
regression report 3.1.0 (since 3.0.8): vars handling

Open mandree opened this issue 3 years ago • 9 comments

Greetings, I am the packager of the Easy-RSA package for FreeBSD. In our post-install script, we install the .example files for openssl-easyrsa.cnf and vars into /usr/local/share/easy-rsa (= $DATADIR), and install a wrapper that defines EASYRSA.

	#! /bin/sh
	# Wrapper installed as /usr/local/bin/easyrsa by the port: export EASYRSA
	# (unless the caller already set it) and hand off to the real script.
	: ${EASYRSA:="/usr/local/share/easy-rsa"}
	export EASYRSA
	exec "/usr/local/share/easy-rsa/easyrsa.real" "$@"

This apparently used to work nicely in 3.0.8 (no bug reports in months), we now received a report about a 3.0.8 -> 3.1.0 upgrade breaking this, please see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264415 for details.

mandree avatar Jun 02 '22 16:06 mandree

Greetings!

I believe that the correct solution, in this case, is for the packaging to not create the vars file.

easyrsa will create the vars file from the same source, vars.example, in the defined PKI at init-pki.

The script now heavily favors vars to be found in the PKI only.

The script searches these pre-defined areas for vars files: Edit: Update $area

		# "$EASYRSA_PKI" - Preferred
		# "$EASYRSA" - Old default and Windows
		# "$PWD" - Usually the same as above, avoid
		# "${0%/*}" - Usually the same as above, avoid
		# '/usr/local/share/easy-rsa' - Default user installed
		# '/usr/share/easy-rsa' - Default system installed
		# Room for more..
		# '/etc/easy-rsa' - Last resort

	# Find and optionally copy data-files, in specific order
	for area in \
		"$EASYRSA_PKI" \
		"$EASYRSA" \
		"$PWD" \
		"${0%/*}" \
		'/usr/local/share/easy-rsa' \
		'/usr/share/easy-rsa' \
		'/etc/easy-rsa' \
		# EOL
	do

If multiple viable vars files are found then this is considered to be an error.


Edit: ~~If only one vars file is found and this is init-pki then that found vars file will be moved to the PKI automatically and a user message is issued (No message in batch mode).~~

If only one vars file is found it will be used but not moved to the PKI.

A warning may be issued to move the vars file to the PKI, this is under review #651


If only one vars file is found but this is not init-pki then a warning is issued to move vars to the PKI, no further action is taken.

This is current and moving forward with version 3.1.x

Footnote: The vars file is considered to be PKI specific, which is why the bias for $PKI/vars only.

The problem is: "chicken vs egg" .. PKI or vars comes first? This directly contradicts the idea of declaring $EASYRSA_PKI in the vars file.

The long term plan being promoted is:

  • Banning use of easyrsa --vars=FILE init-pki
  • In favor of easyrsa --pki-dir=DIR init-pki

A vars file should not exist until the PKI does AND the vars should only exist in the PKI.

Feedback welcome

TinCanTech avatar Jun 02 '22 20:06 TinCanTech
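The search order and the two outcomes described in the comment above (more than one viable vars file is an error; a single vars file outside the PKI is used with a warning) can be exercised on a scratch directory tree. The following is an added example written for this page, not easyrsa's own code and not code posted in the thread. The function name find_vars, its return codes, and the VARS_ROOT prefix (a hypothetical knob that redirects the three fixed system paths into a temporary directory; easyrsa has no such variable) are this example's own choices. It also counts a directory only once when $EASYRSA, $PWD and ${0%/*} resolve to the same place; whether easyrsa itself de-duplicates those entries is not shown on the page.

```shell
#!/bin/sh
# Added example, not easyrsa's own code: a stand-alone re-implementation of the
# 3.1.0 vars search order quoted in the thread, so the "multiple vars files"
# error and the "move vars into the PKI" warning can be tried out.
# VARS_ROOT is a hypothetical prefix for the fixed system paths (assumption).

# find_vars PKI_DIR EASYRSA_DIR PWD_DIR SCRIPT_DIR
#   stdout: path of the single usable vars file (only when exactly one is found)
#   return: 0 exactly one found, 1 none found, 2 more than one found (error)
find_vars() {
    pki="$1" easyrsa_dir="$2" pwd_dir="$3" script_dir="$4"
    found='' count=0
    # Same order as the $area list in the easyrsa comment: PKI first, then the
    # old $EASYRSA location, cwd, script dir, and the fixed install paths.
    for area in \
        "$pki" \
        "$easyrsa_dir" \
        "$pwd_dir" \
        "$script_dir" \
        "${VARS_ROOT}/usr/local/share/easy-rsa" \
        "${VARS_ROOT}/usr/share/easy-rsa" \
        "${VARS_ROOT}/etc/easy-rsa"
    do
        [ -n "$area" ] && [ -f "$area/vars" ] || continue
        # $EASYRSA, $PWD and ${0%/*} often name the same directory; count a
        # given vars file once (assumption: the page does not show how easyrsa
        # handles that overlap).
        case " $found " in *" $area/vars "*) continue ;; esac
        found="$found $area/vars"
        count=$((count + 1))
    done
    [ "$count" -eq 0 ] && { echo 'No vars file found' >&2; return 1; }
    [ "$count" -gt 1 ] && { echo "Multiple vars files found:$found" >&2; return 2; }
    vars=${found# }
    # One file, but not in the PKI: use it and tell the user to move it.
    [ "$vars" = "$pki/vars" ] || echo "Warning: move $vars into the PKI ($pki)" >&2
    printf '%s\n' "$vars"
}

# demo: build a constructed scratch tree modelled on the FreeBSD layout
# ($EASYRSA = /usr/local/share/easy-rsa, the packaged vars living there) and
# run the three cases the thread describes. Prints a one-line summary of the
# find_vars return codes.
demo() {
    root=$(mktemp -d) || return 1
    VARS_ROOT=$root; export VARS_ROOT
    datadir="$root/usr/local/share/easy-rsa"
    mkdir -p "$root/pki" "$datadir"
    # Case 1: vars exists in the PKI only (the preferred layout).
    : > "$root/pki/vars"
    c=0; find_vars "$root/pki" "$datadir" "$root/work" "$datadir" >/dev/null 2>&1 || c=$?
    summary="pki=$c"
    # Case 2: the pre-3.1.0_1 package also installed $DATADIR/vars, so two
    # viable files exist ($EASYRSA and the fixed path are the same dir and
    # count once). Rejected as ambiguous.
    : > "$datadir/vars"
    c=0; find_vars "$root/pki" "$datadir" "$root/work" "$datadir" >/dev/null 2>&1 || c=$?
    summary="$summary datadir+pki=$c"
    # Case 3: only the packaged vars exists: used, with a warning to move it.
    rm "$root/pki/vars"
    c=0; find_vars "$root/pki" "$datadir" "$root/work" "$datadir" >/dev/null 2>&1 || c=$?
    summary="$summary datadir-only=$c"
    rm -rf "$root"
    printf '%s\n' "$summary"
}

demo
```

Running the script prints `pki=0 datadir+pki=2 datadir-only=0`: the second case is exactly what a packaged /usr/local/share/easy-rsa/vars produces once a PKI with its own vars exists, which is why the fix on the FreeBSD side was to stop installing that file.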

To be absolutely specific, in the case of the FreeBSD bug report:

/usr/local/share/easy-rsa/vars should never exist.

It should never have existed in the past either ..

TinCanTech avatar Jun 02 '22 21:06 TinCanTech

Thank you. Fixed in FreeBSD's port as of version 3.1.0_1, which no longer creates this file and only installs .../share/easy-rsa/vars.example, and ships with a post-install message to explain what needs to be done and that init-pki is a dangerous beast.

mandree avatar Jun 03 '22 15:06 mandree

Linking #566

TinCanTech avatar Jun 04 '22 01:06 TinCanTech

A vars file should not exist until the PKI does AND the vars should only exist in the PKI.

Feedback welcome

@TinCanTech Please explain the purpose of the set_var EASYRSA_PKI "$PWD/custom/pki" line inside a vars file, when a vars file should only exist after creating that directory? The EASYRSA_PKI does not make any sense then.

A working workflow until >=3.0.8 was to create first a vars file, adjust the EASYRSA_PKI inside and then execute any commands without trouble - this doesn't work anymore.

Always providing for each command the --pki-dir= via cmd line is a pain.

FireEmerald avatar Jun 08 '22 09:06 FireEmerald

@FireEmerald Having a vars file which is external to the PKI in Easy-RSA version 3.1.x is considered to be DEPRECATED.

These lines should really be removed from vars.example:

# Edit this variable to point to your soon-to-be-created key directory.  By
# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)

#set_var EASYRSA_PKI		"$PWD/pki"

# Define directory for temporary subdirectories.

#set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"

However, they remain for the time being.

TinCanTech avatar Jun 08 '22 15:06 TinCanTech

Commit https://github.com/OpenVPN/easy-rsa/commit/f4a604438d3ce5fe67a1f4db956dc42fc4ae5588 now allows the vars file to remain in the PKI parent folder, much like the old behavior.

It also allows for a user defined vars file, option --vars=foo, to remain in place, provided that it is always called via --vars=foo

I am personally convinced that this is the correct way for easyrsa to behave .. but I've been wrong before.

@mandree (And others) I would appreciate your thoughts and will do my best to answer any questions.

I am not in a rush to close this, simply looking to drum up some interest in a sticky wicket.

TinCanTech avatar Aug 17 '22 22:08 TinCanTech

FTR: The changes made so far do prefer vars to be found in the PKI .. but those changes have essentially been reverted back to previous behavior. I hope to find a middle ground for all, or, at least, most. :-)

TinCanTech avatar Aug 17 '22 22:08 TinCanTech

Linking #651

TinCanTech avatar Aug 22 '22 12:08 TinCanTech