Remove restrictive 30-day window hindering 'renew' #594

Merged
merged 1 commit into from
Jun 8, 2022
40 changes: 26 additions & 14 deletions easyrsa3/easyrsa
Expand Up @@ -436,12 +436,6 @@ General options:
Certificate & Request options: (these impact cert/req field values)

--days=# : sets the signing validity to the specified number of days
--renew-days=# : Number of days grace period before allowing renewal
--fix-offset=# : Generate certificate with fixed start and end dates.
: Range 1 to 365
: start date: 01 January 00:00:00 of the current year
: end date: off-set days 01:00:00 of the final year
: Final year is configured via --days (Default: 825 days, 2 years)

--digest=ALG : digest to use in the requests & certificates
--dn-mode=MODE : DN mode to use (cn_only or org)
Expand Down Expand Up @@ -470,6 +464,16 @@ Deprecated features:
--ns-cert=YES/NO : yes or no to including deprecated NS extensions
--ns-comment=COMMENT : NS comment to include (value may be blank)
"

: << OLD_OPTS
--renew-days=# : Number of days grace period before allowing renewal
--fix-offset=# : Generate certificate with fixed start and end dates.
: Range 1 to 365
: start date: 01 January 00:00:00 of the current year
: end date: off-set days 01:00:00 of the final year
: Final year is configured via --days (Default: 825 days, 2 years)
OLD_OPTS

} # => opt_usage()

# Wrapper around printf - clobber print since it's not POSIX anyway
Expand Down Expand Up @@ -1417,7 +1421,7 @@ sign_req() {
crt_out="$EASYRSA_PKI/issued/$2.crt"

# Get fixed dates by --fix-offset
cert_dates
#cert_dates

# Randomize Serial number
if [ "$EASYRSA_RAND_SN" != "no" ]; then
Expand Down Expand Up @@ -1905,12 +1909,12 @@ Cannot renew this certificate because a conflicting file exists.
[ -e "$req_out" ] && die "$deny_msg request : $req_out"
unset -v deny_msg

# Check if old cert is expired or expires within 30
cert_dates "$crt_in"

[ "$expire_date_s" -lt "$allow_renew_date_s" ] || die "\
Certificate expires in more than $EASYRSA_CERT_RENEW days.
Renewal not allowed."
# # Check if old cert is expired or expires within 30
# cert_dates "$crt_in"
#
# [ "$expire_date_s" -lt "$allow_renew_date_s" ] || die "\
#Certificate expires in more than $EASYRSA_CERT_RENEW days.
#Renewal not allowed."

# Extract certificate usage from old cert
cert_ext_key_usage="$(
Expand Down Expand Up @@ -2413,6 +2417,9 @@ To revoke use: 'revoke-renewed $crt_cn'"

# Set certificate expire date, renew date and variables needed for fixdate
cert_dates() {

die "DISABLED: cert_dates()"

if [ -e "$1" ]; then
# Required for renewal
# Call openssl directly, otherwise this is not debug compatible
Expand Down Expand Up @@ -3047,7 +3054,7 @@ build_ff_date_string() {
ff_date="${ff_date#"$SS"}"
TZ="$ff_date"
ff_date="${yy}-${mm}-${dd} ${HH}:${MM}:${SS}${TZ}"
} # => build_date_string()
} # => build_ff_date_string()

# SC2295: (info): Expansions inside ${..} need to be quoted separately,
# otherwise they match as patterns. (what-ever that means .. ;-)
Expand Down Expand Up @@ -3187,6 +3194,11 @@ renew_status() {

# cert status reports
status() {
# Disabled until a universal date wrapper is complete
unset EASYRSA_BATCH EASYRSA_SILENT
message "Status reports are currently disabled."
return

[ "$#" -gt 0 ] || die "status - Incorrect input parameters"
report="$1"
target="$2"
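Review bot: In sign_req() the `cert_dates` call is commented out rather than replaced by a check, so if option parsing (not visible in these hunks) still accepts `--fix-offset` or `EASYRSA_FIX_OFFSET`, the request would be signed with ordinary validity dates and no warning. For a CA tool a silently ignored validity setting is worse than a hard error; I would fail closed at that spot with `[ -z "${EASYRSA_FIX_OFFSET:-}" ] || die "--fix-offset is disabled"`, and handle `EASYRSA_CERT_RENEW` the same way in the renew path. Separately, the `die` at the top of cert_dates() and the bare `return` in status() leave the rest of both bodies unreachable; a comment such as `# Unreachable until date handling is reworked` above each remaining body would make that explicit. With the expiry-window check removed, renew can run while the old certificate is still well within its validity period, and that certificate presumably stays usable until it expires or is revoked, so the renew help text should point operators at `revoke-renewed`. sign_req, the renew function, cert_dates and status all continue outside the hunks shown.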
24 changes: 14 additions & 10 deletions easyrsa3/vars.example
Expand Up @@ -142,16 +142,6 @@ fi
# publication date.
#set_var EASYRSA_CRL_DAYS 180

# How many days before its expiration date a certificate is allowed to be
# renewed?
#set_var EASYRSA_CERT_RENEW 30

# For fixed certificate start/end dates - Range 1..365
# If set here then command line option is always in effect.
# The day number 183 is either July 2nd or 3rd (leap-year)
# Replace with your chosen day-of-year value:
#set_var EASYRSA_FIX_OFFSET 183

# Random serial numbers by default, set to no for the old incremental serial numbers
#
#set_var EASYRSA_RAND_SN "yes"
Expand Down Expand Up @@ -233,3 +223,17 @@ fi
# or most output. Setting this to any non-blank string enables batch mode.

#set_var EASYRSA_BATCH ""

# DISABLED - DO NOT USE
# Ref: https://github.com/OpenVPN/easy-rsa/issues/593
# How many days before its expiration date a certificate is allowed to be
# renewed?
#set_var EASYRSA_CERT_RENEW 30

# DISABLED - DO NOT USE
# Ref: https://github.com/OpenVPN/easy-rsa/issues/593
# For fixed certificate start/end dates - Range 1..365
# If set here then command line option is always in effect.
# The day number 183 is either July 2nd or 3rd (leap-year)
# Replace with your chosen day-of-year value:
#set_var EASYRSA_FIX_OFFSET 183