Bugfix renew ca and renew #1267

Merged (4 commits) on Dec 3, 2024
1 change: 1 addition & 0 deletions ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.2 (TBD)

* bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267)
* Introduce new command 'revoke-issued' (38bf2d8) (#1266)
Commands 'revoke' and 'revoke-issued' are identical.
Command 'revoke' can ONLY be used in batch mode.
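Review bot: the new entry records only the temp-file change in easyrsa-tools.lib, while the same PR also adds the 'renew-ca' usage and help entries in easyrsa3/easyrsa and rewrites the conflicting-file messages of 'expire' and 'renew' to name the revoke command the user should run. Those are user-visible changes and deserve their own line here, in the same format as the 'revoke-issued' entry below (commit id and PR number included).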
17 changes: 15 additions & 2 deletions easyrsa3/easyrsa
@@ -40,6 +40,7 @@ A list of commands is shown below:
build-serverClient-full <file_name_base> [ cmd-opts ]
inline <file_name_base>
expire <file_name_base>
renew-ca
renew <file_name_base>
revoke <file_name_base> [ cmd-opts ] #(DEPRECATED)
revoke-issued <file_name_base> [ cmd-opts ] #(REPLACEMENT)
@@ -259,6 +260,16 @@ REQUIRED COMMANDS:
to the 'pki/expired' directory.

Allows an existing request to be signed again."
;;
renew-ca)
text="
* renew-ca

Renew CA certificate.

This will build a new CA certificate and archive the old one.
Before changes are made to the current PKI, user confirmation
is required."
;;
renew)
text="
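Review bot: the renew-ca help text says the old CA certificate is archived but not where, whereas the 'expire' entry directly above names its destination ('pki/expired'). Naming the archive location here keeps the two entries consistent and tells the operator where to look for the previous CA after the renewal.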
@@ -3434,8 +3445,10 @@ Run easyrsa without commands for usage and command help."
# Do not over write existing cert
if [ -f "$crt_out" ]; then
user_error "\
Existing file must be revoked:
* $crt_out"
Cannot expire this certificate, a conflicting file exists:
* certificate: $crt_out

Use command 'revoke-exired' to revoke this certificate."
fi

# deprecate ALL options
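Review bot: 'revoke-exired' in the last line of the new user_error message is misspelled; it needs to match the real command name, presumably 'revoke-expired' given the 'pki/expired' directory named in the help above. This string is the remedy shown to the user when the conflict is hit, so a wrong command name points them at a command that does not exist: 'Use command 'revoke-expired' to revoke this certificate.'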
45 changes: 28 additions & 17 deletions easyrsa3/easyrsa-tools.lib
@@ -772,26 +772,34 @@ Missing request file:
crt_out="$out_dir/issued/${file_name_base}.crt"

# NEVER over-write a renewed cert, revoke it first
deny_msg="\
if [ -f "$crt_out" ]; then
user_error "\
Cannot renew this certificate, a conflicting file exists:
*"
[ -f "$crt_out" ] && \
user_error "$deny_msg certificate: $crt_out"
unset -v deny_msg
* certificate: $crt_out

# Make inline directory
[ -d "$EASYRSA_PKI/inline" ] || \
mkdir -p "$EASYRSA_PKI/inline" || \
die "Failed to create inline directoy."
Use command 'revoke-renewed' to revoke this certificate."
fi

# Extract certificate usage from old cert
ssl_cert_x509v3_eku "$crt_in" cert_type

# create temp-file for full cert text
full_crt_tmp=
easyrsa_mktemp full_crt_tmp || \
die "easyrsa_mktemp full_crt_tmp"

# write full cert text tempfile data
"$EASYRSA_OPENSSL" x509 -in "$crt_in" \
-noout -text > "$full_crt_tmp" || \
die "write full cert text"

# Use SAN from old cert ONLY
if grep 'X509v3 Subject Alternative Name' "$crt_in"; then
if grep -q 'X509v3 Subject Alternative Name' \
"$full_crt_tmp"
then
EASYRSA_SAN="$(
"$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -text | \
grep -A 1 'X509v3 Subject Alternative Name' | \
grep -A 1 'X509v3 Subject Alternative Name' \
"$full_crt_tmp" | \
sed -e s/'^\ *'// \
-e /'X509v3 Subject Alternative Name'/d \
-e s/'IP Address:'/'IP:'/g
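Review bot: the block that created "$EASYRSA_PKI/inline" ('# Make inline directory' through die "Failed to create inline directoy.") is removed in this hunk with no replacement visible here; unless that directory is now guaranteed to exist before renew writes its inline file, the later write fails. Two smaller points on the same hunk: full_crt_tmp is created with easyrsa_mktemp and written but never removed in this function, so confirm that easyrsa_mktemp registers the file for cleanup at exit or add an explicit removal once the extension checks are done; and ssl_cert_x509v3_eku still reads "$crt_in" while every other extension check now reads "$full_crt_tmp", so if that helper greps the human-readable text block too, it should be pointed at the temp file for the fix to be complete.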
@@ -801,7 +809,7 @@ Cannot renew this certificate, a conflicting file exists:
# --san-crit
unset -v EASYRSA_SAN_CRIT
if grep -q 'X509v3 Subject Alternative Name: critical' \
"$crt_in"
"$full_crt_tmp"
then
export EASYRSA_SAN_CRIT='critical,'
verbose "renew: --san-crit ENABLED"
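Review bot: the check now keys on the exact string 'X509v3 Subject Alternative Name: critical' in the openssl -text dump, which is human-readable output rather than a stable interface; if the OpenSSL build in use prints the criticality flag differently, the renewed certificate silently loses the critical marker on its SAN (the same applies to the --bc-crit, --ku-crit and --eku-crit checks that follow). Since the fix relies on this format, a test fixture with a critical SAN that asserts EASYRSA_SAN_CRIT is set would catch such a change before a release does.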
@@ -814,28 +822,31 @@ subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
fi

# --bc-crit
if grep -q 'X509v3 Basic Constraints: critical' "$crt_in"
if grep -q 'X509v3 Basic Constraints: critical' \
"$full_crt_tmp"
then
export EASYRSA_BC_CRIT=1
verbose "renew: --bc-crit ENABLED"
fi

# --ku-crit
if grep -q 'X509v3 Key Usage: critical' "$crt_in"
if grep -q 'X509v3 Key Usage: critical' \
"$full_crt_tmp"
then
export EASYRSA_KU_CRIT=1
verbose "renew: --ku-crit ENABLED"
fi

# --eku-crit
if grep -q 'X509v3 Extended Key Usage: critical' "$crt_in"
if grep -q 'X509v3 Extended Key Usage: critical' \
"$full_crt_tmp"
then
export EASYRSA_EKU_CRIT=1
verbose "renew: --eku-crit ENABLED"
fi

# Disable options not supported by renew
unset -v EASYRSA_CP_EXTS EASYRSA_AUTO_SAN EASYRSA_NEW_SUBJECT
unset -v EASYRSA_AUTO_SAN EASYRSA_NEW_SUBJECT

# confirm operation by displaying Warning
confirm "Continue with 'renew' ? " yes "\
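Review bot: the last change in this hunk drops EASYRSA_CP_EXTS from the 'Disable options not supported by renew' unset, so renew now honours the copy-extensions setting that it previously always cleared. That is a behaviour change separate from the temp-file fix and is not mentioned in the ChangeLog entry; if it is intentional, document it there and make sure the renewed certificate is still built from the extensions of the old certificate rather than from whatever the request carries, since the code above goes to some length to take SAN and the criticality flags from the old certificate ONLY.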