vars file: set_var EASYRSA_PKI is ignored? #1003

Closed
Tabiskabis opened this issue Aug 27, 2023 · 12 comments

@Tabiskabis
Contributor

Tabiskabis commented Aug 27, 2023

After upgrading Debian stable and getting the new easyrsa, it doesn't find my ca anymore, because it ignores EASYRSA_PKI in vars where the correct path is specified.
I'll have to manually rename directories and adjust paths in ovpn conffiles on several dozens of servers.

Why, though? What good does this breaking change serve?
And why is the variable even there in the vars.example file, when it's ignored anyways?

Also, make-cadir is inconsistent with the new behaviour. It still copies vars to cadir, not cadir/pki, resulting in a "WARNING" suggesting that this is not "safe".
Given that init-pki clears the pki folder, how is the vars file "safe" there?

@ecrist
Member

ecrist commented Aug 27, 2023 via email

@TinCanTech
Collaborator

TinCanTech commented Aug 27, 2023

@Tabiskabis

After upgrading Debian stable

From what to what ?

doesn't find my ca anymore

What is the error message ?

it ignores EASYRSA_PKI in vars

That would be a most serious bug!

I'll have to manually rename directories and adjust paths in ovpn conffiles on several dozens of servers.

Dozens ..

make-cadir is inconsistent with the new behaviour

Easy-RSA3 from Debian 12.1 does not ship with make-cadir.

resulting in a "WARNING" suggesting that this is not "safe".

From:

easy-rsa/easyrsa3/easyrsa

Lines 5574 to 5588 in f03eb74

# Insecure Windows directory
if [ "$easyrsa_host_os" = win ]; then
    if echo "$PWD" | grep -q '/Prog.*/OpenVPN/easy-rsa'
    then
        warn "\
Using Windows-System-Folders for your PKI is NOT SECURE!
Your Easy-RSA PKI CA Private Key is WORLD readable.
To correct this problem, it is recommended that you either:
* Copy Easy-RSA to your User folders and run it from there, OR
* Define your PKI to be in your User folders. EG:
'easyrsa --pki-dir=\"C:/Users/<your-user-name>/easy-rsa/pki\"\
<command>'"
    fi
fi

Easy-RSA3 shipped by ALL versions of Debian does not include that code snippet, therefore, it is impossible for you to see that error.

@TinCanTech TinCanTech self-assigned this Aug 27, 2023
@Tabiskabis
Contributor Author

Tabiskabis commented Aug 27, 2023

From what to what ?

Old stable to current stable -> Debian 11 / easy-rsa 3.0.6 to Debian 12 / easy-rsa 3.1.0, nothing big (I thought).

Easy-RSA3 from Debian 12.1 does not ship with make-cadir.

And yet, it's there.
cat /etc/debian_version -> 12.1
apt list easy-rsa -> easy-rsa/stable,now 3.1.0-1 all [installed]
apt-file list easy-rsa -> easy-rsa: /usr/bin/make-cadir [...]

Easy-RSA3 shipped by ALL versions of Debian does not include that code snippet

Correct, that's not the message I saw. I just interpret "WARNING: Move your vars file to your PKI folder, where it is safe" as equivalent to "your vars file is currently in an unsafe directory".

That would be a most serious bug!

Indeed. Apparently, it's fixed in the current 3.1.6 release. But it was borked from 3.0.9 to 3.1.5. Tested every release starting from 3.0.6

Apart from that, there is a hen and egg problem when declaring EASYRSA_PKI in vars, which in turn is preferred to be in EASYRSA_PKI. I find that a serious bug as well.

What is the error message ?

Should have done some testing before posting imprecise information. So here's what I found so far (testing on a Mac with releases from this github only, to make sure there is none of the occasional debian fuckery involved).

I cd into the extracted release (duh) and create a vars file, because there's already a vars.example there and this is what I used to be sure was the way to use easyrsa (right?).

As I want the test to reflect my debian servers upgrade, I only declare EASYRSA_PKI to "$PWD/NOT-PKI".
./easyrsa prints "PKI:" path at the end of its output, which is correct until 3.0.9, where it stubbornly starts to use "./pki" instead of NOT-PKI.

Let's try ./easy-rsa init-pki. This is a fresh install with only one custom variable, what could possibly go wrong?
Oh boy, 3.0.9 and 3.1.0 say: IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above. Let's see ls vars */vars: Hey! It did copy, not move and I have two conflicting vars files now. easyrsa won't do anything anymore.

This is currently in debian 12 stable? No way! Can I reproduce that behaviour on debian?
Nope. init-pki "successfully" initializes the wrong pki directory, but says nothing about having moved vars. So things should at least work out in that pki directory, correct?
Nope again. EASYRSA_PKI does not exist (perhaps you need to run init-pki)?. So... my custom EASYRSA_PKI is honored by build-ca, but init-pki ignores it?! Will it take me another sunday to figure out this prime example of occasional debian fuckery?

Back to untainted EasyRSA.
3.1.1 reverts this behaviour. Since I just successfully initialized the PKI, even when in the wrong directory, I should be able to build a CA now, ./easyrsa build-ca nopass, right?
Riiight. Instead, I now get EASYRSA_PKI does not exist (perhaps you need to run init-pki)?

3.1.6 fixes this, by recognizing my custom EASYRSA_PKI from the start. However, it lets me know that IMPORTANT: The preferred location for 'vars' is within the PKI folder.
Hence my question on how is e.g. /etc/openvpn/server-name/pki/vars any safer than let's say /etc/openvpn/server-name/vars, where I symlinked easyrsa itself, too? My intuition tells me the opposite.

In case this has not been verbose enough already, here's the console output from these tests: easyrsa-wtfs.zip

Dozens ..

There's evidence that the guy before me got that down from several hundreds which the guy before him set up. I'm lucky.

But sure aF do I not want to do vars "correction" work in vain.
For the moment, it's probably safe to use this repo's latest release instead of Debian's.
But ... is there a plan on where this is going?

@TinCanTech
Collaborator

Old stable to current stable -> Debian 11 / easy-rsa 3.0.6 to Debian 12 / easy-rsa 3.1.0, nothing big (I thought).

Should be simple.

Next..

  1. make-cadir

EasyRSA has made no breaking changes to make-cadir, which is a Debian tool, not Easy-RSA.

  2. Warnings pertaining to the location of vars file.

These warnings simply inform you that the preferred location of vars is within your PKI. There are no breaking changes.

You can still use your current vars file, albeit, with the repeated warnings. If you want to suppress those warnings then heed what the warning tells you.

If you continue to experience a problem which indicates that vars has not been used then please post any relevant information, for that problem ONLY.

@TinCanTech
Collaborator

On further investigation, make-cadir does create a vars file in the new directory and then expects the user to change to that new directory and use the link to ./easyrsa from there.

You can ignore this warning:

* WARNING:

  Move your vars file to your PKI folder, where it is safe!

I may ask Debian to consider updating make-cadir.

@Tabiskabis
Contributor Author

Tabiskabis commented Aug 27, 2023

Let's forget about make-cadir, it isn't the problem here. All it does is copy and symlink easyrsa.
Let's forget that Debian's easyrsa-3.1.0 behaves slightly differently than actual EasyRSA 3.1.0 - from your point of view, that issue is currently fixed by reverting things that were introduced not too long ago. It's understandable.

In all this testing, I've seen very different behaviour within a few releases. Where is this going?
And again, why the warning about vars not being in ./pki? A warning is worth nothing unless it explains consequences, too.

Are you going to drop EASYRSA_PKI within vars entirely? Because that would solve the hen and egg problem at least.
Please tell me there is a plan about this.

@TinCanTech
Collaborator

TinCanTech commented Aug 27, 2023

The direction here is to move the vars file to the PKI.

vars has too many options that can be set, some which are PKI specific and some which are not.

For that reason, the decision was made to prioritize PKI specific customization.

Which means that vars must be PKI specific and, therefore, reside in the PKI itself.

To suppress all of the warnings regarding vars, you can simply declare your vars file on the command line, like so:

$ easyrsa --vars=./vars foo

If vars is declared by the user then EasyRSA will not complain.

You can also simply ignore the warnings.
On an error, easyrsa will error out.

@Tabiskabis
Contributor Author

Now that's a clear answer, thank you.
May I suggest then that you explain this in the vars.example as well? It's the place where users are most likely to read and understand.
First after encountering the problem, I "read" the changelogs but nothing struck me as relevant. The docs seem mostly outdated, and howtos on the interwebs certainly are not helpful at all when it comes to the current development.

Sidenote: init-pki creates identical vars and vars.example files in pki. Why not drop vars.example entirely?

@TinCanTech
Collaborator

Now that's a clear answer, thank you.

You are welcome.

This change was likely to cause some friction, now we can smooth things out.

May I suggest then that you explain this in the vars.example as well?

Yes, that is a good idea.

Sidenote: init-pki creates identical vars and vars.example files in pki

Only multiple and possibly conflicting vars are important.

The bottom line here:

These warnings are issued for good reason.

That you have experienced and reported problems regarding those warnings is exactly as intended.

No new serious issues have been uncovered but there is room for some improvement on EasyRSA documentation. Noted!

And thank you for your feedback.

@TinCanTech
Collaborator

TinCanTech commented Aug 27, 2023

There is another problem that you may encounter:

tct@deb12:~/kpi$ ./easyrsa --vars=./vars init-pki

Easy-RSA error:

Use of '--vars=FILE init-pki' is prohibited, use '--pki-dir=DIR'

Command init-pki does not require a vars file but you can declare any PKI.

But, then again, this error could be downgraded to a warning.

This is the chicken vs egg problem again.

If the vars file is in the current directory AND EASYRSA_PKI is declared within the vars file then, in default configuration, EasyRSA can only support a single PKI from the current location.

The changes relating to this issue are essentially an attempt to resolve that problem.

In the LONG TERM, EASYRSA_PKI should not be included in the vars file, however, that change may take some time.
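
A pre-upgrade check for the situations described in this thread, as an added example that is not part of the issue or of Easy-RSA: it flags a `vars` file duplicated into a subdirectory (the `ls vars */vars` case above) and reports whether `vars` declares a non-default `EASYRSA_PKI`. The function names and result labels are made up for this example, and only the literal `$PWD` prefix used by the reporter is expanded.

```shell
#!/bin/sh
# Added example, not part of Easy-RSA: audit a CA directory before upgrading.
# Assumes the layout from this thread: a `vars` file beside ./easyrsa and
# PKI directories directly below it. The file is parsed, never sourced,
# because `vars` is shell code that would run with the auditor's privileges.

# Print the value of the last active `set_var EASYRSA_PKI ...` line, if any.
declared_pki() {
    sed -n 's/^[[:space:]]*set_var[[:space:]]\{1,\}EASYRSA_PKI[[:space:]]\{1,\}//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Classify DIR; prints one of:
#   no-vars            no DIR/vars
#   conflict           DIR/vars plus a second vars in a subdirectory
#   pki-missing:PATH   EASYRSA_PKI names a directory that does not exist
#   custom-pki:PATH    EASYRSA_PKI names an existing non-default PKI
#   default-pki        EASYRSA_PKI is unset or points at DIR/pki
audit_vars() {
    dir=$1
    [ -f "$dir/vars" ] || { echo no-vars; return 0; }
    for f in "$dir"/*/vars; do
        if [ -f "$f" ]; then echo conflict; return 0; fi
    done
    pki=$(declared_pki "$dir/vars")
    # Only the literal $PWD prefix is expanded; anything else is left as written.
    case $pki in
        \$PWD*) pki=$dir${pki#\$PWD} ;;
    esac
    if [ -z "$pki" ] || [ "$pki" = "$dir/pki" ]; then
        echo default-pki
    elif [ -d "$pki" ]; then
        echo "custom-pki:$pki"
    else
        echo "pki-missing:$pki"
    fi
}

# Stand-alone use: ./audit-vars.sh /etc/openvpn/server-name
if [ "$#" -gt 0 ]; then audit_vars "$1"; fi
```

A `custom-pki` result marks a directory that, per the reporter's tests, needs checking against the installed release before any `init-pki` or `build-ca` run.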

@TinCanTech
Collaborator

TinCanTech commented Aug 27, 2023

Yes, there is a problem with easyrsa init-pki vs make-cadir.

Follow-up: #1004

The issue is caused by version 3.1.0 shipped by Debian ONLY.

The solution is to use EasyRSA version 3.1.6 from Releases

@TinCanTech
Collaborator

The outcome of this investigation has led to reverting the preference for vars in the PKI.

vars will no longer be preferred in the PKI.

#1014
