--- /dev/null
+#!/bin/bash
+
+#########################################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire. If not, see <http://www.gnu.org/licenses/>. #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+#########################################################################################
+# #
+# Script Name: openvpn-crl-updater #
+# Description: This script checks the "Next Update:" field of the CRL #
+# and renews it if needed, which prevents the expiration of OpenVPNs CRL. #
+# With OpenVPN 2.4.x the CRL handling has been refactored, #
+# whereby the verification logic has been removed from ssl_verify_<backend>.c . #
+# For more infos: #
+# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 #
+# #
+# Run Information: If OpenVPNs CRL is presant, #
+# this script provides a cronjob which checks daily if an update of the CRL #
+# is needed. If the expiring date reaches the value #
+# (defined in the 'UPDATE' variable in days) before the CRL expiration, an openssl #
+# command will be executed to renew the CRL. #
+# Script execution will be logged into /var/log/messages. #
+# #
+# Author: Erik Kapfer #
+# #
+# Date: 06.02.2018 #
+# #
+#########################################################################################
+
+# Check if OpenVPN is active or if the CRL is presant
+if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
+ exit 0;
+fi
+
+## Paths
+OVPN="/var/ipfire/ovpn"
+CRL="${OVPN}/crls/cacrl.pem"
+CAKEY="${OVPN}/ca/cakey.pem"
+CACERT="${OVPN}/ca/cacert.pem"
+OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
+
+## Values
+# CRL check for the 'Next Update:' in seconds
+EXPIRINGDATEINSEC="$((
+$(/bin/date -d "$(/usr/bin/openssl crl -in "${CRL}" -text | \
+ /bin/grep -oP 'Next Update: *\K.*')" +%s) - \
+ $(/bin/date +%s) \
+))"
+
+# Day in seconds to calculate
+DAYINSEC="86400"
+
+# Convert seconds to days
+NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"
+
+# Update of the CRL in days before CRL expiring date
+UPDATE="14"
+
+
+# Check if OpenVPNs CRL needs to be renewed
+if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
+ if /usr/bin/openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+ logger -t openvpn "CRL has been updated"
+ else
+ logger -t openvpn "error: Could not update CRL"
+ fi
+fi
+
+exit 0
+
+
+# EOF
+
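Review bot: The comparison at L77 silently does nothing when the expiry could not be read: if the openssl/grep/date pipeline on L61-L63 yields no value, the arithmetic on L60 and L70 errors out, NEXTUPDATE ends up empty, the unquoted `[ -le 14 ]` fails with a test error, and the script reaches `exit 0` without writing anything to the log, so a corrupt or unreadable CRL would go unnoticed by the daily cron job. Guard the value before comparing and make the failure visible, e.g. `if ! [[ "${NEXTUPDATE}" =~ ^-?[0-9]+$ ]]; then logger -t openvpn "error: Could not read CRL next update"; exit 1; fi` followed by `if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then`. Note also that when only the first `date` call fails the expression becomes negative and the CRL is regenerated without any log line; that is a safe fallback, but a `logger` call stating why would help diagnosis. The error branch at L81 then falling through to `exit 0` likewise hides the failure from cron; returning non-zero there would surface it.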