cannot fully automate with --batch option #73

Closed
john564 opened this issue Sep 3, 2015 · 6 comments

john564 commented Sep 3, 2015

cannot fully automate with --batch option, and cannot enter passphrase from file or inline

The following gives an error:

# Client side: fresh PKI, then a key and request for client1
mkdir $HOME/clientside
cd $HOME/clientside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa --batch gen-req client1 nopass

# Server side: fresh PKI, CA, server key/request, then sign the server request
mkdir $HOME/serverside
cd $HOME/serverside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch gen-req server nopass
./easyrsa --batch sign-req server server
# Import the client request produced on the client side and sign it
./easyrsa --batch import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req client1
./easyrsa --batch sign-req client client1

ERROR

$ ./easyrsa --batch sign-req client client1
Using configuration from ....serverside/easy-rsa/easyrsa3/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'ChangeMe'
.....
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)

Workaround: don't batch the following line

./easyrsa gen-req server nopass
*** manually press return ***

ecrist self-assigned this Sep 9, 2015
ecrist added this to the 3.1 branch milestone Sep 9, 2015
ecrist added the BUG label Sep 9, 2015
ecrist modified the milestones: 3.0.1, 3.1 branch Sep 9, 2015

ecrist (Member) commented Sep 10, 2015

This is a bug, and it isn't at the same time. Your procedure above makes no modifications to the common name environment variable. The error you're seeing is due to both the server CN being set to ChangeMe along with the client1 certificate CN being the same.

Obviously, the program should provide an option to define CN and the --batch option should handle this gracefully.
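The clash described above happens in the CA database, not in the request: OpenSSL keeps a unique index on the subject DN of every valid entry in pki/index.txt, so signing a second request with the same subject fails with "TXT_DB error number 2". The following added check (example code, not part of easy-rsa) reads an index.txt and reports whether a new subject would clash before sign-req is run; the sample index is constructed.

```python
"""Check an OpenSSL CA index (pki/index.txt) for subject clashes.

Only entries with status 'V' (valid) are in OpenSSL's unique subject
index, so revoked ('R') or expired ('E') rows do not block re-signing.
"""
from collections import defaultdict

# Constructed sample of an index.txt, tab-separated:
# status  expiry(YYMMDDHHMMSSZ)  revoked  serial  filename  subject
SAMPLE_INDEX = (
    "V\t250901120000Z\t\t01\tunknown\t/CN=ChangeMe\n"
    "R\t250901120000Z\t240101000000Z\t02\tunknown\t/CN=old-client\n"
    "V\t250901120000Z\t\t03\tunknown\t/CN=server\n"
)


def parse_index(text):
    """Return a list of (status, serial, subject) for each non-empty row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index row: {line!r}")
        status, _expiry, _revoked, serial, _fname, subject = fields
        rows.append((status, serial, subject))
    return rows


def valid_subjects(text):
    """Map subject DN -> serials of currently valid ('V') certificates."""
    seen = defaultdict(list)
    for status, serial, subject in parse_index(text):
        if status == "V":
            seen[subject].append(serial)
    return seen


def would_clash(text, new_subject):
    """True if signing a request with new_subject would hit TXT_DB error 2."""
    return new_subject in valid_subjects(text)


if __name__ == "__main__":
    import sys
    # usage: check_index.py pki/index.txt "/CN=client1"
    with open(sys.argv[1]) as fh:
        print("clash" if would_clash(fh.read(), sys.argv[2]) else "ok")
```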

john564 (Author) commented Sep 10, 2015

Yes, modifying client and server with unique CNs works.
Thanks.

# Client side: set a unique CN in vars before generating the request
mkdir $HOME/clientside
cd $HOME/clientside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
cp vars.example vars
echo 'set_var EASYRSA_REQ_CN "Change_me_CN1"' >> vars
./easyrsa --batch gen-req client1 nopass

# Server side: a different CN so the server and client subjects no longer collide
mkdir $HOME/serverside
cd $HOME/serverside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
cp vars.example vars
echo 'set_var EASYRSA_REQ_CN "Change_me_CN2"' >> vars
./easyrsa --batch build-ca nopass
./easyrsa --batch gen-req server nopass
./easyrsa --batch sign-req server server
./easyrsa --batch import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req client1
./easyrsa --batch sign-req client client1

fzipi commented Jun 2, 2016

At least I found how to use options in batch mode:

./easyrsa --batch --req-cn=test gen-req test nopass

There are many parameters for batch mode, including:

Certificate & Request options: (these impact cert/req field values)

--days=#        : sets the signing validity to the specified number of days
--digest=ALG    : digest to use in the requests & certificates
--dn-mode=MODE  : DN mode to use (cn_only or org)
--keysize=#     : size in bits of keypair to generate
--req-cn=NAME   : default CN to use
--subca-len=#   : path length of signed sub-CA certs; must be >= 0 if used
--subject-alt-name : Add a subjectAltName. For more info and syntax, see:
                     ./easyrsa help altname
--use-algo=ALG  : crypto alg to use: choose rsa (default) or ec
--curve=NAME    : for elliptic curve, sets the named curve to use

Organizational DN options: (only used with the 'org' DN mode)
  (values may be blank for org DN options)

--req-c=CC        : country code (2-letters)
--req-st=NAME     : State/Province
--req-city=NAME   : City/Locality
--req-org=NAME    : Organization
--req-email=NAME  : Email addresses
--req-ou=NAME     : Organizational Unit

g105b commented Jan 15, 2021

Hi everyone. I hope this will help solve this issue.

I'm using Docker as a mechanism to get a perfectly reproducible environment to isolate this bug. Within a fresh Docker container running Bash on Ubuntu (docker run -ti --rm ubuntu /bin/bash), issue the following:

# Install EasyRSA
cd
apt update && apt install -y openssl wget
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
tar -xzf EasyRSA-3.0.8.tgz
cd EasyRSA*/

# Set Variables:
cat << EOF > vars
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"
set_var EASYRSA_BATCH          "yes"
set_var EASYRSA_REQ_COUNTRY    "GB"
set_var EASYRSA_REQ_PROVINCE   "ExampleProvince"
set_var EASYRSA_REQ_CITY       "ExampleCity"
set_var EASYRSA_REQ_ORG        "ExampleOrg"
set_var EASYRSA_REQ_EMAIL      "admin@example.com"
set_var EASYRSA_REQ_OU         "Community"
EOF

# Init PKI directory:
./easyrsa init-pki
# Build CA with default settings:
./easyrsa build-ca --req-cn=test-ca nopass
# Generate a request with the client's CN of "test-client"
./easyrsa gen-req test-client nopass
./easyrsa --req-cn=test-client sign-req client test-client
# Output what the actual CN is created as:
grep "Subject: CN" pki/issued/test-client.crt

Output I see:

root@7c0959319f56:~/EasyRSA-3.0.8# grep "Subject: CN" pki/issued/test-client.crt
        Subject: CN=ChangeMe

I expect to see test-client as the CN. There doesn't seem to be a mechanism that works to set the CN from a script (using batch mode).

TinCanTech modified the milestones: 3.0.1, v3.1.0 Mar 28, 2022

TinCanTech (Collaborator) commented

Please try again with current git/master.

TinCanTech (Collaborator) commented

This appears to be resolved:

tct@home:~/git/easy-rsa/test/installed$ easyrsa --pki-dir=pki2 gen-req c1 nopass text

Note: using Easy-RSA configuration from: pki2/vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
...........................................................................................................................+++++
.............................................................+++++
writing new private key to 'pki2/easy-rsa-1995900.J5aV0V/tmp.ace468'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [00]:
State or Province Name (full name) [test]:
Locality Name (eg, city) [TEST ,./<>  ?;:@~  []!%^  *()-=  _+| (23) TEST]:
Organization Name (eg, company) [example.org]:
Organizational Unit Name (eg, section) [TEST esc { } £ ¬ (4) TEST]:
Common Name (eg: your user, host, or server name) [c1]:
Email Address [me@example.net]:

Keypair and certificate request completed. Your files are:
req: pki2/reqs/c1.req
key: pki2/private/c1.key


tct@home:~/git/easy-rsa/test/installed$ easyrsa --batch --pki-dir=pki2 gen-req c2 nopass text
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
..+++++
...+++++
writing new private key to 'pki2/easy-rsa-1995944.UtQxhy/tmp.b4e30e'
-----

The two reqs:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = 00, ST = test, L = "TEST ,./<>  ?;:@~  []!%^  *()-=  _+| (23) TEST", O = example.org, OU = TEST esc { } \C2\A3 \C2\AC (4) TEST, CN = c1, emailAddress = me@example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
<snip>
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
<snip>
-----BEGIN CERTIFICATE REQUEST-----
<snip>
-----END CERTIFICATE REQUEST-----
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = 00, ST = test, L = "TEST ,./<>  ?;:@~  []!%^  *()-=  _+| (23) TEST", O = example.org, OU = TEST esc { } \C2\A3 \C2\AC (4) TEST, CN = c2, emailAddress = me@example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
<snip>
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
<snip>
-----BEGIN CERTIFICATE REQUEST-----
<snip>
C82EpUV9yA==
-----END CERTIFICATE REQUEST-----
