Revoke keep request #1109

Merged Apr 9, 2024 (9 commits)

Conversation

TinCanTech
Collaborator

@TinCanTech TinCanTech commented Apr 6, 2024

EasyRSA command 'renew' has been flawed since its ill-fated inception.

The first version of 'renew' did not renew a certificate from
the original request. Instead, it built a new request, key and
certificate which bore no relation to the original request or key.

Also, certificates which had been "renewed" left a dangling, valid
certificate, which could not be revoked by EasyRSA.

After many attempts to rectify the process of renewal, it is clear
that this is an unnecessary maintenance burden.

This change replaces the renewal process by simply allowing the
original request to be signed again, exactly as it was first signed,
without the need for code to jump through absurd hoops.

In honor of Wayne's World. oooooo baby!

Command: expire
Move certificates from 'pki/issued' to 'pki/expired'.
Allows existing requests to be signed again. (i.e. renewal)

Command: revoke-expired
Revoke certificates in the 'pki/expired' directory.
This is achieved by allowing command 'revoke' to also work
with files from 'pki/expired'.

This is intended to completely replace renewal commands.

Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech self-assigned this Apr 6, 2024
@TinCanTech TinCanTech added the development Possible changes label Apr 6, 2024
@TinCanTech TinCanTech added this to the v3.2.0 milestone Apr 7, 2024
Command 'revoke' accepts a source directory as a variable, to determine
which type of certificate to revoke. The types are: 'issued' (standard
certificates), 'expired' (expired certificates) and 'renewed' (the old
renewed directory). The source directory is determined by the command
in use.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech force-pushed the revoke-keep-request branch from cf5407e to 2bcfef3 Compare April 7, 2024 21:56
@TinCanTech TinCanTech merged commit 6111169 into OpenVPN:master Apr 9, 2024
3 checks passed
@TinCanTech TinCanTech linked an issue Apr 9, 2024 that may be closed by this pull request
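
The "dangling, valid certificate" left behind by the old 'renew' would show up in the CA database as more than one valid entry for the same subject. The following is an added example, not EasyRSA code or part of this pull request: it assumes the standard OpenSSL `ca` index.txt layout (tab-separated fields), and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not EasyRSA code): report subjects that have more than
# one certificate still marked valid in an OpenSSL CA index.txt database.

# find_dangling INDEX_FILE
# index.txt fields are tab-separated:
#   1 status (V valid, R revoked, E expired)   2 expiry (YYMMDDHHMMSSZ)
#   3 revocation date (empty unless revoked)   4 serial
#   5 file name (usually "unknown")            6 subject DN
# Prints "<subject DN><TAB><serial,serial,...>" for each subject with
# two or more 'V' entries. Status 'V' is taken as recorded; an entry
# past its expiry date stays 'V' until the database is updated.
find_dangling() {
    awk -F '\t' '
        $1 == "V" {
            count[$6]++
            serials[$6] = serials[$6] (serials[$6] == "" ? "" : ",") $4
        }
        END {
            for (dn in count)
                if (count[dn] > 1)
                    print dn "\t" serials[dn]
        }
    ' "$1" | sort
}

# Constructed sample database (hypothetical names and serials):
#   server1 - two valid certificates, so it is reported
#   client1 - one valid certificate
#   client2 - old certificate revoked before re-signing, so it is clean
make_sample_index() {
    printf 'V\t260401120000Z\t\t01\tunknown\t/CN=server1\n'
    printf 'V\t270401120000Z\t\t02\tunknown\t/CN=client1\n'
    printf 'R\t260401120000Z\t240405120000Z\t03\tunknown\t/CN=client2\n'
    printf 'V\t270401120000Z\t\t04\tunknown\t/CN=client2\n'
    printf 'V\t280401120000Z\t\t05\tunknown\t/CN=server1\n'
}
```

Call `find_dangling` with the path to the CA's index.txt. A reported subject is a candidate for review rather than proof of a problem, since a CA configured to allow duplicate subjects can hold several valid certificates for one name on purpose.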
Development

Successfully merging this pull request may close these issues.

Remove ALL renew commands