
Add --root command-line option to set the top level directory

Open johnlane opened this issue 8 years ago • 9 comments

Provide a command-line argument to set the root (top level) directory of the easy-rsa tree.

This is normally set to pwd unless variable EASYRSA is set, either through the environment or in vars. Because the default location of vars is relative to EASYRSA this must be pre-set before accessing vars or the path to vars must be given explicitly and then vars must be edited to set EASYRSA.

I needed a non-environment way to set EASYRSA because I have a dedicated ca account that is used through restricted sudo which does not propagate environment variables.

I could use --vars and then edit vars to set EASYRSA but this --root option is neater and does not require altering the stock vars file.

johnlane avatar Sep 13 '16 08:09 johnlane

I think pull request #128 (which has been merged) obsoletes the need for a --root command-line option because $PWD/pki/vars is now a default location of the vars file. If you agree, please consider closing this pull request.

Revision 47a66ca (for adding a pem option to the show command) is unrelated, and should be submitted in a pull request of its own.

oreinert avatar Aug 18 '17 17:08 oreinert

I will check this with my code base to see if I get by without --root.

Also Revision 47a66ca (for adding a pem option to the show command) is already a separate PR #108. It's a mistake to be attached to this PR. After I check my code I will update or close this PR.

johnlane avatar Aug 30 '17 09:08 johnlane

I think this links directly to #499 and #348

This --root=DIR idea is one approach. I would prefer to see easyrsa running correctly, regardless of where the script is located.

TinCanTech avatar Mar 27 '22 17:03 TinCanTech

I don't get this whole discussion about where to store/find the different files.

Aren't there well defined locations for all platforms this thing is supposed to run?

On a Linux-based system, you have system-wide config in /etc/something and user-specific in $HOME/.config/something. The same goes for Win and Mac. Why not stick to the defined standard?

trasherdk avatar Mar 28 '22 05:03 trasherdk

> I don't get this whole discussion about where to store/find the different files.

Until now, there has been no discussion nor development on this subject. This has led to multiple problems and small patches which try to fix one thing. And like whack-a-mole, each time one gets knocked down something else pops up.

The goal now is to fix all that properly instead of using sticky-tape and string hacks to stumble through development.

TinCanTech avatar Mar 28 '22 12:03 TinCanTech

I'm kinda looking at a bunch of issues and PRs, all addressing the same general problem, as a discussion :)

trasherdk avatar Mar 29 '22 10:03 trasherdk

As of https://github.com/OpenVPN/easy-rsa/commit/ec6d072707d4378f0b6343d47333e74e78de12fc you should be able to achieve this without --root.

To do so use either method below.

  1. Install easyrsa to your PATH, e.g. /usr/local/sbin
  2. Install openssl-easyrsa.cnf and x509-types to /usr/local/share/easy-rsa
  3. cd to the folder you would name root and run easyrsa. If you have multiple PKIs then use easyrsa --pki-dir=foo
  4. Or run easyrsa from your ~/ and use --pki-dir=/full/path/to/foo

foo is the name of the PKI folder.

TinCanTech avatar Mar 29 '22 11:03 TinCanTech
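The --pki-dir method above, applied to the restricted-sudo CA account from the opening post, as an added example that is not code from this thread or from the easy-rsa project. The function names and the /srv/ca/pki path are assumptions, and easyrsa is assumed to be installed on PATH as in step 1.

```sh
#!/bin/sh
# Added example: wrapper for a dedicated CA account reached through sudo.
# The PKI location is an explicit argument, so nothing depends on the
# EASYRSA environment variable surviving the sudo boundary.
# Usage (constructed path): ca_easyrsa /srv/ca/pki build-ca

# check_pki_dir DIR -> 0 if DIR is acceptable to hand to easyrsa.
check_pki_dir() {
    dir=$1
    case $dir in
        /*) ;;  # absolute paths only; the caller's cwd is not trusted
        *)  echo "pki dir must be absolute: $dir" >&2; return 1 ;;
    esac
    case $dir in
        */../*|*/..) echo "pki dir must not contain '..': $dir" >&2; return 1 ;;
    esac
    if [ -L "$dir" ]; then
        echo "refusing symlinked pki dir: $dir" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2; return 1
    fi
    # A CA directory that group or others can write to lets another
    # account swap keys or config, so reject it before running anything.
    if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "pki dir is group- or world-writable: $dir" >&2; return 1
    fi
    return 0
}

# ca_easyrsa DIR [easyrsa args...] -> run easyrsa against DIR via --pki-dir.
ca_easyrsa() {
    dir=$1
    shift
    check_pki_dir "$dir" || return 1
    easyrsa --pki-dir="$dir" "$@"
}
```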

After more careful review, I think the --root (or possibly another name) idea, is a good approach.

It also clarifies exactly what $EASYRSA is meant to be.

TinCanTech avatar Apr 05 '22 18:04 TinCanTech

I have changed my mind. Simply use --pki-dir=<DIR>

Which, once again, leaves $EASYRSA in Limbo ..

TinCanTech avatar Apr 05 '22 21:04 TinCanTech

If anybody is genuinely interested in this idea then drop a comment here.

Closed as resolved.

TinCanTech avatar Sep 25 '22 21:09 TinCanTech