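#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2018 IPFire Team <erik.kapfer@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################

###############################################################################
# #
# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater #
# #
# Description: This script checks the "Next Update:" field of the CRL #
# and renews it if needed, which prevents the expiration of OpenVPNs CRL. #
# With OpenVPN 2.4.x the CRL handling has been refactored, #
# whereby the verification logic has been removed #
# from ssl_verify_<backend>.c . #
# #
# Run Information: If OpenVPNs CRL is present, #
# this script provides a cronjob which checks daily if an update #
# of the CRL is needed. If the expiring date reaches the value #
# (defined in the 'UPDATE' variable in days) before the CRL expiration, #
# an openssl command will be executed to renew the CRL. #
# A CRL that is missing or whose 'Next Update' field cannot be read #
# is treated as expired and renewed as well, since without a valid CRL #
# revoked client certificates are no longer rejected. #
# Script execution will be logged into /var/log/messages. #
# #
###############################################################################

## Paths
OVPN="/var/ipfire/ovpn"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"

## Settings
# Renew the CRL when it expires within this many days
UPDATE="14"

# Seconds per day, used to convert the remaining lifetime into days
DAYINSEC="86400"

# Without a CA key no OpenVPN CA has been set up, so there is no CRL to
# maintain and nothing to do.
if [ ! -e "${CAKEY}" ]; then
	exit 0
fi

#######################################
# Regenerate the CRL from the CA and log the outcome.
# Globals:   CAKEY, CACERT, CRL, OPENSSLCONF (read)
# Outputs:   result to syslog via logger, tag "openvpn"
# Returns:   0 always (failures are logged, not propagated)
#######################################
renew_crl() {
	if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
		logger -t openvpn "CRL has been updated"
	else
		logger -t openvpn "error: Could not update CRL"
	fi
	return 0
}

## Values
# Current time in seconds since the epoch
NOW="$(date +%s)"

# 'Next Update' field as printed by openssl; empty if the CRL file is
# missing or cannot be parsed by openssl.
EXPIRES_CRL="$(openssl crl -in "${CRL}" -text -noout | grep -oP 'Next Update: *\K.*')"

# An unreadable CRL is treated like an expired one: renew immediately
# instead of silently computing a bogus lifetime from an empty date.
if [ -z "${EXPIRES_CRL}" ]; then
	logger -t openvpn "warning: Could not read 'Next Update' from ${CRL}, renewing CRL"
	renew_crl
	exit 0
fi

# Convert the 'Next Update' date to seconds since the epoch; date prints
# nothing and fails if the string is not a date it understands.
EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"

if [ -z "${EXPIRES_AT}" ]; then
	logger -t openvpn "warning: Could not parse CRL 'Next Update' date '${EXPIRES_CRL}', renewing CRL"
	renew_crl
	exit 0
fi

# Whole days left until the CRL expires (negative if already expired)
NEXTUPDATE="$(( (EXPIRES_AT - NOW) / DAYINSEC ))"

## Mainpart
# Renew the CRL once its remaining lifetime is down to UPDATE days or less
if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
	renew_crl
fi

exit 0

# EOF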