[openssl-users] 'openssl ca -serial' command line always exit with error 1 ?

tincanteksup tincanteksup at gmail.com
Tue Apr 28 13:01:46 UTC 2020


Greetings openssl users,

I'm a long time lurker..

I am trying to use 'openssl ca' command to verify the status of a 
certificate
by serial number only.  I can successfully complete this task, however, the
'openssl ca' command always returns an error on completion.

I must point out, in advance, that I am using EasyRSA and EasyTLS to 
build my
PKI and I am using OpenSSL command line to get the serial number status. 
  So,
apologies in advance if this is an off-topic or spammy question.

Also, I am not asking for help with either EasyRSA or EasyTLS, I only 
want to
ascertain if my observation regarding openssl "always returns error 1" is
correct. Unfortunately, my C skills are too basic to be able to verify this
from openssl source code, which is why I must ask here.

Thank you in advance for all of your time and any feedback.

Anyway, "in for a penny .." and so I shall continue ..

For reference:
uname -a:
Linux arch-hyv-live-64 5.6.4-arch1-1 #1 SMP PREEMPT Mon, 13 Apr 2020 
12:21:19
+0000 x86_64 GNU/Linux
OpenSSL: OpenSSL 1.1.1f  31 Mar 2020
EasyRSA: https://github.com/OpenVPN/easy-rsa/releases/tag/v3.0.7
EasyTLS: https://github.com/TinCanTech/easy-tls



The steps to reproduce this problem could not be simpler:

[tct at arch-hyv-live-64 ~]$ mkdir easytls
[tct at arch-hyv-live-64 ~]$ cd easytls/
[tct at arch-hyv-live-64 easytls]$ git clone
https://github.com/TinCanTech/easy-tls.git master
[tct at arch-hyv-live-64 easytls]$ cd master/
[tct at arch-hyv-live-64 master]$ ./op_test.sh

If you choose to run op_test.sh it will:
1. download 'easyrsa' script only (the complete repo is not required).
2. download 'openssl-easyrsa.cnf' (the specific EasyRSA config file to use
openssl).
3. download a pre-built version of openvpn-git/master which is required to
build tls-crypt-v2 keys and therefore allow the script to complete.
4. build a complete EasyRSA PKI with valid and revoked certificates.
5. build an EasyTLS "PKI" (not a real PKI but I don't have a better name)

Steps 1-5 only take a few seconds to complete.

Next:
[tct at arch-hyv-live-64 master]$ cd pki
[tct at arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
-keyfile private/ca.key -cert ca.crt

This will essentially list out index.txt

[tct at arch-hyv-live-64 pki]$ echo $?

Note exit status

Then use a valid and then revoked serial no. from the index.txt above 
and run:

[tct at arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
-keyfile private/ca.key -cert ca.crt -status $serial_number

[tct at arch-hyv-live-64 pki]$ echo $?

Note exit status

Repeat this last step with another serial number.

Again, my apologies if this email appears to be overly spammy but this 
was the
most effective way for me to explain my issue with sufficient details.

I am prepared to learn, in advance, that either:
* this is not an openssl error and exit code 1 is expected
or
* if I built the PKI myself then openssl would not return an error

but, at this time, this appears to me to be a problem with openssl.

Thank you for reading and I welcome any/all feedback.

--
Richard Bonhomme. (Independent)


More information about the openssl-users mailing list