CRL updater: Update script for OpenVPN CRL

  Update script for OpenVPNs CRL has been integrated cause OpenVPN refactors the CRL handling since v.2.4.0 .
    Script checks the next update field from the CRL and executes an update two days before it expires.
    Script is placed under fcron.daily for daily checks.
    OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 .

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
 lfs/openvpn                     |  4 ++++
 2 files changed, 57 insertions(+)
 create mode 100644 config/ovpn/ovpn_crl_updater.sh
  

Hi,

thanks for working on this.

On Fri, 2018-02-02 at 07:34 +0100, Erik Kapfer wrote:
> Update script for OpenVPNs CRL has been integrated cause OpenVPN refactors the CRL handling since v.2.4.0 .
>     Script checks the next update field from the CRL and executes an update two days before it expires.
>     Script is placed under fcron.daily for daily checks.
>     OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 .
> 
> Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
> ---
>  config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
>  lfs/openvpn                     |  4 ++++
>  2 files changed, 57 insertions(+)
>  create mode 100644 config/ovpn/ovpn_crl_updater.sh
> 
> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
> new file mode 100644
> index 0000000..309edc2
> --- /dev/null
> +++ b/config/ovpn/ovpn_crl_updater.sh
> @@ -0,0 +1,53 @@
> +#!/bin/bash

The file needs a GPL header here or what ever license you choose this
will be.

> +
> +#
> +# Script Name: ovpn_crl_updater.sh
> +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed,
> +#     which prevents the expiration of OpenVPNs CRL.
> +#     With OpenVPN 2.4.x the CRL handling has been refactored,
> +#     whereby the verification logic has been removed from ssl_verify_<backend>.c .
> +#     See for more infos:
> +#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
> +#
> +# Run Information: If OpenVPNs CRL is presant, 
> +#     this script provides a cronjob which checks daily if an update of the CRL is needed.
> +#     If the expiring date reaches the value (defined in the 'UPDATE' variable in days)
> +#     before the CRL expiration, an openssl command will be executed to renew the CRL.
> +#     The renewing of the CRL will be logged into /var/log/messages.
> +# 
> +# Author: Erik Kapfer
> +#
> +# Date: 17.01.2018
> +#
> +###############################################################################################
> +
> +# Check if OpenVPN is active or if the CRL is presant
> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
> +	exit 0;
> +fi
> +
> +## Paths
> +OVPN="/var/ipfire/ovpn";
> +CRL="${OVPN}/crls/cacrl.pem";
> +CAKEY="${OVPN}/ca/cakey.pem";
> +CACERT="${OVPN}/ca/cacert.pem";
> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";

You may use some empty lines here to make the coder easier to read.

> +## Values
> +# CRL check for the the 'Next Update:' in seconds
> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";

Complicated command. Can we break this down a little bit? Code doesn't
necessarily run faster when everything is just one line, but it will be
way easier to understand.

> +# Day in seconds to calculate
> +DAYINSEC="86400";

No ; needed here and everywhere else...

It's shell, not C.

> +# Convert seconds to days
> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
> +# Update of the CRL in days before CRL expiring date
> +UPDATE="2";

I think we should update every 14 days if the usual expiry time is 30.
Therefore we will never get too close by accident.

> +# Check if OpenVPNs CRL needs to be renewed
> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
> +	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
> +	logger -t openssl "OpenVPN CRL has been renewed";
> +fi

You don't need the quotes around the integer comparison.

Should we catch any errors of the openssl command?

I think the logging tag should rather be openvpn instead of openssl.

> +
> +exit 0
> +
> +# EOF
> diff --git a/lfs/openvpn b/lfs/openvpn
> index a925f78..1e1ddc2 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>  	chown root:root /usr/lib/openvpn/verify
>  	chmod 755 /usr/lib/openvpn/verify
> +	# Add crl updater
> +	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
> +	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
> +	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh

Can we rename the script to openvpn-crl-updater?
>  
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)

Apart from that this looks good. Just minor stuff.

Best,
-Michael
  

Hi Michael,
thanks for your feedback.

