FS#57298 - [easy-rsa] wrong configuration path

Attached to Project: Arch Linux
Opened by Corubba (corubba) - Tuesday, 30 January 2018, 22:57 GMT
Last edited by Toolybird (Toolybird) - Tuesday, 21 March 2023, 20:26 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
The fix-path patch introduced with FS#55298 sets wrong paths.

You can think of the path in EASYRSA as the "global config path" and EASYRSA_PKI as the "userspace path" (see descriptions in vars.example file). I suggest setting EASYRSA to "/etc/easy-rsa" and leaving EASYRSA_PKI unchanged at the default "$PWD/pki", because upstream expects the global configs next to the executable but the packaging puts them into /etc. This way it does not break the ability to manage multiple PKIs on one machine by simply changing into the appropriate directories (e.g. ~/foo_ca and ~/bar_ca) without the need to unnecessarily copy (or symlink) all the config files into every PKI. easyrsa even supports overriding the globals on a per-PKI basis out of the box (see easyrsa script L1089ff).


Additional info:
* package version(s)
easy-rsa 3.0.4-1

Closed by  Toolybird (Toolybird)
Tuesday, 21 March 2023, 20:26 GMT
Reason for closing:  Fixed
Comment by Corubba (corubba) - Wednesday, 31 January 2018, 05:20 GMT
It would probably be a good idea to also patch the vars.example file to reflect the changed default value.
Comment by Peter Wu (Lekensteyn) - Tuesday, 26 March 2019, 23:17 GMT
The paths are still wrong in easy-rsa 3.0.6-1 and break init-ca after init-pki since openssl-easyrsa.cnf is not copied.

From https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md
EASYRSA - should point to the Easy-RSA top-level dir, where the easyrsa script is located.
EASYRSA_PKI (CLI: --pki-dir) - dir to use to hold all PKI-specific files, defaults to $PWD/pki.

So EASYRSA seems to contain the readonly configuration (vars, openssl config) while EASYRSA_PKI seems to contain the local PKI config.

$EASYRSA should probably become ${0%/*}/../../etc/easy-rsa while EASYRSA_PKI should be restored to $PWD/pki. I have tested this and it works.
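
The layout argued for in this report, as an added shell sketch that is not part of the thread or of easyrsa: one shared config directory in EASYRSA, several PKIs each under `$PWD/pki`, and an optional per-PKI override. The helper names `conf_source` and `make_demo_tree` and the directory tree are constructed for illustration, and the lookup order is a model of the behaviour described here, not easyrsa's own code.

```shell
#!/bin/sh
# Added illustration, not code from easyrsa or the Arch package.
# conf_source is a hypothetical helper that models the layout proposed in this
# report: EASYRSA is the shared config dir, EASYRSA_PKI is per-CA state, and a
# copy of openssl-easyrsa.cnf inside the PKI dir overrides the shared one.

conf_source() {
    # $1 = EASYRSA (global config dir), $2 = EASYRSA_PKI (PKI dir)
    if [ -f "$2/openssl-easyrsa.cnf" ]; then
        echo "pki-override"
    elif [ -f "$1/openssl-easyrsa.cnf" ]; then
        echo "global"
    else
        echo "missing"      # neither copy exists, so there is no config to use
    fi
}

# Build a constructed directory tree under a temp dir and print its root.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/easy-rsa" "$root/foo_ca/pki" "$root/bar_ca/pki"
    echo "# shared defaults" > "$root/etc/easy-rsa/openssl-easyrsa.cnf"
    echo "# bar_ca override" > "$root/bar_ca/pki/openssl-easyrsa.cnf"
    echo "$root"
}

demo() {
    root=$(make_demo_tree) || return 1
    for ca in foo_ca bar_ca; do
        # EASYRSA_PKI left at its default of $PWD/pki, as the report suggests
        ( cd "$root/$ca" && echo "$ca: $(conf_source "$root/etc/easy-rsa" "$PWD/pki")" )
    done
    # EASYRSA pointing at a dir without the shared config: nothing to fall back to
    echo "foo_ca, wrong EASYRSA: $(conf_source "$root/usr/bin" "$root/foo_ca/pki")"
    rm -rf "$root"
}

demo
```
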
Comment by Nick (kousu) - Tuesday, 23 February 2021, 17:17 GMT
This is still a problem for me with

```
$ pacman -Qi easy-rsa
Name : easy-rsa
Version : 3.0.8-2
Description : Simple shell based CA utility
Architecture : any
URL : https://github.com/OpenVPN/easy-rsa
Licenses : custom
Groups : None
Provides : None
Depends On : openssl sh grep
Optional Deps : None
Required By : None
Optional For : openvpn
Conflicts With : None
Replaces : None
Installed Size : 124.94 KiB
Packager : Christian Hesse <arch@eworm.de>
Build Date : Sat 10 Oct 2020 02:51:55 PM
Install Date : Tue 23 Feb 2021 11:46:28 AM
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
```

If I try to use it I see the same error everyone else is:

```
$ mkdir test
$ cd test
$ easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/kousu/src/certs/test/test/pki


$ easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1j 16 Feb 2021

Easy-RSA error:

The OpenSSL config file cannot be found.
Expected location: /home/kousu/src/certs/test/test/pki/openssl-easyrsa.cnf

```

I can work around it by just:

```
mkdir test
cd test
easyrsa init-pki
cp /etc/easy-rsa/openssl-easyrsa.cnf pki/
easyrsa build-ca
```

Comment by Nick (kousu) - Tuesday, 23 February 2021, 17:17 GMT

Would it be more robust to patch init_pki instead of the EASYRSA variable?

```
--- /usr/bin/easyrsa 2020-10-10 14:51:55.000000000 -0400
+++ easyrsa 2021-02-23 12:15:20.407264578 -0500
@@ -551,9 +551,9 @@
done

# Create $EASYRSA_SAFE_CONF ($OPENSSL_CONF) prevents bogus warnings (especially useful on win32)
- if [ ! -f "$EASYRSA_SSL_CONF" ] && [ -f "$EASYRSA/openssl-easyrsa.cnf" ];
+ if [ ! -f "$EASYRSA_SSL_CONF" ] && [ -f "/etc/easy-rsa/openssl-easyrsa.cnf" ];
then
- cp "$EASYRSA/openssl-easyrsa.cnf" "$EASYRSA_SSL_CONF"
+ cp "/etc/easy-rsa/openssl-easyrsa.cnf" "$EASYRSA_SSL_CONF"
easyrsa_openssl makesafeconf
fi
```
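
Review bot: The hard-coded "/etc/easy-rsa/openssl-easyrsa.cnf" in both the `[ -f ... ]` test and the `cp` line replaces the "$EASYRSA/openssl-easyrsa.cnf" lookup outright, so a caller who points EASYRSA at another directory no longer gets that directory's config copied to "$EASYRSA_SSL_CONF". Consider keeping the "$EASYRSA" check first and adding /etc/easy-rsa only as a fallback, with the path held in one variable instead of repeated as a literal on two lines. The `cp` result is also not checked before `easyrsa_openssl makesafeconf` runs, so a failed copy would only surface in that later step.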
Comment by Nick (kousu) - Tuesday, 23 February 2021, 17:54 GMT
I also vouch that EASYRSA_PKI should be restored to $PWD/pki. Otherwise, trying to work around this with `export EASYRSA=/etc/easy-rsa` gets you warnings that should probably be errors but aren't:

```
$ export EASYRSA=/etc/easy-rsa
$ easyrsa sign-req server don
Can't open /home/kousu/src/certs/test/test/pki/safessl-easyrsa.cnf for reading, No such file or directory
140691190113664:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/home/kousu/src/certs/test/test/pki/safessl-easyrsa.cnf','r')
140691190113664:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
```
Comment by Lex Black (TrialnError) - Monday, 20 March 2023, 11:01 GMT
The patch that caused issues got removed with the upgrade to 3.0.9[0]
Is this still of concern? If not, maybe someone, who was hit by that in the past, could confirm and request closure?
_________
[0] https://github.com/archlinux/svntogit-packages/commit/eaf8e184443c8b4dd907f2b751538a00cbc0035c
Comment by Corubba (corubba) - Tuesday, 21 March 2023, 18:27 GMT
Yes, works like intended now. Can be closed.
