
OpenSSL can generate timestamps in index.txt with 4 digits for the year… #91


Open
wants to merge 2 commits into
base: main
20 changes: 13 additions & 7 deletions build/assets/genclient.sh
Expand Up @@ -38,7 +38,10 @@ cd $EASY_RSA
# Generate certificates
if [[ -z $CERT_PASS ]]; then
echo 'Without password...'
./easyrsa --batch --req-cn="$CERT_NAME" --days="$EASYRSA_CERT_EXPIRE" --req-email="$EASYRSA_REQ_EMAIL" gen-req "$CERT_NAME" nopass subject="/C=$EASYRSA_REQ_COUNTRY/ST=$EASYRSA_REQ_PROVINCE/L=\"$EASYRSA_REQ_CITY\"/O=\"$EASYRSA_REQ_ORG\"/OU=\"$EASYRSA_REQ_OU\""
./easyrsa --batch --req-cn="$CERT_NAME" --days="$EASYRSA_CERT_EXPIRE" --req-email="$EASYRSA_REQ_EMAIL" gen-req "$CERT_NAME" nopass

# this is not passed on the command line, it's set form variables
# subject="/C=$EASYRSA_REQ_COUNTRY/ST=$EASYRSA_REQ_PROVINCE/L=\"$EASYRSA_REQ_CITY\"/O=\"$EASYRSA_REQ_ORG\"/OU=\"$EASYRSA_REQ_OU\""
else
echo 'With password...'
# See https://stackoverflow.com/questions/4294689/how-to-generate-an-openssl-key-using-a-passphrase-from-the-command-line
Expand All @@ -64,7 +67,13 @@ tail -1 $EASY_RSA/pki/index.txt
CA="$(cat $EASY_RSA/pki/ca.crt )"
CERT="$(awk '/-----BEGIN CERTIFICATE-----/{flag=1;next}/-----END CERTIFICATE-----/{flag=0}flag' ./pki/issued/${CERT_NAME}.crt | tr -d '\0')"
KEY="$(cat $EASY_RSA/pki/private/${CERT_NAME}.key)"
TLS_AUTH="$(cat $EASY_RSA/pki/ta.key)"
TLS_AUTH=""
if [ -s $EASY_RSA/pki/ta.key ]; then
TLS_AUTH="
<tls-auth>
$(cat $EASY_RSA/pki/ta.key)
</tls-auth>"
fi

echo 'Fixing permissions for pki/issued...'
chmod +r $EASY_RSA/pki/issued
Expand All @@ -79,10 +88,7 @@ $CERT
</cert>
<key>
$KEY
</key>
<tls-auth>
$TLS_AUTH
</tls-auth>
</key>$TLS_AUTH
" > "$OVPN_FILE_PATH"

echo -e "OpenVPN Client configuration successfully generated!\nCheckout openvpn-server/clients/$CERT_NAME.ovpn"
Expand Down Expand Up @@ -113,4 +119,4 @@ if [[ ! -z $TFA_NAME ]] && [[ $TFA_NAME != "none" ]]; then
else
echo 'No 2FA specified. exiting'

fi
fi
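Review bot: The new `if [ -s $EASY_RSA/pki/ta.key ]` test leaves the path unquoted and, when ta.key is absent, silently writes a client profile with no `<tls-auth>` block, so a missing or misplaced key is only noticed when the client fails to connect — or, if the server happens not to enforce tls-auth, never. Quote the path and warn on the fallback: `if [[ -s "$EASY_RSA/pki/ta.key" ]]; then` … `else echo "Warning: $EASY_RSA/pki/ta.key not found; profile written without tls-auth" >&2; fi`. An inline `<tls-auth>` block also needs a matching `key-direction` directive in the profile, which is not visible in this section, so confirm it is set elsewhere in the template. The commented-out `subject=` line and its comment (`set form variables`) are dead code now that the argument is gone; drop them, or at least fix the typo to `from`. The `echo` that writes the profile begins above the third hunk.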
18 changes: 12 additions & 6 deletions build/assets/revoke.sh
Expand Up @@ -8,11 +8,17 @@ CERT_NAME=$1
CERT_SERIAL=$2
EASY_RSA=$(grep -E "^EasyRsaPath\s*=" ../openvpn-ui/conf/app.conf | cut -d= -f2 | tr -d '"' | tr -d '[:space:]')
OPENVPN_DIR=$(grep -E "^OpenVpnPath\s*=" ../openvpn-ui/conf/app.conf | cut -d= -f2 | tr -d '"' | tr -d '[:space:]')
echo 'EasyRSA path: $EASY_RSA OVPN path: $OPENVPN_DIR'
echo "EasyRSA path: $EASY_RSA OVPN path: $OPENVPN_DIR"
INDEX=$EASY_RSA/pki/index.txt
PERSHIY=`cat $INDEX | grep "/CN=$CERT_NAME/" | head -1 | awk '{ print $3}'`
OVPN_FILE_PATH="$OPENVPN_DIR/clients/$CERT_NAME.ovpn"

COLUMN_REGEX='[^\t]*\t'
SERIAL_REGEX_PREFIX="${COLUMN_REGEX}${COLUMN_REGEX}${COLUMN_REGEX}"

# find the /CN=name part and everything after that, and just replace it with the /CN=name part only
STRIP_DETAILS_SED='s/\/CN=\(\w\+\).*/\/CN=\1/'

export EASYRSA_BATCH=1 # see https://superuser.com/questions/1331293/easy-rsa-v3-execute-build-ca-and-gen-req-silently

# Check if the user has two certificates in index.txt
Expand All @@ -22,7 +28,7 @@ if [[ $(cat $INDEX | grep -c "/CN=$CERT_NAME/") -eq 2 ]]; then
echo "Revoking renewed certificate..."

# removing the end of the line starting from /name=$NAME for the line that matches the $serial pattern
sed -i'.bak' "/$CERT_SERIAL/s/\/name=$CERT_NAME.*//" $INDEX
sed -i'.bak' "/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/ ${STRIP_DETAILS_SED}" $INDEX
echo "index.txt patched"
cd $EASY_RSA

Expand All @@ -33,7 +39,7 @@ if [[ $(cat $INDEX | grep -c "/CN=$CERT_NAME/") -eq 2 ]]; then
echo -e "Old certificate revoked! \nRemoving old cert from the DB"

# Removing old cert from the DB
sed -i'.bak' "/${CERT_SERIAL}/d" $INDEX
sed -i'.bak' "/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/d" $INDEX
echo "Old cert with serial $CERT_SERIAL removed from the DB"

# removing *.ovpn file because it has old certificate
Expand Down Expand Up @@ -69,7 +75,7 @@ $TLS_AUTH
mv $EASY_RSA/pki/renewed/issued/$CERT_NAME.crt $EASY_RSA/pki/issued/$CERT_NAME.crt
rm -f $EASY_RSA/pki/inline/$CERT_NAME.inline
# Removing old cert from the DB
sed -i'.bak' "/${CERT_SERIAL}/d" $INDEX
sed -i'.bak' "/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/d" $INDEX
# Create new Create certificate revocation list (CRL)
echo -e "New Certificate revoked!\nCreate new certificate revocation list (CRL)..."
./easyrsa gen-crl
Expand All @@ -78,7 +84,7 @@ $TLS_AUTH
else
echo "Revoking certificate..."
# removing the end of the line starting from /name=$NAME for the line that matches the $serial pattern
sed -i'.bak' "/$CERT_SERIAL/s/\/name=$CERT_NAME.*//" $INDEX
sed -i'.bak' "/${SERIAL_REGEX_PREFIX}$CERT_SERIAL/ ${STRIP_DETAILS_SED}" $INDEX
cd $EASY_RSA
# Revoke certificate
./easyrsa revoke "$CERT_NAME"
Expand All @@ -89,7 +95,7 @@ else
# restoring the index.txt, new /name in index.txt (adding name and ip to the last line)
#sed -i'.bak' "$ s/$/\/name=${CERT_NAME}\/LocalIP=${CERT_IP}\/2FAName=${TFA_NAME}/" $EASY_RSA/pki/index.txt
# adding name, ip and 2fa-name to the same CERT serial
sed -i'.bak' "/${CERT_SERIAL}/ s/$/\/name=${CERT_NAME}\/LocalIP=${CERT_IP}\/2FAName=${TFA_NAME}/" $EASY_RSA/pki/index.txt
sed -i'.bak' "/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}/ s/$/\/name=${CERT_NAME}\/LocalIP=${CERT_IP}\/2FAName=${TFA_NAME}/" $EASY_RSA/pki/index.txt
fi

echo -e 'Done!\nIf you want to disconnect the user please restart the service using docker-compose restart openvpn.'
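Review bot: `SERIAL_REGEX_PREFIX` is not anchored to the start of the line and `$CERT_SERIAL` is not terminated, so the three `[^\t]*\t` columns can also start at a later field and match the serial as a substring of the filename or subject column, or match a longer serial that merely begins with `$CERT_SERIAL`. Anchor both ends: `SERIAL_REGEX_PREFIX="^${COLUMN_REGEX}${COLUMN_REGEX}${COLUMN_REGEX}"` and append `\t` after the serial in each address, e.g. `"/${SERIAL_REGEX_PREFIX}${CERT_SERIAL}\t/d"`. Because `$CERT_SERIAL` (taken from `$2`) is interpolated into sed addresses that delete lines from the CA database, validate it before use — `[[ $CERT_SERIAL =~ ^[0-9A-Fa-f]+$ ]] || { echo "invalid serial" >&2; exit 1; }` — so a value containing `/`, `.` or `*` cannot widen the match. `\t` inside a bracket expression and `\w\+` in `STRIP_DETAILS_SED` are GNU sed extensions; if the container ships BusyBox sed, `[^[:blank:]]*[[:blank:]]` is the portable spelling to confirm against. The if/else that uses these patterns begins above the first hunk.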
13 changes: 11 additions & 2 deletions lib/certificates.go
Expand Up @@ -53,10 +53,19 @@ func ReadCerts(path string) ([]*Cert, error) {
fmt.Errorf("incorrect number of lines in line: \n%s\n. Expected %d, found %d",
line, 6, len(fields))
}
expT, _ := time.Parse("060102150405Z", fields[1])
layout := "060102150405Z"
if len(fields[1]) == len(layout) + 2 {
layout = "20060102150405Z"
}
expT, _ := time.Parse(layout, fields[1])
expTA := time.Now().AddDate(0, 0, 30).After(expT) // If cer will expire in 30 days, raise this flag
//logs.Debug("ExpirationT: %v, IsExpiring: %v", expT, expTA) // logging
revT, _ := time.Parse("060102150405Z", fields[2])

layout = "060102150405Z"
if len(fields[1]) == len(layout) + 2 {
layout = "20060102150405Z"
}
revT, _ := time.Parse(layout, fields[2])
c := &Cert{
EntryType: fields[0],
Expiration: fields[1],
Expand Down
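Review bot: The layout check for the revocation date, `if len(fields[1]) == len(layout) + 2`, inspects the expiration field instead of `fields[2]`, so when the two timestamps were written in different formats (expiration at issue time, revocation later, possibly by a different OpenSSL build) the revocation date is parsed with the wrong layout and silently becomes the zero time, since the `time.Parse` error is discarded. The minimal fix is `if len(fields[2]) == len(layout) + 2 {`; a cleaner one is a small helper that tries the four-digit layout and falls back to the two-digit one — the 13- and 15-character forms cannot satisfy each other's layout, so there is no ambiguity — which also removes the duplicated length arithmetic. Note that for non-revoked entries `fields[2]` is empty and parsing yields the zero time either way, so callers relying on `revT.IsZero()` are unaffected. `ReadCerts` begins and ends outside this hunk.
```go
// parseIndexTime parses an index.txt timestamp, which OpenSSL writes with
// either a two-digit (YYMMDDHHMMSSZ) or a four-digit (YYYYMMDDHHMMSSZ) year.
// The two layouts differ in length, so neither can accept the other's input.
func parseIndexTime(s string) (time.Time, error) {
	if t, err := time.Parse("20060102150405Z", s); err == nil {
		return t, nil
	}
	return time.Parse("060102150405Z", s)
}

// … inside ReadCerts, unchanged: field-count check …
expT, _ := parseIndexTime(fields[1]) // unparsable → zero time, which is flagged as expiring below
expTA := time.Now().AddDate(0, 0, 30).After(expT) // If cer will expire in 30 days, raise this flag
revT, _ := parseIndexTime(fields[2]) // empty for non-revoked entries → zero time
// … unchanged: Cert construction …
```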