Mike
2016-07-28 14:51:47 UTC
First, some quick background.
I wrote some scripts to help me manage a self-signing cert authority for
my home network, partly to use the certs and partly to learn about TLS
and such.
The CA is currently running on FreeBSD (AMD64, 10.3) using OpenSSL. I
have wanted to move it over to LibreSSL, so I started to look into that
aspect. I installed the LibreSSL port of FreeBSD and started testing
the scripts.
I immediately ran into a problem, values did not seem to be passed into
the openssl config file via the environment. It worked with OpenSSL but
not with LibreSSL.
Wanting to eliminate one factor, I moved the testing over to OpenBSD
(AMD64, current). I still see the issue.
The command I run, and the resulting error message are:
===
/usr/bin/openssl req -new -newkey rsa:4096 -text -subj
/C=US/ST=State/L=Area/O=Disorganized/OU=InternetServices/emailAddress=***@example.com/CN=zCA
-reqexts ca_req -config /usr/local/etc/zca/zca-openssl.conf -keyout
/var/zca/private/zca-key.pem -out /var/zca/ca-certs/zca-req.pem
error on line 4 of /usr/local/etc/zca/zca-openssl.conf
2020983463892:error:0E065068:configuration file
routines:STR_COPY:variable has no
value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_def.c:573:line
4
===
The first few lines of zca-openssl.conf are:
===
[ zca ]
certs = $ENV::zca_CertsDBDir
new_certs_dir = $certs
database = $ENV::zca_IndexFile
serial = $ENV::zca_SerialFile
crldir = $ENV::zca_CRLDir
crlnumber = $ENV::zca_CRLNumberFile
===
(line #4 starts with "certs")
Before the command is run, the values are exported to the environment:
===
# export all the variables that ${mc_OpenSSLConfig} file requires
export zca_CertsDBDir=${mc_CertsDBDir}
export zca_IndexFile=${mc_IndexFile}
export zca_SerialFile=${mc_SerialFile}
export zca_CRLDir=${mc_CRLDir}
export zca_CRLNumberFile=${mc_CRLNumberFile}
export zca_CRL_URI=${CRL_URI}
env | grep zca
===
The env command shows the correct values in the environment at this point.
As I mentioned earlier, OpenSSL has no issues with this, but LibreSSL
picks up an error. The error is probably right in front of my eyes, but
I cannot find it. What am I doing wrong?
The full script and conf files can be downloaded from my site:
https://archive.mgm51.com/cache/zca-otest.tar.gz
thx.
I wrote some scripts to help me manage a self-signing cert authority for
my home network, partly to use the certs and partly to learn about TLS
and such.
The CA is currently running on FreeBSD (AMD64, 10.3) using OpenSSL. I
have wanted to move it over to LibreSSL, so I started to look into that
aspect. I installed the LibreSSL port of FreeBSD and started testing
the scripts.
I immediately ran into a problem, values did not seem to be passed into
the openssl config file via the environment. It worked with OpenSSL but
not with LibreSSL.
Wanting to eliminate one factor, I moved the testing over to OpenBSD
(AMD64, current). I still see the issue.
The command I run, and the resulting error message are:
===
/usr/bin/openssl req -new -newkey rsa:4096 -text -subj
/C=US/ST=State/L=Area/O=Disorganized/OU=InternetServices/emailAddress=***@example.com/CN=zCA
-reqexts ca_req -config /usr/local/etc/zca/zca-openssl.conf -keyout
/var/zca/private/zca-key.pem -out /var/zca/ca-certs/zca-req.pem
error on line 4 of /usr/local/etc/zca/zca-openssl.conf
2020983463892:error:0E065068:configuration file
routines:STR_COPY:variable has no
value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_def.c:573:line
4
===
The first few lines of zca-openssl.conf are:
===
[ zca ]
certs = $ENV::zca_CertsDBDir
new_certs_dir = $certs
database = $ENV::zca_IndexFile
serial = $ENV::zca_SerialFile
crldir = $ENV::zca_CRLDir
crlnumber = $ENV::zca_CRLNumberFile
===
(line #4 starts with "certs")
Before the command is run, the values are exported to the environment:
===
# export all the variables that ${mc_OpenSSLConfig} file requires
export zca_CertsDBDir=${mc_CertsDBDir}
export zca_IndexFile=${mc_IndexFile}
export zca_SerialFile=${mc_SerialFile}
export zca_CRLDir=${mc_CRLDir}
export zca_CRLNumberFile=${mc_CRLNumberFile}
export zca_CRL_URI=${CRL_URI}
env | grep zca
===
The env command shows the correct values in the environment at this point.
As I mentioned earlier, OpenSSL has no issues with this, but LibreSSL
picks up an error. The error is probably right in front of my eyes, but
I cannot find it. What am I doing wrong?
The full script and conf files can be downloaded from my site:
https://archive.mgm51.com/cache/zca-otest.tar.gz
thx.