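#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2018 IPFire Team <erik.kapfer@ipfire.org>                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

###############################################################################
#                                                                             #
# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater                  #
#                                                                             #
# Description: This script checks the "Next Update" field of the CRL          #
# and renews it if needed, which prevents the expiration of OpenVPN's CRL.    #
# With OpenVPN 2.4.x the CRL handling has been refactored,                    #
# whereby the verification logic has been removed                             #
# from ssl_verify_<backend>.c .                                               #
#                                                                             #
# Run Information: If OpenVPN's CA is present, this script provides a         #
# cronjob which checks daily whether an update of the CRL is needed.          #
# If fewer days than the value of the 'UPDATE' variable remain until the      #
# CRL's expiration date (or the CRL is missing or unreadable), an openssl     #
# command is executed to renew the CRL. The new CRL is written to a           #
# temporary file first and then renamed over the old one, so a failed         #
# renewal never leaves a truncated CRL behind.                                #
# Script execution will be logged into /var/log/messages.                     #
#                                                                             #
###############################################################################

## Paths
OVPN="/var/ipfire/ovpn"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"

# Without a CA key there is nothing to sign a CRL with, i.e. the OpenVPN CA
# has not been generated yet. Nothing to do in that case.
if [ ! -e "${CAKEY}" ]; then
	exit 0
fi

## Values
# Renew the CRL when it expires within this many days.
UPDATE="14"

# One day in seconds, used to convert the remaining lifetime into days.
DAYINSEC="86400"

# Current time in seconds since the epoch.
NOW="$(date +%s)"

# Days left until the CRL's 'Next Update' date. Starts at 0 so that a
# missing or unreadable CRL, or an unparsable date, forces a renewal rather
# than silently keeping a broken file around (OpenVPN refuses all client
# connections when it cannot load the CRL referenced by crl-verify).
NEXTUPDATE=0
if [ -r "${CRL}" ]; then
	# Ask openssl for the field directly ('nextUpdate=<date>') instead of
	# grepping the free-form -text output.
	EXPIRES_CRL="$(openssl crl -in "${CRL}" -noout -nextupdate 2>/dev/null)"
	EXPIRES_CRL="${EXPIRES_CRL#nextUpdate=}"

	# Convert the 'Next Update' date into seconds since the epoch; both a
	# missing field and a date that 'date -d' cannot parse keep NEXTUPDATE=0.
	if [ -n "${EXPIRES_CRL}" ] && EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s" 2>/dev/null)"; then
		# Bash integer division truncates towards zero, so an already
		# expired CRL yields 0 or a negative value and is renewed below.
		NEXTUPDATE="$(( (EXPIRES_AT - NOW) / DAYINSEC ))"
	else
		logger -t openvpn "warning: Could not read 'Next Update' from CRL, forcing renewal"
	fi
else
	logger -t openvpn "warning: CRL is missing or not readable, forcing renewal"
fi

## Mainpart
# Check if OpenVPN's CRL needs to be renewed.
if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
	# Generate the new CRL next to the live one (same directory, so the
	# final mv is a rename on the same filesystem) and only swap it in once
	# openssl has succeeded. Writing straight to ${CRL} would let a failed
	# run truncate the file OpenVPN is actively using.
	TMPCRL="$(mktemp "${CRL}.XXXXXX")" || {
		logger -t openvpn "error: Could not create temporary file for CRL"
		exit 1
	}
	# Never leave the temporary file behind, whatever happens below.
	trap 'rm -f "${TMPCRL}"' EXIT

	if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" \
			-out "${TMPCRL}" -config "${OPENSSLCONF}"; then
		# mktemp creates the file with mode 0600, but the CRL has to stay
		# readable by the OpenVPN daemon: take owner and mode from the
		# previous CRL, or fall back to world-readable (a CRL holds no
		# secrets) when this is the first CRL ever generated.
		if [ -e "${CRL}" ]; then
			chown --reference="${CRL}" "${TMPCRL}"
			chmod --reference="${CRL}" "${TMPCRL}"
		else
			chmod 0644 "${TMPCRL}"
		fi

		if mv -f "${TMPCRL}" "${CRL}"; then
			logger -t openvpn "CRL has been updated"
		else
			logger -t openvpn "error: Could not install new CRL"
		fi
	else
		logger -t openvpn "error: Could not update CRL"
	fi
fi

exit 0

# EOF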