Phase 3 (of 3?): pivpn modifications for easy-rsa3

This updates pivpn revoke

scripts/removeOVPN.sh

@@ -4,9 +4,9 @@
 INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
 PLAT=$(cat /etc/pivpn/DET_PLATFORM)
-INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
+INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
 
-if [ ! -f "$INDEX" ]; then
+if [ ! -f "${INDEX}" ]; then
         printf "The file: %s was not found\n" "$INDEX"
         exit 1
 fi
@@ -18,7 +18,7 @@ i=0
 while read -r line || [ -n "$line" ]; do
     STATUS=$(echo "$line" | awk '{print $1}')
     if [[ "$STATUS" = "V" ]]; then
-        NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')
+        NAME=$(echo "$line" | sed -e 's:.*/CN=::')
         CERTS[$i]=$NAME
         if [ "$i" != 0 ]; then
             # Prevent printing "server" certificate
@@ -26,13 +26,13 @@ while read -r line || [ -n "$line" ]; do
         fi
         let i=i+1
     fi
-done <$INDEX
+done <${INDEX}
 printf "\n"
 
 echo "::: Please enter the Name of the client to be revoked from the list above:"
 read -r NAME
 
-if [[ -z "$NAME" ]]; then
+if [[ -z "${NAME}" ]]; then
     echo "::: You can not leave this blank!"
     exit 1
 fi
@@ -43,24 +43,21 @@ for((x=1;x<=i;++x)); do
     fi
 done
 
-if [ -z "$VALID" ]; then
+if [ -z "${VALID}" ]; then
     printf "::: You didn't enter a valid cert name!\n"
     exit 1
 fi
 
 cd /etc/openvpn/easy-rsa || exit
-source /etc/openvpn/easy-rsa/vars
 
-./revoke-full "$NAME"
+if [ "${REVOKE_STATUS}" == 0 ]; then
-echo "::: Certificate revoked, removing ovpns from /home/$INSTALL_USER/ovpns"
-rm "/home/$INSTALL_USER/ovpns/$NAME.ovpn"
-cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/crl.pem
-echo "::: Completed!"
-
-if [ "$REVOKE_STATUS" == 0 ]; then
         echo 1 > /etc/pivpn/REVOKE_STATUS
         printf "\nThis seems to be the first time you have revoked a cert.\n"
-        printf "We are adding the CRL to the server.conf and restarting openvpn.\n"
+    printf "First we need to initialize the Certificate Revocation List.\n"
+        printf "Then add the CRL to your server config and restart openvpn.\n"
+    ./easyrsa gen-crl
+    cp pki/crl.pem /etc/openvpn/crl.pem
+    chown nobody:nogroup /etc/openvpn/crl.pem
         sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
         if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
             service openvpn restart
@@ -68,3 +65,13 @@ if [ "$REVOKE_STATUS" == 0 ]; then
             systemctl restart openvpn.service
         fi
 fi
+
+./easyrsa --batch revoke "${NAME}"
+printf "\n::: Certificate revoked, and CRL file updated.\n"
+printf "::: Removing certs and client configuration for this profile.\n"
+rm -rf "pki/reqs/${NAME}.req"
+rm -rf "pki/private/${NAME}.key"
+rm -rf "pki/issued/${NAME}.crt"
+rm -rf "/home/$INSTALL_USER/ovpns/${NAME}.ovpn"
+cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
+printf "::: Completed!\n"

server_config.txt

@@ -34,7 +34,7 @@ user nobody
 group nogroup
 persist-key
 persist-tun
-#crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
+#crl-verify /etc/openvpn/crl.pem
 status /var/log/openvpn-status.log 20
 log /var/log/openvpn.log
 verb 1