Am 02.02.2018 um 11:51 schrieb Michael Tremer:

> Hi,
> 
> thanks for working on this.
> 
> On Fri, 2018-02-02 at 07:34 +0100, Erik Kapfer wrote:
>> Update script for OpenVPNs CRL has been integrated cause OpenVPN refactors the CRL handling since v.2.4.0 .
>>    Script checks the next update field from the CRL and executes an update two days before it expires.
>>    Script is placed under fcron.daily for daily checks.
>>    OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 .
>> 
>> Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
>> ---
>> config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
>> lfs/openvpn                     |  4 ++++
>> 2 files changed, 57 insertions(+)
>> create mode 100644 config/ovpn/ovpn_crl_updater.sh
>> 
>> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
>> new file mode 100644
>> index 0000000..309edc2
>> --- /dev/null
>> +++ b/config/ovpn/ovpn_crl_updater.sh
>> @@ -0,0 +1,53 @@
>> +#!/bin/bash
> 
> The file needs a GPL header here or what ever license you choose this
> will be.

OK, I think i would use then GPL 3 like IPFire.

> 
>> +
>> +#
>> +# Script Name: ovpn_crl_updater.sh
>> +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed,
>> +#     which prevents the expiration of OpenVPNs CRL.
>> +#     With OpenVPN 2.4.x the CRL handling has been refactored,
>> +#     whereby the verification logic has been removed from ssl_verify_<backend>.c .
>> +#     See for more infos:
>> +#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
>> +#
>> +# Run Information: If OpenVPNs CRL is presant, 
>> +#     this script provides a cronjob which checks daily if an update of the CRL is needed.
>> +#     If the expiring date reaches the value (defined in the 'UPDATE' variable in days)
>> +#     before the CRL expiration, an openssl command will be executed to renew the CRL.
>> +#     The renewing of the CRL will be logged into /var/log/messages.
>> +# 
>> +# Author: Erik Kapfer
>> +#
>> +# Date: 17.01.2018
>> +#
>> +###############################################################################################
>> +
>> +# Check if OpenVPN is active or if the CRL is presant
>> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
>> +	exit 0;
>> +fi
>> +
>> +## Paths
>> +OVPN="/var/ipfire/ovpn";
>> +CRL="${OVPN}/crls/cacrl.pem";
>> +CAKEY="${OVPN}/ca/cakey.pem";
>> +CACERT="${OVPN}/ca/cacert.pem";
>> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
> 
> You may use some empty lines here to make the coder easier to read.

Done.

> 
>> +## Values
>> +# CRL check for the the 'Next Update:' in seconds
>> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
> 
> Complicated command. Can we break this down a little bit? Code doesn't
> necessarily run faster when everything is just one line, but it will be
> way easier to understand.

Done.

> 
>> +# Day in seconds to calculate
>> +DAYINSEC="86400";
> 
> No ; needed here and everywhere else...
> 
> It's shell, not C.

OK :-) done 

> 
>> +# Convert seconds to days
>> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
>> +# Update of the CRL in days before CRL expiring date
>> +UPDATE="2";
> 
> I think we should update every 14 days if the usual expiry time is 30.
> Therefore we will never get too close by accident.

So i would need then an frcontab entry and another location for the script since the fcron directories provides only daily, weekly and monthly.
Another possibility might  be a weekly check so we can use the fcron directories ?

> 
>> +# Check if OpenVPNs CRL needs to be renewed
>> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
>> +	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
>> +	logger -t openssl "OpenVPN CRL has been renewed";
>> +fi
> 
> You don't need the quotes around the integer comparison.

Done

> 
> Should we catch any errors of the openssl command?

OK i would then use may a '2>&1 | logger -i -t openvpn' instead so we get an OpenSSL command output in messages if the CRL has been renewed.

> 
> I think the logging tag should rather be openvpn instead of openssl.

Done.

> 
>> +
>> +exit 0
>> +
>> +# EOF
>> diff --git a/lfs/openvpn b/lfs/openvpn
>> index a925f78..1e1ddc2 100644
>> --- a/lfs/openvpn
>> +++ b/lfs/openvpn
>> @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>> 	chown root:root /usr/lib/openvpn/verify
>> 	chmod 755 /usr/lib/openvpn/verify
>> +	# Add crl updater
>> +	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
>> +	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
>> +	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
> 
> Can we rename the script to openvpn-crl-updater?

