diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 30201871..d39d66f4 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1338,7 +1338,7 @@ $help_note"
 
 # Verify core CA files present
 verify_ca_init() {
-	help_note="\
+	verify_ca_help_note="\
 Run easyrsa without commands for usage and command help."
 
 	# Verify expected files are present.
@@ -1356,31 +1356,23 @@ Missing expected CA file: $i
 
 (perhaps you need to run build-ca?)
 
-$help_note"
+$verify_ca_help_note"
 		fi
 	done
 
 	# When operating in 'test' mode, return success.
 	# test callers don't care about CA-specific dir structure
-	if [ "$1" = "test" ]; then
-		unset -v help_note
-		return 0
-	fi
+	[ "$1" = "test" ] && return 0
 
 	# verify expected CA-specific dirs:
-	for i in issued certs_by_serial
-	do
+	for i in issued certs_by_serial; do
 		[ -d "$EASYRSA_PKI/$i" ] || user_error "\
 Missing expected CA dir: $i
 
 (perhaps you need to run build-ca?)
 
-$help_note"
+$verify_ca_help_note"
 	done
-
-	# explicitly return success for callers
-	unset -v help_note
-	return 0
 } # => verify_ca_init()
 
 # init-pki backend:
@@ -5399,18 +5391,20 @@ source_easyrsa_tools_lib() {
 
 		# Verify tools version
 		if [ "$EASYRSA_TOOLS_VERSION" -lt 321 ]; then
-			warn "\
+			tools_error_txt="\
 EasyRSA Tools version is out of date:
 * EASYRSA_TOOLS_VERSION: $EASYRSA_TOOLS_VERSION"
+			return 1
 		fi
 	else
 		verbose "Missing: easyrsa-tools.lib"
-		tools_error="Missing: easyrsa-tools.lib
+		tools_error_txt="Missing: easyrsa-tools.lib
 
 Use of command '$cmd' requires Easy-RSA tools library, source:
 * https://github.com/OpenVPN/easy-rsa/dev/easyrsa-tools.lib
 
 Place a copy of easyrsa-tools.lib in a standard system location."
+		return 1
 	fi
 } # => source_easyrsa_tools_lib()
 
@@ -5466,7 +5460,7 @@ unset -v \
 	selfsign_eku \
 	internal_batch mv_temp_error \
 	easyrsa_exit_with_error error_info \
-	write_recursion tools_error
+	write_recursion tools_error tools_error_txt
 
 	# Used by build-ca->cleanup to restore prompt
 	# after user interrupt when using manual password
@@ -5924,44 +5918,34 @@ case "$cmd" in
 		verify_working_env
 
 		# easyrsa-tools.lib is required
-		source_easyrsa_tools_lib
+		source_easyrsa_tools_lib || tools_error=1
 
 		case "$cmd" in
 			renew)
-				if [ "$tools_error" ]; then
-					user_error "$tools_error
+				[ "$tools_error" ] && user_error "$tools_error_txt
 
 A certificate can be renewed without EasyRSA Tools. Expire the certificate
 using command 'expire' and sign the original request with 'sign-req'."
-				fi
 				[ -z "$alias_days" ] || \
 					export EASYRSA_CERT_EXPIRE="$alias_days"
 				renew "$@"
 				;;
 			show-expire)
-				if [ "$tools_error" ]; then
-					user_error "$tools_error"
-				fi
+				[ "$tools_error" ] && user_error "$tools_error_txt"
 				[ -z "$alias_days" ] || \
 					export EASYRSA_PRE_EXPIRY_WINDOW="$alias_days"
 				status expire "$@"
 				;;
 			show-revoke)
-				if [ "$tools_error" ]; then
-					user_error "$tools_error"
-				fi
+				[ "$tools_error" ] && user_error "$tools_error_txt"
 				status revoke "$@"
 				;;
 			show-renew)
-				if [ "$tools_error" ]; then
-					user_error "$tools_error"
-				fi
+				[ "$tools_error" ] && user_error "$tools_error_txt"
 				status renew "$@"
 				;;
 			verify-cert)
-				if [ "$tools_error" ]; then
-					user_error "$tools_error"
-				fi
+				[ "$tools_error" ] && user_error "$tools_error_txt"
 				# Called with --batch, this will return error
 				# when the certificate fails verification.
 				# Therefore, on error, exit with error.
@@ -5975,10 +5959,8 @@ using command 'expire' and sign the original request with 'sign-req'."
 		verify_working_env
 
 		# easyrsa-tools.lib is required
-		source_easyrsa_tools_lib
-		if [ "$tools_error" ]; then
-			user_error "$tools_error"
-		fi
+		source_easyrsa_tools_lib || tools_error=1
+		[ "$tools_error" ] && user_error "$tools_error_txt"
 
 		case "$cmd" in
 			gen-tls-auth|gen-tls-auth-*)