Origin: backport, https://github.com/OpenVPN/easy-rsa/commit/fe3cced16c62de5dd33f3a230ee03e904306a55b From: Richard T Bonhomme Date: Thu, 8 Sep 2022 11:42:56 +0100 Subject: Option --req-cn: Restore original behavior from v30x series Due to my previous misunderstanding of the intended use of --req-cn, it is no longer possible to set commonName for command gen-req. Ref: #524 #456 This commit restores v30x series behavior: * --req-cn can only be used in batch mode. * --req-cn can only be used by commands build-ca and gen-req. * SSL layer prompts are restored to original behavior. Important: The use of internal batch mode is no longer required for command sign_req(), when called by build_full(). This code has been disabled but remains in place. This is a considerable change under the hood but there is no user observable difference. --- --- a/easyrsa 2023-03-02 16:44:48.526049371 +0100 +++ b/easyrsa 2023-03-02 16:49:00.478040360 +0100 @@ -1130,18 +1130,29 @@ [ -n "$1" ] || die "\ Error: gen-req must have a file base as the first argument. Run easyrsa without commands for usage and commands." + + # Initialisation + unset -v text nopass ssl_batch + + # Set ssl batch mode and Default commonName, as required + if [ "$EASYRSA_BATCH" ]; then + ssl_batch=1 + [ "$EASYRSA_REQ_CN" = ChangeMe ] && export EASYRSA_REQ_CN="$1" + else + # --req-cn must be used with --batch, otherwise use default + export EASYRSA_REQ_CN="$1" + fi + + # Output files key_out="$EASYRSA_PKI/private/$1.key" req_out="$EASYRSA_PKI/reqs/$1.req" - # Set the request commonName - EASYRSA_REQ_CN="$1" - shift + shift # scrape off file-name # Require SSL Lib version for 'nopass' -> $no_password verify_pki_init # function opts support - unset -v text nopass ssl_batch while [ -n "$1" ]; do case "$1" in text) text=1 ;; @@ -1365,7 +1376,7 @@ rm -f "$ext_tmp" [ "$EASYRSA_SILENT" ] || print # Separate Notice below - unset -v EASYRSA_BATCH # This is why batch mode should not silence output + #unset -v EASYRSA_BATCH # This is why batch mode should not silence output notice "\ Certificate created at: $crt_out" @@ -1406,12 +1417,16 @@ [ -f "$key_out" ] && die "Key $err_exists $key_out" [ -f "$crt_out" ] && die "Certificate $err_exists $crt_out" - # create request + # Set commonName + [ "$EASYRSA_REQ_CN" = ChangeMe ] || die "\ +Option conflict: '$cmd' does not support setting an external commonName" EASYRSA_REQ_CN="$name" + + # create request gen_req "$name" batch ${nopass+ nopass} # Sign it - ( sign_req "$crt_type" "$name" batch ) || { + ( sign_req "$crt_type" "$name" ) || { rm -f "$req_out" "$key_out" die "Failed to sign '$name' - See error messages above for details." }