
Procedure to replace renew command useless #1199

Closed
malibata opened this issue Aug 5, 2024 · 4 comments

Comments

@malibata

malibata commented Aug 5, 2024

The new procedure meant to replace the simple renew command is kind of useless.
If you issue the expire command followed by the sign-req command, easyrsa will sign a new certificate but will not generate a new inline file and will leave the old one with the expired certificate...
If you then issue the revoke-expired command, it will not remove the request file, so that it can be signed again as it should be, but it will remove the private key file, making the request file useless.
revoke-renewed does not work anymore because it looks for a certificate in the pki/renewed directory instead of pki/renewed/issued, where the files actually are...
All this makes the new procedure basically dysfunctional, and using something like revoke followed by build-TYPE-full commands, although not as simple as renew, is the way to go for now.
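A consistency check for the two states described in the report, written as an added example for this issue and not part of Easy-RSA: a request under `reqs/` whose key is missing from `private/` (the request can no longer be re-signed), and an inline file under `inline/` that no longer embeds the certificate in `issued/`. It assumes the 3.x `pki/{reqs,private,issued,inline}` layout; the sample PKI it builds is constructed data.

```shell
#!/bin/sh
# Report PKI states that make the expire/sign-req procedure unusable.
# Returns 0 when consistent, 1 when a problem is found; prints each problem.
check_pki() {
    pki=$1
    rc=0
    # A .req without its .key cannot be re-signed into a usable identity.
    for req in "$pki"/reqs/*.req; do
        [ -e "$req" ] || continue
        name=${req##*/}; name=${name%.req}
        if [ ! -e "$pki/private/$name.key" ]; then
            echo "orphaned request: reqs/$name.req has no private/$name.key"
            rc=1
        fi
    done
    # An inline file must embed the certificate currently in issued/.
    for crt in "$pki"/issued/*.crt; do
        [ -e "$crt" ] || continue
        name=${crt##*/}; name=${name%.crt}
        inline="$pki/inline/$name.inline"
        [ -e "$inline" ] || continue
        pem=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$crt")
        case "$(cat "$inline")" in
            *"$pem"*) ;;
            *) echo "stale inline: inline/$name.inline lacks issued/$name.crt"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample PKI (placeholder PEM bodies) reproducing both problems.
make_sample_pki() {
    d=$(mktemp -d)
    mkdir -p "$d/reqs" "$d/private" "$d/issued" "$d/inline"
    printf -- '-----BEGIN CERTIFICATE REQUEST-----\nREQ\n-----END CERTIFICATE REQUEST-----\n' \
        > "$d/reqs/client1.req"
    # private/client1.key deliberately absent: key removed, request kept
    printf -- '-----BEGIN CERTIFICATE-----\nNEWCERT\n-----END CERTIFICATE-----\n' \
        > "$d/issued/client1.crt"
    # inline file still carries the old certificate after re-signing
    printf -- '<cert>\n-----BEGIN CERTIFICATE-----\nOLDCERT\n-----END CERTIFICATE-----\n</cert>\n' \
        > "$d/inline/client1.inline"
    echo "$d"
}
```

Run `check_pki /path/to/pki` against a real PKI; a non-zero exit means at least one identity needs its key restored or its inline file regenerated.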

@TinCanTech
Collaborator

@malibata Which version of EasyRSA are you using?

@malibata
Author

malibata commented Aug 5, 2024

Easy-RSA version 3.2.0; I believe this change was introduced in this version...
I see now on GitHub that it is a development snapshot, but it was pulled by Fedora as the latest stable version and installed by dnf upgrade...

@malibata
Author

malibata commented Aug 5, 2024

Probably NOT removing the key file would be a good idea, since you are already not moving the request file because it could be signed again:

--- easyrsa.saved       2024-05-18 14:20:59.000000000 +0200
+++ easyrsa     2024-08-05 13:46:46.301014865 +0200
@@ -3054,14 +3054,11 @@
        # do NOT move the req - can be signed again

        # move crt to renewed_then_revoked folders
        mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"

-       # only move the key if we have it
-       if [ -e "$key_in" ]; then
-               mv "$key_in" "$key_out" || warn "Failed to move: $key_in"
-       fi
+       # do NOT move the key - req can be signed again

        # remove any pkcs files
        for pkcs in p12 p7b p8 p1; do
                if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then
                        # issued

@TinCanTech
Collaborator

TinCanTech commented Aug 5, 2024

OK and thanks for testing.

This has been addressed in git/master a.k.a. v3.2.1.

In the following way:

  • revoke will revoke the cert and move .req and .key files to the revoked sub-dir.
  • expire will only move the cert to the expired sub-dir, allowing the original CSR to be signed again, as in renew but with more flexibility.
  • renew has been reinstated but is more strict in order that a renewed cert has the same attributes as the original. renew also uses the original .req and .key files, so they are not moved.

If you care to try this then please clone this repo and test it. Otherwise, v3.2.1 is intended for release in early September 2024.

Edit: Inlining files has also been/about to be addressed #1200
