If your common name and certificate filename are not the same, easy-tls cannot find it #317

Open
mike406 opened this issue Dec 8, 2024 · 5 comments


mike406 commented Dec 8, 2024

Despite the verbiage during ./easytls build stating that you do not need the complete file name, at least on Windows, this is not the case. For example, if I perform the following steps with easyrsa:

./easyrsa gen-req testing-server nopass
Enter common name testing
./easyrsa sign-req server testing-server
This will create a certificate testing-server.crt with CN=testing

Now in easy-tls, if I perform ./easytls build and attempt to create a TLS Crypt v2 key, entering the common name of "testing" does not work because it tries to find a file named "testing.crt", which doesn't exist. If I specify "testing-server" as my common name, easy-tls will find the certificate, but the problem is that that is not actually the common name of the cert. While this doesn't seem to actually cause any issues with the keys, the script verbiage should be updated so that it does not contradict itself here.

Owner

TinCanTech commented Dec 8, 2024

This is why you should not mess with the certificate commonName.

However, the interactive prompt is indeed incorrect.

It is disappointing that your report did not show easytls data.

Author

mike406 commented Dec 9, 2024

I'm not messing with anything, that's a base feature of easy-rsa. Otherwise why would it ask if you want to type in a different CN? File name and CN are not the same thing, your prompt doesn't make sense because it assumes file name always matches. You realize it is possible to have more than one server with the same CN if working in different environments, hence having the flexibility of having file name != commonName. Also I'm not really sure what data you are looking for, I've provided adequate steps to re-create the bug.

@TinCanTech
Owner

> I'm not messing with anything, that's a base feature of easy-rsa.

What is your reason to use it?

Author

mike406 commented Dec 9, 2024

I have needed to issue certs for different servers that use the same CN or for different services on the same server. This could be a server in a different environment or test environment so in this case I would just give a file name like "server-prod.crt" or "server-test.crt" with the same CN applied to the certs. Sometimes you also could run into cases where you have a server running multiple services (web server, openvpn, etc) and need to provide different certificates to those services, but both would have the same CN.

@TinCanTech
Owner

Your use case is far from typical.

You have identified the work-around, use file-name-base not commonName.

The prompt will be corrected.
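
An added example, not part of the thread and not easy-tls or Easy-RSA code: a shell helper that maps certificate commonName to file-name-base, for finding which name to enter when the two differ as in this report. It assumes PEM certificates named `<file-name-base>.crt` in one directory (Easy-RSA 3's default `pki/issued`) and an `openssl` binary on the PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not easy-tls or Easy-RSA code).
# Assumption: issued certificates are PEM files named <file-name-base>.crt
# in a single directory (Easy-RSA 3 default layout: pki/issued).

# Print the first subject commonName of one certificate file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Print the file-name-base of every certificate in directory $1 whose
# commonName equals $2, one per line. Returns 1 when nothing matches.
find_base_by_cn() {
    dir=$1 want=$2 found=1
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        if [ "$(cert_cn "$crt")" = "$want" ]; then
            basename "$crt" .crt
            found=0
        fi
    done
    return "$found"
}

# Print "file-name-base<TAB>commonName<TAB>same|DIFFERS" per certificate,
# so names that a "<commonName>.crt" lookup would miss stand out.
list_cn_map() {
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        base=$(basename "$crt" .crt)
        cn=$(cert_cn "$crt")
        if [ "$base" = "$cn" ]; then flag=same; else flag=DIFFERS; fi
        printf '%s\t%s\t%s\n' "$base" "$cn" "$flag"
    done
}

# Stand-alone use: sh thisfile.sh pki/issued
if [ "$#" -gt 0 ]; then
    list_cn_map "$1"
fi
```

Several files can share one commonName, as in the use case described in the thread, so `find_base_by_cn` may print more than one file-name-base.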
