Compare commits
8 commits
Author | SHA1 | Date | |
---|---|---|---|
fdf9357792 | |||
d04d68f6cb | |||
514cd2e50f | |||
30ef252ff5 | |||
e0c29cfcf1 | |||
2afa4ab449 | |||
a750b71e05 | |||
24249d829c |
5 changed files with 43 additions and 20 deletions
19
CHANGELOG.md
19
CHANGELOG.md
|
@ -12,10 +12,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||
|
||||
### Fixed
|
||||
|
||||
* Fix mode of shellpki script in README file when installing it
|
||||
|
||||
### Removed
|
||||
|
||||
### Security
|
||||
|
||||
## [22.12.2] 2022-12-13
|
||||
|
||||
### Changed
|
||||
|
||||
* Defaults default_crl_days to 2 years instead of 1
|
||||
|
||||
### Fixed
|
||||
|
||||
* Fix ${CRL} and ${CA_DIR} rights so that CRL file can be read by openvpn
|
||||
|
||||
## [22.12.1] 2022-12-02
|
||||
|
||||
### Fixed
|
||||
|
||||
* cert-expirations.sh: check CARP state only when checking ca and certs expirations
|
||||
* Fix path variables in cert-expirations.sh
|
||||
|
||||
## [22.12] 2022-12-01
|
||||
|
||||
### Added
|
||||
|
|
|
@ -16,7 +16,7 @@ be copied to [ansible-roles/openvpn](https://gitea.evolix.org/evolix/ansible-rol
|
|||
useradd shellpki --system -M --home-dir /etc/shellpki --shell /usr/sbin/nologin
|
||||
mkdir /etc/shellpki
|
||||
install -m 0640 openssl.cnf /etc/shellpki/
|
||||
install -m 0755 shellpki /usr/local/sbin/shellpki
|
||||
install -m 0750 shellpki /usr/local/sbin/shellpki
|
||||
chown -R shellpki: /etc/shellpki
|
||||
~~~
|
||||
|
||||
|
@ -31,7 +31,7 @@ chown -R shellpki: /etc/shellpki
|
|||
useradd -r 1..1000 -d /etc/shellpki -s /sbin/nologin _shellpki
|
||||
mkdir /etc/shellpki
|
||||
install -m 0640 openssl.cnf /etc/shellpki/
|
||||
install -m 0755 shellpki /usr/local/sbin/shellpki
|
||||
install -m 0750 shellpki /usr/local/sbin/shellpki
|
||||
chown -R _shellpki:_shellpki /etc/shellpki
|
||||
~~~
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#!/bin/sh
|
||||
|
||||
VERSION="22.12"
|
||||
VERSION="22.12.1"
|
||||
|
||||
show_version() {
|
||||
cat <<END
|
||||
|
@ -23,6 +23,16 @@ Usage: ${0} [--version]
|
|||
END
|
||||
}
|
||||
|
||||
check_carp_state() {
|
||||
if [ "${SYSTEM}" = "openbsd" ]; then
|
||||
carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2)
|
||||
|
||||
if [ "$carp" = "backup" ]; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
check_ca_expiration() {
|
||||
echo "CA certificate:"
|
||||
openssl x509 -enddate -noout -in ${cacert_path} \
|
||||
|
@ -79,17 +89,8 @@ check_certs_expiration() {
|
|||
|
||||
main() {
|
||||
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
||||
|
||||
if [ "${SYSTEM}" = "openbsd" ]; then
|
||||
carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2)
|
||||
|
||||
if [ "$carp" = "backup" ]; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
cacert_path="/etc/openvpn/ssl/ca/cacert.pem"
|
||||
index_path="/etc/openvpn/ssl/ca/index.txt"
|
||||
cacert_path="/etc/shellpki/cacert.pem"
|
||||
index_path="/etc/shellpki/index.txt"
|
||||
somedays="3456000" # 40 days currently
|
||||
expired_certs=""
|
||||
expiring_soon_certs=""
|
||||
|
@ -107,6 +108,7 @@ main() {
|
|||
;;
|
||||
|
||||
"")
|
||||
check_carp_state
|
||||
echo "Warning : all times are in UTC !"
|
||||
echo ""
|
||||
check_ca_expiration
|
||||
|
|
|
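Review bot: check_carp_state, added whole in the second hunk, terminates the entire script with `exit 0` from inside a helper and prints nothing, which is presumably the intended cron behaviour on a CARP backup node but is nowhere stated; a header comment would carry the contract: `# On a CARP backup node the expiration check is the master's job: exit quietly (status 0) so cron sends no mail.` The parsing `grep 'status' | cut -d' ' -f2` depends on OpenBSD's `status: master|backup` line format, and when carp0 does not exist `carp` is empty and the check simply proceeds, so a second comment line noting both assumptions would spare the next reader an ifconfig session. Because the script is `/bin/sh`, `carp` is a script-global variable rather than a local one; a more specific name such as `carp_state` avoids collisions with the rest of the file. The new call in the last hunk is reached only from the `""` branch of main, so the other branches are unaffected; main's body continues outside that hunk.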
@ -1,4 +1,4 @@
|
|||
# VERSION="22.04"
|
||||
# VERSION="22.12.2"
|
||||
|
||||
[ ca ]
|
||||
default_ca = CA_default
|
||||
|
@ -14,7 +14,7 @@ crl = $dir/crl.pem
|
|||
private_key = $dir/cakey.key
|
||||
RANDFILE = $dir/.rand
|
||||
default_days = 365
|
||||
default_crl_days= 365
|
||||
default_crl_days= 730
|
||||
default_md = sha256
|
||||
preserve = no
|
||||
policy = policy_match
|
||||
|
|
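Review bot: `default_crl_days= 730` in the second hunk doubles the lifetime of every CRL this CA publishes, but the file records no rationale for the trade-off: with OpenVPN's CRL verification an expired CRL causes client connections to be refused, so a longer nextUpdate reduces that outage risk, while a relying party that misses a regenerated CRL keeps trusting the old one for up to two years. A comment on the line above would keep the reasoning with the setting, for example `# 2 years: an expired CRL makes openvpn refuse all clients; still regenerate the CRL on every revocation`. The CHANGELOG hunk records the new value but not why it was chosen.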
10
shellpki
10
shellpki
|
@ -5,7 +5,7 @@
|
|||
|
||||
set -u
|
||||
|
||||
VERSION="22.12"
|
||||
VERSION="22.12.2"
|
||||
|
||||
show_version() {
|
||||
cat <<END
|
||||
|
@ -224,7 +224,7 @@ replace_existing_or_abort() {
|
|||
init() {
|
||||
umask 0177
|
||||
|
||||
[ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}"
|
||||
[ -d "${CA_DIR}" ] || mkdir -m 0751 "${CA_DIR}"
|
||||
[ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}"
|
||||
[ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}"
|
||||
[ -f "${INDEX_FILE}.attr" ] || touch "${INDEX_FILE}.attr"
|
||||
|
@ -1103,9 +1103,11 @@ main() {
|
|||
|
||||
# fix right
|
||||
chown -R "${PKI_USER}":"${PKI_USER}" "${CA_DIR}"
|
||||
chmod 750 "${CA_DIR}" "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}"
|
||||
chmod 600 "${INDEX_FILE}"* "${SERIAL}"* "${CA_KEY}" "${CRL}"
|
||||
chmod 750 "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}"
|
||||
chmod 600 "${INDEX_FILE}"* "${SERIAL}"* "${CA_KEY}"
|
||||
chmod 640 "${CA_CERT}"
|
||||
chmod 604 "${CRL}"
|
||||
chmod 751 "${CA_DIR}"
|
||||
}
|
||||
|
||||
main "$@"
|
||||
|
|
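Review bot: `chmod 604 "${CRL}"` in the last hunk gives read access to "other" while denying it to the group, which reads like a typo for 644; if the intent is only that the openvpn daemon, running outside the `${PKI_USER}` group, must read the CRL, a comment should say so and `chmod 644 "${CRL}"` would express it without the oddity. The same hunk (`chmod 751 "${CA_DIR}"`) and `mkdir -m 0751` in init() open the CA directory to world-traverse without explaining why; a note next to the chmod lines such as `# o+x on CA_DIR and o+r on CRL: openvpn runs as another user and must read the CRL; keys stay 600 and subdirectories 750` makes the exposure and its limits explicit. Since init() only creates `${CA_DIR}` when it does not exist, an existing installation gets the new directory mode solely from the fix-right block at the end of main, which is worth stating in the CHANGELOG entry. main() begins outside the hunk.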