If your common name and certificate filename are not the same, easy-tls cannot find it

[mike406]

Despite the verbiage during ./easytls build stating that you do not need the complete file name, at least on Windows, this is not the case. For example if I perform the following steps with easyrsa:

./easyrsa gen-req testing-server nopass
Enter common name testing
./easyrsa sign-req server testing-server
This will create a certificate testing-server.crt with CN=testing

Now in easy-tls if I perform ./easytls build and attempt to create a TLS Crypt v2 key, entering the common name of "testing" does not work because it tries to find a file name "testing.crt" which doesn't exist. If I specify "testing-server" as my common name easy-tls will find the certificate but the problem is that is not actually the common name of the cert. While this doesn't seem to actually cause any issues with the keys, the script verbiage should be updated so that it does not contradict itself here.

[TinCanTech]

This is why you should not mess with the certificate commonName.

However, the interactive prompt is indeed incorrect.

It is disappointing that your report did not show easytls data.

[mike406]

I'm not messing with anything, that's a base feature of easy-rsa. Otherwise why would it ask if you want to type in a different CN? File name and CN are not the same thing, your prompt doesn't make sense because it assumes file name always matches. You realize it is possible to have more than one server with the same CN if working in different environments, hence having the flexibility of having file name != commonName. Also I'm not really sure what data you are looking for, I've provided adequate steps to re-create the bug.

[TinCanTech]

I'm not messing with anything, that's a base feature of easy-rsa.

What is your reason to use it ?

[mike406]

I have needed to issue certs for different servers that use the same CN or for different services on the same server. This could be a server in a different environment or test environment so in this case I would just give a file name like "server-prod.crt" or "server-test.crt" with the same CN applied to the certs. Sometimes you also could run into cases where you have a server running multiple services (web server, openvpn, etc) and need to provide different certificates to those services, but both would have the same CN.

[TinCanTech]

Your use case is far from typical.

You have identified the work-around, use file-name-base not commonName.

The prompt will be corrected.