openvpn: shellpki upstream release 22.12
gitea/ansible-roles/pipeline/head This commit looks good
Details
gitea/ansible-roles/pipeline/head This commit looks good
Details
This commit is contained in:
parent
cd2c1931b1
commit
cca072425b
|
|
@ -41,6 +41,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* varnish: better package facts usage with check mode and tags
|
||||
* varnish: systemd override depends on Varnish version instead of Debian version
|
||||
* keepalived: change exit code (warning if runnin but not on expected state ; critical if not running)
|
||||
* openvpn: shellpki upstream release 22.12
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
|
|||
|
|
@ -1,26 +1,124 @@
|
|||
#!/bin/sh
|
||||
|
||||
carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2)
|
||||
VERSION="22.12"
|
||||
|
||||
if [ "$carp" = "backup" ]; then
|
||||
exit 0
|
||||
fi
|
||||
show_version() {
|
||||
cat <<END
|
||||
cert-expirations.sh version ${VERSION}
|
||||
|
||||
echo "Warning : all times are in UTC !\n"
|
||||
Copyright 2020-2022 Evolix <info@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Jérémy Dubois <jdubois@evolix.fr>
|
||||
and others.
|
||||
|
||||
echo "CA certificate:"
|
||||
openssl x509 -enddate -noout -in /etc/shellpki/cacert.pem \
|
||||
| cut -d '=' -f 2 \
|
||||
| sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/"
|
||||
cert-expirations.sh comes with ABSOLUTELY NO WARRANTY. This is free software,
|
||||
and you are welcome to redistribute it under certain conditions.
|
||||
See the MIT Licence for details.
|
||||
END
|
||||
}
|
||||
|
||||
echo ""
|
||||
show_usage() {
|
||||
cat <<END
|
||||
Usage: ${0} [--version]
|
||||
END
|
||||
}
|
||||
|
||||
echo "Client certificates:"
|
||||
cat /etc/shellpki/index.txt \
|
||||
| grep ^V \
|
||||
| awk -F "/" '{print $1,$5}' \
|
||||
| awk '{print $2,$5}' \
|
||||
| sed 's/CN=//' \
|
||||
| sed -E 's/([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})Z (.*)/- 20\1 \2 \3 \4:\5:\6 \7/' \
|
||||
| awk '{if ($3 == "01") $3="Jan"; else if ($3 == "02") $3="Feb"; else if ($3 == "03") $3="Mar"; else if ($3 == "04") $3="Apr"; else if ($3 == "05") $3="May"; else if ($3 == "06") $3="Jun"; else if ($3 == "07") $3="Jul"; else if ($3 == "08") $3="Aug"; else if ($3 == "09") $3="Sep"; else if ($3 == "10") $3="Oct"; else if ($3 == "11") $3="Nov"; else if ($3 == "12") $3="Dec"; print $0;}' \
|
||||
| sort -n -k 2 -k 3M -k 4
|
||||
check_ca_expiration() {
|
||||
echo "CA certificate:"
|
||||
openssl x509 -enddate -noout -in ${cacert_path} \
|
||||
| cut -d '=' -f 2 \
|
||||
| sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/"
|
||||
}
|
||||
|
||||
check_certs_expiration() {
|
||||
# Syntax "cmd | { while read line; do var="foo"; done echo $var }" needed, otherwise $var is empty at the end of while loop
|
||||
grep ^V ${index_path} \
|
||||
| awk -F "/" '{print $1,$5}' \
|
||||
| awk '{print $2,$5}' \
|
||||
| sed 's/CN=//' \
|
||||
| sed -E 's/([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})Z (.*)/- 20\1 \2 \3 \4:\5:\6 \7/' \
|
||||
