
Using ANY environment variables in X509-types files is NOT officially supported #596

Open
Yannik opened this issue Jun 13, 2022 · 11 comments

Comments

@Yannik

Yannik commented Jun 13, 2022

I'm currently having issues signing a CSR for a Sub-CA (Windows ADCS):

After importing the csr, sign-req results in:

root@linux-ca:~# /usr/share/easy-rsa/easyrsa  --pki-dir=/etc/pki/r1 --days=500 --batch sign-req ca windows-sub-ca
Using SSL: openssl OpenSSL 1.1.1n  15 Mar 2022
Using configuration from /etc/pki/r1/easy-rsa-97041.vut21K/tmp.yirdjz
Enter pass phrase for /etc/pki/r1/private/ca.key:
ca: Error on line 8 of config file "/etc/pki/r1/easy-rsa-97041.vut21K/tmp.asUh5l"
140304590972224:error:0E065068:configuration file routines:str_copy:variable has no value:../crypto/conf/conf_def.c:638:line 8

Easy-RSA error:

signing failed (openssl output above may have more detail)

I have checked line 8 of the config file, it is [ CA_default ], so I don't really know how this could cause an issue.
Full config file here: https://pastebin.com/u8HfYDXK

I'm using easy-rsa 3.0.8 from the debian repo.

@Yannik
Author

Yannik commented Jun 13, 2022

I was able to solve this:

By commenting out [ -z "$EASYRSA_TEMP_DIR_session" ] || rm -rf "$EASYRSA_TEMP_DIR_session" in /usr/share/easy-rsa/easyrsa, I could keep the temporary config file. Turns out that it is dynamically generated from various files, and this issue was caused by a line in x509-types/COMMON which used $ENV::CA_NAME for the crlDistributionPoints.
Setting that variable fixed the issue.

@Yannik Yannik closed this as completed Jun 13, 2022
@TinCanTech
Collaborator

TinCanTech commented Jun 13, 2022

@Yannik Hi, thanks for reporting this and taking time to try to solve it.

However, your solution is certainly not an acceptable fix, so I'm reopening this for further investigation.

Is there a specific reason why you only put your openssl config file on pastebin ? Do you mind if I paste it here for the record ?

@TinCanTech TinCanTech reopened this Jun 13, 2022
@Yannik
Author

Yannik commented Jun 13, 2022

Hey @TinCanTech

The issue was caused by having added the line

crlDistributionPoints = URI:http://pki.XX.de/$ENV::CA_NAME.crl

to the COMMON file of the x509-types and not having $CA_NAME set.

So it is an issue that is not present with the default easy-rsa config.

However, I would like to suggest adding a parameter to easyrsa which allows keeping (instead of removing) the dynamically generated temporary openssl config.

This would've made debugging this much easier, because I wouldn't have needed to understand and then modify easyrsa to keep the config and find the root cause for this issue.

@TinCanTech
Collaborator

> I would like to suggest adding a parameter to easyrsa which allows keeping (instead of removing) the dynamically generated temporary openssl config.
>
> This would've made debugging this much easier

That is certainly possible via a --debug switch or something like that. I have been trying to improve debug-ability moving forward.

@TinCanTech
Collaborator

> The issue was caused by having added the line
>
> crlDistributionPoints = URI:http://pki.XX.de/$ENV::CA_NAME.crl
>
> to the COMMON file of the x509-types and not having $CA_NAME set.
>
> So

Ok. That is a nice catch. I'll have to think about some documentation or input checking for such.
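As an added example, not code from Easy-RSA or from either participant in this thread: a POSIX shell pre-check of the kind the maintainer mentions, which scans x509-types files for `$ENV::NAME` references and refuses to continue when any referenced name is not exported (or is empty) before openssl ever sees the generated config. That way the failure is reported by variable name rather than as "variable has no value" on a line of a temporary file that has already been deleted. The sample COMMON file, the second variable `PKI_HOST` and all function names are constructed for illustration; only `$ENV::CA_NAME` and `crlDistributionPoints` come from the thread.

```shell
#!/bin/sh
# Added example, not Easy-RSA code: check $ENV:: references in x509-types
# files before handing the generated config to openssl.
# Assumptions (constructed for illustration): POSIX sh with grep -o, sed,
# sort and env available; the sample COMMON file below; the PKI_HOST name.

# Write a constructed x509-types/COMMON that mirrors the crlDistributionPoints
# line from the issue and adds a second, hypothetical variable, PKI_HOST.
make_sample_common() {
    cat > "$1" <<'EOF'
# X509 extensions added to every certificate type (constructed sample)
crlDistributionPoints = URI:http://$ENV::PKI_HOST/$ENV::CA_NAME.crl
authorityInfoAccess = caIssuers;URI:http://$ENV::PKI_HOST/$ENV::CA_NAME.crt
EOF
}

# Print every distinct NAME referenced as $ENV::NAME in the given files,
# one per line, sorted. cat is used so grep never prefixes file names.
list_env_refs() {
    cat "$@" | grep -o '\$ENV::[A-Za-z_][A-Za-z0-9_]*' \
        | sed 's/^\$ENV:://' | sort -u
}

# True if NAME is present and non-empty in the process environment.
# The environment is consulted rather than shell variables because that is
# what openssl will see: a variable that was set but never exported fails.
is_exported_nonempty() {
    env | grep -q "^$1=."
}

# Return 0 when every $ENV:: reference in the files resolves, 1 otherwise;
# each unresolved name is reported on stderr. Empty values count as missing
# too, since they would produce a malformed URI in the extension.
check_env_refs() {
    _missing=0
    for _name in $(list_env_refs "$@"); do
        if ! is_exported_nonempty "$_name"; then
            echo "x509-types reference \$ENV::$_name but $_name is not exported (or is empty)" >&2
            _missing=1
        fi
    done
    return $_missing
}

# Demonstration: fails with CA_NAME unset, passes once both names are exported.
demo() {
    _f=$(mktemp)
    make_sample_common "$_f"
    echo "referenced: $(list_env_refs "$_f" | tr '\n' ' ')"
    unset CA_NAME
    export PKI_HOST=pki.example.test
    check_env_refs "$_f" && echo "ok" || echo "refusing to sign"
    export CA_NAME=windows-sub-ca
    check_env_refs "$_f" && echo "ok" || echo "refusing to sign"
    rm -f "$_f"
}
demo
```

The check is deliberately stricter than openssl itself in one respect: it rejects an exported-but-empty variable as well as an absent one, because an empty `CA_NAME` would silently yield a CRL URI ending in `/.crl`. Run it against the files that actually feed the generated config (in Easy-RSA terms the `x509-types` directory plus any `EASYRSA_EXTRA_EXTS` content) right before the `sign-req` step.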

@TinCanTech
Collaborator

We don't need your SSL config, so I will not post that but I will leave this open as a reminder to look into it soon.

@TinCanTech TinCanTech self-assigned this Jun 13, 2022
@TinCanTech TinCanTech added X509-types x509-types and related improvement labels Jun 13, 2022
@TinCanTech TinCanTech added this to the 3.1.2 branch milestone Jun 13, 2022
@TinCanTech TinCanTech changed the title Signing CSR from Windows ADCS fails Using envirenment variables in X509-types files is not supported Jun 13, 2022
@TinCanTech TinCanTech changed the title Using envirenment variables in X509-types files is not supported Using environment variables in X509-types files is not supported Jun 13, 2022
@TinCanTech TinCanTech changed the title Using environment variables in X509-types files is not supported Using environment variables in X509-types files requires better error detection Jun 13, 2022
@Yannik
Author

Yannik commented Jun 23, 2022

> I would like to suggest adding a parameter to easyrsa which allows keeping (instead of removing) the dynamically generated temporary openssl config.
> This would've made debugging this much easier

> That is certainly possible via a --debug switch or something like that. I have been trying to improve debug-ability moving forward.

On a further note, I also needed to comment out the following lines for debugging another issue

        rm -f "$easyrsa_openssl_conf"
        rm -f "$easyrsa_extra_exts"

I have opened a separate issue #610 to track this.

@TinCanTech
Collaborator

TinCanTech commented Aug 30, 2022

The absolute bottom line is this:

  • If you use new variables in any SSL config file then that is on you.
    PRs concerning the use thereof can be considered.

  • easyrsa only has to provide support where LibreSSL is concerned.
    If you are using LibreSSL then a PR is mandatory for consideration.

@TinCanTech
Collaborator

TinCanTech commented Aug 30, 2022

To remain open, indefinitely.

@TinCanTech TinCanTech changed the title Using environment variables in X509-types files requires better error detection Using NEW environment variables in X509-types files is NOT supported Aug 30, 2022
@TinCanTech
Collaborator

#673 (comment)

@TinCanTech TinCanTech changed the title Using NEW environment variables in X509-types files is NOT supported Using ANY environment variables in X509-types files is NOT officially supported Nov 16, 2022
@TinCanTech TinCanTech added the Sticky Remain open label Mar 11, 2023
@TinCanTech
Collaborator

Using Easy-RSA built-in command write, x509-type file expansion is trivial.

Example: critical attribute could be expanded, instead of inserted; as it currently is.