Done.

>> 
>> 	@rm -rf $(DIR_APP)
>> 	@$(POSTBUILD)
> 
> Apart from that this looks good. Just minor stuff.

Great that you looked over it.

> 
> Best,
> -Michael

Greetings,

Erik
  

Hello Michael,
some thoughts causing two quested points


>>> +# Convert seconds to days
>>> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
>>> +# Update of the CRL in days before CRL expiring date
>>> +UPDATE="2";
>> 
>> I think we should update every 14 days if the usual expiry time is 30.
>> Therefore we will never get too close by accident.
> 
> So i would need then an frcontab entry and another location for the script since the fcron directories provides only daily, weekly and monthly.
> Another possibility might  be a weekly check so we can use the fcron directories ?

In case machines are off while the script performs his weekly check (no 24/7er) the next check will be made one/two week(s) later which might be a long time if you do not know where the problem is.
I would do make there possibly a daily check and would also set the UPDATE to a week or 5 days instead of the current 2 before expiration date so more days can be grabbed even the check should be a fast one.


>> Should we catch any errors of the openssl command?
> 
> OK i would then use may a '2>&1 | logger -i -t openvpn' instead so we get an OpenSSL command output in messages if the CRL has been renewed.

Have here two possibilities. 

1)
in error case:
Feb  3 17:56:03 ipfire-server crl_updater[18986]: /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file or directory

if successful:
Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf

which equals to the OpenSSL command output ( 2>&1 | logger ). 

or 2)

in error case:
Feb  2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL update failed

if successful:
Feb  2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL has been updated

if else query echo´s a defined message so search string like failed or updated can also be logged ?


Otherwise all other quested changes has been made and are ready so far, might be nice to push the remaining CGI changes soon i think :-) .

Greetings,

Erik
  

Hi,

On Sat, 2018-02-03 at 21:20 +0100, ummeegge wrote:
> Hello Michael,
> some thoughts causing two quested points
> 
> 
> > > > +# Convert seconds to days
> > > > +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
> > > > +# Update of the CRL in days before CRL expiring date
> > > > +UPDATE="2";
> > > 
> > > I think we should update every 14 days if the usual expiry time is 30.
> > > Therefore we will never get too close by accident.
> > 
> > So i would need then an frcontab entry and another location for the script
> > since the fcron directories provides only daily, weekly and monthly.
> > Another possibility might  be a weekly check so we can use the fcron
> > directories ?
> 
> In case machines are off while the script performs his weekly check (no
> 24/7er) the next check will be made one/two week(s) later which might be a
> long time if you do not know where the problem is.
> I would do make there possibly a daily check and would also set the UPDATE to
> a week or 5 days instead of the current 2 before expiration date so more days
> can be grabbed even the check should be a fast one.

Cron will take care of this. It will automatically perform the cron jobs a
little while after the system has been booted and when the cron jobs should have
been executed while it was shut down.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561f4a2
43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13

It's the "bootrun" argument there.

> 
> 
> > > Should we catch any errors of the openssl command?
> > 
> > OK i would then use may a '2>&1 | logger -i -t openvpn' instead so we get an
> > OpenSSL command output in messages if the CRL has been renewed.
> 
> Have here two possibilities. 
> 
> 1)
> in error case:
> Feb  3 17:56:03 ipfire-server crl_updater[18986]:
> /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file
> or directory

Don't put the path in. Calling "openssl" should be fine.

> if successful:
> Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
> /var/ipfire/ovpn/openssl/ovpn.cnf
> 
> which equals to the OpenSSL command output ( 2>&1 | logger ). 

Do we need to log the output of OpenSSL? A line that says something like "Could
not update the OpenVPN CA CRL" should do, shouldn't it? People should run the
script themselves then and see what is going wrong.

> 
> or 2)
> 
> in error case:
> Feb  2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh -
> CRL update failed
> 
> if successful:
> Feb  2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh -
> CRL has been updated
> 
> if else query echo´s a defined message so search string like failed or updated
> can also be logged ?
> 
> 
> Otherwise all other quested changes has been made and are ready so far, might
> be nice to push the remaining CGI changes soon i think :-) .

