2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2018 IPFire Team <erik.kapfer@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 ###############################################################################
24 # Script Location/Name: /etc/fcron.daily/openvpn-crl-updater #
# Description: This script checks the "Next Update:" field of the CRL        #
# and renews the CRL when that date is near, so OpenVPN's CRL never expires.  #
# Since OpenVPN 2.4.x the CRL handling has been refactored: the checking      #
# logic was removed from ssl_verify_<backend>.c and left to the TLS library,  #
# which does not tolerate an expired CRL, so client connections fail once it  #
# lapses.                                                                     #
# Run Information: This script runs daily from fcron. If the OpenVPN CA       #
# key is present it reads the CRL's "Next Update:" date and, once the number  #
# of days left before that date is at or below the 'UPDATE' threshold (set    #
# in days below), runs 'openssl ca -gencrl' to renew the CRL. The outcome of  #
# each renewal attempt is logged via logger(1) to /var/log/messages.          #
39 ###############################################################################
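# Locations of the OpenVPN CA material this script reads and rewrites.
# All paths live under the IPFire OpenVPN configuration directory and are
# marked readonly so later code cannot silently repoint the CA key or CRL.
readonly OVPN="/var/ipfire/ovpn"
# CRL whose 'Next Update' date is checked and which is regenerated in place.
readonly CRL="${OVPN}/crls/cacrl.pem"
# CA private key used to sign the regenerated CRL; this is secret material and
# should stay readable by root only.
readonly CAKEY="${OVPN}/ca/cakey.pem"
# CA certificate handed to 'openssl ca -gencrl'.
readonly CACERT="${OVPN}/ca/cacert.pem"
# OpenSSL configuration passed to 'openssl ca' (presumably this also sets the
# new CRL's validity period via its CA section -- confirm in ovpn.cnf).
readonly OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"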
# Only proceed when the CA key exists: without it the CRL cannot be
# regenerated, and its absence is taken to mean the OpenVPN CA is not in use
# on this system. Note that this tests the CA key, not the CRL file itself.
49 if [ ! -e "${CAKEY}" ]; then
# Current time in seconds since the epoch
# Read the CRL's 'Next Update' date as printed by openssl.
# NOTE(review): if the CRL file is missing or unreadable this pipeline prints
# nothing and EXPIRES_CRL is empty; GNU 'date -d ""' then yields today 00:00,
# so the renewal below fires by accident rather than by an explicit check.
58 EXPIRES_CRL
="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
# Convert the 'Next Update:' date string into seconds since the epoch
61 EXPIRES_AT
="$(date -d "${EXPIRES_CRL}" "+%s
")"
63 # Seconds left until CRL expires
64 EXPIRINGDATEINSEC
="$(( EXPIRES_AT - NOW ))"
# Seconds per day, used to convert the remaining time into days
# Convert the remaining seconds to whole days (integer division, so a
# partial day counts as zero)
70 NEXTUPDATE
="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
# Threshold, in days before the CRL's 'Next Update' date, at which the CRL
# is renewed
# Renew the CRL once UPDATE days or fewer remain before its 'Next Update'.
# NOTE(review): 'openssl ca -gencrl' writes straight to ${CRL}, so a failing
# or interrupted run can leave an empty or truncated file where the old, still
# valid CRL was; generating into a temporary file in the same directory and
# renaming it over ${CRL} would close that window.
78 if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
79 if openssl ca
-gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
80 logger
-t openvpn
"CRL has been updated"
82 logger
-t openvpn
"error: Could not update CRL"