In gen-req --batch option generates request with "subject=CN = ChangeMe" #456

Closed
tik806 opened this issue Aug 26, 2021 · 5 comments · Fixed by #524
Labels
BUG Priority Acknowledged priority

Comments

@tik806

tik806 commented Aug 26, 2021

To reproduce:
easyrsa --batch gen-req CertName nopass
and look at it:
openssl req -in CertName.req -noout -subject

But
easyrsa gen-req CertName nopass batch
works fine

@TinCanTech
Collaborator

Do you mean this ?

tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/tct/easy-rsa/EasyRSA-3.0.8/pki


tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa --batch gen-req test nopass
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
............+++++
...........+++++
writing new private key to '/home/tct/easy-rsa/EasyRSA-3.0.8/pki/easy-rsa-323704.0rfNru/tmp.UrWMVZ'
-----

tct@home:~/easy-rsa/EasyRSA-3.0.8$ openssl req -in pki/reqs/test.req -noout -subject
subject=CN = ChangeMe
tct@home:~/easy-rsa/EasyRSA-3.0.8$ ./easyrsa gen-req fred nopass batch
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
...........................................+++++
.............................................................................................................................+++++
writing new private key to '/home/tct/easy-rsa/EasyRSA-3.0.8/pki/easy-rsa-323797.UTUdtq/tmp.PTcBYQ'
-----

tct@home:~/easy-rsa/EasyRSA-3.0.8$ openssl req -in pki/reqs/fred.req -noout -subject
subject=CN = fred
tct@home:~/easy-rsa/EasyRSA-3.0.8$ 

@tik806
Author

tik806 commented Aug 26, 2021

Yes, exactly

@u0m3

u0m3 commented Nov 10, 2021

You can work around that with something like:

declare -a certnames
certnames=( 'cert1' 'cert2' 'cert3' )

# Quote the expansions so names containing spaces or glob characters survive intact.
for certname in "${certnames[@]}"; do
    ./easyrsa --batch --req-cn="${certname}" gen-req "${certname}" nopass
    ./easyrsa --batch --req-cn="${certname}" sign-req client "${certname}" nopass
done

Also +1 for the

easyrsa gen-req CertName nopass batch

version of the command. I had no idea of its existence.
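The workaround above relies on --req-cn to make --batch pick up the name; what it does not do is check the result before the request is signed. The following script is an added example, not code from this thread or from the easy-rsa project: it wraps the same --batch --req-cn pattern in a loop and refuses to continue if a generated CSR still carries the placeholder CN "ChangeMe". The function names (cn_from_subject, cn_is_placeholder, req_cn_matches, batch_gen_reqs) are my own, and it assumes ./easyrsa and openssl are on the path and that the PKI lives in ./pki (the default layout shown in the transcript above). The subject parser handles both the "subject=CN = fred" form printed by OpenSSL 1.1.1 and the older "subject=/CN=fred" form.

```shell
#!/bin/sh
# Added example (not from the issue or the easy-rsa project): batch-generate
# requests with an explicit --req-cn and refuse to continue if the resulting
# CSR still carries easy-rsa's placeholder CN "ChangeMe". Assumes ./easyrsa and
# openssl are on the path and the PKI lives in ./pki (the default layout).
# All function names below are hypothetical helpers written for this example.

# Extract the CN value from a line printed by `openssl req -noout -subject`.
# Handles both "subject=CN = fred" (OpenSSL 1.1.1) and "subject=/CN=fred"
# (older OpenSSL), with or without other RDNs around the CN.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*[^,/ ]\).*/\1/p'
}

# Exit 0 when the subject line still carries the placeholder CN.
cn_is_placeholder() {
    [ "$(cn_from_subject "$1")" = "ChangeMe" ]
}

# Exit 0 when the CSR file $1 carries exactly the CN $2 and not the placeholder.
# Exit 2 if openssl could not read the file at all.
req_cn_matches() {
    subject=$(openssl req -in "$1" -noout -subject) || return 2
    cn=$(cn_from_subject "$subject")
    [ "$cn" = "$2" ] && [ "$cn" != "ChangeMe" ]
}

# Generate one request per name given as an argument and verify each one
# before it can reach sign-req. --req-cn is what makes --batch pick up the
# name; without it the affected versions write CN=ChangeMe into the request.
batch_gen_reqs() {
    for certname in "$@"; do
        ./easyrsa --batch --req-cn="$certname" gen-req "$certname" nopass || return 1
        if ! req_cn_matches "pki/reqs/$certname.req" "$certname"; then
            echo "refusing to continue: pki/reqs/$certname.req does not carry CN=$certname" >&2
            return 1
        fi
    done
}

# Usage (kept as a comment so the functions can be sourced by other scripts):
# batch_gen_reqs cert1 cert2 cert3
```

The check sits between gen-req and sign-req on purpose: a request with CN=ChangeMe that reaches the CA gets signed as-is, and the mistake then shows up as an unusable certificate rather than a failed script.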

@ecrist
Member

ecrist commented Mar 16, 2022

This is a bug for sure. We'll try to address this in v3.0.9.

@ecrist ecrist added the BUG label Mar 16, 2022
@ecrist ecrist added this to the v3.0.9 milestone Mar 16, 2022
@TinCanTech TinCanTech added Priority Acknowledged priority and removed initial-approval labels Mar 22, 2022
@TinCanTech TinCanTech modified the milestones: v3.0.9, v3.1.0 Mar 28, 2022
@TinCanTech
Collaborator

This comment is completely wrong:

# gen-req backend:
gen_req() {
	# pull filename base and use as default interactive CommonName:

This is what actually happens:

# gen-req backend:
gen_req() {
	# pull filename base and use as default non-interactive CommonName:

This is another case of abusing EASYRSA_BATCH.

TinCanTech added a commit to TinCanTech/easy-rsa that referenced this issue Sep 8, 2022
Due to my previous misunderstanding of the intended use of --req-cn,
it is no longer possible to set commonName for command gen-req.
Ref: OpenVPN#524  OpenVPN#456

This commit restores v30x series behavior:
* --req-cn can only be used in batch mode.
* --req-cn can only be used by commands build-ca and gen-req.
* SSL layer prompts are restored to original behavior.

Important: The use of internal batch mode is no longer required
for command sign_req(), when called by build_full(). This code
has been disabled but remains in place.  This is a considerable
change under the hood but there is no user observable difference.

Also, minor improvements to help and EasyRSA-Advanced.md

Tested manually and thoroughly.

Closes: OpenVPN#668

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>