Opened 7 years ago
Closed 7 years ago
#788 closed Bug / Defect (duplicate)
EASYRSA_KEY_SIZE, EASYRSA_DIGEST in vars is ignored
Reported by: | bsaner | Owned by: | Eric Crist |
---|---|---|---|
Priority: | trivial | Milestone: | |
Component: | easy-rsa | Version: | easyrsa-3.x |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | keysize |
Cc: |
Description
(Please see the associated github issue)
easyrsa ignores both EASYRSA_KEY_SIZE in vars...:
```console
[root@g bdisk]# grep KEY vars
set_var EASYRSA_KEY_SIZE 4096
[root@g bdisk]# easyrsa init-pki && yes '' | easyrsa build-ca nopass
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/servers/keygen/bdisk/pki
Generating a 2048 bit RSA private key
...+++
.............+++
writing new private key to '/etc/openvpn/servers/keygen/bdisk/pki/private/ca.key.Orh3ijGp3Z'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/servers/keygen/bdisk/pki/ca.crt
[root@g bdisk]# openssl rsa -in pki/private/ca.key -noout -text | head -n1
Private-Key: (2048 bit)
```
and EASYRSA_DIGEST in vars:
```console
[root@g bdisk]# grep DIGEST vars
set_var EASYRSA_DIGEST "sha512"
[root@g bdisk]# openssl x509 -in pki/ca.crt -noout -text | grep 'Signature Algorithm'
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
```
As a sidenote, if you use Trac for bugs, you should either have a member focused on watching GitHub Issues for new reports or simply disable Issues on GH; otherwise it gives the impression that you are ignoring bug reports.
Change History (7)
comment:1 Changed 7 years ago by
comment:2 Changed 7 years ago by
Not sure about easy-rsa 3.x - but in older versions, you need to source "vars" from the shell *before* running any of the scripts, as in

```console
$ . ./vars
$ ./build-key foobar
```

maybe that's still the same? (Note the "." in front of the "./vars" = "execute in local shell")
comment:3 Changed 7 years ago by
Owner: | set to Eric Crist |
---|---|
Status: | new → assigned |
comment:4 Changed 7 years ago by
I have generated dozens of test PKIs and can not replicate this problem.
If vars contains

```
set_var EASYRSA_KEY_SIZE 4096
```

then I get a 4096-bit PKI.
Edit:
In the github report above, I notice the command in use is:

```console
# easyrsa foo bah
```

For my tests, from the directory where I have copied Easyrsa to, I use the command:

```console
$ ./easyrsa foo bar
```
comment:5 Changed 7 years ago by
> For my tests, from $PWD, I use the command:
> `$ ./easyrsa foo bar`
well, this is exactly the important difference: The vars file is not sourced if it's in the working directory or in pki/ -- only if it's e.g. also in the directory of the executable. However, many distributions ship easyrsa with its binary in /usr/bin/.
Have a look here:
https://github.com/OpenVPN/easy-rsa/issues/119
and here:
https://github.com/OpenVPN/easy-rsa/pull/120
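As an added check, not from the ticket or from easy-rsa itself: a POSIX shell script that reads the intended EASYRSA_KEY_SIZE and EASYRSA_DIGEST from a vars file and compares them with what openssl reports for the generated CA key and certificate, so a vars file that was silently not sourced is caught before the CA is put into use. It assumes openssl is on PATH and that the caller supplies the three file paths; the function names are my own.

```shell
#!/bin/sh
# Added example: detect a PKI that fell back to the 2048-bit / sha256 defaults
# even though vars asked for something stronger (assumes openssl on PATH).

# Value of a "set_var NAME value" line in a vars file, quotes stripped.
# Usage: vars_get <vars-file> <NAME>
vars_get() {
    awk -v name="$2" '$1 == "set_var" && $2 == name { v = $3; gsub(/"/, "", v); print v; exit }' "$1"
}

# Modulus size in bits of an unencrypted RSA private key, e.g. 2048.
# Works with both "Private-Key: (2048 bit)" and "(2048 bit, 2 primes)" output.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n1
}

# Digest used to sign a certificate, e.g. sha256 from sha256WithRSAEncryption.
cert_digest() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: \([a-z0-9]*\)With.*$/\1/p' | head -n1
}

# Compare what vars asked for with what was actually generated.
# Returns 0 only when both key size and digest match; prints each mismatch.
# Usage: check_pki <vars-file> <ca.key> <ca.crt>
check_pki() {
    want_bits=$(vars_get "$1" EASYRSA_KEY_SIZE)
    want_digest=$(vars_get "$1" EASYRSA_DIGEST)
    got_bits=$(key_bits "$2")
    got_digest=$(cert_digest "$3")
    rc=0
    if [ "$want_bits" != "$got_bits" ]; then
        echo "MISMATCH: vars wants ${want_bits}-bit key, key is ${got_bits}-bit" >&2
        rc=1
    fi
    if [ "$want_digest" != "$got_digest" ]; then
        echo "MISMATCH: vars wants $want_digest, cert is signed with $got_digest" >&2
        rc=1
    fi
    return $rc
}
```

Run it as `check_pki vars pki/private/ca.key pki/ca.crt` right after build-ca; a non-zero exit means the vars file was not honoured.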
comment:6 Changed 7 years ago by
It seems to me that this issue has been adequately addressed.
From easyrsa3/vars.example
```
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.
```
comment:7 Changed 7 years ago by
Priority: | critical → trivial |
---|---|
Resolution: | → duplicate |
Status: | assigned → closed |
Closing this ticket - we only need a ticket in either the EasyRSA project on github (preferred), or here. We'll handle this one on github.
(I should note if you'd like to rewrite easyrsa in python, I recently wrote a PKI creation implementation viewable here. It may prove to be less painful than bash, albeit it requires a non-STDLIB module.)