Cool.

Let me know if I can be of any more help.

Best,
-Michael

> 
> Greetings,
> 
> Erik
  

Hello,

>> In case machines are off while the script performs his weekly check (no
>> 24/7er) the next check will be made one/two week(s) later which might be a
>> long time if you do not know where the problem is.
>> I would do make there possibly a daily check and would also set the UPDATE to
>> a week or 5 days instead of the current 2 before expiration date so more days
>> can be grabbed even the check should be a fast one.
> 
> Cron will take care of this. It will automatically perform the cron jobs a
> little while after the system has been booted and when the cron jobs should have
> been executed while it was shut down.
> 
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561f4a2
> 43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
> 
> It's the "bootrun" argument there.

Thanks for clarification haven´t had that in mind. Will deliver the updater then to 'frcon.weekly'. Will also set the update before expiration interval to 10 days before, 8 might be also OK for a weekly cronjob but possibly better to have 2 days + ?!

>> if successful:
>> Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
>> /var/ipfire/ovpn/openssl/ovpn.cnf
>> 
>> which equals to the OpenSSL command output ( 2>&1 | logger ). 
> 
> Do we need to log the output of OpenSSL? A line that says something like "Could
> not update the OpenVPN CA CRL" should do, shouldn't it? People should run the
> script themselves then and see what is going wrong.

No i don´t think so, lines in messages looks even better then. Did that now like you suggested.

>> Otherwise all other quested changes has been made and are ready so far, might
>> be nice to push the remaining CGI changes soon i think :-) .
> 
> Cool.
> 
> Let me know if I can be of any more help.

Great thanks for your offer and your help. If there is no veto for the above changes i will deliver the patch today in the evening.

Have also fetched the actual openssl-11 branch with all needed changes, thanks for keeping this up to date :-) .

All the best,

Erik
  

Hi,

On Tue, 2018-02-06 at 10:24 +0100, ummeegge wrote:
> Hello,
> 
> > > In case machines are off while the script performs his weekly check (no
> > > 24/7er) the next check will be made one/two week(s) later which might be a
> > > long time if you do not know where the problem is.
> > > I would do make there possibly a daily check and would also set the UPDATE
> > > to
> > > a week or 5 days instead of the current 2 before expiration date so more
> > > days
> > > can be grabbed even the check should be a fast one.
> > 
> > Cron will take care of this. It will automatically perform the cron jobs a
> > little while after the system has been booted and when the cron jobs should
> > have
> > been executed while it was shut down.
> > 
> > https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561
> > f4a2
> > 43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
> > 
> > It's the "bootrun" argument there.
> 
> Thanks for clarification haven´t had that in mind. Will deliver the updater
> then to 'frcon.weekly'. Will also set the update before expiration interval to
> 10 days before, 8 might be also OK for a weekly cronjob but possibly better to
> have 2 days + ?!

I think daily is better. That makes things more predictable and it does not hurt
to renew every 14 days to never get close to the expiration date.

> 
> > > if successful:
> > > Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
> > > /var/ipfire/ovpn/openssl/ovpn.cnf
> > > 
> > > which equals to the OpenSSL command output ( 2>&1 | logger ). 
> > 
> > Do we need to log the output of OpenSSL? A line that says something like
> > "Could
> > not update the OpenVPN CA CRL" should do, shouldn't it? People should run
> > the
> > script themselves then and see what is going wrong.
> 
> No i don´t think so, lines in messages looks even better then. Did that now
> like you suggested.
> 
> > > Otherwise all other quested changes has been made and are ready so far,
> > > might
> > > be nice to push the remaining CGI changes soon i think :-) .
> > 
> > Cool.
> > 
> > Let me know if I can be of any more help.
> 
> Great thanks for your offer and your help. If there is no veto for the above
> changes i will deliver the patch today in the evening.
> 
> Have also fetched the actual openssl-11 branch with all needed changes, thanks
> for keeping this up to date :-) .
> 
> All the best,
> 
> Erik
> 

-Michael