| awk '{if ($3 == "01") $3="Jan"; else if ($3 == "02") $3="Feb"; else if ($3 == "03") $3="Mar"; else if ($3 == "04") $3="Apr"; else if ($3 == "05") $3="May"; else if ($3 == "06") $3="Jun"; else if ($3 == "07") $3="Jul"; else if ($3 == "08") $3="Aug"; else if ($3 == "09") $3="Sep"; else if ($3 == "10") $3="Oct"; else if ($3 == "11") $3="Nov"; else if ($3 == "12") $3="Dec"; print $0;}' \
|
||||
| sort -n -k 2 -k 3M -k 4 | {
|
||||
while read -r line; do
|
||||
|
||||
# Predicting expirations - OpenBSD case (date is not the same than in Linux)
|
||||
if [ "${SYSTEM}" = "openbsd" ]; then
|
||||
# Already expired if expiration date is before now
|
||||
if [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -le "$(date +%s)" ]; then
|
||||
expired_certs="${expired_certs}$line\n"
|
||||
# Expiring soon if expiration date is after now and before now + $somedays days
|
||||
elif [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -gt "$(date +%s)" ] && [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -lt "$(($(date +%s) + somedays))" ]; then
|
||||
expiring_soon_certs="${expiring_soon_certs}$line\n"
|
||||
# Still valid for a time if expiration date is after now + $somedays days
|
||||
elif [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -ge "$(($(date +%s) + somedays))" ]; then
|
||||
still_valid_certs="${still_valid_certs}$line\n"
|
||||
fi
|
||||
# Non OpenBSD cases
|
||||
else
|
||||
# Already expired if expiration date is before now
|
||||
if [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -le "$(date +%s)" ]; then
|
||||
expired_certs="${expired_certs}$line\n"
|
||||
# Expiring soon if expiration date is after now and before now + $somedays days
|
||||
elif [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -gt "$(date +%s)" ] && [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -lt "$(($(date +%s) + somedays))" ]; then
|
||||
expiring_soon_certs="${expiring_soon_certs}$line\n"
|
||||
# Still valid for a time if expiration date is after now + $somedays days
|
||||
elif [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -ge "$(($(date +%s) + somedays))" ]; then
|
||||
still_valid_certs="${still_valid_certs}$line\n"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Expired client certificates:"
|
||||
echo "${expired_certs}"
|
||||
echo "Valid client certificates expiring soon (in less than $((somedays / 60 / 60 / 24)) days):"
|
||||
echo "${expiring_soon_certs}"
|
||||
echo "Valid client certificates expiring later (in more than $((somedays / 60 / 60 / 24)) days):"
|
||||
echo "${still_valid_certs}"
|
||||
}
|
||||
}
|
||||
|
||||
main() {
|
||||
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
||||
|
||||
if [ "${SYSTEM}" = "openbsd" ]; then
|
||||
carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2)
|
||||
|
||||
if [ "$carp" = "backup" ]; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
cacert_path="/etc/openvpn/ssl/ca/cacert.pem"
|
||||
index_path="/etc/openvpn/ssl/ca/index.txt"
|
||||
somedays="3456000" # 40 days currently
|
||||
expired_certs=""
|
||||
expiring_soon_certs=""
|
||||
still_valid_certs=""
|
||||
|
||||
case "$1" in
|
||||
version|--version)
|
||||
show_version
|
||||
exit 0
|
||||
;;
|
||||
|
||||
help|--help)
|
||||
show_usage
|
||||
exit 0
|
||||
;;
|
||||
|
||||
"")
|
||||
echo "Warning : all times are in UTC !"
