--- easyrsa.orig	2018-09-15 06:21:19.000000000 +0200
+++ easyrsa	2018-12-03 23:38:04.420888219 +0100
@@ -315,7 +315,7 @@
 EASYRSA_PKI env-var undefined"
 
 	# make safessl-easyrsa.cnf
-	make_ssl_config
+	[ "$1" == "no_safe_ssl_config" ] || make_ssl_config
 
 	# Verify EASYRSA_OPENSSL command gives expected output
 	if [ -z "$EASYRSA_SSL_OK" ]; then
@@ -415,7 +415,7 @@
 
 # init-pki backend:
 init_pki() {
-	vars_source_check
+	vars_source_check no_safe_ssl_config
 
 	# If EASYRSA_PKI exists, confirm before we rm -rf (skiped with EASYRSA_BATCH)
 	if [ -e "$EASYRSA_PKI" ]; then
@@ -1124,7 +1124,7 @@
 	vars=
 
 	# set up program path
-	prog_vars="${0%/*}/vars"
+	prog_vars="/etc/easy-rsa/vars"
 	# set up PKI path
 	pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
 
@@ -1154,7 +1154,7 @@
 	fi
 	
 	# Set defaults, preferring existing env-vars if present
-	set_var EASYRSA		"${0%/*}"
+	set_var EASYRSA		"/etc/easy-rsa"
 	set_var EASYRSA_OPENSSL	openssl
 	set_var EASYRSA_PKI	"$PWD/pki"
 	set_var EASYRSA_DN	cn_only
@@ -1185,7 +1185,11 @@
 		set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-easyrsa.cnf"
 		set_var EASYRSA_SAFE_CONF	"$EASYRSA_PKI/safessl-easyrsa.cnf"
 	else	set_var EASYRSA_SSL_CONF	"$EASYRSA/openssl-easyrsa.cnf"
-		set_var EASYRSA_SAFE_CONF	"$EASYRSA/safessl-easyrsa.cnf"
+		if touch "$EASYRSA/safessl-easyrsa.cnf" &>/dev/null; then
+			set_var EASYRSA_SAFE_CONF	"$EASYRSA/safessl-easyrsa.cnf"
+		else
+			set_var EASYRSA_SAFE_CONF	"$EASYRSA_PKI/safessl-easyrsa.cnf"
+		fi
 	fi
 
 	# Same as above for the x509-types extensions dir
--- vars.example.orig	2018-12-03 23:06:35.863084842 +0100
+++ vars.example	2018-12-03 23:07:12.538808022 +0100
@@ -47,7 +47,7 @@
 # itself, which is also where the configuration files are located in the
 # easy-rsa tree.
 
-#set_var EASYRSA	"${0%/*}"
+#set_var EASYRSA	"/etc/easy-rsa"
 
 # If your OpenSSL command is not in the system PATH, you will need to define the
 # path to it here. Normally this means a full path to the executable, otherwise