Set run-once after if condition, otherwise Forced execution does not
set run-once.
Use "local" variable 'makesafeconf' to force a new safe ssl config.
Remove variable require_safe_ssl_conf, partially replaced by makesafeconf.
Add 'make-safe-ssl' command to the list which does not require a CA.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Move extension data preparation to before printing extension temp-file.
This allows the { extensions output command group } to always complete,
without error.
Consolidate create_x509_type_*() functions in one single function.
create_x509_type_easyrsa() remains as a separate function.
This file does not exist in x509-types directory. It is similar to the
COMMON x509-type; the details are the common extensions shared by x509
types: serverClient, server and client. Not suitable for x509-type ca.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Problem:
EasyRSA uses SSL CA command parameter '-serial $serial_number',
to check if a serial-number exists within the database.
The primary function of the SSL CA command parameter '-serial'
is to check if a certificate is Valid or has been Revoked.
EasyRSA abuses the SSL output to infer that a serial-number must
be unique because that output contains the text 'not present in db'.
SSL CA command parameter '-serial' ALWAYS returns an error,
regardless of whatever check it does. Likely, an SSL bug.
As a step-in-the-right direction:
To ease this needless-headache, expose the unique, random
serial-number check to the command line.
This helps to understand what is going on under-the-hood.
The command 'sign-req' remains the same; except the unique, random
serial-number check is moved to a separate, stand-alone function,
which is also exposed to the command line for validation.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
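The commit above describes exposing the unique, random serial-number check as a stand-alone step instead of inferring uniqueness from the text that `openssl ca -serial` prints. The following shell example is added here for illustration and is not EasyRSA's own code: it reads the OpenSSL `ca` database (`index.txt`) directly, where each line is tab-separated and the serial is the fourth field, and wraps that lookup in two hypothetical helpers, `serial_in_db` and `unique_random_serial`. The field layout, the helper names and the sample database lines are assumptions or constructed for this example.

```shell
#!/bin/sh
# Added example, not EasyRSA code: check serial-number uniqueness by reading
# the OpenSSL 'ca' database (index.txt) directly, rather than parsing the
# output of 'openssl ca -serial'.
#
# Assumed index.txt layout (tab-separated): status, expiry, revocation date
# (empty when not revoked), serial in upper-case hex, filename, subject DN.

# Constructed sample database for offline use: one valid, one revoked cert.
INDEX_TMP="${TMPDIR:-/tmp}/example-index.$$"
printf 'V\t330101000000Z\t\t1A2B3C\tunknown\t/CN=server1\n' > "$INDEX_TMP"
printf 'R\t330101000000Z\t240101000000Z\tDEADBEEF\tunknown\t/CN=client1\n' >> "$INDEX_TMP"
trap 'rm -f "$INDEX_TMP"' EXIT

# serial_in_db INDEX_FILE SERIAL
# Exit status 0 if the serial is present (valid or revoked), 1 if not.
serial_in_db() {
	db="$1"; serial="$2"
	# Normalise to upper-case hex, the form written to index.txt.
	serial=$(printf '%s' "$serial" | tr 'a-f' 'A-F')
	awk -F'\t' -v s="$serial" '$4 == s { found = 1 } END { exit !found }' "$db"
}

# unique_random_serial INDEX_FILE [BYTES]
# Print a random hex serial of BYTES bytes (default 16) that is not already
# in the database; retry a bounded number of times, fail if none is found.
unique_random_serial() {
	db="$1"; bytes="${2:-16}"
	tries=0
	while [ "$tries" -lt 10 ]; do
		if command -v openssl >/dev/null 2>&1; then
			cand=$(openssl rand -hex "$bytes" | tr 'a-f' 'A-F')
		else
			# Fallback when openssl is unavailable: read the kernel RNG.
			cand=$(od -An -N"$bytes" -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F')
		fi
		serial_in_db "$db" "$cand" || { printf '%s\n' "$cand"; return 0; }
		tries=$((tries + 1))
	done
	return 1
}

# Demonstration on the constructed database.
if serial_in_db "$INDEX_TMP" 1A2B3C; then
	echo "serial 1A2B3C: present in db"
fi
if ! serial_in_db "$INDEX_TMP" 123456; then
	echo "serial 123456: not present in db"
fi
echo "new unique serial: $(unique_random_serial "$INDEX_TMP")"
```

Because the lookup reads `index.txt` itself, the result does not depend on a particular wording of `openssl ca` output, and a revoked certificate's serial is still treated as taken, which is the behaviour a CA needs to avoid reusing serials.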
This reduces a tiny, unnecessary complexity for exiting with an error.
Functions which use the new variable to exit with error:
* verify_cert() and confirm().
Also, allow verify-cert to support --silent-ssl.
Add more verbose messages.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The actual changes made are:
* Remove $old_vars_true, no longer required.
* Change a test of $found_vars from any-string to specific number 1.
This then tests that only one vars file is found.
* If vars-file is created during init-pki then also set $vars to file-name.
The change here is that $vars is now ALWAYS set for this condition.
* Always print the names of conflicting vars files.
Helps debugging for users.
* Expand short-circuits to full 'if; then; else; fi'.
* Add more verbose messages
Help for debugging.
The combined effect is to show the correct messages regarding vars file,
during default status, help, init-pki and standard further commands.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
'ca.crt' was hard-coded to 'pki/ca.crt', instead use '$EASYRSA_PKI/ca.crt'
Status incorrectly warns that there are multiple, conflicting vars files,
when vars is user-defined. Set '$found_vars' to 1, when vars is user-defined.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
For default command 'easyrsa', show the following:
* Show the location of vars-file.
* Show the status of the CA.
* If vars is not in the PKI then show the "Prefer pki/vars" warning.
Also, show the "Prefer pki/vars" warning for all commands except help.
Move the logic to show the "Prefer pki/vars" warning to the function.
Extensively, manually tested.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>