Implemented that a Certificate Revocation List is generated during installation after generation of other Public Key Infrastructure. Enabled this CRL in the server config. The added benefit of this is that whenever the user now revokes a client, the change is instant. Whereas before, the first time a client was revoked, the OpenVPN server had to be restarted to enabled the then-newly-generated CRL. This change also makes the file /etc/pivpn/REVOKE_STATUS obsolete.

Documentation: https://openvpn.net/index.php/open-source/documentation/howto.html#revoke
2025-01-19 19:09:46 +00:00 · 2017-09-22 02:46:52 -05:00 · 2017-09-22 02:46:52 -05:00 · 30920115b3
commit 30920115b3
parent c7f82d0116
3 changed files with 6 additions and 21 deletions
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -884,6 +884,11 @@ EOF
    # Generate static HMAC key to defend against DDoS
    ${SUDOE} openvpn --genkey --secret pki/ta.key

+    # Generate an empty Certificate Revocation List
+    ${SUDOE} ./easyrsa gen-crl
+    cp pki/crl.pem /etc/openvpn/crl.pem
+    chown nobody:nogroup /etc/openvpn/crl.pem
+
    # Write config file for server using the template .txt file
    $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf

@ -992,10 +997,6 @@ confOVPN() {
    $SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
    $SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM

-    # Set status that no certs have been revoked
-    echo 0 > /tmp/REVOKE_STATUS
-    $SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
-
    $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt

    if [[ ${useUpdateVars} == false ]]; then
--- a/scripts/removeOVPN.sh
+++ b/scripts/removeOVPN.sh
@ -105,22 +105,6 @@ fi

 cd /etc/openvpn/easy-rsa || exit

-if [ "${REVOKE_STATUS}" == 0 ]; then
-    echo 1 > /etc/pivpn/REVOKE_STATUS
-    printf "\nThis seems to be the first time you have revoked a cert.\n"
-    printf "First we need to initialize the Certificate Revocation List.\n"
-    printf "Then add the CRL to your server config and restart openvpn.\n"
-    ./easyrsa gen-crl
-    cp pki/crl.pem /etc/openvpn/crl.pem
-    chown nobody:nogroup /etc/openvpn/crl.pem
-    sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
-    if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
-        service openvpn restart
-    else
-        systemctl restart openvpn.service
-    fi
-fi
-
 for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
    printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
    ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
--- a/server_config.txt
+++ b/server_config.txt
@ -34,7 +34,7 @@ user nobody
 group nogroup
 persist-key
 persist-tun
-#crl-verify /etc/openvpn/crl.pem
+crl-verify /etc/openvpn/crl.pem
 status /var/log/openvpn-status.log 20
 status-version 3
 log /var/log/openvpn.log