Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sign-req: --cop-ext is removed by --force-safe-ssl #1162

Closed
TinCanTech opened this issue Jun 5, 2024 · 0 comments · Fixed by #1163
Closed

sign-req: --cop-ext is removed by --force-safe-ssl #1162

TinCanTech opened this issue Jun 5, 2024 · 0 comments · Fixed by #1163
Assignees
@TinCanTech
Labels
BUG Version 3.2.0-Release

Comments

@TinCanTech
Copy link
Collaborator

TinCanTech commented Jun 5, 2024
edited
Loading

EasyRSA v3.2.0

To reproduce:
Generate a request with a SAN:

  • ./easyrsa --verbose --nopass --san=DNS:s04.tct.org --san=IP:10.0.0.4 gen-req s04

Sign the request using --copy-ext, to copy the SAN; and --force-safe-ssl, to force here-doc expansion of openssl-easyrsa.cnf:

  • ./easyrsa --verbose --nopass --copy-ext --force-safe-ssl sign-req server s04

The forced here-doc expansion over-writes the SSL config in use. This removes "copy_extensions = copy" which has been previously inserted.

The signed certificate does not have the expected SAN.

Link: #1158
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TinCanTech TinCanTech

Labels
BUG Version 3.2.0-Release
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Introduce Global Safe SSL config and Local SSL config TinCanTech/easy-rsa
1 participant
@TinCanTech