diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 2214fd993..f5e75746f 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -826,11 +826,8 @@ make_safe_ssl() {
 verify_pki_init
 EASYRSA_FORCE_SAFE_SSL=1 easyrsa_openssl makesafeconf
- [ -e "$easyrsa_safe_ssl_conf" ] || die "\
-make_safe_ssl - Missing ssl conf: $easyrsa_safe_ssl_conf"
 verbose "\
 make_safe_ssl: NEW SSL cnf file: $easyrsa_safe_ssl_conf"
-
 } # => make_safe_ssl_copy()
 # Escape hazardous characters
@@ -988,10 +985,6 @@ easyrsa_openssl: easyrsa_rewrite_ssl_config COMPLETED"
 easyrsa_openssl - easyrsa_rewrite_ssl_config"
 fi
- # VERIFY safe temp-file exists
- [ -e "$easyrsa_safe_ssl_conf" ] || die "\
-easyrsa_openssl - Missing ssl conf: $easyrsa_safe_ssl_conf"
-
 # Save the the safe conf file-name
 working_safe_ssl_conf="$easyrsa_safe_ssl_conf"
 verbose "\
@@ -1003,6 +996,15 @@ easyrsa_openssl: NEW SSL cnf file: $easyrsa_safe_ssl_conf"
 easyrsa_safe_ssl_conf="$EASYRSA_SSL_CONF"
 fi
+ # VERIFY safe temp-file exists
+ if [ -e "$easyrsa_safe_ssl_conf" ]; then
+ verbose "\
+easyrsa_openssl: Safe SSL conf OK: $easyrsa_safe_ssl_conf"
+ else
+ die "\
+easyrsa_openssl - Safe SSL conf MISSING: $easyrsa_safe_ssl_conf"
+ fi
+
 # set $OPENSSL_CONF - Use which-ever file is assigned above
 export OPENSSL_CONF="$easyrsa_safe_ssl_conf"
@@ -1060,11 +1062,16 @@ verify_ssl_lib() {
 # OpenSSL does require a safe config-file for ampersand
 OpenSSL)
 ssl_lib=openssl
- [ "$EASYRSA_NO_SAFE_SSL" ] || require_safe_ssl_conf=1
+ if [ -z "$EASYRSA_NO_SAFE_SSL" ]; then
+ require_safe_ssl_conf=1
+ fi
 ;;
 LibreSSL)
 ssl_lib=libressl
 require_safe_ssl_conf=1
+ if [ "$EASYRSA_NO_SAFE_SSL" ]; then
+ die "Cannot use '--no-safe-ssl' with LibreSSL"
+ fi
 ;;
 *)
 error_msg="$("$EASYRSA_OPENSSL" version 2>&1)"
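Review bot: `EASYRSA_FORCE_SAFE_SSL=1 easyrsa_openssl makesafeconf` still runs unchecked in make_safe_ssl, and with the local existence test removed the function's exit status is now simply that of the trailing `verbose`, so the `make_safe_ssl || die` at the read_db call site (the -4346 hunk) only fires if easyrsa_openssl itself dies rather than returning non-zero. If callers are meant to rely on the return value, chain the call: `EASYRSA_FORCE_SAFE_SSL=1 easyrsa_openssl makesafeconf || die "make_safe_ssl - easyrsa_openssl makesafeconf"`. Whether easyrsa_openssl can return non-zero without dying is not visible from this hunk. make_safe_ssl's opening lines are outside the hunk.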
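Review bot: The existence check moved into easyrsa_openssl only covers invocations that go through this function, but the guard removed in the -4510 hunk protected a direct `"$EASYRSA_OPENSSL" x509` call that bypasses it; that path now trusts whatever OPENSSL_CONF was exported by an earlier easyrsa_openssl call in the same process, which I cannot confirm from the hunks. Either keep a check in front of the direct call or add a comment there stating why it is guaranteed to run after easyrsa_openssl. Separately, `-e` accepts a directory or an unreadable file for the path that is then exported as OPENSSL_CONF; `if [ -f "$easyrsa_safe_ssl_conf" ] && [ -r "$easyrsa_safe_ssl_conf" ]; then` would reject those before openssl is handed the path, with the same MISSING die on the else branch. easyrsa_openssl's body continues beyond the hunk.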
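Review bot: The new `die "Cannot use '--no-safe-ssl' with LibreSSL"` in the LibreSSL branch departs from the message convention the rest of this commit follows, where die/verbose text is prefixed with the emitting function (`easyrsa_openssl - …`, `read_db - …`); `die "verify_ssl_lib - Cannot use '--no-safe-ssl' with LibreSSL"` keeps that grep-able. The message also names only the command-line option; if EASYRSA_NO_SAFE_SSL can also be set from the environment, mentioning the variable would help a user who never passed the flag. The two new if/fi blocks are fine, though the OpenSSL-branch rewrite from `[ … ] || …` to `if [ -z … ]` is behaviourally identical and purely stylistic. verify_ssl_lib's case statement starts and ends outside the hunk.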
@@ -4346,8 +4353,7 @@ read_db() {
 secure_session || \
 die "read_db - secure_session"
 if [ "$require_safe_ssl_conf" ]; then
- EASYRSA_SILENT=1 make_safe_ssl || \
- die "read_db - make_safe_ssl"
+ make_safe_ssl || die "read_db - make_safe_ssl"
 fi
 # Interpret the db/certificate record
@@ -4510,9 +4516,6 @@ expire_status: FALL-BACK completed"
 # Only verify if there is a certificate
 if [ "$expire_status_cert_exists" ]; then
- [ -e "$easyrsa_safe_ssl_conf" ] || \
- die "Missing ssl conf: $easyrsa_safe_ssl_conf"
-
 # Check cert expiry against window
 # openssl direct call because error is expected
 if "$EASYRSA_OPENSSL" x509 -in "$cert_issued" \
@@ -4954,6 +4957,7 @@ EasyRSA '$cmd' does not support --startdate or --enddate"
 esac
 fi
+ # Insecure Windows directory
 if [ "$easyrsa_host_os" = win ]; then
 if echo "$PWD" | grep -q '/P.*/OpenVPN/easy-rsa'; then
 warn "\
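Review bot: Dropping `EASYRSA_SILENT=1` from the make_safe_ssl call in read_db changes what the command prints, not just how the line is wrapped: if any message emitted by make_safe_ssl or easyrsa_openssl (the `verbose` lines touched in the -826 and -1003 hunks, or others) is gated on EASYRSA_SILENT, every read_db invocation will now emit it, which matters for callers that parse its output. If that is intended, a one-line comment above the call such as `# make_safe_ssl output is deliberately not silenced here` would stop the next reader from restoring the override; otherwise keep the prefix on the shortened line. read_db's body continues beyond the hunk.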