Review how vars is processed during install_data_to_pki() #651

Closed
TinCanTech opened this issue Aug 22, 2022 · 10 comments · Fixed by #655

@TinCanTech
Collaborator

Review/reword warning messages and only show such warnings under specific circumstances. (To be decided)

@TinCanTech
Collaborator Author

TinCanTech commented Aug 22, 2022

At init-pki v3.1.1:

  • No vars file present -> * IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above.
  • ./vars present -> No message - Old behavior is preserved.

This is correct.

@TinCanTech
Collaborator Author

TinCanTech commented Aug 22, 2022

At build-ca v3.1.1:

  • Automatic pki/vars present -> CA is built with no additional warning.
  • ./vars present:
* The preferred location for 'vars' is within the PKI folder:
    /foo/test/pki
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=./vars
  • easyrsa --vars=./vars build-ca -> vars is defined, No message issued.

This is correct.

@TinCanTech
Collaborator Author

Above is the correct behavior for v3.1.x

@TinCanTech
Collaborator Author

TinCanTech commented Aug 22, 2022

At init-pki v3.0.9:

  • No vars file present -> * IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above.
    This is correct.
  • ./vars present -> * IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above.
    This is a BUG.

BUG: A conflicting vars file now exists: ./vars vs pki/vars.

@TinCanTech
Collaborator Author

TinCanTech commented Aug 22, 2022

At build-ca v3.0.9:

  • Automatic pki/vars present -> CA is built with no additional warning.
    This is correct.
  • ./vars present:
Found: /foo/easy-rsa/EasyRSA-v3.0.9/pki/vars
Found: /foo/easy-rsa/EasyRSA-v3.0.9/vars
Found: ./vars

Easy-RSA error:

Conflicting 'vars' files found.

Priority should be given to your PKI vars file:
* /foo/easy-rsa/EasyRSA-v3.0.9/pki/vars

This is a BUG.

This BUG is Resolved in v3.1.1.

Note: The duplicate ./vars vs /foo/easy-rsa/EasyRSA-v3.0.9/vars is also Resolved in v3.1.1.

@TinCanTech
Collaborator Author

TinCanTech commented Aug 22, 2022

I will try to build from 3.0.9 and patch in the fixes as 3.0.10
to a development branch named 3.0.10-dev.

@Renfrew

Renfrew commented Aug 31, 2023

Hi @TinCanTech,

I am using version 3.1.6 and getting the error:

% easyrsa build-server-full test nopass
Found: /opt/homebrew/etc/pki/vars
Found: /opt/homebrew/etc/pki/vars

EasyRSA version ~VER~

Error
-----
Conflicting 'vars' files found.

Priority should be given to your PKI vars file:
* /opt/homebrew/etc/pki/vars

I think this is a regression issue and is still not fixed. I could use this before upgrading, but I forgot the version I used.

The issue exists as long as I put the vars file within the pki directory.

Below is the info printed when running easyrsa

% easyrsa 
Found: /opt/homebrew/etc/pki/vars
Found: /opt/homebrew/etc/pki/vars

Easy-RSA 3 usage and overview

USAGE: easyrsa [global-options] COMMAND [command-options]

To get detailed usage and help for a command, use:
  ./easyrsa help COMMAND

For a list of global-options, use:
  ./easyrsa help options

A list of commands is shown below:
  init-pki [ cmd-opts ]
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <file_name_base> [ cmd-opts ]
  sign-req <type> <file_name_base> [ cmd-opts ]
  build-client-full <file_name_base> [ cmd-opts ]
  build-server-full <file_name_base> [ cmd-opts ]
  build-serverClient-full <file_name_base> [ cmd-opts ]
  inline <file_name_base>
  revoke <file_name_base> [ cmd-opts ]
  renew <file_name_base>
  revoke-renewed <file_name_base> [ cmd-opts ]
  rewind-renew <certificate_serial_number>
  rebuild <file_name_base> [ cmd-opts ]
  gen-crl
  update-db
  make-safe-ssl
  show-req <file_name_base> [ cmd-opts ]
  show-cert <file_name_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  show-crl
  show-expire <file_name_base> (Optional)
  show-revoke <file_name_base> (Optional)
  show-renew <file_name_base> (Optional)
  verify-cert <file_name_base>
  import-req <request_file_path> <short_name_base>
  export-p1 <file_name_base> [ cmd-opts ]
  export-p7 <file_name_base> [ cmd-opts ]
  export-p8 <file_name_base> [ cmd-opts ]
  export-p12 <file_name_base> [ cmd-opts ]
  set-pass <file_name_base> [ cmd-opts ]
  upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
     EASYRSA: /opt/homebrew/etc/easy-rsa
         PKI: /opt/homebrew/etc/pki
   vars-file: WARNING: Multiple conflicting vars files!
  x509-types: /opt/homebrew/etc/easy-rsa/x509-types
   CA status: OK
  CA subject: 
    commonName                = Test Common Name

IMPORTANT:
  The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

@TinCanTech
Collaborator Author

@Renfrew Thank you for the report.

> The issue exists as long as I put the vars file within the pki directory.

Please do not put the vars file in the PKI. See #1009

I'm not sure how you managed to configure this:

DIRECTORY STATUS (commands would take effect on these locations)
     EASYRSA: /opt/homebrew/etc/easy-rsa
         PKI: /opt/homebrew/etc/pki

@Renfrew

Renfrew commented Aug 31, 2023

Hi @TinCanTech

Thank you for your reply.

The directory configuration is managed by Homebrew, and the easyrsa command is a wrapper around the installed easyrsa executable with the necessary environment variables, so running it gives the location information above.

Here is the easyrsa script

#!/bin/bash
EASYRSA="/opt/homebrew/etc/easy-rsa" EASYRSA_OPENSSL="/opt/homebrew/opt/openssl@3/bin/openssl" EASYRSA_PKI="${EASYRSA_PKI:-/opt/homebrew/etc/pki}" exec "/opt/homebrew/Cellar/easy-rsa/3.1.6/libexec/easyrsa"  "$@"

Meanwhile, I narrowed down the issue I reported. It only happens when I am in the pki directory. If I cd to another location, it works as expected.

This may be an edge case, and may be improved by not checking the vars in the current location if the current location is the pki directory.

@TinCanTech
Collaborator Author

TinCanTech commented Aug 31, 2023

@Renfrew I will look into the duplicate vars problem.

As a workaround, you should be able to use global option --vars=<FILE>.
Or assign EASYRSA_VARS_FILE, as your wrapper does for other variables.

By declaring the vars file, easyrsa does not need to search for it.
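
The edge case reported in this thread (the current directory is the PKI directory, so `./vars` and the PKI `vars` are one file listed twice) can be avoided by comparing canonical paths before declaring a conflict. The sketch below is an added example, not Easy-RSA's code; the function names are hypothetical, and paths containing newlines are not handled.

```sh
#!/bin/sh
# Added illustration, not Easy-RSA code; function names are hypothetical.

# Print the physical absolute path of an existing file: the directory part
# is resolved with 'pwd -P', so "./vars" and "/abs/pki/vars" compare equal.
canon_path() {
    [ -f "$1" ] || return 1
    dir=$(cd -P -- "$(dirname -- "$1")" && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename -- "$1")"
}

# Print each distinct existing vars file among the candidates, one per line.
distinct_vars() {
    for cand in "$@"; do
        canon_path "$cand" || :    # skip candidates that do not exist
    done | sort -u
}

# Number of distinct vars files; a conflict exists only when this exceeds 1.
count_vars() {
    distinct_vars "$@" | wc -l | tr -d ' '
}

# Constructed demo: the current directory is the PKI directory.
demo() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/pki" && : > "$tmp/pki/vars" || exit 1
    cd "$tmp/pki" || exit 1
    count_vars ./vars "$tmp/pki/vars"
    cd / && rm -rf "$tmp"
)

echo "distinct vars files seen from inside the PKI: $(demo)"
```

A `vars` file that is itself a symlink is not followed here; only the directory part of each path is resolved.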
