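#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2018 IPFire Team <erik.kapfer@ipfire.org>                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

###############################################################################
#                                                                             #
# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater                  #
#                                                                             #
# Description: This script checks the "Next Update:" field of the CRL         #
# and renews it if needed, which prevents the expiration of OpenVPN's CRL.    #
# With OpenVPN 2.4.x the CRL handling has been refactored,                    #
# whereby the verification logic has been removed                             #
# from ssl_verify_<backend>.c .                                               #
#                                                                             #
# Run Information: If OpenVPN's CRL is present,                               #
# this script provides a cronjob which checks daily if an update              #
# of the CRL is needed. If the CRL expires within the number of days          #
# defined in the 'UPDATE' variable, an openssl command will be executed       #
# to renew the CRL.                                                           #
# Script execution will be logged into /var/log/messages.                     #
#                                                                             #
###############################################################################

## Paths
OVPN="/var/ipfire/ovpn"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"

## Values
# Renew the CRL when it expires within this many days
UPDATE="14"

# Day in seconds, used to convert the remaining lifetime into days
DAYINSEC="86400"

# Without the CA key there is no OpenVPN CA to renew a CRL for, so leave
# quietly; this is the normal case on a box where OpenVPN is not set up.
if [ ! -e "${CAKEY}" ]; then
	exit 0
fi

#######################################
# Regenerate the CRL with the CA key and log the outcome.
# 'openssl ca -gencrl' rebuilds the CRL from the CA database named in
# OPENSSLCONF, so previously revoked certificates stay revoked.
# Globals:   CAKEY, CACERT, CRL, OPENSSLCONF (read)
# Outputs:   one line to syslog (tag "openvpn") on success or failure
# Returns:   0 if the CRL was written, 1 otherwise
#######################################
renew_crl() {
	if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
		logger -t openvpn "CRL has been updated"
		return 0
	fi
	logger -t openvpn "error: Could not update CRL"
	return 1
}

## Mainpart
# A missing CRL cannot be checked for its 'Next Update' date; regenerate it
# straight away instead of letting the date parsing below fail.
if [ ! -e "${CRL}" ]; then
	logger -t openvpn "warning: CRL ${CRL} is missing, regenerating"
	renew_crl
	exit 0
fi

# Actual time in epoch format
NOW="$(date +%s)"

# Investigate the CRL's 'Next Update' date; openssl prints it as
# "nextUpdate=<date>", so strip the key and keep the date string.
EXPIRES_CRL="$(openssl crl -in "${CRL}" -noout -nextupdate)"
EXPIRES_CRL="${EXPIRES_CRL#nextUpdate=}"

# Convert the 'Next Update' date to epoch seconds. An empty or unparseable
# value (unreadable CRL, no nextUpdate field) is treated like an expired CRL
# so that a broken CRL is replaced rather than silently left in place.
if [ -z "${EXPIRES_CRL}" ] || ! EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"; then
	logger -t openvpn "warning: Could not read 'Next Update' from ${CRL}, regenerating"
	renew_crl
	exit 0
fi

# Seconds left until the CRL expires (negative once it has already expired)
EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"

# Convert seconds to days
NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"

# Check if OpenVPN's CRL needs to be renewed
if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
	renew_crl
fi

exit 0

# EOF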