From be2a195bb5eb3eda29b6b79f37ef8b8901f77698 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 13 Dec 2025 19:48:07 +0100
Subject: [PATCH] chore(deps): update dependency openvpn/easy-rsa to v3.2.5
 (#1381)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [OpenVPN/easy-rsa](https://redirect.github.com/OpenVPN/easy-rsa) |
patch | `3.2.4` -> `3.2.5` |

---

### Release Notes

<details>
<summary>OpenVPN/easy-rsa (OpenVPN/easy-rsa)</summary>

###
[`v3.2.5`](https://redirect.github.com/OpenVPN/easy-rsa/releases/tag/v3.2.5):
3.2.5

[Compare
Source](https://redirect.github.com/OpenVPN/easy-rsa/compare/v3.2.4...v3.2.5)

#### What's Changed

- Replace `local` / `global` `openssl-easyrsa.cnf` by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1394](https://redirect.github.com/OpenVPN/easy-rsa/pull/1394)
- init-pki: Introduce configurable cryptography by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1397](https://redirect.github.com/OpenVPN/easy-rsa/pull/1397)
- Drop x509 type kdc built-in by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1399](https://redirect.github.com/OpenVPN/easy-rsa/pull/1399)
- Always generate an `openssl-easyrsa.cnf` or `x509-types` tmp-file by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1401](https://redirect.github.com/OpenVPN/easy-rsa/pull/1401)
- Libressl use `$EASYRSA_FORCE_SAFE_SSL` by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1402](https://redirect.github.com/OpenVPN/easy-rsa/pull/1402)
- Update EasyRSA-Advanced.md by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1403](https://redirect.github.com/OpenVPN/easy-rsa/pull/1403)
- `source_vars()`: Add `grep` regex for assign by equal `=` by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1405](https://redirect.github.com/OpenVPN/easy-rsa/pull/1405)
- export\_pkcs(), PKCS12 inline: Respect $EASYRSA\_NO\_INLINE by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1407](https://redirect.github.com/OpenVPN/easy-rsa/pull/1407)
- Introduce peer-fingerprint inline lists by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1410](https://redirect.github.com/OpenVPN/easy-rsa/pull/1410)
- help: Add '-b' alias for --batch and correct default 'vars' file by
[@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1411](https://redirect.github.com/OpenVPN/easy-rsa/pull/1411)
- New function ssl\_cert\_sig\_digest(); Extract certificae digest name
by [@&#8203;TinCanTech](https://redirect.github.com/TinCanTech) in
[#&#8203;1414](https://redirect.github.com/OpenVPN/easy-rsa/pull/1414)
- Upgrading OpenSSL for Windows to 3.6.0 by
[@&#8203;ecrist](https://redirect.github.com/ecrist) in
[#&#8203;1416](https://redirect.github.com/OpenVPN/easy-rsa/pull/1416)

**Full Changelog**:
<https://github.com/OpenVPN/easy-rsa/compare/v3.2.4...v3.2.5>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/angristan/openvpn-install).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi40Mi4yIiwidXBkYXRlZEluVmVyIjoiNDIuNDIuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Stanislas Lange <git@slange.me>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
---
 .github/workflows/update-easyrsa-hash.yml | 3 +++
 openvpn-install.sh                        | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/update-easyrsa-hash.yml b/.github/workflows/update-easyrsa-hash.yml
index d3cff5c..8345c14 100644
--- a/.github/workflows/update-easyrsa-hash.yml
+++ b/.github/workflows/update-easyrsa-hash.yml
@@ -61,10 +61,13 @@ jobs:
 
       - name: Commit changes
         if: env.HASH_CHANGED == 'true'
+        env:
+          PAT: ${{ secrets.PAT }}
         run: |
           if ! git diff --quiet openvpn-install.sh; then
             git config user.name "github-actions[bot]"
             git config user.email "github-actions[bot]@users.noreply.github.com"
+            git remote set-url origin "https://x-access-token:${PAT}@github.com/${{ github.repository }}"
             git add openvpn-install.sh
             git commit -m "chore: update Easy-RSA SHA256 hash"
             git push
diff --git a/openvpn-install.sh b/openvpn-install.sh
index eb1fa80..02a57e8 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -9,8 +9,8 @@
 # Configuration constants
 readonly DEFAULT_CERT_VALIDITY_DURATION_DAYS=3650 # 10 years
 readonly DEFAULT_CRL_VALIDITY_DURATION_DAYS=5475  # 15 years
-readonly EASYRSA_VERSION="3.2.4"
-readonly EASYRSA_SHA256="ed65e88cea892268efa71eb1161ce13af3beded6754301e1e713e36ff3613cac"
+readonly EASYRSA_VERSION="3.2.5"
+readonly EASYRSA_SHA256="662ee3b453155aeb1dff7096ec052cd83176c460cfa82ac130ef8568ec4df490"
 
 # =============================================================================
 # Logging Configuration