message will "probably" state that: 'ca.crt is missing', which makes
more sense if the CA has not been initialised.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The command 'sign-req COMMON client1 nopass' would generate an invalid
certificate. Do not allow COMMON as a $cert_type.
Also, improve comment and user output for existing certificate check.
Closes: #634
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If a user breaks out [Ctrl-C] from generating a DH parameters file
then there is an empty dh.pem file left over.
Output the DH parameters to a temp-file and move it upon validation
and completion.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
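The temp-file-then-move pattern described in the commit message above, as an added example that is not easyrsa's own code. `safe_generate`, `gen_ok`, `gen_abort` and `check_pem` are hypothetical names, and the generator and validator are constructed stand-ins for the two `openssl dhparam` calls named in the comments.

```shell
#!/bin/sh
# Added example (not easyrsa's code): build the file at a temp path and move it
# into place only after it validates, so an aborted run leaves no empty stub.

safe_generate() {
    target="$1" gen_cmd="$2" check_cmd="$3"
    tmp="$(mktemp "${target}.XXXXXX")" || return 1

    # Subshell keeps the trap and any 'exit' local to this call.
    (
        trap 'rm -f "$tmp"; exit 130' INT TERM
        "$gen_cmd" "$tmp" || { rm -f "$tmp"; exit 1; }
        # Reject empty or invalid output before it can reach $target.
        [ -s "$tmp" ] && "$check_cmd" "$tmp" || { rm -f "$tmp"; exit 1; }
        mv -f "$tmp" "$target"
    )
}

# Constructed stand-ins. A real pair would wrap:
#   openssl dhparam -out "$1" 2048
#   openssl dhparam -in "$1" -check -noout
gen_ok()    { printf '%s\n' '-----BEGIN DH PARAMETERS-----' > "$1"; }
gen_abort() { : > "$1"; return 1; }   # aborted run: empty file, non-zero exit
check_pem() { grep -q 'BEGIN DH PARAMETERS' "$1"; }

# Demo: an aborted generation leaves nothing behind in the target directory.
demo_dir="$(mktemp -d)"
safe_generate "$demo_dir/dh.pem" gen_abort check_pem ||
    echo "generation aborted; files left: $(ls -A "$demo_dir" | wc -l)"
rm -rf "$demo_dir"
```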
Prefer /usr/local/share over /usr/share
and move /etc/easy-rsa to last place.
Tidy up a 'case', no functional change.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The utility script 'make-cadir' creates a CA directory with a vars file.
This vars file conflicts with the preferred PKI-vars file.
This patch changes 'init-pki' to allow make-cadir vars file to over-ride
the preferred PKI-vars file, without error.
Closes: #633
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 37232a8a6677dcdd5be4b4f9d3f1c8241e214a49
Merge: bee93cf a3c9f0b
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri Aug 5 18:05:56 2022 +0100
Merge branch 'doc-add-ed' of ssh://github.com/mnme/easy-rsa into mnme-doc-add-ed
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit a3c9f0bb5b79fa9fffaaf65b109069035138788b
Author: Nicolas Jeker <n.jeker@gmx.net>
Date: Thu Aug 20 11:31:32 2020 +0200
doc: Add 'ed' option to EASYRSA_ALGO
Related to #488
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Note: This change only assigns the secure session variable,
it does not create the directory nor any files within it.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
To create Easyrsa Safe SSL config file, a standard temporary
directory is required, which can only be created after a secure
session has been assigned.
Closes: #622
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
It is possible that only the 'foo_by_serial' folders will exist in
the 'pki/renewed' sub-folder when 'rewind-renew' is needed.
Create the required folders when using 'rewind-renew'.
Closes: #612
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Because easyrsa uses die() on errors, functions which call other
functions may not receive a returned error code and, therefore,
a test for an error will not occur in the calling function.
If 'renew' fails in the build_full() phase then build_full(), gen_req()
or sign_req() will error out to die() and not return an error to 'renew'.
This leaves the files which are about to be renewed in the 'renewed'
sub-folder without replacement files in the PKI folders.
Set 'on_error_undo_renew_move=1' and call renew_restore_move() from
cleanup() when an error occurs during the build_full() phase of 'renew'.
Closes: #613
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
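A reduced model of the rollback described in the commit message above, as an added example that is not easyrsa's own code. The function and flag names follow the commit message, while `renew_move`, the single-file directory layout and the `fail`/`ok` mode argument are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not easyrsa's code): when errors end in die() rather than a
# return code, the caller cannot react, so rollback is driven by a flag that
# cleanup() checks. Layout and file names are constructed for this demo.

cleanup() {
    # Undo the move only if failure struck after the files were moved away
    # and before their replacements were built.
    if [ "$on_error_undo_renew_move" ]; then
        renew_restore_move
    fi
}

die() {
    echo "Error: $1" >&2
    cleanup
    exit 1
}

renew_move() {    # hypothetical helper: park the old cert in 'renewed'
    mkdir -p "$pki/renewed"
    mv "$pki/issued/$name.crt" "$pki/renewed/$name.crt"
}

renew_restore_move() {
    on_error_undo_renew_move=    # clear first so the undo cannot run twice
    mv "$pki/renewed/$name.crt" "$pki/issued/$name.crt"
}

build_full() {
    # Stand-in for the real build: on failure it exits through die(), so
    # renew() never sees a return code.
    if [ "$1" = fail ]; then die "build_full failed"; fi
    echo "new cert" > "$pki/issued/$name.crt"
}

renew() {
    pki="$1" name="$2" mode="$3"
    on_error_undo_renew_move=
    renew_move
    on_error_undo_renew_move=1   # from here on, a failure must roll back
    build_full "$mode"
    on_error_undo_renew_move=    # success: keep the parked copy in 'renewed'
}
```

Because `die` exits the shell, call `renew` from a subshell when experimenting, for example `( renew /tmp/pki client1 fail )`.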