Hi,

Bo, 

first, please accept my apologies for putting you through this torture.

Somebody had to test it one day, that day has come.

Second, thank you for persevering with me.

Hopefully, I have found a reasonably simple solution.

Required changes:

Keep the "mismatched CA to vars file" as a warning ONLY, keep that current 
change.

Now, locate this code in function up23_do_upgrade_23():

        up23_verify_new_pki
        up23_verify_current_pki
        up23_verify_current_ca
        up23_backup_current_pki
        up23_create_new_pki
        up23_upgrade_ca
        up23_move_easyrsa2_programs
        up23_build_v3_vars
        up23_create_openssl_cnf

Change that to this (Copy/paste as is):

        up23_verify_new_pki
        up23_create_new_pki
        up23_create_openssl_cnf
        up23_verify_current_pki
        up23_verify_current_ca
        up23_backup_current_pki
        up23_upgrade_ca
        up23_move_easyrsa2_programs
        up23_build_v3_vars

Then, locate this code (Almost at the very end of the entire file):

        upgrade)
                up23_manage_upgrade_23 "$@"
                ;;


Change to this:

        upgrade)
                secure_session
                up23_manage_upgrade_23 "$@"
                ;;


The actual diff is:

@@ -5156,14 +5183,14 @@ up23_do_upgrade_23 ()
        up23_verbose ""
 
        up23_verify_new_pki
+       up23_create_new_pki
+       up23_create_openssl_cnf
        up23_verify_current_pki
        up23_verify_current_ca
        up23_backup_current_pki
-       up23_create_new_pki
        up23_upgrade_ca
        up23_move_easyrsa2_programs
        up23_build_v3_vars
-       up23_create_openssl_cnf
 
        if [ "$NOSAVE" -eq 0 ]
        then
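
Review bot: In up23_do_upgrade_23, up23_create_new_pki and up23_create_openssl_cnf now run before up23_verify_current_pki, up23_verify_current_ca and up23_backup_current_pki, so a run that stops in one of those later steps has already created the new PKI. The message itself notes that a rerun can then complain that the new pki already exists. Consider removing the freshly created PKI when a later step fails, or at least add a comment above these two calls explaining why they must come first and that a failed run needs manual cleanup.
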
@@ -5734,6 +5761,7 @@ case "$cmd" in
                make_safe_ssl "$@"
                ;;
        upgrade)
+               secure_session
                up23_manage_upgrade_23 "$@"
                ;;
        ""|help|-h|--help|--usage)

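Review bot: The secure_session call added to the upgrade) branch has no comment explaining why this command needs it, and its result is not checked before up23_manage_upgrade_23 "$@" runs. From this hunk it is not visible whether secure_session exits on failure by itself; if it does not, the upgrade would continue without the temporary session that the change is meant to guarantee. Suggest a one-line comment stating that the upgrade needs a temporary session for its files, and confirming that a failure stops the upgrade before any PKI changes are made.
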
This should ensure a temporary session and files can be created.


Finally, run the upgrade like so:

$ EASYRSA_TEMP_DIR="$PWD" VERBOSE=1 easyrsa upgrade pki

If it complains that your new pki already exists then please remove it and try 
once more.

I am cutting the rest of this email for brevity.

Highest regards
Richard

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
