OpenVPN: Move the OpenSSL configuration file out of /var/ipfire

We should not have any configuration files that we share in this place,
therefore this patch is moving it into /usr/share/openvpn where we
should be able to update it without any issues.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
index 5fbe21080cb90187f5cf8398c7e7fdfbf1bd2e3b..5008d67254e031636a013f2b02be125fb285b352 100644 (file)
--- a/config/ovpn/openvpn-crl-updater
+++ b/config/ovpn/openvpn-crl-updater
@@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
 CRL="${OVPN}/crls/cacrl.pem"
 CAKEY="${OVPN}/ca/cakey.pem"
 CACERT="${OVPN}/ca/cacert.pem"
-OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
 
 # Check if CRL is presant or if OpenVPN is active
 if [ ! -e "${CAKEY}" ]; then
@@ -76,7 +75,7 @@ UPDATE="14"
 ## Mainpart
 # Check if OpenVPNs CRL needs to be renewed
 if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
-    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
                logger -t openvpn "CRL has been updated"
     else
                logger -t openvpn "error: Could not update CRL"

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579cb8a33b52a9ab8c73bbe38861477925..c0d49bfad48261bc1dc2fd554616afcbc5820ddd 100644 (file)
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
 #usr/share/doc/openvpn/openvpn.8.html
 #usr/share/man/man5/openvpn-examples.5
 #usr/share/man/man8/openvpn.8
+usr/share/openvpn/openssl.cnf
 var/ipfire/ovpn/ca
 var/ipfire/ovpn/caconfig
 var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
 var/ipfire/ovpn/crls
 var/ipfire/ovpn/n2nconf
 #var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
 var/ipfire/ovpn/openvpn-authenticator
 var/ipfire/ovpn/ovpn-leases.db
 var/ipfire/ovpn/ovpnconfig

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d2d1372656d0d6a71d9b9ee5bc663c9a..f0172978f0ae315651d319a0625ef1e36b1353fa 100755 (executable)
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1836,7 +1836,7 @@ END
                        '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
                        '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
                        '-out', "${General::swroot}/ovpn/ca/cacert.pem",
-                       '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+                       '-config', "/usr/share/openvpn/ovpn.cnf")) {
                $errormessage = "$Lang::tr{'cant start openssl'}: $!";
                goto ROOTCERT_ERROR;
            }
@@ -1868,7 +1868,7 @@ END
                        '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
                        '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
                        '-extensions', 'server',
-                       '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
+                       '-config', "/usr/share/openvpn/ovpn.cnf" )) {
                $errormessage = "$Lang::tr{'cant start openssl'}: $!";
                unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
                unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
@@ -1885,7 +1885,7 @@ END
                '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
                '-out', "${General::swroot}/ovpn/certs/servercert.pem",
                '-extensions', 'server',
-               '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
+               '-config', "/usr/share/openvpn/ovpn.cnf");
        if ($?) {
            $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
            unlink ("${General::swroot}/ovpn/ca/cakey.pem");
@@ -1904,7 +1904,7 @@ END
        # System call is safe, because all arguments are passed as array.
        system('/usr/bin/openssl', 'ca', '-gencrl',
                '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
-               '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
+               '-config', "/usr/share/openvpn/ovpn.cnf" );
        if ($?) {
            $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
            unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
@@ -2426,8 +2426,8 @@ else
 
        if ($confighash{$cgiparams{'KEY'}}) {
                # Revoke certificate if certificate was deleted and rewrite the CRL
-               &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
-               &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+               &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
+               &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
 
 ###
 # m.a.d net2net
@@ -2480,7 +2480,7 @@ else
                &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
 
                delete $confighash{$cgiparams{'KEY'}};
-               &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+               &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
                &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 
        } else {
@@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
                '-batch', '-notext',
                '-in', $filename,
                '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-               '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+               '-config', "/usr/share/openvpn/ovpn.cnf");
            if ($?) {
                $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
                unlink ($filename);
@@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
                        '-newkey', 'rsa:4096',
                        '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
                        '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
-                       '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+                       '-config', "/usr/share/openvpn/ovpn.cnf")) {
                    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
                    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
                    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
@@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
                '-batch', '-notext',
                '-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
                '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-               '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+               '-config', "/usr/share/openvpn/ovpn.cnf");
            if ($?) {
                $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
                unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");

diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9e153bb939bcd87968e001cba8cbe150..0704aa438df6e20a83049cc45b9783ca6bedeaa4 100644 (file)
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        chown root:root /etc/fcron.daily/openvpn-crl-updater
        chmod 750 /etc/fcron.daily/openvpn-crl-updater
 
+       # Move the OpenSSL configuration file out of /var/ipfire
+       mkdir -pv /usr/share/openvpn
+       mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+               /usr/share/openvpn/
+       rmdir -v /usr/share/openvpn
+
        # Install authenticator
        install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
                /usr/sbin/openvpn-authenticator