easy-rsa
Running easyrsa from a symlink or PATH
This issue is here to discuss how to simplify and resolve the problems related to:
- where easyrsa is located, versus
- the current directory, from which easyrsa was called.
When running easyrsa from the same directory as the location of the PKI, things generally work.
When easyrsa is not located in $PWD then things go wrong:
$EASYRSA is evaluated to the script directory, not the working directory.
While it is a very simple fix, #475 changes this behavior by explicitly setting $EASYRSA to $PWD.
This is a binary choice; Either easyrsa is in $PWD or it is not.
- If $0 points to $PWD then easyrsa is here. Normal functions resumed.
- Otherwise, it is somewhere else. Good luck.
This seems to be a far simpler choice than the if/elif/else maze to be found in vars_setup(). If otherwise then simple measures can be put in place for that specific situation.
Comments welcome.
A special approach could be, to deliberately run easyrsa from within your chosen PKI.
Edit:
This could be the default mode of operation, for easyrsa, to expect to be inside the PKI folder. This would end the vars location war too.
Depending on what is to be expected in the PKI after init-pki, easyrsa can detect (or be configured via a command --flag) that it is inside the PKI and adjust folder names etc, accordingly.
Each PKI will have its own vars and openssl-easyrsa.cnf file by default.
Using Windows, easyrsa is always in the same place as openssl-easyrsa.cnf, unless the user has made specific changes, which easyrsa does not have to support.
Other OSs (*nix), if EasyRSA is installed via a package manager then easyrsa will not be in the same location as openssl-easyrsa.cnf (Also, X509-types).
In this case, easyrsa should not be hazarding guesses as to where to find data files, it should have pre-defined, expected locations and fail if these files are not found. (My personal opinion)
Also, easyrsa should check for these files existence during init-pki and, if found, then setup the files in the expected location. If not found then init-pki should fail, immediately.
I am tempted to include all the data files as heredocs inside easyrsa. Extra 16.0 kB
BUG:
If easyrsa is in your path, not in the current-directory, then it will always fail to find openssl-easyrsa.cnf. This is due to the current mess found in vars_setup().
Fixing this may be a good place to start ..
It seems like nobody knows how to package EasyRSA.
Packaging found at:
- Arch Linux - /etc/easyrsa; easyrsa is installed to /usr/bin but fails to find openssl-easyrsa.cnf
- Debian 10 - /usr/share/easy-rsa; this requires the user to manually install easyrsa to PATH
- Ubuntu 20.04 - /usr/share/easy-rsa; easyrsa is installed to /usr/local/sbin but fails to find openssl-easyrsa.cnf
Please add your distro details below.
In order to allow easyrsa to be executed from a location in PATH, EASYRSA should be $PWD.
prog_dir can be used to look for data files, they might be present ..
Finding data files is another problem.
Because finding the data files is critical for easyrsa, the best location for them is: /etc/easyrsa
Because the x509-types and data-files are intended to be edited by users, they need to be per PKI.
It makes sense for init-pki to copy the x509-types and data-files from /etc/easyrsa to the newly created PKI.
And then present help to editing those files on completing init-pki.
This change would require that EASYRSA_EXT_DIR and EASYRSA_SAFE_CONF are only declared if init-pki() has run. The same as EASYRSA_TEMP_DIR_session, which already has a work around for missing PKI (Use the same if).
So to keep track, init-pki should copy the following files into a new PKI directory:
- openssl-easyrsa.cnf (safessl-easyrsa.cnf is automatically generated)
- vars
- x509-types/
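As an added example (not easy-rsa's own code), the following POSIX shell script separates the two locations the opening post contrasts: the directory the script file lives in, resolved from $0 through any symlink, and $PWD, which is what the comment above proposes EASYRSA should be set to. It then looks for openssl-easyrsa.cnf in a fixed, ordered list of candidate directories and fails instead of guessing when none of them has it. The function names, the temporary directory layout and the search order are assumptions made for the demonstration, not easy-rsa's own.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code. It shows the two pieces the
# discussion separates: where the script file lives (prog_dir, via $0)
# and where it was called from ($PWD), plus a fail-closed search for a
# data file over a fixed list of candidate directories.
# Assumes readlink -f (GNU coreutils or busybox).

# Canonical directory holding the script named by $1, symlinks resolved.
prog_dir() {
    dirname "$(readlink -f "$1")"
}

# Succeeds when the script named by $1 physically lives in $PWD.
script_in_pwd() {
    [ "$(prog_dir "$1")" = "$(readlink -f "$PWD")" ]
}

# find_data_file NAME DIR...  prints the first DIR/NAME that exists,
# in the order given, and fails (status 1) when none of them has it.
find_data_file() {
    name="$1"; shift
    for d in "$@"; do
        if [ -f "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# Builds a constructed layout under a fresh temp dir and prints its path:
#   bin/easyrsa                      the real script
#   etc/easyrsa/openssl-easyrsa.cnf  the packaged data file
#   pki/easyrsa -> <base>/bin/easyrsa  a symlink, as a distro or user might set up
make_layout() {
    base="$(readlink -f "$(mktemp -d)")"
    mkdir -p "$base/bin" "$base/etc/easyrsa" "$base/pki"
    printf '#!/bin/sh\n' > "$base/bin/easyrsa"
    : > "$base/etc/easyrsa/openssl-easyrsa.cnf"
    ln -s "$base/bin/easyrsa" "$base/pki/easyrsa"
    printf '%s\n' "$base"
}

# Walk through it: called via the symlink from inside pki/, $0 resolves to
# bin/, so EASYRSA must come from $PWD and the config from a known place.
demo() {
    base="$(make_layout)"
    cd "$base/pki" || return 1
    if script_in_pwd ./easyrsa; then
        echo "easyrsa is in \$PWD; use \$PWD for everything"
    else
        echo "easyrsa lives in $(prog_dir ./easyrsa); EASYRSA=$PWD"
    fi
    # Search order: the PKI's own dir, then the script dir, then the
    # system-wide location. prog_dir (bin/) holds no config here.
    find_data_file openssl-easyrsa.cnf "$PWD" "$(prog_dir ./easyrsa)" "$base/etc/easyrsa" \
        || { echo "openssl-easyrsa.cnf not found, refusing to guess" >&2; return 1; }
}

# Run the walkthrough in a subshell so its cd does not leak out.
(demo)
```

Run it with `sh script.sh`; the only output is the resolved script directory and the path of the config file that was found. The search order is the design decision the comment argues for: a short list of expected places, checked in a fixed order, and a hard failure when the file is missing.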
It could be required for future versions of easyrsa that those files are in either ~/.config/easy-rsa or /etc/easy-rsa.
As you mentioned they are critical.
@Prouflon Thanks for your feedback, you can clearly see the problem.
I have a patch, almost ready, which will sort this mess out.
I'll post it as a draft and I would be very happy for reviews.
There is one question:
- Where should vars belong?
It is customary to find vars in the parent folder to the PKI.
This can be copied/moved to the PKI folder .. but it MUST be very visible to users that behavior has (will be) changed.
It may be of use to have a new easyrsa command: show-vars
This could grep the vars file in the PKI, without showing comments.
It could also show a warning if a vars file is found in the parent folder to the PKI.
I need the output of this on Windows 11 with and without WSL:
$ readlink -f ./easyrsa
$ echo "$PWD"
$ set
Glad this was taken up. I was unable to articulate the problem. :)
I don't have a Windows 11 to assist with.
But I do have this issue with Debian 11. The vars file in /opt/easyrsa is not honoured completely. Specifically in regards to the EASYRSA_CRL_DAYS variable
I have to set it manually:
root@corpapse2a-vpn01:~# ls -l /opt/
total 4
drwx------ 3 root root 4096 Apr 27 08:58 easyrsa
root@corpapse2a-vpn01:~# ls -l /opt/easyrsa/
total 24
lrwxrwxrwx 1 root root 27 Oct 27 14:43 easyrsa -> /usr/share/easy-rsa/easyrsa
-rw-r--r-- 1 root root 4616 Oct 27 15:30 openssl-easyrsa.cnf
drwx------ 8 root root 4096 Apr 27 08:58 pki
-rw-r--r-- 1 root root 8895 Oct 27 15:58 vars
lrwxrwxrwx 1 root root 30 Oct 27 14:43 x509-types -> /usr/share/easy-rsa/x509-types
root@corpapse2a-vpn01:~# cd /opt/easyrsa/
root@corpapse2a-vpn01:/opt/easyrsa# ./easyrsa version
EasyRSA Version Information
Version: 3.0.8
Generated: Wed Sep 9 15:59:45 CDT 2020
SSL Lib: OpenSSL 1.1.1n 15 Mar 2022
Git Commit: f12e00e53b4f486ce3d119ca429198780fa694ac
Source Repo: https://github.com/OpenVPN/easy-rsa
I have to run it like this:
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
for the variable to be taken in. I've realised the issue seemed to be that it took the environment from /usr/share/easy-rsa, which has no vars file. So openssl-easyrsa.cnf defaults from /usr/share/easy-rsa are taken?
The vars file, in my opinion, should be taken from where the make-cadir script creates the easyrsa+PKI dirs.
Thank you!
Cheers, Dario Susman
Please try with current git/master.
Well, I've given it a try on my testing server.
It didn't appear to like it very much and it appears to expect it under the pki dir. And, as you can see, even on the same directory, it thinks there's a conflict when there's none. It's the same directory.
root@warpcore:/etc/openvpn/ca# ./easyrsa gen-crl
Found: /etc/openvpn/ca/vars
Found: ./vars
Easy-RSA error:
Conflicting 'vars' files found.
Priority should be given to your PKI vars file:
* /etc/openvpn/ca/pki/vars
Host: nix | Linux | /bin/bash
root@warpcore:/etc/openvpn/ca#
root@warpcore:/etc/openvpn/ca# ls -tlrah
total 32K
lrwxrwxrwx 1 openvpn nogroup 30 Nov 23 2020 x509-types -> /usr/share/easy-rsa/x509-types
lrwxrwxrwx 1 root root 27 Feb 17 23:38 easyrsa -> /usr/share/easy-rsa/easyrsa
-rw-r--r-- 1 openvpn nogroup 4.6K Feb 18 00:04 openssl-easyrsa.cnf
-rw-r--r-- 1 openvpn nogroup 8.5K Feb 18 00:14 vars
drwx------ 3 openvpn nogroup 4.0K Feb 18 00:14 .
drwxr-xr-x 5 openvpn nogroup 4.0K Mar 23 14:40 ..
drwx------ 8 openvpn nogroup 4.0K Apr 29 12:30 pki
root@warpcore:/etc/openvpn/ca# ls -tlrah pki/vars
ls: cannot access 'pki/vars': No such file or directory
root@warpcore:/etc/openvpn/ca#
The conflict is listed:
Found: /etc/openvpn/ca/vars
Found: ./vars
In this case, the script has probably found the same file twice:
- Once as the current working directory: /etc/openvpn/ca
- Once as "The vars of last resort": ./
easyrsa does not like either of these and instructs you to move your vars file to your PKI folder. Do that and the problem is solved.
The error message could be improved.
I believe this is all essentially fixed, so changing milestone.
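The false conflict in the session above comes from the same vars file being reached under two names, /etc/openvpn/ca/vars and ./vars. As an added example that is not easy-rsa's own code, the script below reproduces that layout in a temporary directory and compares a naive count of existing candidate files against a check that canonicalises each path with readlink -f before deciding whether two hits are really two files; a vars file inside the PKI directory is always preferred, matching the priority the error message describes. The function names, the candidate order and the constructed directory tree are assumptions.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code. It reproduces the false
# "Conflicting 'vars' files" report from the thread and shows a check
# that canonicalises every candidate path before calling two hits a
# conflict. Assumes readlink -f (GNU coreutils or busybox) and, for the
# simple word-split below, candidate paths without whitespace.

# canon PATH  prints the canonical absolute path, symlinks resolved.
canon() {
    readlink -f "$1"
}

# select_vars PKI_DIR CANDIDATE...  prints the vars file to use.
#   - PKI_DIR/vars always wins when it exists (the PKI's own settings).
#   - otherwise the candidates are canonicalised and de-duplicated:
#     exactly one distinct file -> print it; more than one -> status 2
#     with the distinct paths on stderr; none -> status 1.
select_vars() {
    pki="$1"; shift
    if [ -f "$pki/vars" ]; then
        canon "$pki/vars"
        return 0
    fi
    distinct=""
    for c in "$@"; do
        [ -f "$c" ] || continue
        p="$(canon "$c")"
        case " $distinct " in
            *" $p "*) ;;                      # same file seen under another name
            *) distinct="$distinct $p" ;;
        esac
    done
    set -- $distinct
    case $# in
        0) return 1 ;;
        1) printf '%s\n' "$1"; return 0 ;;
        *) echo "Conflicting 'vars' files found:" >&2
           for p in "$@"; do echo "  $p" >&2; done
           return 2 ;;
    esac
}

# naive_conflict CANDIDATE...  the behaviour being fixed: every existing
# candidate counts as a distinct hit, without resolving its path.
naive_conflict() {
    n=0
    for c in "$@"; do
        if [ -f "$c" ]; then n=$((n + 1)); fi
    done
    [ "$n" -gt 1 ]
}

# Constructed layout mirroring the report: ca/vars exists, ca/pki has none.
make_ca() {
    base="$(readlink -f "$(mktemp -d)")"
    mkdir -p "$base/ca/pki"
    printf 'set_var EASYRSA_CRL_DAYS 3650\n' > "$base/ca/vars"
    printf '%s\n' "$base/ca"
}

demo() {
    ca="$(make_ca)"
    cd "$ca" || return 1
    # The same file reached two ways, as in the thread: "$ca/vars" and "./vars".
    if naive_conflict "$ca/vars" ./vars; then
        echo "naive check: false conflict reported"
    fi
    select_vars "$ca/pki" "$ca/vars" ./vars   # prints a single canonical path
}

# Run the walkthrough in a subshell so its cd does not leak out.
(demo)
```

Run it with `sh script.sh`: the naive check reports a conflict for the two spellings of one file, while select_vars prints that file's single canonical path. Once a vars file is placed in the PKI directory, select_vars returns that one regardless of what else is found, which is the resolution the thread arrives at.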
If the move forward is to have the vars file within the PKI dir, sure.
Thanks!
Cheers, Dario Susman
On 05/05/2022 16:47, TinCanTech wrote:
I believe this is all essentially fixed, so changing milestone.
If the move forward is to have the vars file within the PKI dir, sure.
It is not a hard requirement but it is heavily biased.
You can over-ride by using --vars=your-vars, as documented.
Gotcha. Thank you :)
Cheers,
Dario Susman
On 05/05/2022 17:20, TinCanTech wrote:
If the move forward is to have the vars file within the PKI dir, sure.
It is not a hard requirement but it is heavily biased.
You can over-ride by using --vars=your-vars, as documented.
I have been running easyrsa v3.1.1 from /usr/local/sbin and a symlink for 6+ months with no issue.