'init-pki' should be mutually exclusive to '--vars'

Open TinCanTech opened this issue 3 years ago • 3 comments

The Classical way to use easyrsa is to have all the necessary supporting data present in the current working directory.

Necessary supporting data [NSD]:

  • easyrsa script file.
  • openssl-easyrsa.cnf file. [NSD]
  • vars.example file. [NSD]
  • x509-types folder. [NSD]

This setup means running ./easyrsa directly and not a system binary in PATH. Combine that with the default PKI of ./pki and many of the configuration variables (e.g. $EASYRSA_PKI) are rendered completely pointless .. although, this way has served its purpose very well, to date.

The Modern way is to run easyrsa from a system location found by PATH. easyrsa now searches common data locations for the NSD and ensures that the NSD is found and usable, and copied/promoted to the PKI when suitable, e.g. openssl-easyrsa.cnf.

The challenge, then, is to find a suitable medium between the Classical way and the Modern way.

TinCanTech avatar May 14 '22 17:05 TinCanTech

Making init-pki mutually exclusive to --vars means that only --pki-dir can be used with init-pki. This means that initialising a new, non-default PKI must be explicitly requested.

Valid points:

  • vars really belongs in the PKI folder because it is pertinent only to this PKI.

  • $EASYRSA and $EASYRSA_PKI do not belong in vars. How can vars $EASYRSA_PKI point anywhere else but the same folder as vars .. ?

  • $EASYRSA_OPENSSL is a little more tricky. Luckily, easyrsa sources vars before any use of openssl, so it can remain. It is also a well documented use of vars.

  • With the preferred location of vars being in the PKI, running init-pki will, by default, destroy the current vars .. Seems to be more than a little "chicken vs egg" .. thus, this discussion.

  • A global vars, for all PKIs to be found on this system, is absurd! vars is for customising not standardising.

Feedback is welcome.

TinCanTech avatar May 14 '22 18:05 TinCanTech
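To make the "chicken vs egg" point above concrete, here is an added POSIX sh model (not easy-rsa's own code; the function names and the PKI layout are assumptions): a stand-in for init-pki that refuses to wipe a PKI directory when the vars file it was given lives inside that directory and would be destroyed along with it.

```shell
#!/bin/sh
# Hypothetical model of the init-pki / --vars conflict; not easy-rsa code.
# Function names and the minimal PKI layout below are assumptions.

# Print the canonical absolute form of PATH (its parent directory must exist).
canon() {
  d=$(cd "$(dirname "$1")" && pwd -P) || return 1
  printf '%s/%s\n' "$d" "$(basename "$1")"
}

# Return 0 if FILE ($2) lies inside DIR ($1), i.e. wiping DIR would remove it.
# Canonical paths are compared so that "pki2/vars" does not match "pki".
inside_dir() {
  dir=$(canon "$1") || return 1
  file=$(canon "$2") || return 1
  case "$file" in
    "$dir"/*) return 0 ;;
  esac
  return 1
}

# Model of 'init-pki': wipes and re-creates PKI_DIR, but refuses (status 2)
# when the optional VARS_FILE would be destroyed by that wipe.
# Usage: init_pki PKI_DIR [VARS_FILE]
init_pki() {
  pki=$1
  vars=${2:-}
  if [ -n "$vars" ] && inside_dir "$pki" "$vars"; then
    echo "init-pki: refusing: $vars lives inside $pki and would be destroyed" >&2
    return 2
  fi
  rm -rf "$pki" && mkdir -p "$pki/private" "$pki/reqs"
}
```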

This issue aims to undo #562 (Above) and clarify how to use --vars=FILE and --pki-dir=DIR in combination with init-pki.

TinCanTech avatar May 14 '22 22:05 TinCanTech

With the release of version 3.1.0, using --vars=file with init-pki is prohibited. (Version 3.0.9 still allows it, however)

Barring a total user disaster, this issue can be closed (soon).

TinCanTech avatar May 19 '22 12:05 TinCanTech

#640 has reverted to the standard behavior: --vars=file can be used with init-pki.

Closed as resolved.

TinCanTech avatar Aug 20 '22 11:08 TinCanTech