'openssl ca -serial' command line always exit with error 1 ?


'openssl ca -serial' command line always exit with error 1 ?

tincanteksup
Greetings openssl users,

I'm a long time lurker..

I am trying to use 'openssl ca' command to verify the status of a
certificate
by serial number only.  I can successfully complete this task, however, the
'openssl ca' command always returns an error on completion.

I must point out, in advance, that I am using EasyRSA and EasyTLS to build my
PKI and I am using OpenSSL command line to get the serial number status. So,
apologies in advance if this is an off-topic or spammy question.

Also, I am not asking for help with either EasyRSA or EasyTLS, I only want to
ascertain if my observation regarding openssl "always returns error 1" is
correct. Unfortunately, my C skills are too basic to be able to verify this
from openssl source code, which is why I must ask here.

Thank you in advance for all of your time and any feedback.

Anyway, "in for a penny .." and so I shall continue ..

For reference:
uname -a:
Linux arch-hyv-live-64 5.6.4-arch1-1 #1 SMP PREEMPT Mon, 13 Apr 2020 12:21:19 +0000 x86_64 GNU/Linux
OpenSSL: OpenSSL 1.1.1f  31 Mar 2020
EasyRSA: https://github.com/OpenVPN/easy-rsa/releases/tag/v3.0.7
EasyTLS: https://github.com/TinCanTech/easy-tls

The steps to reproduce this problem could not be simpler:

[tct@arch-hyv-live-64 ~]$ mkdir easytls
[tct@arch-hyv-live-64 ~]$ cd easytls/
[tct@arch-hyv-live-64 easytls]$ git clone https://github.com/TinCanTech/easy-tls.git master
[tct@arch-hyv-live-64 easytls]$ cd master/
[tct@arch-hyv-live-64 master]$ ./op_test.sh

If you choose to run op_test.sh it will:
1. download 'easyrsa' script only (the complete repo is not required).
2. download 'openssl-easyrsa.cnf' (the specific EasyRSA config file to use
openssl).
3. download a pre-built version of openvpn-git/master which is required to
build tls-crypt-v2 keys and therefore allow the script to complete.
4. build a complete EasyRSA PKI with valid and revoked certificates.
5. build an EasyTLS "PKI" (not a real PKI but I don't have a better name)

Steps 1-5 only take a few seconds to complete.

Next:
[tct@arch-hyv-live-64 master]$ cd pki
[tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
-keyfile private/ca.key -cert ca.crt

This will essentially list out index.txt

[tct@arch-hyv-live-64 pki]$ echo $?

Note exit status

Then use a valid and then revoked serial no. from the index.txt above
and run:

[tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
-keyfile private/ca.key -cert ca.crt -status $serial_number

[tct@arch-hyv-live-64 pki]$ echo $?

Note exit status

Repeat this last step with another serial number.

Again, my apologies if this email appears to be overly spammy but this was the
most effective way for me to explain my issue with sufficient details.

I am prepared to learn, in advance, that either:
* this is not an openssl error and exit code 1 is expected
or
* if I built the PKI myself then openssl would not return an error

but, at this time, this appears to me to be a problem with openssl.

Thank you for reading and I welcome any/all feedback.

--
Richard Bonhomme. (Independent)
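The status lookup the post does with `openssl ca -status` can also be done by reading the CA database that command lists (index.txt), which avoids depending on the utility's exit code at all. This is an added example, not code from the thread, EasyRSA or EasyTLS; the index.txt lines are constructed, and the `E` (expired) marker is assumed to be present only after `openssl ca -updatedb`, so expiry is also checked against the date.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of the tab-separated CA database that 'openssl ca' lists:
# status  expiry  revocation[,reason]  serial  filename  subject
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/CN=server1\n"
    "R\t300101000000Z\t200428120000Z,keyCompromise\t02\tunknown\t/CN=client1\n"
    "V\t200101000000Z\t\t03\tunknown\t/CN=old-client\n"
)

def _parse_time(s: str) -> datetime:
    # UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ), both UTC
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[Dict]:
    """Parse index.txt lines into dicts; raises on a malformed line."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, exp, rev, serial, _fname, subject = fields
        rev_date, _, reason = rev.partition(",")   # revocation field may carry a reason
        entries.append({
            "status": status,                      # V valid, R revoked, E expired
            "expires": _parse_time(exp),
            "revoked": _parse_time(rev_date) if rev_date else None,
            "reason": reason or None,
            "serial": serial.upper().lstrip("0") or "0",   # normalise '02' and '2'
            "subject": subject,
        })
    return entries

def cert_status(text: str, serial: str, now: Optional[datetime] = None) -> str:
    """Return 'valid', 'revoked', 'expired' or 'unknown' for a hex serial."""
    now = now or datetime.now(timezone.utc)
    wanted = serial.upper().lstrip("0") or "0"
    for e in parse_index(text):
        if e["serial"] != wanted:
            continue
        if e["status"] == "R":
            return "revoked"
        # 'E' is only written by 'openssl ca -updatedb', so check the date too
        if e["status"] == "E" or e["expires"] <= now:
            return "expired"
        return "valid"
    return "unknown"
```

Pass the contents of the real pki/index.txt as `text`; a serial that is absent from the database is reported as "unknown" rather than silently treated as valid.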

RE: 'openssl ca -serial' command line always exit with error 1 ?

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of
> tincanteksup
> Sent: Tuesday, April 28, 2020 07:02


> [tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
> -keyfile private/ca.key -cert ca.crt -status $serial_number
>
> [tct@arch-hyv-live-64 pki]$ echo $?
>
> Note exit status

Yes, with a pure OpenSSL-based test CA I get an exit code of 1 for this command too.

That was with OpenSSL 1.1.1 (which I apparently still have installed on this machine as my default dev openssl utility version, even though we're using 1.1.1g in the actual products). My guess is this hasn't changed with 1.1.1g, though, since I don't remember seeing anything in the change log about it.

I don't have time to debug it at the moment, though.

The openssl utility appears to exit with exit code 1 in a lot of situations. And it doesn't use the standard C exit code macros (EXIT_SUCCESS and EXIT_FAILURE). The exit codes for the utility seem to be a holdover from the days when OpenSSL was very idiosyncratic, instead of merely quite idiosyncratic as it is now.

--
Michael Wojcik
Distinguished Engineer, Micro Focus




Re: 'openssl ca -serial' command line always exit with error 1 ?

tincanteksup
Hi Michael,

On 28/04/2020 15:21, Michael Wojcik wrote:

>> From: openssl-users [mailto:[hidden email]] On Behalf Of
>> tincanteksup
>> Sent: Tuesday, April 28, 2020 07:02
>
>
>> [tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
>> -keyfile private/ca.key -cert ca.crt -status $serial_number
>>
>> [tct@arch-hyv-live-64 pki]$ echo $?
>>
>> Note exit status
>
> Yes, with a pure OpenSSL-based test CA I get an exit code of 1 for this command too.


Thank you very much for testing this and confirming my suspicions .. I
can now at least move forward with my project.


> That was with OpenSSL 1.1.1 (which I apparently still have installed on this machine as my default dev openssl utility version, even though we're using 1.1.1g in the actual products). My guess is this hasn't changed with 1.1.1g, though, since I don't remember seeing anything in the change log about it.
>
> I don't have time to debug it at the moment, though.
>
> The openssl utility appears to exit with exit code 1 in a lot of situations. And it doesn't use the standard C exit code macros (EXIT_SUCCESS and EXIT_FAILURE). The exit codes for the utility seem to be a holdover from the days when OpenSSL was very idiosyncratic, instead of merely quite idiosyncratic as it is now.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus