
--fix-offset behaviour is incorrect #803

Closed
rpv-tomsk opened this issue Dec 7, 2022 · 7 comments · Fixed by #804

Comments


rpv-tomsk commented Dec 7, 2022

Hi,

I'm trying to issue a certificate which would be valid from 22/Dec/2022 to 13/Jan/2023.
Found the following options in 'easyrsa help options', which I expected to give me all I need:

Certificate & Request options: (these impact cert/req field values)

--days=#        : sets the signing validity to the specified number of days
                  Also applies to renewal period. For details, see: 'help days'
--fix-offset=#  : Generate certificate with fixed start and end dates.
                  Range 1 to 365
                  start-date is 01 January 00:00:01 of the current year
                  plus the --fix-offset=# number of days.
                  end-date is configured via --days=# (Default: 825 days)

Using OpenOffice Calc, the offset and number of days were calculated; the result is:

easyrsa --batch --days 22 --fix-offset 355 build-client-full COMMONNAME

But I hit a bug: the certificate was unexpectedly created with dates in the past:

        Validity
            Not Before: Dec 22 00:00:01 2021 GMT
            Not After : Jan 13 00:00:01 2022 GMT

Something needs to be corrected in easyrsa.
Thanks.


# ./easyrsa version
EasyRSA Version Information
Version:     3.1.1
Generated:   Thu Oct 13 06:37:48 CDT 2022
SSL Lib:     OpenSSL 1.1.0l  10 Sep 2019
Git Commit:  2083fb29b512c5b2fccf65db8e5f89771fbf90f5
Source Repo: https://github.com/OpenVPN/easy-rsa
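The arithmetic the 'help options' text above describes (start date = 1 January of the current year plus --fix-offset days, end date = start plus --days days) is easy to check by hand. The script below is an added example, not code from easy-rsa or from either participant: it recomputes those dates in plain POSIX sh with no call to date at all, so the result does not depend on whether GNU, BSD or busybox date is installed, and it classifies a certificate's validity window against a chosen "today". It assumes the semantics stated in the help text, ignores the 00:00:01 UTC time of day, and all function names are my own.

```sh
#!/bin/sh
# Added example, not part of easy-rsa. Reimplements the --fix-offset/--days
# date arithmetic from 'easyrsa help options' in plain POSIX sh (no 'date'
# binary), so the numbers are the same on GNU, BSD and busybox systems.
# Times of day are left out; only calendar dates are computed.

# days_in_year YEAR -> 365 or 366 (Gregorian leap-year rule)
days_in_year() {
    diy_y=$1
    if [ $((diy_y % 4)) -eq 0 ] && { [ $((diy_y % 100)) -ne 0 ] || [ $((diy_y % 400)) -eq 0 ]; }; then
        echo 366
    else
        echo 365
    fi
}

# doy_to_date YEAR DAY_OF_YEAR -> YYYY-MM-DD. DAY_OF_YEAR may exceed the
# length of YEAR; the date then rolls forward into later years (this is how
# offset 355 plus 22 days lands in January of the following year).
doy_to_date() {
    y=$1
    d=$2
    while [ "$d" -gt "$(days_in_year "$y")" ]; do
        d=$((d - $(days_in_year "$y")))
        y=$((y + 1))
    done
    if [ "$(days_in_year "$y")" -eq 366 ]; then feb=29; else feb=28; fi
    m=1
    for len in 31 "$feb" 31 30 31 30 31 31 30 31 30 31; do
        if [ "$d" -le "$len" ]; then
            break
        fi
        d=$((d - len))
        m=$((m + 1))
    done
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# fix_offset_dates YEAR OFFSET DAYS -> "NOT_BEFORE NOT_AFTER"
# 1 January is day 1 of the year, so the start day-of-year is 1 + OFFSET.
fix_offset_dates() {
    start_doy=$((1 + $2))
    end_doy=$((start_doy + $3))
    echo "$(doy_to_date "$1" "$start_doy") $(doy_to_date "$1" "$end_doy")"
}

# validity_state TODAY NOT_BEFORE NOT_AFTER -> not-yet-valid | valid | expired
# Dashes are stripped so each YYYYMMDD compares as a plain integer.
validity_state() {
    t=$(echo "$1" | sed 's/-//g')
    b=$(echo "$2" | sed 's/-//g')
    a=$(echo "$3" | sed 's/-//g')
    if [ "$t" -lt "$b" ]; then
        echo not-yet-valid
    elif [ "$t" -gt "$a" ]; then
        echo expired
    else
        echo valid
    fi
}

# The reported command (--fix-offset 355 --days 22), run on 7 December 2022.
# Current year: the dates the reporter wanted; not yet valid on the 7th.
set -- $(fix_offset_dates 2022 355 22)
echo "expected:   $1 .. $2  ($(validity_state 2022-12-07 "$1" "$2"))"
# Year rolled back by one: the dates the reporter actually got.
set -- $(fix_offset_dates 2021 355 22)
echo "back-dated: $1 .. $2  ($(validity_state 2022-12-07 "$1" "$2"))"
```

To compare the computed window with a certificate easy-rsa actually issued, read the real dates with `openssl x509 -in pki/issued/NAME.crt -noout -startdate -enddate` and feed them to validity_state; an "expired" answer on the day of issue is exactly the symptom reported here.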
@TinCanTech (Collaborator)

hit a bug - certificate unexpectedly created with dates in a past

In fact, that is how it is meant to work.

The fixed-offset feature is in a very early stage and so may not do what you expect, at this time.

When fixed-offset was first introduced, EasyRSA did not (and still does not) generate post-dated certificates. All certificates are Valid from the moment they are created.

It can be improved from the original design. But working with dates, across multiple platforms, is even less fun than it sounds.

The closest you can get to what you want is to use --days=<Number> to set an expiry date of your choosing.

@TinCanTech (Collaborator)

This is essentially a Feature-request for specifying start and end dates, which would really be more logical than the current implementation.

@TinCanTech (Collaborator) commented Dec 7, 2022

Next time you hit a snag, please try again without --batch.

If you have time to test then apply this patch and try again
(It should work, if you clone git/master locally):

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 3d23c4f..bda3143 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -3459,18 +3459,6 @@ fixed_cert_dates() {
                this_year_n="$(busybox date -u +%y)"
                today_n="$(busybox date -u +%j)"
 
-               # If the start day number is into the future then back-date by one year
-               if [ "$start_fix_day_n" -gt "$today_n" ]; then
-                       not_valid_until_d="$(( start_fix_day_n - today_n ))"
-                       this_year_n="$(( this_year_n - 1 ))"
-                       # Get user confirmation
-                       # This needs to be less rigid ;-)
-                       confirm "  Create certificate with one year back-dated date ? " \
-                               "yes" "\
-This certificate will not be valid for '${not_valid_until_d} days'.
-The fixed date will be rolled backward by one year."
-               fi
-
                New_Year_day_s="$(
                        busybox date -u -d "${this_year_n}01010000.01" '+%s'
                        )"
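Review bot: deleting this guard removes the only place the user was told that a --fix-offset value beyond today's day-of-year yields a certificate that is not valid yet; the cert is now silently post-dated, which is what the help text describes but the opposite of the "all certificates are valid from the moment they are created" assumption stated earlier in this thread. Suggest keeping a non-blocking notice in place of the confirm, e.g. "Certificate will not be valid for ${not_valid_until_d} days", and updating 'help options' to say the start date may be in the future. Also check that not_valid_until_d, assigned only inside the removed block, is not referenced later in fixed_cert_dates().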
@@ -3492,17 +3480,6 @@ The fixed date will be rolled backward by one year."
                this_year_n="$(date -j +%y)"
                today_n="$(date -u -j +%j)"
 
-               # If the start day number is into the future then back-date by one year
-               if [ "$start_fix_day_n" -gt "$today_n" ]; then
-                       not_valid_until_d="$(( start_fix_day_n - today_n ))"
-                       this_year_n="$(( this_year_n - 1 ))"
-                       # Get user confirmation
-                       confirm "  Create certificate with one year back-dated date ? " \
-                               "yes" "\
-This certificate will not be valid for ${not_valid_until_d} days.
-The fixed date will be rolled backward by one year."
-               fi
-
                New_Year_day_d="$(
                        date -u -j -f %y%m%d%H%M%S "${this_year_n}0101000001" \
                                +%Y%m%d%H%M.%SZ
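Review bot: in the kept context here the year is read in local time (`this_year_n="$(date -j +%y)"`) while the day-of-year is read in UTC (`today_n="$(date -u -j +%j)"`); around midnight UTC on 31 December / 1 January the two can disagree, and the start date would then be a year off even with the back-dating block gone. Suggest `date -u -j +%y` so this branch matches the busybox and GNU branches, which both use -u for the year.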
@@ -3530,17 +3507,6 @@ The fixed date will be rolled backward by one year."
                # Day of Year number today
                today_n="$(date -u +%j)"
 
-               # If the start day number is into the future then back-date by one year
-               if [ "$start_fix_day_n" -gt "$today_n" ]; then
-                       not_valid_until_d="$(( start_fix_day_n - today_n ))"
-                       this_year_n="$(( this_year_n - 1 ))"
-                       # Get user confirmation
-                       confirm "  Create certificate with one year back-dated date ? " \
-                               "yes" "\
-This certificate will not be valid for ${not_valid_until_d} days.
-The fixed date will be rolled backward by one year."
-               fi
-
                # New Years day date
                New_Year_day_d="$(
                        date -u -d "${this_year_n}-01-01 00:00:01Z" '+%Y-%m-%d %H:%M:%SZ'
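Review bot: the same block is deleted from three platform branches, which is a sign the start-day policy should be decided once, before the branches diverge (compare start_fix_day_n with today_n in one place and hand only the resulting year to the platform-specific date call), so a later change cannot drift between branches. A regression test for --fix-offset greater than today's day number (the reported Dec 7 / offset 355 / 22 days case, expecting Not Before Dec 22 of the current year) would lock in the new behaviour and catch any reintroduction of the one-year back-date.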

@TinCanTech (Collaborator)

Example cert, see dates:

* tmp/issued/c1-fd.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a0:b0:e6:e5:5f:fd:46:98:01:29:d4:6e:f2:5f:2a:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            countryName               = 00
            stateOrProvinceName       = home
            localityName              = wiscii glaß
            organizationName          = tct
            organizationalUnitName    = tct @ $&$
            commonName                = Easy-RSA CA
            emailAddress              = me@example.net
        Validity
            Not Before: Dec 22 00:00:01 2022 GMT
            Not After : Jan 13 00:00:01 2023 GMT
        Subject:
            countryName               = 00
            stateOrProvinceName       = home
            localityName              = wiscii glaß
            organizationName          = tct
            organizationalUnitName    = tct @ $&$
            commonName                = c1-fd
            emailAddress              = me@example.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                86:36:21:D3:2E:8E:40:5A:51:04:F4:74:69:D6:9B:3D:70:D6:CF:07
            X509v3 Authority Key Identifier: 
                keyid:C7:AD:80:27:CB:46:33:E4:E2:C2:7C:68:2E:DC:D7:18:0D:95:EA:C9
                DirName:/C=00/ST=home/L=wiscii gla\xC3\x9F/O=tct/OU=tct @ $&$/CN=Easy-RSA CA/emailAddress=me@example.net
                serial:42:07:BA:06:A1:0C:0C:98:1D:BB:43:67:18:56:10:43:93:FD:20:24

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature

@TinCanTech (Collaborator)

A very easy fix.

TinCanTech linked a pull request Dec 7, 2022 that will close this issue
@rpv-tomsk (Author)

Commenting out the "back-date by one year" code helps, thanks.

@TinCanTech (Collaborator) commented Dec 21, 2022

@rpv-tomsk does this work for you, or did you find subsequent issues?

I have a patch ready to merge: #804

Thanks.

2 participants