diff --git a/build/assets/genclient.sh b/build/assets/genclient.sh
index 98df1626..5e04c076 100755
--- a/build/assets/genclient.sh
+++ b/build/assets/genclient.sh
@@ -38,7 +38,10 @@ cd $EASY_RSA
# Generate certificates
if [[ -z $CERT_PASS ]]; then
echo 'Without password...'
- ./easyrsa --batch --req-cn="$CERT_NAME" --days="$EASYRSA_CERT_EXPIRE" --req-email="$EASYRSA_REQ_EMAIL" gen-req "$CERT_NAME" nopass subject="/C=$EASYRSA_REQ_COUNTRY/ST=$EASYRSA_REQ_PROVINCE/L=\"$EASYRSA_REQ_CITY\"/O=\"$EASYRSA_REQ_ORG\"/OU=\"$EASYRSA_REQ_OU\""
+ ./easyrsa --batch --req-cn="$CERT_NAME" --days="$EASYRSA_CERT_EXPIRE" --req-email="$EASYRSA_REQ_EMAIL" gen-req "$CERT_NAME" nopass
+
+ # this is not passed on the command line, it's set form variables
+ # subject="/C=$EASYRSA_REQ_COUNTRY/ST=$EASYRSA_REQ_PROVINCE/L=\"$EASYRSA_REQ_CITY\"/O=\"$EASYRSA_REQ_ORG\"/OU=\"$EASYRSA_REQ_OU\""
else
echo 'With password...'
# See https://stackoverflow.com/questions/4294689/how-to-generate-an-openssl-key-using-a-passphrase-from-the-command-line
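Review bot: The note above the commented-out `subject=` line has a typo (`form` → `from`) and keeps the whole old argument as dead code, which will drift from whatever easyrsa actually reads. Replace both lines with one sentence naming the source, e.g. `# Subject fields (C/ST/L/O/OU) are taken from the EASYRSA_REQ_* variables, so no subject= argument is passed.` — I am inferring from the removed line that these are the variables meant, so confirm before committing the wording. The else branch continues past the end of the hunk.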
@@ -64,7 +67,13 @@ tail -1 $EASY_RSA/pki/index.txt
CA="$(cat $EASY_RSA/pki/ca.crt )"
CERT="$(awk '/-----BEGIN CERTIFICATE-----/{flag=1;next}/-----END CERTIFICATE-----/{flag=0}flag' ./pki/issued/${CERT_NAME}.crt | tr -d '\0')"
KEY="$(cat $EASY_RSA/pki/private/${CERT_NAME}.key)"
-TLS_AUTH="$(cat $EASY_RSA/pki/ta.key)"
+TLS_AUTH=""
+if [ -s $EASY_RSA/pki/ta.key ]; then
+ TLS_AUTH="
+
+$(cat $EASY_RSA/pki/ta.key)
+"
+fi
echo 'Fixing permissions for pki/issued...'
chmod +r $EASY_RSA/pki/issued
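Review bot: `[ -s $EASY_RSA/pki/ta.key ]` leaves `$EASY_RSA` unquoted, so a path containing whitespace turns the test into a syntax error instead of a false result; write `if [[ -s "$EASY_RSA/pki/ta.key" ]]; then`. When the file is absent the profile is written without the TLS_AUTH block and nothing tells the operator, which is easy to miss in a generated config — add an `else` branch with `echo 'Warning: pki/ta.key not found, client config generated without it' >&2` so the downgrade is visible. The leading blank lines inside the TLS_AUTH assignment are presumably there to separate it from `$KEY` in the output; a one-line comment saying so would save the next reader a guess.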
@@ -79,10 +88,7 @@ $CERT
$KEY
-
-
-$TLS_AUTH
-
+$TLS_AUTH
" > "$OVPN_FILE_PATH"
echo -e "OpenVPN Client configuration successfully generated!\nCheckout openvpn-server/clients/$CERT_NAME.ovpn"
@@ -113,4 +119,4 @@ if [[ ! -z $TFA_NAME ]] && [[ $TFA_NAME != "none" ]]; then
else
echo 'No 2FA specified. exiting'
-fi
\ No newline at end of file
+fi
diff --git a/build/assets/revoke.sh b/build/assets/revoke.sh
index 78571a47..0bb99224 100755
--- a/build/assets/revoke.sh
+++ b/build/assets/revoke.sh
@@ -8,11 +8,17 @@ CERT_NAME=$1
CERT_SERIAL=$2
EASY_RSA=$(grep -E "^EasyRsaPath\s*=" ../openvpn-ui/conf/app.conf | cut -d= -f2 | tr -d '"' | tr -d '[:space:]')
OPENVPN_DIR=$(grep -E "^OpenVpnPath\s*=" ../openvpn-ui/conf/app.conf | cut -d= -f2 | tr -d '"' | tr -d '[:space:]')
-echo 'EasyRSA path: $EASY_RSA OVPN path: $OPENVPN_DIR'
+echo "EasyRSA path: $EASY_RSA OVPN path: $OPENVPN_DIR"
INDEX=$EASY_RSA/pki/index.txt
PERSHIY=`cat $INDEX | grep "/CN=$CERT_NAME/" | head -1 | awk '{ print $3}'`
OVPN_FILE_PATH="$OPENVPN_DIR/clients/$CERT_NAME.ovpn"
+COLUMN_REGEX='[^\t]*\t'
+SERIAL_REGEX_PREFIX="${COLUMN_REGEX}${COLUMN_REGEX}${COLUMN_REGEX}"
+
+# find the /CN=name part and everything after that, and just replace it with the /CN=name part only
+STRIP_DETAILS_SED='s/\/CN=\(\w\+\).*/\/CN=\1/'
+
export EASYRSA_BATCH=1 # see https://superuser.com/questions/1331293/easy-rsa-v3-execute-build-ca-and-gen-req-silently
# Check if the user has two certificates in index.txt
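Review bot: `\w\+` in STRIP_DETAILS_SED matches only word characters, so for a CN containing `-` or `.` the capture stops early and the following `.*` deletes the rest of the CN itself, leaving a truncated `/CN=` entry in index.txt. The script's own old pattern (`/name=...`) shows the CN is followed by `/`, so capturing up to the next slash keeps the full name: `STRIP_DETAILS_SED='s|/CN=\([^/]*\).*|/CN=\1|'` (a `|` delimiter avoids escaping the slashes). SERIAL_REGEX_PREFIX is also unanchored; starting it with `^` (`SERIAL_REGEX_PREFIX="^${COLUMN_REGEX}${COLUMN_REGEX}${COLUMN_REGEX}"`) guarantees the three skipped columns are the first three rather than any three consecutive ones. `\w` and `\t` inside a bracket expression are GNU sed extensions, which is worth a comment if the container's sed is known to be GNU. These definitions are consumed by the sed calls in the later hunks of this file.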
@@ -22,7 +28,7 @@ if [[ $(cat $INDEX | grep -c "/CN=$CERT_NAME/") -eq 2 ]]; then
echo "Revoking renewed certificate..."
# removing the end of the line starting from /name=$NAME for the line that matches the $serial pattern
- sed -i'.bak' "/$CERT_SERIAL/s/\/name=$CERT_NAME.*//" $INDEX
+ sed -i'.bak' "/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/ ${STRIP_DETAILS_SED}" $INDEX
echo "index.txt patched"
cd $EASY_RSA
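Review bot: CERT_SERIAL comes straight from `$2` and is interpolated into the sed address `"/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/ ..."` without escaping, so a value containing `/` or regex metacharacters changes the sed program rather than being matched literally; the same holds for the `/d` and `s/$/.../` calls in the following hunks, and for CERT_NAME, CERT_IP and TFA_NAME in the replacement text of the last one. Since index.txt serials are hexadecimal, validating once after the `CERT_SERIAL=$2` assignment covers every use: `[[ $CERT_SERIAL =~ ^[0-9A-Fa-f]+$ ]] || { echo "Invalid certificate serial: $CERT_SERIAL" >&2; exit 1; }`. `$INDEX` should also be quoted in these sed calls. The enclosing if block starts before this hunk and ends after it.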
@@ -33,7 +39,7 @@ if [[ $(cat $INDEX | grep -c "/CN=$CERT_NAME/") -eq 2 ]]; then
echo -e "Old certificate revoked! \nRemoving old cert from the DB"
# Removing old cert from the DB
- sed -i'.bak' "/${CERT_SERIAL}/d" $INDEX
+ sed -i'.bak' "/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/d" $INDEX
echo "Old cert with serial $CERT_SERIAL removed from the DB"
# removing *.ovpn file because it has old certificate
@@ -69,7 +75,7 @@ $TLS_AUTH
mv $EASY_RSA/pki/renewed/issued/$CERT_NAME.crt $EASY_RSA/pki/issued/$CERT_NAME.crt
rm -f $EASY_RSA/pki/inline/$CERT_NAME.inline
# Removing old cert from the DB
- sed -i'.bak' "/${CERT_SERIAL}/d" $INDEX
+ sed -i'.bak' "/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/d" $INDEX
# Create new Create certificate revocation list (CRL)
echo -e "New Certificate revoked!\nCreate new certificate revocation list (CRL)..."
./easyrsa gen-crl
@@ -78,7 +84,7 @@ $TLS_AUTH
else
echo "Revoking certificate..."
# removing the end of the line starting from /name=$NAME for the line that matches the $serial pattern
- sed -i'.bak' "/$CERT_SERIAL/s/\/name=$CERT_NAME.*//" $INDEX
+ sed -i'.bak' "/${SERIAL_REGEX_PREFIX}$CERT_SERIAL/ ${STRIP_DETAILS_SED}" $INDEX
cd $EASY_RSA
# Revoke certificate
./easyrsa revoke "$CERT_NAME"
@@ -89,7 +95,7 @@ else
# restoring the index.txt, new /name in index.txt (adding name and ip to the last line)
#sed -i'.bak' "$ s/$/\/name=${CERT_NAME}\/LocalIP=${CERT_IP}\/2FAName=${TFA_NAME}/" $EASY_RSA/pki/index.txt
# adding name, ip and 2fa-name to the same CERT serial
- sed -i'.bak' "/${CERT_SERIAL}/ s/$/\/name=${CERT_NAME}\/LocalIP=${CERT_IP}\/2FAName=${TFA_NAME}/" $EASY_RSA/pki/index.txt
+ sed -i'.bak' "/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/ s/$/\/name=${CERT_NAME}\/LocalIP=${CERT_IP}\/2FAName=${TFA_NAME}/" $EASY_RSA/pki/index.txt
fi
echo -e 'Done!\nIf you want to disconnect the user please restart the service using docker-compose restart openvpn.'
diff --git a/lib/certificates.go b/lib/certificates.go
index d3338fea..827b9bf3 100644
--- a/lib/certificates.go
+++ b/lib/certificates.go
@@ -53,10 +53,19 @@ func ReadCerts(path string) ([]*Cert, error) {
fmt.Errorf("incorrect number of lines in line: \n%s\n. Expected %d, found %d",
line, 6, len(fields))
}
- expT, _ := time.Parse("060102150405Z", fields[1])
+ layout := "060102150405Z"
+ if len(fields[1]) == len(layout) + 2 {
+ layout = "20060102150405Z"
+ }
+ expT, _ := time.Parse(layout, fields[1])
expTA := time.Now().AddDate(0, 0, 30).After(expT) // If cer will expire in 30 days, raise this flag
//logs.Debug("ExpirationT: %v, IsExpiring: %v", expT, expTA) // logging
- revT, _ := time.Parse("060102150405Z", fields[2])
+
+ layout = "060102150405Z"
+ if len(fields[1]) == len(layout) + 2 {
+ layout = "20060102150405Z"
+ }
+ revT, _ := time.Parse(layout, fields[2])
c := &Cert{
EntryType: fields[0],
Expiration: fields[1],
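Review bot: The layout check before `revT` tests `len(fields[1])` instead of `len(fields[2])`, so when the revocation timestamp's year width differs from the expiration's it is parsed with the wrong layout, and because the error is discarded `revT` silently becomes the zero time. The selection logic is now written out twice, so factoring it into a small helper fixes the copy-paste and removes the duplication; gofmt would also write `len(layout)+2`. For entries that are not revoked fields[2] is presumably empty and time.Parse fails either way — that predates this change, but the helper is the natural place to document that callers get the zero time. ReadCerts starts before and ends after this hunk.
```go
// parseIndexTime parses an index.txt timestamp, accepting both the
// two-digit-year (YYMMDDHHMMSSZ) and four-digit-year (YYYYMMDDHHMMSSZ)
// forms. On error it returns the zero time, like time.Parse.
func parseIndexTime(s string) (time.Time, error) {
	layout := "060102150405Z"
	if len(s) == len(layout)+2 {
		layout = "20060102150405Z"
	}
	return time.Parse(layout, s)
}

// … inside ReadCerts, unchanged: field-count check …
expT, _ := parseIndexTime(fields[1])
expTA := time.Now().AddDate(0, 0, 30).After(expT) // If cer will expire in 30 days, raise this flag
revT, _ := parseIndexTime(fields[2])
// … unchanged: Cert construction …
```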