Comments (18)

TinCanTech avatar TinCanTech commented on July 16, 2024

@joubertdj relax .. you can leave this open, for now.

from easy-rsa.

joubertdj avatar joubertdj commented on July 16, 2024

@TinCanTech : Hehehe ... yeah, please don't ask why I never used the FQDN ... I think I "did" at one point, but when I placed an "explanation" instead of the FQDN it "looked better" (or something like that ... there was also some RFC that indicated CNs aren't really used/considered, but the SAN is the priority (this works with most/all our systems ... ))

Ah well, thanks, I will just have to amend though then ...

from easy-rsa.

TinCanTech avatar TinCanTech commented on July 16, 2024

@joubertdj Please show the command and output using the --verbose switch.

from easy-rsa.

joubertdj avatar joubertdj commented on July 16, 2024

@TinCanTech : Thanks for the quick response.
I was able to add the SAN stuff via the "--san" option when doing a "sign-req". But the CN I am still "stumped" ...

The command:
./easyrsa --req-cn="Trapeze South Africa - TSA-HTE - Router1 Server" --verbose gen-req "router1" nopass
The output of the above command with "--verbose" is:

  select_vars: PWD/pki/vars
Using Easy-RSA 'vars' configuration:
* /mnt/c/Data/Work/Trapeze/Projects/2024/TSA-HTE/Backups/Certificate Authority/Current/pki/vars
  source_vars: CLEAN '/mnt/c/Data/Work/Trapeze/Projects/2024/TSA-HTE/Backups/Certificate Authority/Current/pki/vars'
  source_vars: sourced OK '/mnt/c/Data/Work/Trapeze/Projects/2024/TSA-HTE/Backups/Certificate Authority/Current/pki/vars'
  mutual_exclusions: COMPLETED
  > EASYRSA_EXT_DIR: /mnt/c/Data/Work/Trapeze/Projects/2024/TSA-HTE/Backups/Certificate Authority/Current/x509-types
  > EASYRSA_SSL_CONF: /mnt/c/Data/Work/Trapeze/Projects/2024/TSA-HTE/Backups/Certificate Authority/Current/openssl-easyrsa.cnf
  > EASYRSA_TOOLS_LIB: undefined
  locate_support_files: COMPLETED
  verify_ssl_lib():
Using SSL:
* openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
  verify_working_env: BEGIN
  secure_session: CREATED: /mnt/c/Data/Work/Trapeze/Projects/2024/TSA-HTE/Backups/Certificate Authority/Current/pki/ba92208a
  write_easyrsa_ssl_cnf_tmp: SSL config EXISTS
  write_easyrsa_ssl_cnf_tmp: SSL config IGNORED
  easyrsa_mktemp: ssl_cnf_tmp OK: /mnt/c/Data/Work/Trapeze/Projects/2024/TSA-HTE/Backups/Certificate Authority/Current/pki/ba92208a/temp.0.1
  write_easyrsa_ssl_cnf_tmp: SSL config using temp-file
  verify_algo_params: Params verified for algo 'rsa'
  verify_working_env: COMPLETED Handover-to: gen-req

EasyRSA version 3.2.0

Error
-----
Option conflict --req-cn:
* 'gen-req' does not support setting an external commonName

  mktemp_counter: 1 uses
  remove_secure_session: DELETED: /mnt/c/Data/Work/Trapeze/Projects/2024/TSA-HTE/Backups/Certificate Authority/Current/pki/ba92208a
  Exit: Known errors = true

from easy-rsa.

joubertdj avatar joubertdj commented on July 16, 2024

When I try to use the sign-req for the --req-cn it also complains about that ...

from easy-rsa.

TinCanTech avatar TinCanTech commented on July 16, 2024

@joubertdj Thanks.

First: Upgrading from v3.0.8 to v3.2.0-D is understandably difficult.

With regard to your SAN use, you have figured out the solution. 👍

With regard to your use of --req-cn, that is no longer supported.

The commonName must be the same as the file_name_base.
The exception is build-ca, which allows setting the CA commonName.

This change was made in commit: 7227909

I will expand on this decision later.

However, you have to accept that your use of --req-cn is obscure and bizarre.

from easy-rsa.
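The rule stated above (the request commonName equals the file_name_base, with the FQDN carried in a subjectAltName) can be checked on a request file before it is handed to sign-req. The following is an added example for this page, not easy-rsa code: it uses plain openssl to build a request the way 3.2.0 gen-req does, with the CN pinned to the file name and the FQDN as a dNSName SAN, and then compares a request's CN against its basename. The names router1, router1.example.net and router2 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of easy-rsa. Shows the 3.2.0 rule that the request
# commonName must equal the file_name_base, with the FQDN carried in a SAN.
# "router1", "router1.example.net" and "router2" are constructed names.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_req NAME FQDN: write NAME.key and NAME.req with CN forced to NAME
# (the only CN 3.2.0 gen-req will produce) and the FQDN as a dNSName SAN
# (the identity RFC 2818 clients actually match on).
make_req() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.req" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# req_cn FILE: print the commonName from a request's subject.
req_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# req_san FILE: print the dNSName values from a request's SAN extension.
req_san() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cn_matches_base FILE: succeed only when the subject CN equals the file
# basename without ".req", i.e. the relationship 3.2.0 requires for sign-req.
cn_matches_base() {
    [ "$(req_cn "$1")" = "$(basename "$1" .req)" ]
}

# Supported shape: CN == file_name_base, hostname in the SAN.
make_req router1 router1.example.net
cn_matches_base "$WORK/router1.req" \
    && echo "router1.req: CN '$(req_cn "$WORK/router1.req")' matches, SAN $(req_san "$WORK/router1.req")"

# The --req-cn shape from the thread: a descriptive CN unrelated to the file
# name. 3.2.0 refuses to generate this; the check rejects it if one exists.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/router2.key" -out "$WORK/router2.req" \
    -subj "/CN=Router2 Server Description" 2>/dev/null
cn_matches_base "$WORK/router2.req" \
    || echo "router2.req: CN '$(req_cn "$WORK/router2.req")' does not match file name"
```

Running the script prints one line per request: the first reports the matching CN and the SAN it carries, the second reports the mismatch. The same check can be run against any existing `pki/reqs/*.req` before trying sign-req on a 3.2.0 install.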

VVD avatar VVD commented on July 16, 2024

My usage is simpler:

/usr/local/bin/easyrsa gen-req "${USER}" nopass batch
/usr/local/bin/easyrsa --batch --passin=pass:"$CA_PASSWORD" sign-req client "${USER}"

but it is broken now too, with the same error:

EasyRSA version 3.2.0

Error
-----
Option conflict --req-cn:
* 'gen-req' does not support setting an external commonName
# /usr/local/bin/easyrsa --verbose gen-req USERNAME nopass batch
  select_vars: PWD/pki/vars
Using Easy-RSA 'vars' configuration:
* /usr/local/etc/openvpn/pki/vars
  source_vars: CLEAN '/usr/local/etc/openvpn/pki/vars'
  source_vars: sourced OK '/usr/local/etc/openvpn/pki/vars'
  mutual_exclusions: COMPLETED
  > EASYRSA_EXT_DIR: /usr/local/share/easy-rsa/x509-types
  > EASYRSA_SSL_CONF: /usr/local/etc/openvpn/pki/openssl-easyrsa.cnf
  > EASYRSA_TOOLS_LIB: undefined
  locate_support_files: COMPLETED
  verify_ssl_lib():
Using SSL:
* openssl OpenSSL 1.1.1w-freebsd  11 Sep 2023
  verify_working_env: BEGIN
  secure_session: CREATED: /usr/local/etc/openvpn/pki/23c4b028
  write_easyrsa_ssl_cnf_tmp: SSL config EXISTS
  write_easyrsa_ssl_cnf_tmp: SSL config IGNORED
  easyrsa_mktemp: ssl_cnf_tmp OK: /usr/local/etc/openvpn/pki/23c4b028/temp.0.1
  write_easyrsa_ssl_cnf_tmp: SSL config using temp-file
  verify_algo_params: Params verified for algo 'ed'
  verify_working_env: COMPLETED Handover-to: gen-req

EasyRSA version 3.2.0

Error
-----
Option conflict --req-cn:
* 'gen-req' does not support setting an external commonName

  mktemp_counter: 1 uses
  remove_secure_session: DELETED: /usr/local/etc/openvpn/pki/23c4b028
  Exit: Known errors = true

I'm using /usr/local/etc/openvpn/pki/vars with EASYRSA_REQ_CN set to the FQDN of our OpenVPN server:

# grep EASYRSA_REQ_CN /usr/local/etc/openvpn/pki/vars
set_var EASYRSA_REQ_CN          "hostname.domain.name"

from easy-rsa.

VVD avatar VVD commented on July 16, 2024

Commented out in gen_req():

#       [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
#Option conflict --req-cn:
#* '$cmd' does not support setting an external commonName"

Got the same error, but for sign_req; commented out in sign_req():

#       [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
#Option conflict --req-cn:
#* '$cmd' does not support setting an external commonName"

After this my commands work as before (probably).

from easy-rsa.

TinCanTech avatar TinCanTech commented on July 16, 2024

It is good to see that EasyRSA code is easy to customise.

Version 3.1.7 also has the functionality that you desire.

Version 3.2.0 is a development snapshot.

from easy-rsa.

joubertdj avatar joubertdj commented on July 16, 2024

@TinCanTech : This was the RFC I was referring to that indicated that the CN isn't preferred anymore, but SAN: https://www.rfc-editor.org/rfc/rfc2818.html, this portion:

"If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead."

from easy-rsa.

TinCanTech avatar TinCanTech commented on July 16, 2024

@joubertdj Thank you, I am aware of RFC2818.

from easy-rsa.
