Your message dated Mon, 13 Jul 2015 17:34:12 +0000
with message-id <[email protected]>
and subject line Bug#773925: fixed in easy-rsa 2.2.2-2
has caused the Debian Bug report #773925,
regarding [easy-rsa] Patch for ALTNAMES doesn't patch out commandline arguments
count
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
773925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773925
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: easy-rsa
Version: 2.2.2-1
Severity: normal
Tags: patch
The patch for ALTNAMES is working correctly, but it fails to remove the
pkitool check for the number of arguments to the pkitool script. Hence there is no
possibility to actually pass more domain names to be included in ALTNAMES.
Please consider the corrected patch in the attachment.
Cheers
Michal
Description: allows creating RSA keys valid for more than one domain by
using the subjectAltName attribute.
Origin: http://www.msquared.id.au/articles/easy-rsa-subjectaltname/
Forwarded: no
Author: Vicente Aguilar <[email protected]> and Msquared <http://www.msquared.id.au/>
Last-Update: 2012-11-12
Index: easy-rsa-2.2.2/openssl-0.9.6.cnf
===================================================================
--- easy-rsa-2.2.2.orig/openssl-0.9.6.cnf
+++ easy-rsa-2.2.2/openssl-0.9.6.cnf
@@ -191,6 +191,7 @@ keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
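Review bot: The added `subjectAltName=$ENV::KEY_ALTNAMES` makes this config depend on KEY_ALTNAMES being present in the environment, and nothing next to the line says so. OpenSSL refuses to load a config whose `$ENV::` reference has no value, so every script that runs openssl with this file has to export the variable first, as the revoke-full hunk in this patch does with an empty string. A comment above the line naming that requirement would make the dependency visible. The same applies to the identical additions in the other hunks of this file and in openssl-0.9.8.cnf and openssl-1.0.0.cnf.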
@@ -212,6 +213,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
Index: easy-rsa-2.2.2/openssl-0.9.8.cnf
===================================================================
--- easy-rsa-2.2.2.orig/openssl-0.9.8.cnf
+++ easy-rsa-2.2.2/openssl-0.9.8.cnf
@@ -200,6 +200,7 @@ keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
@@ -221,6 +222,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
Index: easy-rsa-2.2.2/pkitool
===================================================================
--- easy-rsa-2.2.2.orig/pkitool
+++ easy-rsa-2.2.2/pkitool
@@ -269,31 +269,37 @@ if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then
KEY_CN="$1"
+ KEY_ALTNAMES="DNS:${KEY_CN}"
elif [ "$KEY_ORG" ]; then
KEY_CN="$KEY_ORG CA"
+ KEY_ALTNAMES="$KEY_CN"
fi
fi
if [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using CA Common Name:" "$KEY_CN"
+ KEY_ALTNAMES="$KEY_CN"
fi
FN="$KEY_CN"
elif [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using Common Name:" "$KEY_CN"
+ KEY_ALTNAMES="$KEY_CN"
FN="$KEY_CN"
if [ "$1" ]; then
FN="$1"
fi
else
- if [ $# -ne 1 ]; then
- usage
- exit 1
- else
- KEY_CN="$1"
- fi
+ KEY_CN="$1"
+ KEY_ALTNAMES="DNS:$1"
+ shift
+ while [ "x$1" != "x" ]
+ do
+ KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1"
+ shift
+ done
FN="$KEY_CN"
fi
-export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES
# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
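Review bot: Dropping the `[ $# -ne 1 ]` check in the final `else` branch leaves no lower bound on the argument count: with no arguments KEY_CN is empty, KEY_ALTNAMES becomes `DNS:` and `usage` is never shown. Keep the guard but relax it, for example `if [ $# -lt 1 ]; then usage; exit 1; fi`, and loop on `[ $# -gt 0 ]` so that an empty argument does not end the list early. Each `$1` is also appended to a comma-separated value unchecked, so a name containing a comma or a `type:` prefix changes the resulting extension; rejecting anything that is not a plain host name before appending would close that. Separately, the batch and `$KEY_ORG` branches assign `KEY_ALTNAMES="$KEY_CN"` without the `DNS:` prefix used elsewhere in the hunk, and the batch assignment under DO_ROOT overwrites the `DNS:${KEY_CN}` set just above it.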
@@ -305,6 +311,7 @@ if [ $DEBUG -eq 1 ]; then
echo NODES_P12 $NODES_P12
echo DO_P12 $DO_P12
echo KEY_CN $KEY_CN
+ echo KEY_ALTNAMES $KEY_ALTNAMES
echo BATCH $BATCH
echo DO_ROOT $DO_ROOT
echo KEY_EXPIRE $KEY_EXPIRE
Index: easy-rsa-2.2.2/README.subjectAltName
===================================================================
--- /dev/null
+++ easy-rsa-2.2.2/README.subjectAltName
@@ -0,0 +1,38 @@
+easy-rsa with subjectAltName support
+by Vicente Aguilar <[email protected]>
+http://www.bisente.com/proyectos/easy-rsa-subjectaltname
+updates by Msquared <http://www.msquared.id.au/>
+http://www.msquared.id.au/articles/easy-rsa-subjectaltname/
+
+
+INTRODUCTION
+============
+
+This is a modified version of OpenVPN's easy-rsa script, that allows you to
+create RSA keys valid for more than one domain by using the subjectAltName
+attribute.
+
+While I don't see this as a good practice when using the certificate for
+identity validation (like in establishing a VPN), it can be useful if you
+have a web server with just one IP address and want to provide HTTPS service
+for several virtual domains without the browser complaining that the site
+domain doesn't match the certificate's domain.
+
+
+USAGE
+=====
+
+Use the script as usual, see README.orig and http://openvpn.net/easyrsa.html.
+If you want to make a key with several domains, just add them as parameters
+on the command line:
+
+ # ./build-key-server www.domain1.com www.domain2.com www.domain3.com
+
+The key's certificate in ./keys/www.domain1.com.crt will contain a section
+like:
+
+ X509v3 Subject Alternative Name:
+ DNS:www.domain1.com, DNS:www.domain2.com, DNS:www.domain3.com
+
+Any modern browser should accept the certificate for all these domains
+without complaining.
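Review bot: The USAGE section documents only the extra command-line parameters and leaves out the KEY_ALTNAMES variable that the cnf files now read from the environment, as well as the fact that every name is added as a `DNS:` entry. Given the INTRODUCTION's own reservation about multi-name certificates for identity validation, it would help to state that the first argument becomes the CN and the file name, and that a certificate built with a single name now also gets a subjectAltName.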
Index: easy-rsa-2.2.2/revoke-full
===================================================================
--- easy-rsa-2.2.2.orig/revoke-full
+++ easy-rsa-2.2.2/revoke-full
@@ -20,6 +20,9 @@ if [ "$KEY_DIR" ]; then
export KEY_OU=""
export KEY_NAME=""
+ # required due to hack in openssl.cnf that supports Subject Alternative Names
+ export KEY_ALTNAMES=""
+
# revoke key and generate a new CRL
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
Index: easy-rsa-2.2.2/openssl-1.0.0.cnf
===================================================================
--- easy-rsa-2.2.2.orig/openssl-1.0.0.cnf
+++ easy-rsa-2.2.2/openssl-1.0.0.cnf
@@ -195,6 +195,7 @@ keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
@@ -216,6 +217,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
--- End Message ---
--- Begin Message ---
Source: easy-rsa
Source-Version: 2.2.2-2
We believe that the bug you reported is fixed in the latest version of
easy-rsa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[email protected]> (supplier of updated easy-rsa
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 13 Jul 2015 19:23:18 +0200
Source: easy-rsa
Binary: easy-rsa
Architecture: source all
Version: 2.2.2-2
Distribution: unstable
Urgency: medium
Maintainer: Alberto Gonzalez Iniesta <[email protected]>
Changed-By: Alberto Gonzalez Iniesta <[email protected]>
Description:
easy-rsa - Simple shell based CA utility
Closes: 773925
Changes:
easy-rsa (2.2.2-2) unstable; urgency=medium
.
* Update subjectAltName to fix command arguments count.
(Closes: #773925) Thanks Michal Humpula for the patch.
--- End Message ---