Merge branch 'TinCanTech-remove-renew-30day-grace'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
OpenVPN · Jun 8, 2022 · 72b84c4 · 72b84c4
2 parents ab39261 + 78f1717
commit 72b84c4
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 24 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -436,12 +436,6 @@ General options:
 Certificate & Request options: (these impact cert/req field values)
 
 --days=#        : sets the signing validity to the specified number of days
---renew-days=#  : Number of days grace period before allowing renewal
---fix-offset=#  : Generate certificate with fixed start and end dates.
-                : Range 1 to 365
-                : start date: 01 January 00:00:00 of the current year
-                : end date:   off-set days 01:00:00 of the final year
-				: Final year is configured via --days (Default: 825 days, 2 years)
 
 --digest=ALG    : digest to use in the requests & certificates
 --dn-mode=MODE  : DN mode to use (cn_only or org)
@@ -470,6 +464,16 @@ Deprecated features:
 --ns-cert=YES/NO      : yes or no to including deprecated NS extensions
 --ns-comment=COMMENT  : NS comment to include (value may be blank)
 "
+
+: << OLD_OPTS
+--renew-days=#  : Number of days grace period before allowing renewal
+--fix-offset=#  : Generate certificate with fixed start and end dates.
+                : Range 1 to 365
+                : start date: 01 January 00:00:00 of the current year
+                : end date:   off-set days 01:00:00 of the final year
+				: Final year is configured via --days (Default: 825 days, 2 years)
+OLD_OPTS
+
 } # => opt_usage()
 
 # Wrapper around printf - clobber print since it's not POSIX anyway
@@ -1417,7 +1421,7 @@ sign_req() {
 	crt_out="$EASYRSA_PKI/issued/$2.crt"
 
 	# Get fixed dates by --fix-offset
-	cert_dates
+	#cert_dates
 
 	# Randomize Serial number
 	if [ "$EASYRSA_RAND_SN" != "no" ]; then
@@ -1905,12 +1909,12 @@ Cannot renew this certificate because a conflicting file exists.
 	[ -e "$req_out" ] && die "$deny_msg request    : $req_out"
 	unset -v deny_msg
 
-	# Check if old cert is expired or expires within 30
-	cert_dates "$crt_in"
-
-	[ "$expire_date_s" -lt "$allow_renew_date_s" ] || die "\
-Certificate expires in more than $EASYRSA_CERT_RENEW days.
-Renewal not allowed."
+	#	# Check if old cert is expired or expires within 30
+	#	cert_dates "$crt_in"
+	#
+	#	[ "$expire_date_s" -lt "$allow_renew_date_s" ] || die "\
+	#Certificate expires in more than $EASYRSA_CERT_RENEW days.
+	#Renewal not allowed."
 
 	# Extract certificate usage from old cert
 	cert_ext_key_usage="$(
@@ -2413,6 +2417,9 @@ To revoke use: 'revoke-renewed $crt_cn'"
 
 # Set certificate expire date, renew date and variables needed for fixdate
 cert_dates() {
+
+	die "DISABLED: cert_dates()"
+
 	if [ -e "$1" ]; then
 		# Required for renewal
 		# Call openssl directly, otherwise this is not debug compatible
@@ -3047,7 +3054,7 @@ build_ff_date_string() {
 	ff_date="${ff_date#"$SS"}"
 	TZ="$ff_date"
 	ff_date="${yy}-${mm}-${dd} ${HH}:${MM}:${SS}${TZ}"
-} # => build_date_string()
+} # => build_ff_date_string()
 
 # SC2295: (info): Expansions inside ${..} need to be quoted separately,
 # otherwise they match as patterns. (what-ever that means .. ;-)
@@ -3187,6 +3194,11 @@ renew_status() {
 
 # cert status reports
 status() {
+	# Disabled until a universal date wrapper is complete
+	unset EASYRSA_BATCH EASYRSA_SILENT
+	message "Status reports are currently disabled."
+	return
+
 	[ "$#" -gt 0 ] || die "status - Incorrect input parameters"
 	report="$1"
 	target="$2"

diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
@@ -142,16 +142,6 @@ fi
 # publication date.
 #set_var EASYRSA_CRL_DAYS	180
 
-# How many days before its expiration date a certificate is allowed to be
-# renewed?
-#set_var EASYRSA_CERT_RENEW	30
-
-# For fixed certificate start/end dates - Range 1..365
-# If set here then command line option is always in effect.
-# The day number 183 is either July 2nd or 3rd (leap-year)
-# Replace with your chosen day-of-year value:
-#set_var  EASYRSA_FIX_OFFSET 183
-
 # Random serial numbers by default, set to no for the old incremental serial numbers
 #
 #set_var EASYRSA_RAND_SN	"yes"
@@ -233,3 +223,17 @@ fi
 # or most output. Setting this to any non-blank string enables batch mode.
 
 #set_var EASYRSA_BATCH		""
+
+# DISABLED - DO NOT USE
+# Ref: https://github.com/OpenVPN/easy-rsa/issues/593
+# How many days before its expiration date a certificate is allowed to be
+# renewed?
+#set_var EASYRSA_CERT_RENEW	30
+
+# DISABLED - DO NOT USE
+# Ref: https://github.com/OpenVPN/easy-rsa/issues/593
+# For fixed certificate start/end dates - Range 1..365
+# If set here then command line option is always in effect.
+# The day number 183 is either July 2nd or 3rd (leap-year)
+# Replace with your chosen day-of-year value:
+#set_var  EASYRSA_FIX_OFFSET 183