openssl execution fails when --enddate is used #1056

Closed
bjoern-r opened this issue Jan 3, 2024 · 7 comments · Fixed by #1055

Comments

bjoern-r commented Jan 3, 2024

EasyRSA Version Information

Version:     3.1.7
Generated:   Fri Oct 13 17:27:51 CDT 2023
SSL Lib:     OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | nix | Linux | /bin/zsh

description

When the --startdate and --enddate options are used the openssl execution fails with the error message:

req: Error on line 31 of config file "/home/xx/pki/openssl-easyrsa.cnf"
4077C545E97F0000:error:07000068:configuration file routines:str_copy:variable has no value:../crypto/conf/conf_def.c:751:line 31

where the line in openssl-easyrsa.cnf has the following content.

default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for

My understanding is that when --enddate is used EASYRSA_CERT_EXPIRE will be unset on line 5582 which will make openssl complain about the missing ENV variable.

When default_days is hard coded to a number then --enddate is working as expected.
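A preflight check for the failure described in this report, as an added example that is not part of the original issue or of Easy-RSA: it lists every `$ENV::NAME` reference in an OpenSSL config file that is missing from the environment, which is the condition behind `variable has no value`. The function names `env_refs` and `missing_env_refs` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Easy-RSA code): find $ENV::NAME references in an OpenSSL
# config file that the current environment does not provide.

# Print each name referenced as $ENV::NAME or ${ENV::NAME}, one per line.
env_refs() {
    # Strip comments first. Simplification: a '#' inside a quoted value
    # is treated as a comment start too.
    sed 's/#.*$//' "$1" |
        grep -oE '\$[{]?ENV::[A-Za-z_][A-Za-z0-9_]*' |
        sed 's/^.*ENV:://' |
        sort -u
}

# Print the referenced names that are absent from the environment.
# Returns 1 if any are missing, 0 otherwise.
missing_env_refs() {
    _rc=0
    for _name in $(env_refs "$1"); do
        # printenv only sees exported variables, which is also all that the
        # openssl child process would see. An exported empty value counts
        # as present.
        if ! printenv "$_name" >/dev/null 2>&1; then
            printf '%s\n' "$_name"
            _rc=1
        fi
    done
    return "$_rc"
}

# Demo on a constructed config holding the line quoted in the report.
demo_cnf=$(mktemp)
printf 'default_days\t= $ENV::EASYRSA_CERT_EXPIRE\t# how long to certify for\n' > "$demo_cnf"
unset -v EASYRSA_CERT_EXPIRE   # the state the report describes for --enddate
missing_env_refs "$demo_cnf" || echo "^ not in environment: config expansion would fail"
rm -f "$demo_cnf"
```
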

@TinCanTech
Collaborator

TinCanTech commented Jan 3, 2024

@bjoern-r Thanks for this report - I confirm this is a bug.

@TinCanTech TinCanTech added the BUG label Jan 3, 2024
@TinCanTech
Collaborator

The fix required is at line 5582:

unset -v EASYRSA_CERT_EXPIRE alias_days

Remove EASYRSA_CERT_EXPIRE from that line and it should work correctly.

@TinCanTech
Collaborator

There is also the possibility to remove line:31 from openssl-easyrsa.cnf:

default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for

Easy-rsa always sets environment variables and SSL command options for dates.

@bjoern-r
Author

bjoern-r commented Jan 4, 2024

Changing the unset line worked for me.

I first tried to remove line 31 from openssl-easyrsa.cnf, but this gets regenerated if the file is missing, so my understanding was that this file should stay like this.

@TinCanTech
Collaborator

I have been considering possible solutions.

Changing easyrsa is simplest but changing openssl-easyrsa.cnf is a better long-term solution because it leaves less ambiguity concerning which commands are used for expiry dates.

@TinCanTech
Collaborator

For Easy-RSA v3.2 the fix is: 2a8c0de

Fixing v3.1.7 is not necessary.

@TinCanTech TinCanTech linked a pull request Jan 6, 2024 that will close this issue
@TinCanTech TinCanTech self-assigned this Jan 6, 2024
@TinCanTech TinCanTech added this to the v3.2.0 milestone Jan 6, 2024
@TinCanTech
Collaborator

@bjoern-r I appreciate this bug report.
