nkakouros-original/ansible-role-easyrsa

Easy-RSA error: Use of '--vars=FILE init-pki' is prohibited, use '--pki-dir=DIR'

apiening opened this issue · 3 comments

Using current master (e97efb7) I get the following error on Debian 11:

TASK [nkakouros.easyrsa : Initiate PKI] ************************************************************************************************************************************************************************
Thursday 02 June 2022  14:24:45 +0200 (0:00:01.147)       0:00:40.501 ********* 
fatal: [example.com]: FAILED! => changed=true 
  cmd:
  - easyrsa
  - init-pki
  delta: '0:00:00.005123'
  end: '2022-06-02 14:24:46.114659'
  msg: non-zero return code
  rc: 1
  start: '2022-06-02 14:24:46.109536'
  stderr: |2-
  
    Easy-RSA error:
  
    Use of '--vars=FILE init-pki' is prohibited, use '--pki-dir=DIR'
  stderr_lines: <omitted>
  stdout: |2-
  
    Version: dev | nix | Linux | /bin/zsh
  stdout_lines: <omitted>

I receive the same error when I try to execute easyrsa init-pki on the command line. I also tried to do easyrsa init-pki --pki-dir=/etc/easyrsa/pki but it doesn't work either (same message).

Any idea why this is and how to fix this?

I was able to get around this issue by manually executing

/tmp/easy-rsa/easyrsa3/easyrsa --pki-dir=/etc/easyrsa/pki init-pki

After this, the playbook finished without any issues.

It looks to me as if there is a version of easyrsa installed in /tmp/easy-rsa/ and another (newer) version in /tmp/easy-rsa/easyrsa3/easyrsa. The latter / newer version does not seem to support environment variables anymore; instead it expects a file which defines the variables. Also the required parameters are different.

It may be a possible fix to make sure that the init-pki command is called with the fully qualified path and with the parameter --pki-dir=/etc/easyrsa/pki init-pki, while the other easyrsa commands (build ca etc.) would use the version of easyrsa from the system path. But I'm not sure if this is the right and clean way to do it, since the two versions are confusing me.

Yes, this changed in easyrsa. I have a fix in the fixes branch of this role. You can either try that branch, or use the easyrsa_version variable of the role to use an older version of easyrsa. I will try to merge the fixes branch soon though.

I merged that branch. The role works ok now.