webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-27 19:23:24 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
cd1b059731815a45075892f5c2fa32c8d19c287c
bpfire/config/ovpn/openvpn-crl-updater
Michael Tremer 4697a1f7f7 OpenVPN: Move the OpenSSL configuration file out of /var/ipfire 
We should not have any configuration files that we share in this place,
therefore this patch is moving it into /usr/share/openvpn where we
should be able to update it without any issues.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-06-07 16:04:29 +00:00

90 lines
4.0 KiB
Bash
Raw Blame History

#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2018 IPFire Team <erik.kapfer@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# #
# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater #
# #
# Description: This script checks the "Next Update:" field of the CRL #
# and renews it if needed, which prevents the expiration of OpenVPNs CRL. #
# With OpenVPN 2.4.x the CRL handling has been refactored, #
# whereby the verification logic has been removed #
# from ssl_verify_<backend>.c . #
# #
# Run Information: If OpenVPNs CRL is present, #
# this script provides a cronjob which checks daily if an update #
# of the CRL is needed. If the expiring date reaches the value #
# (defined in the 'UPDATE' variable in days) before the CRL expiration, #
# an openssl command will be executed to renew the CRL. #
# Script execution will be logged into /var/log/messages. #
# #
###############################################################################
## Paths
OVPN="/var/ipfire/ovpn"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
# Check if CRL is presant or if OpenVPN is active
if [ ! -e "${CAKEY}" ]; then
exit 0;
fi
## Values
# Actual time in epoch format
NOW="$(date +%s)"
# Investigate CRLs 'Next Update' date
EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
# Convert 'Next Update:' date from epoch to seconds
EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"
# Seconds left until CRL expires
EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"
# Day in seconds to calculate
DAYINSEC="86400"
# Convert seconds to days
NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
# Update of the CRL in days before CRL expiring date
UPDATE="14"
## Mainpart
# Check if OpenVPNs CRL needs to be renewed
if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
logger -t openvpn "CRL has been updated"
else
logger -t openvpn "error: Could not update CRL"
fi
fi
exit 0
# EOF
Reference in New Issue View Git Blame Copy Permalink