|
||||
echo ""
|
||||
check_ca_expiration
|
||||
echo ""
|
||||
check_certs_expiration
|
||||
;;
|
||||
|
||||
*)
|
||||
show_usage >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
main "$@"
|
||||
|
|
|
|||
|
|
@ -1,3 +1,5 @@
|
|||
# VERSION="22.04"
|
||||
|
||||
[ ca ]
|
||||
default_ca = CA_default
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
set -u
|
||||
|
||||
VERSION="22.04"
|
||||
VERSION="22.12"
|
||||
|
||||
show_version() {
|
||||
cat <<END
|
||||
|
|
@ -137,14 +137,14 @@ warning() {
|
|||
}
|
||||
|
||||
verify_ca_password() {
|
||||
"${OPENSSL_BIN}" rsa \
|
||||
"${OPENSSL_BIN}" pkey \
|
||||
-in "${CA_KEY}" \
|
||||
-passin pass:"${CA_PASSWORD}" \
|
||||
>/dev/null 2>&1
|
||||
}
|
||||
get_real_path() {
|
||||
# --canonicalize is supported on Linux
|
||||
# -f is supported on Linux and OpenBSD
|
||||
# -f is supported on Linux and OpenBSD
|
||||
readlink -f -- "${1}"
|
||||
}
|
||||
|
||||
|
|
@ -227,6 +227,7 @@ init() {
|
|||
[ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}"
|
||||
[ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}"
|
||||
[ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}"
|
||||
[ -f "${INDEX_FILE}.attr" ] || touch "${INDEX_FILE}.attr"
|
||||
[ -f "${CRL}" ] || touch "${CRL}"
|
||||
[ -f "${SERIAL}" ] || echo "01" > "${SERIAL}"
|
||||
|
||||
|
|
@ -278,17 +279,18 @@ init() {
|
|||
|
||||
passout_arg=""
|
||||
if [ -n "${CA_PASSWORD:-}" ]; then
|
||||
passout_arg="-passout pass:${CA_PASSWORD}"
|
||||
passout_arg="-pass pass:${CA_PASSWORD}"
|
||||
elif [ "${non_interactive}" -eq 1 ]; then
|
||||
error "In non-interactive mode, you must pass CA_PASSWORD as environment variable."
|
||||
fi
|
||||
|
||||
if [ ! -f "${CA_KEY}" ]; then
|
||||
"${OPENSSL_BIN}" genrsa \
|
||||
"${OPENSSL_BIN}" genpkey \
|
||||
-algorithm RSA \
|
||||
-out "${CA_KEY}" \
|
||||
${passout_arg} \
|
||||
-aes256 \
|
||||
"${CA_KEY_LENGTH}" \
|
||||
-pkeyopt "rsa_keygen_bits:${CA_KEY_LENGTH}" \
|
||||
>/dev/null 2>&1
|
||||
# shellcheck disable=SC2181
|
||||
if [ "$?" -ne 0 ]; then
|
||||
|
|
@ -355,9 +357,10 @@ ocsp() {
|
|||
port=$(echo "${ocsp_uri}" | cut -d':' -f2)
|
||||
|
||||
if [ ! -f "${OCSP_KEY}" ]; then
|
||||
"${OPENSSL_BIN}" genrsa \
|
||||
"${OPENSSL_BIN}" genpkey \
|
||||
-algorithm RSA \
|
||||
-out "${OCSP_KEY}" \
|
||||
"${KEY_LENGTH}" \
|
||||
-pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
|
||||
>/dev/null 2>&1
|
||||
# shellcheck disable=SC2181
|
||||
if [ "$?" -ne 0 ]; then
|
||||
|
|
@ -680,17 +683,19 @@ create() {
|
|||
# generate private key
|
||||
pass_args=""
|
||||
if [ -n "${password_file:-}" ]; then
|
||||
pass_args="-aes256 -passout file:${password_file}"
|
||||
pass_args="-aes256 -pass file:${password_file}"
|
||||
elif [ -n "${PASSWORD:-}" ]; then
|
||||
pass_args="-aes256 -passout pass:${PASSWORD}"
|
||||
pass_args="-aes256 -pass pass:${PASSWORD}"
|
||||
fi
|
||||
"${OPENSSL_BIN}" genrsa \
|
||||
"${OPENSSL_BIN}" genpkey \
|
||||
-algorithm RSA \
|
||||
-out "${key_file}" \
|
||||
${pass_args} \
|
||||
"${KEY_LENGTH}" \
|
||||
-pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
|
||||
>/dev/null 2>&1
|
||||
# shellcheck disable=SC2181
|
||||
if [ "$?" -eq 0 ]; then
|
||||
chmod 600 "${key_file}"
|
||||
echo "The KEY file is available at \`${key_file}'"
|
||||
else
|
||||
error "Error generating the private key"
|
||||
|
|
|
|||
Loading…
Reference in New Issue