openvpn: shellpki upstream release 22.12.2

CHANGELOG.md

@@ -45,7 +45,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * varnish: better package facts usage with check mode and tags
 * varnish: systemd override depends on Varnish version instead of Debian version
 * keepalived: change exit code (warning if runnin but not on expected state ; critical if not running)
-* openvpn: shellpki upstream release 22.12
+* openvpn: shellpki upstream release 22.12.2
 * openvpn: specifies that the mail for expirations is for OpenVPN
 
 ### Fixed

openvpn/files/shellpki/openssl.cnf

@@ -1,4 +1,4 @@
-# VERSION="22.04"
+# VERSION="22.12.2"
 
 [ ca ]
 default_ca      = CA_default
@@ -14,7 +14,7 @@ crl             = $dir/crl.pem
 private_key     = $dir/cakey.key
 RANDFILE        = $dir/.rand
 default_days    = 365
-default_crl_days= 365
+default_crl_days= 730
 default_md      = sha256
 preserve        = no
 policy          = policy_match

openvpn/files/shellpki/shellpki

@@ -5,7 +5,7 @@
 
 set -u
 
-VERSION="22.12"
+VERSION="22.12.2"
 
 show_version() {
     cat <<END
@@ -224,7 +224,7 @@ replace_existing_or_abort() {
 init() {
     umask 0177
 
-    [ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}"
+    [ -d "${CA_DIR}" ] || mkdir -m 0751 "${CA_DIR}"
     [ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}"
     [ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}"
     [ -f "${INDEX_FILE}.attr" ] || touch "${INDEX_FILE}.attr"
@@ -1103,9 +1103,11 @@ main() {
 
     # fix right
     chown -R "${PKI_USER}":"${PKI_USER}" "${CA_DIR}"
-    chmod 750 "${CA_DIR}" "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}"
+    chmod 750 "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}"
-    chmod 600 "${INDEX_FILE}"* "${SERIAL}"* "${CA_KEY}" "${CRL}"
+    chmod 600 "${INDEX_FILE}"* "${SERIAL}"* "${CA_KEY}"
     chmod 640 "${CA_CERT}"
+    chmod 604 "${CRL}"
+    chmod 751 "${CA_DIR}"
 }
 
 main "$@"