Origin: backport, https://github.com/OpenVPN/easy-rsa/commit/fe3cced16c62de5dd33f3a230ee03e904306a55b
From: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu, 8 Sep 2022 11:42:56 +0100
Subject: Option --req-cn: Restore original behavior from v30x series
Due to my previous misunderstanding of the intended use of --req-cn,
it is no longer possible to set commonName for command gen-req.
Ref: #524 #456
This commit restores v30x series behavior:
* --req-cn can only be used in batch mode.
* --req-cn can only be used by commands build-ca and gen-req.
* SSL layer prompts are restored to original behavior.
Important: The use of internal batch mode is no longer required
for command sign_req(), when called by build_full(). This code
has been disabled but remains in place. This is a considerable
change under the hood but there is no user observable difference.
---
--- a/easyrsa 2023-03-02 16:44:48.526049371 +0100
+++ b/easyrsa 2023-03-02 16:49:00.478040360 +0100
@@ -1130,18 +1130,29 @@
[ -n "$1" ] || die "\
Error: gen-req must have a file base as the first argument.
Run easyrsa without commands for usage and commands."
+
+ # Initialisation
+ unset -v text nopass ssl_batch
+
+ # Set ssl batch mode and Default commonName, as required
+ if [ "$EASYRSA_BATCH" ]; then
+ ssl_batch=1
+ [ "$EASYRSA_REQ_CN" = ChangeMe ] && export EASYRSA_REQ_CN="$1"
+ else
+ # --req-cn must be used with --batch, otherwise use default
+ export EASYRSA_REQ_CN="$1"
+ fi
+
+ # Output files
key_out="$EASYRSA_PKI/private/$1.key"
req_out="$EASYRSA_PKI/reqs/$1.req"
- # Set the request commonName
- EASYRSA_REQ_CN="$1"
- shift
+ shift # scrape off file-name
# Require SSL Lib version for 'nopass' -> $no_password
verify_pki_init
# function opts support
- unset -v text nopass ssl_batch
while [ -n "$1" ]; do
case "$1" in
text) text=1 ;;
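Review bot: In the else branch of the new initialisation block, a --req-cn value supplied without --batch is silently replaced by `export EASYRSA_REQ_CN="$1"`, so the operator gets a request whose commonName is not the one they asked for and nothing tells them. Since the comment already states that --req-cn must be used with --batch, consider failing (or at least warning) when EASYRSA_REQ_CN is not ChangeMe and EASYRSA_BATCH is unset, instead of overwriting it. The batch branch also treats the literal ChangeMe as "not set", which means a commonName of exactly ChangeMe cannot be requested; a short comment saying this is intentional would help.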
@@ -1365,7 +1376,7 @@
rm -f "$ext_tmp"
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
- unset -v EASYRSA_BATCH # This is why batch mode should not silence output
+ #unset -v EASYRSA_BATCH # This is why batch mode should not silence output
notice "\
Certificate created at: $crt_out"
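Review bot: The commented-out `#unset -v EASYRSA_BATCH` leaves dead code with a trailing comment that no longer describes anything that runs. Either delete the line or replace the comment with one saying why the unset is disabled and under what condition it could be removed. With the unset gone, EASYRSA_BATCH is still set when the `notice` below runs, so please confirm that the "Certificate created at" message is still shown for batch-mode callers.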
@@ -1406,12 +1417,16 @@
[ -f "$key_out" ] && die "Key $err_exists $key_out"
[ -f "$crt_out" ] && die "Certificate $err_exists $crt_out"
- # create request
+ # Set commonName
+ [ "$EASYRSA_REQ_CN" = ChangeMe ] || die "\
+Option conflict: '$cmd' does not support setting an external commonName"
EASYRSA_REQ_CN="$name"
+
+ # create request
gen_req "$name" batch ${nopass+ nopass}
# Sign it
- ( sign_req "$crt_type" "$name" batch ) || {
+ ( sign_req "$crt_type" "$name" ) || {
rm -f "$req_out" "$key_out"
die "Failed to sign '$name' - See error messages above for details."
}
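Review bot: The new guard `[ "$EASYRSA_REQ_CN" = ChangeMe ] || die` repeats the literal ChangeMe from the gen-req hunk as the "not set by the user" marker, so this command now dies whenever EASYRSA_REQ_CN holds anything else, whatever the source of that value. A single named variable for the default, or a flag set where --req-cn is parsed, would keep the two checks from drifting apart. The error message expands `$cmd`, which is not assigned anywhere in the visible lines; verify it is set in this function's scope. The next line assigns `EASYRSA_REQ_CN="$name"` without `export` while the gen-req hunk uses `export`; make the two consistent. Dropping `batch` from the `sign_req` call also deserves a comment at the call site, since the commit message describes it as a considerable change under the hood.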