Deprecate command revoke in favour of revoke-issued #1265

Closed
TinCanTech opened this issue Dec 2, 2024 · 1 comment · Fixed by #1266

TinCanTech commented Dec 2, 2024

There exists in easyrsa command revoke, the unfortunate possibility to revoke an incorrect certificate, far too easily.

To reproduce:

build-client-full tct-c1
renew tct-c1
renew tct-c1

This will fill the renew file buffer, so that further renewal of tct-c1 will require that the renewed certificate for tct-c1 is revoked. This requires use of command revoke-renewed not revoke.

  • If command revoke-renewed is used now then the correct, old renewed certificate is revoked.

  • If command revoke is used now then the incorrect, new issued certificate is revoked.

This is caused by command revoke not being specific about the target file.

Command revoke must be changed to revoke-issued, to ensure that the correct certificate is selected.

How to do this effectively?

@TinCanTech TinCanTech self-assigned this Dec 2, 2024
@TinCanTech TinCanTech added BUG renew I cannot go back; No. But if you could, would you really want to? labels Dec 2, 2024
@TinCanTech

To avoid the unnecessary file checks needed to guard command revoke, I propose this solution:

For batch mode, command revoke will behave exactly as before and all conflicting file checks will be ignored. Using revoke in batch mode suggests that the user has selected the correct command.

For non-batch mode, command revoke will error out. The error message will instruct the user to select the correct revoke-* command.

@TinCanTech TinCanTech added this to the v3.2.2 milestone Dec 2, 2024
@TinCanTech TinCanTech linked a pull request Dec 3, 2024 that will close this issue
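
A sketch of the batch/non-batch behaviour proposed in the comment above, as an added example that is not Easy-RSA's code or the change made in #1266. `dispatch_revoke` and the stand-in functions are hypothetical, and `EASYRSA_BATCH` is assumed to be the batch-mode indicator.

```shell
#!/bin/sh
# Sketch of the proposed guard. All function names are hypothetical.

# Stand-in for the existing, non-specific revoke code path (assumption).
legacy_revoke() {
    printf 'revoke (legacy behaviour): %s\n' "$1"
}

# Stand-ins for the target-specific commands named in the issue.
revoke_issued()  { printf 'revoke-issued: %s\n' "$1"; }
revoke_renewed() { printf 'revoke-renewed: %s\n' "$1"; }

# dispatch_revoke CMD NAME
# Returns 0 on success, 1 when the command is refused or unknown.
dispatch_revoke() {
    cmd="$1"; name="$2"
    [ -n "$name" ] || { echo "Error: certificate name required" >&2; return 1; }
    case "$cmd" in
        revoke-issued)  revoke_issued "$name" ;;
        revoke-renewed) revoke_renewed "$name" ;;
        revoke)
            if [ -n "${EASYRSA_BATCH:-}" ]; then
                # Batch mode: behave as before, no conflicting-file checks.
                legacy_revoke "$name"
            else
                # Non-batch mode: refuse and name the specific commands.
                cat >&2 <<EOF
Error: 'revoke' does not say which certificate to revoke.
Use one of:
  revoke-issued  $name   (the currently issued certificate)
  revoke-renewed $name   (the old certificate replaced by renew)
EOF
                return 1
            fi ;;
        *) echo "Error: unknown command '$cmd'" >&2; return 1 ;;
    esac
}
```
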