On Sun, 05 Mar 2023 18:15:02 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>Hi,
>Bo,
>
>first, please accept my apologies for putting you through this torture.
>Somebody had to test it one day, that day has come.
>Second, thank you for persevering with me.
>Hopefully, I have found a reasonably simple solution.
>Required changes:
>Keep the "mismatched CA to vars file" as a warning ONLY, keep that current
>change.
>
>Now, locate this code in function up23_do_upgrade_23():
>
>    up23_verify_new_pki
>    up23_verify_current_pki
>    up23_verify_current_ca
>    up23_backup_current_pki
>    up23_create_new_pki
>    up23_upgrade_ca
>    up23_move_easyrsa2_programs
>    up23_build_v3_vars
>    up23_create_openssl_cnf
>
>Change that to this (Copy/paste as is):
>
>    up23_verify_new_pki
>    up23_create_new_pki
>    up23_create_openssl_cnf
>    up23_verify_current_pki
>    up23_verify_current_ca
>    up23_backup_current_pki
>    up23_upgrade_ca
>    up23_move_easyrsa2_programs
>    up23_build_v3_vars
>
>Then, locate this code (Almost at the very end of the entire file):
>
>    upgrade)
>        up23_manage_upgrade_23 "$@"
>        ;;
>
>
>Change to this:
>
>    upgrade)
>        secure_session
>        up23_manage_upgrade_23 "$@"
>        ;;
>

Thanks, this worked a lot better!
See below.

<snip>
>
>This should ensure a temporary session and files can be created.
>
>Finally, run the upgrade like so:
>
>$ EASYRSA_TEMP_DIR="$PWD" VERBOSE=1 easyrsa upgrade pki

So here is one item that I probably got wrong:
I thought the environment var setting should be:

$ EASYRSA_TEMP_DIR="$PWD/tmp"

but it seems like it should be the easyrsa main directory, right?

And this should be:
"VERBOSE=1 ./easyrsa upgrade pki" in order to work...

So all is done now and I could run successfully with this command line:

$ EASYRSA_TEMP_DIR="$PWD" VERBOSE=1 ./easyrsa upgrade pki

I will send *you* the session logfile I created for this run separately.

>
>If it complains that your new pki already exists then please remove it and try
>once more..

There was no pki dir when I started, but now it is there. :-)

And the dir I have used to do the tests inside did not contain any easy-rsa2
files except for vars, so all the small script files that it tried to move away
were non-existing during the test run, so it complained it could not find them
and move to the safe dir.
But no matter, it did work anyway. :-)

The new pki dir now contains this:

-rw------- 1 bosse bosse 1728 2023-03-05 22:00 ca.crt
drwx------ 2 bosse bosse 4096 2023-03-05 22:00 certs_by_serial
-rw------- 1 bosse bosse 1966 2023-03-05 22:00 index.txt
-rw------- 1 bosse bosse   20 2023-03-05 22:00 index.txt.attr
drwx------ 2 bosse bosse 4096 2023-03-05 22:00 issued
-rw------- 1 bosse bosse 5043 2023-03-05 22:00 openssl-easyrsa.cnf
drwx------ 2 bosse bosse 4096 2023-03-05 22:00 private
drwx------ 2 bosse bosse 4096 2023-03-05 22:00 reqs
-rw------- 1 bosse bosse 5213 2023-03-05 22:00 safessl-easyrsa.cnf
-rw------- 1 bosse bosse    3 2023-03-05 22:00 serial

Question:
I have looked inside the pki dir and found that the files originally in my keys
dir have been copied over to a few subdirectories:

certs_by_serial   *.pem files
issued            *.crt files
reqs              *.csr files
private           *.key files

So is the main upgrade process to restructure the unwieldy keys dir so files
with the same purpose go to dedicated dirs?
And restructure the vars file?

>Highest regards
>Richard

Next after these tests is to actually upgrade the live easy-rsa2 directory...

But first I have to adapt my script for creating the client files including the
OVPN file they need to connect.
That script uses a number of calls to the original easy-rsa constituent scripts
and handled user input during the full process.
It must now change to use easy-rsa calls with commands corresponding to the
discrete scripts existing earlier in v2.

So I will have to test this in the newly created v3 sandbox.

--
Bo Berglund
Developer in Sweden
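
A post-upgrade check for the layout described in the message above, added here as an example (it is not part of the original message and is not Easy-RSA code). It assumes file names are kept unchanged by the upgrade and that files are sorted by extension as listed above, with ca.crt at the top of the pki directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an upgraded pki directory against the old keys directory.
# Layout assumed from the listing in this message:
#   *.crt -> issued/  *.csr -> reqs/  *.key -> private/  *.pem -> certs_by_serial/
#   ca.crt -> top of the pki directory

# Print the pki subdirectory a v2 file is expected in ("." = pki top level).
expected_subdir() {
    case "$1" in
        ca.crt) echo "." ;;
        *.crt)  echo "issued" ;;
        *.csr)  echo "reqs" ;;
        *.key)  echo "private" ;;
        *.pem)  echo "certs_by_serial" ;;
        *)      echo "" ;;          # index.txt, serial, etc. are not checked here
    esac
}

# check_pki_layout KEYS_DIR PKI_DIR
# Prints one line per problem; returns 0 only when nothing was reported.
check_pki_layout() {
    keys=$1 pki=$2 bad=0
    for src in "$keys"/*; do
        [ -f "$src" ] || continue
        name=${src##*/}
        sub=$(expected_subdir "$name")
        [ -n "$sub" ] || continue
        dst="$pki/$sub/$name"
        if [ ! -f "$dst" ]; then
            echo "MISSING  $sub/$name"; bad=1
        elif ! cmp -s "$src" "$dst"; then
            echo "DIFFERS  $sub/$name"; bad=1
        fi
    done
    # Private keys must stay owner-only, like the drwx------ / -rw------- listing.
    for f in "$pki/private" "$pki/private"/*.key; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c5-10)     # group and other permission bits
        if [ "$mode" != "------" ]; then
            echo "PERMS    ${f#"$pki"/} is accessible beyond the owner"; bad=1
        fi
    done
    return $bad
}
```

Run it as `check_pki_layout keys pki` from the Easy-RSA directory before retiring the old keys directory; any output line names a file to inspect by hand.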