
ff_date_to_cert_date() - busybox date *sometimes* fails.

Open TinCanTech opened this issue 3 years ago • 1 comments

Discovery: https://github.com/OpenVPN/easy-rsa/issues/626#issuecomment-1208478100

While the invalid entries in index.txt caused an illegal number error, valid entries do not?

TinCanTech avatar Aug 08 '22 18:08 TinCanTech

No warnings anymore on my invalid PKI db. Before:

root@host:~/easy-rsa/easyrsa3# ./easyrsa --renew-days=99999 show-expire

Notice
------
* Showing certificates which expire in less than 99999 days (--renew-days):

./easyrsa: 3482: [: Illegal number: 
./easyrsa: 3482: [: Illegal number: 

root@host:~/easy-rsa/easyrsa3#

After applying the fix with: busybox date -u -D "%Y-%m-%d %H:%M:%S%Z" ......

root@host:~/easy-rsa/easyrsa3# ./easyrsa --renew-days=99999 show-expire

Notice
------
* Showing certificates which expire in less than 99999 days (--renew-days):

V | Serial: A347D033EBB501418145AC840E2E4A5B | Expires: Nov 10 15:56:12 24 UTC | CN: client-1
V | Serial: A6FAE9867E46635386C490CAF91F81FC | Expires: Nov 10 15:56:12 24 UTC | CN: client-1

root@host:~/easy-rsa/easyrsa3# 

tecoboot avatar Aug 09 '22 05:08 tecoboot

The error appears on entries that do not exist on the filesystem. If the certificate file itself is removed and the entry in index.txt is still present, part of the code in the mentioned method fails to convert it properly. The format of OpenSSL DB records is given here: https://pki-tutorial.readthedocs.io/en/latest/cadb.html I would not say that the DB is wrong. Maybe there is a difference between Win and Linux OpenSSL.

The correct line (3568) is: cert_type_date="$( busybox date -u -D "%y-%m-%d %H:%M:%S%Z" -d "$in_date" "+%b %d %H:%M:%S %Y %Z" 2>/dev/null )"

gjakovljevic avatar Dec 01 '22 17:12 gjakovljevic

@gjakovljevic Thank you for taking a look.

Have you experienced a similar problem with easyrsa, or are you just looking for bugs to fix?

TinCanTech avatar Dec 01 '22 17:12 TinCanTech

I had this problem.

There is also another problem related to the index.txt DB that should be reported separately: when you do update-db, you get a code E for expired certificates, and this is also not supported by easyrsa.

gjakovljevic avatar Dec 01 '22 22:12 gjakovljevic

I had this problem.

Can you show the output of the command that you used?

Also, post your index.txt file.

Have you used easyrsa to renew any certificates?

TinCanTech avatar Dec 01 '22 23:12 TinCanTech

With fix

easyrsa@sbs1:~/EasyRSA-3.1.1$ ./easyrsa -v show-expire
* Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

* Using Easy-RSA configuration: /home/easyrsa/EasyRSA-3.1.1/pki/vars


Notice
------
* Showing certificates which expire in less than 90 days (--days):

V | Serial: 5205A9D7F9417D5D015AF2D12BDCA2D1 | Expires: Feb 05 13:53:25 2023 UTC | CN: somehost.somedomein
V | Serial: 96820F663D6E5DD7FE8A20D5CC8B1EB8 | Expires: Feb 12 11:25:03 2023 GMT | CN: user1
V | Serial: D1674415DBF34CC5EF4A554DE90612CC | Expires: Feb 12 17:44:03 2023 GMT | CN: user2
V | Serial: 5F05A8889EC28FACD28D0FF87B5F3D68 | Expires: Feb 23 12:08:06 2023 GMT | CN: user3
V | Serial: 56C48DEB9DEFB566E6BF41C151F912BD | Expires: Feb 25 20:23:36 2023 GMT | CN: user4
V | Serial: 56D832F8FF89352A92CF77E54E81FB3D | Expires: Feb 25 21:20:48 2023 GMT | CN: user5

Without fix:

easyrsa@sbs1:~/EasyRSA-3.1.1$ ./easyrsa -v show-expire
* Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

* Using Easy-RSA configuration: /home/easyrsa/EasyRSA-3.1.1/pki/vars


Notice
------
* Showing certificates which expire in less than 90 days (--days):

./easyrsa: 3757: [: Illegal number:
V | Serial: 96820F663D6E5DD7FE8A20D5CC8B1EB8 | Expires: Feb 12 11:25:03 2023 GMT | CN: user1
V | Serial: D1674415DBF34CC5EF4A554DE90612CC | Expires: Feb 12 17:44:03 2023 GMT | CN: user2
V | Serial: 5F05A8889EC28FACD28D0FF87B5F3D68 | Expires: Feb 23 12:08:06 2023 GMT | CN: user3
V | Serial: 56C48DEB9DEFB566E6BF41C151F912BD | Expires: Feb 25 20:23:36 2023 GMT | CN: user4
V | Serial: 56D832F8FF89352A92CF77E54E81FB3D | Expires: Feb 25 21:20:48 2023 GMT | CN: user5
./easyrsa: 3757: [: Illegal number:
./easyrsa: 3757: [: Illegal number:
./easyrsa: 3757: [: Illegal number:

The few extra records that you see in the second post (and the first one) produce the error because for them the .cer files do not exist, and easyrsa has to parse the index.txt date to list the expiry information.

Content of index.txt

V       230205135325Z           5205A9D7F9417D5D015AF2D12BDCA2D1        unknown /CN=somehost.somedomain
V       230212112503Z           96820F663D6E5DD7FE8A20D5CC8B1EB8        unknown /CN=user1
R       230212114637Z   200228115048Z   CE3EEE4722F0C86B9F4C4E974DC1A1BE        unknown /CN=revoketest
V       230212174403Z           D1674415DBF34CC5EF4A554DE90612CC        unknown /CN=user2
V       230223120806Z           5F05A8889EC28FACD28D0FF87B5F3D68        unknown /CN=user3
V       230225202336Z           56C48DEB9DEFB566E6BF41C151F912BD        unknown /CN=user4
V       230225212048Z           56D832F8FF89352A92CF77E54E81FB3D        unknown /CN=user5
R       230225212456Z   220816172745Z   ACF5E104AB664E0D250C8144D70C19AC        unknown /CN=revoked2
V       230621102348Z           DF91730EF3C3E3B12029D83130DAB5BC        unknown /CN=user6
V       230727205327Z           DA96972A1CCBF90450A6243B6433FEA2        unknown /CN=somehost2.somedomain

(Note: the contents are obfuscated; real names are removed.)

Regarding the second question, I tried to renew one of them, but with version 3.0.6, which produces completely new keys, so I discarded that. I will probably not be able to renew certificates with easyrsa because I have a setup on 2 hosts. One of the hosts holds the private keys, the cert requests and, at the end, the deployed certs in the OpenVPN setup; the other host is like a CA, so on it I import the cert requests, do the signing and then return the .cer files to the first host. In this setup I think you cannot do a renew because, in my understanding, you would need the user's private key to create a new CSR, and then you have to sign it with the CA or signing certificate (whichever you use).

gjakovljevic avatar Dec 02 '22 19:12 gjakovljevic

cert_type_date="$(
    busybox date -u -D "%y-%m-%d %H:%M:%S%Z" -d "$in_date" \
        "+%b %d %H:%M:%S %Y %Z" 2>/dev/null
)"

@gjakovljevic Thanks! This does work.

TinCanTech avatar Dec 07 '22 22:12 TinCanTech
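The failing step in this thread is turning an index.txt stamp such as "230205135325Z" into something a numeric "[" comparison can use; when the date conversion yields an empty string, "[" reports "Illegal number". The script below is an added example, not easy-rsa's own code: it converts index.txt UTCTime stamps to epoch seconds with plain shell arithmetic (no busybox or GNU date), applies the RFC 5280 century rule for two-digit years, rejects malformed stamps instead of passing an empty value on, and scans a constructed index.txt sample for entries inside a renew window. It assumes a POSIX sh with $(( )) arithmetic and awk.

```shell
# Added example, not easy-rsa code: evaluate index.txt expiry dates without
# an external "date" so entries whose .crt file is missing still work and
# "[" never receives an empty string. Assumes POSIX sh plus awk.

# Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm).
days_from_civil() {
    y=$1 m=$2 d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# index.txt stamp (YYMMDDHHMMSSZ) -> epoch seconds; prints nothing and
# returns 1 on malformed input. UTCTime century rule: 00-49 => 20YY, else 19YY.
index_date_to_epoch() {
    case "$1" in
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
      *) return 1 ;;
    esac
    # split into six decimal fields; awk's %d drops leading zeros (no octal)
    set -- $(printf '%s' "$1" | awk '{ for (i = 1; i <= 11; i += 2)
                                        printf "%d ", substr($0, i, 2) }')
    if [ "$1" -lt 50 ]; then yy=$(($1 + 2000)); else yy=$(($1 + 1900)); fi
    days=$(days_from_civil "$yy" "$2" "$3")
    echo $((days * 86400 + $4 * 3600 + $5 * 60 + $6))
}

# Classify a stamp against "now" (epoch seconds) and a renew window in days.
expiry_status() {
    exp=$(index_date_to_epoch "$1") || { echo invalid; return 1; }
    left=$((exp - $2))
    if [ "$left" -le 0 ]; then echo expired
    elif [ "$left" -le $(($3 * 86400)) ]; then echo expiring
    else echo ok; fi
}

# Read tab-separated index.txt lines from stdin and print
# "<db status> <expiry status> <serial>". With IFS=tab the empty revocation
# column collapses, so the serial is field 3 for V rows and field 4 for R rows.
scan_index() {
    tab=$(printf '\t')
    while IFS="$tab" read -r st exp f3 f4 rest; do
        if [ "$st" = R ]; then serial=$f4; else serial=$f3; fi
        printf '%s %s %s\n' "$st" "$(expiry_status "$exp" "$1" "$2")" "$serial"
    done
}
```

Usage: `scan_index "$(date +%s)" 90 < pki/index.txt` lists every DB row with its expiry status; rows with a garbled stamp print "invalid" rather than breaking the comparison.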

I experienced this issue also, for certificates listed in index.txt but with .crt files not present in issued/. Here's a patch; would a PR be helpful?

ff_date_to_cert_date.patch

Never mind, I found https://github.com/OpenVPN/easy-rsa/pull/806/commits/3c0d90799fe7c396bc30eefe3ffcf153a23400b8

zmanion avatar Dec 20 '22 20:12 zmanion

@zmanion Thank you for your help; however, your proposed change has already been made: https://github.com/OpenVPN/easy-rsa/blob/fc8c1c4b2ac3b9c5c0ec41f6a867d7a654bb9a31/easyrsa3/easyrsa#L3704-L3712

Edit: I see you found it ;-)

TinCanTech avatar Dec 20 '22 20:12 TinCanTech

There will probably be further problems with dates but for now things appear to work ok.

TinCanTech avatar Feb 07 '23 22:02 TinCanTech