From c1e9ebd446d71fcf518aff87a615275d6f7c645f Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Thu, 13 Oct 2022 22:46:16 -0500
Subject: [PATCH] Update to easy-rsa v3.1.1

- Apply upstream change Nyr/openvpn-install commit f943387, with enhancements.
- --no-install-recommends is now required for Debian.
- Cleanup
---
 openvpn-install.sh | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index d0c50f2..b4a5478 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -465,7 +465,11 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
 (
 set -x
 apt-get -yqq update || apt-get -yqq update
- apt-get -yqq install openvpn openssl ca-certificates $firewall >/dev/null
+ apt-get -yqq --no-install-recommends install openvpn >/dev/null
+ ) || exiterr2
+ (
+ set -x
+ apt-get -yqq install openssl ca-certificates $firewall >/dev/null
 ) || exiterr2
 elif [[ "$os" = "centos" ]]; then
 if grep -qs "Amazon Linux release 2" /etc/system-release; then
@@ -498,7 +502,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
 )
 fi
 # Get easy-rsa
- easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.0/EasyRSA-3.1.0.tgz'
+ easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.1/EasyRSA-3.1.1.tgz'
 mkdir -p /etc/openvpn/server/easy-rsa/
 { wget -t 3 -T 30 -qO- "$easy_rsa_url" 2>/dev/null || curl -m 30 -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
 if [ ! -f /etc/openvpn/server/easy-rsa/easyrsa ]; then
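Review bot: The second subshell installs openssl, ca-certificates and $firewall without the --no-install-recommends flag that the first subshell now passes for openvpn, and nothing in the hunk records why the install was split, so a later reader will be tempted to merge the two back together. A comment above the new second `(`, e.g. `# openvpn is installed without its recommended packages; the remaining packages use apt defaults`, would capture the intent, and since the commit message says the flag is required on Debian specifically, that is worth stating in the comment as well. `$firewall` is still expanded unquoted on the new install line, which presumably relies on it vanishing when unset or empty; if that is deliberate, a short note saying so would stop ShellCheck-driven quoting from breaking the call.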
@@ -509,11 +513,11 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
 (
 set -x
 # Create the PKI, set up the CA and the server and client certificates
- ./easyrsa init-pki >/dev/null
+ ./easyrsa --batch init-pki >/dev/null
 ./easyrsa --batch build-ca nopass >/dev/null 2>&1
- EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass >/dev/null 2>&1
- EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass >/dev/null 2>&1
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl >/dev/null 2>&1
+ ./easyrsa --batch --days=3650 build-server-full server nopass >/dev/null 2>&1
+ ./easyrsa --batch --days=3650 build-client-full "$client" nopass >/dev/null 2>&1
+ ./easyrsa --batch --days=3650 gen-crl >/dev/null 2>&1
 )
 # Move the stuff we need
 cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
@@ -748,7 +752,7 @@ else
 cd /etc/openvpn/server/easy-rsa/ || exit 1
 (
 set -x
- EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass >/dev/null 2>&1
+ ./easyrsa --batch --days=3650 build-client-full "$client" nopass >/dev/null 2>&1
 )
 # Generates the custom client.ovpn
 new_client
@@ -827,7 +831,7 @@ else
 (
 set -x
 ./easyrsa --batch revoke "$client" >/dev/null 2>&1
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl >/dev/null 2>&1
+ ./easyrsa --batch --days=3650 gen-crl >/dev/null 2>&1
 )
 rm -f /etc/openvpn/server/crl.pem
 cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
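Review bot: The new `./easyrsa --batch --days=3650 build-server-full` and `build-client-full` lines send both stdout and stderr to /dev/null inside a subshell that has `set -x` but no `set -e` and whose exit status is never checked, so a failed issuance is invisible and the script continues straight to `cp pki/ca.crt ...` with nothing to copy; the same applies to the build-client-full line in the -748 hunk and the gen-crl line in the -827 hunk. Adding `set -e` beside `set -x` and closing the subshell with `) || exit 1` would surface the failure, and the -748 hunk already uses `|| exit 1` for its `cd`, so the style matches. Note also that `--batch` on init-pki auto-confirms, so an existing pki directory would now be re-initialised without a prompt; that is presumably fine on the fresh-install path this sits in, but worth confirming and stating in the existing "Create the PKI" comment. The subshells in the -748 and -827 hunks belong to code that starts before each hunk.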