On Thu, 2 Mar 2023 16:23:01 +0100 Dennis Camera <dennis.camera+deb...@riiengineering.ch> wrote: > The correct behaviour of the --req-cn option was restored in upstream > version 3.1.1.
I attached a patch based on upstream commit fe3cced16c62de5dd33f3a230ee03e904306a55b which fixes the behaviour of --req-cn.
--- a/easyrsa3/easyrsa 2023-03-02 16:44:48.526049371 +0100 +++ b/easyrsa3/easyrsa 2023-03-02 16:49:00.478040360 +0100 @@ -1130,18 +1130,29 @@ [ -n "$1" ] || die "\ Error: gen-req must have a file base as the first argument. Run easyrsa without commands for usage and commands." + + # Initialisation + unset -v text nopass ssl_batch + + # Set ssl batch mode and Default commonName, as required + if [ "$EASYRSA_BATCH" ]; then + ssl_batch=1 + [ "$EASYRSA_REQ_CN" = ChangeMe ] && export EASYRSA_REQ_CN="$1" + else + # --req-cn must be used with --batch, otherwise use default + export EASYRSA_REQ_CN="$1" + fi + + # Output files key_out="$EASYRSA_PKI/private/$1.key" req_out="$EASYRSA_PKI/reqs/$1.req" - # Set the request commonName - EASYRSA_REQ_CN="$1" - shift + shift # scrape off file-name # Require SSL Lib version for 'nopass' -> $no_password verify_pki_init # function opts support - unset -v text nopass ssl_batch while [ -n "$1" ]; do case "$1" in text) text=1 ;; @@ -1365,7 +1376,7 @@ rm -f "$ext_tmp" [ "$EASYRSA_SILENT" ] || print # Separate Notice below - unset -v EASYRSA_BATCH # This is why batch mode should not silence output + #unset -v EASYRSA_BATCH # This is why batch mode should not silence output notice "\ Certificate created at: $crt_out" @@ -1406,12 +1417,16 @@ [ -f "$key_out" ] && die "Key $err_exists $key_out" [ -f "$crt_out" ] && die "Certificate $err_exists $crt_out" - # create request + # Set commonName + [ "$EASYRSA_REQ_CN" = ChangeMe ] || die "\ +Option conflict: '$cmd' does not support setting an external commonName" EASYRSA_REQ_CN="$name" + + # create request gen_req "$name" batch ${nopass+ nopass} # Sign it - ( sign_req "$crt_type" "$name" batch ) || { + ( sign_req "$crt_type" "$name" ) || { rm -f "$req_out" "$key_out" die "Failed to sign '$name' - See error messages above for details." }