Phase 3 (of 3?): pivpn modifications for easy-rsa3

This updates pivpn revoke
2024-12-18 19:00:15 +00:00 · 2016-12-06 11:44:07 -05:00 · 2016-12-06 11:44:07 -05:00 · 596e6c8277
commit 596e6c8277
parent 9b8a883119
2 changed files with 23 additions and 16 deletions
--- a/scripts/removeOVPN.sh
+++ b/scripts/removeOVPN.sh
@ -4,9 +4,9 @@
 INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
 PLAT=$(cat /etc/pivpn/DET_PLATFORM)
-INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
+INDEX="/etc/openvpn/easy-rsa/pki/index.txt"

-if [ ! -f "$INDEX" ]; then
+if [ ! -f "${INDEX}" ]; then
        printf "The file: %s was not found\n" "$INDEX"
        exit 1
 fi
@ -18,7 +18,7 @@ i=0
 while read -r line || [ -n "$line" ]; do
    STATUS=$(echo "$line" | awk '{print $1}')
    if [[ "$STATUS" = "V" ]]; then
-        NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')
+        NAME=$(echo "$line" | sed -e 's:.*/CN=::')
        CERTS[$i]=$NAME
        if [ "$i" != 0 ]; then
            # Prevent printing "server" certificate
@ -26,13 +26,13 @@ while read -r line || [ -n "$line" ]; do
        fi
        let i=i+1
    fi
-done <$INDEX
+done <${INDEX}
 printf "\n"

 echo "::: Please enter the Name of the client to be revoked from the list above:"
 read -r NAME

-if [[ -z "$NAME" ]]; then
+if [[ -z "${NAME}" ]]; then
    echo "::: You can not leave this blank!"
    exit 1
 fi
@ -43,24 +43,21 @@ for((x=1;x<=i;++x)); do
    fi
 done

-if [ -z "$VALID" ]; then
+if [ -z "${VALID}" ]; then
    printf "::: You didn't enter a valid cert name!\n"
    exit 1
 fi

 cd /etc/openvpn/easy-rsa || exit
-source /etc/openvpn/easy-rsa/vars

-./revoke-full "$NAME"
-echo "::: Certificate revoked, removing ovpns from /home/$INSTALL_USER/ovpns"
-rm "/home/$INSTALL_USER/ovpns/$NAME.ovpn"
-cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/crl.pem
-echo "::: Completed!"
-
-if [ "$REVOKE_STATUS" == 0 ]; then
+if [ "${REVOKE_STATUS}" == 0 ]; then
        echo 1 > /etc/pivpn/REVOKE_STATUS
        printf "\nThis seems to be the first time you have revoked a cert.\n"
-        printf "We are adding the CRL to the server.conf and restarting openvpn.\n"
+    printf "First we need to initialize the Certificate Revocation List.\n"
+        printf "Then add the CRL to your server config and restart openvpn.\n"
+    ./easyrsa gen-crl
+    cp pki/crl.pem /etc/openvpn/crl.pem
+    chown nobody:nogroup /etc/openvpn/crl.pem
        sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
        if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
            service openvpn restart
@ -68,3 +65,13 @@ if [ "$REVOKE_STATUS" == 0 ]; then
            systemctl restart openvpn.service
        fi
 fi
+
+./easyrsa --batch revoke "${NAME}"
+printf "\n::: Certificate revoked, and CRL file updated.\n"
+printf "::: Removing certs and client configuration for this profile.\n"
+rm -rf "pki/reqs/${NAME}.req"
+rm -rf "pki/private/${NAME}.key"
+rm -rf "pki/issued/${NAME}.crt"
+rm -rf "/home/$INSTALL_USER/ovpns/${NAME}.ovpn"
+cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
+printf "::: Completed!\n"
--- a/server_config.txt
+++ b/server_config.txt
@ -34,7 +34,7 @@ user nobody
 group nogroup
 persist-key
 persist-tun
-#crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
+#crl-verify /etc/openvpn/crl.pem
 status /var/log/openvpn-status.log 20
 log /var/log/openvpn.log
 verb 1