From patchwork Wed Feb 22 12:25:33 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 6605
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4PMFjx6kT2z3x1v
	for <patchwork@web04.haj.ipfire.org>; Wed, 22 Feb 2023 12:25:41 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4PMFjv3gMHz3kg;
	Wed, 22 Feb 2023 12:25:39 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4PMFjv0Wtpz301h;
	Wed, 22 Feb 2023 12:25:39 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384))
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4PMFjs4lQFz2xR7
 for <development@lists.ipfire.org>; Wed, 22 Feb 2023 12:25:37 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
 client-signature ECDSA (P-384) client-digest SHA384)
 (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail01.ipfire.org (Postfix) with ESMTPS id 4PMFjs09j8zkG;
 Wed, 22 Feb 2023 12:25:37 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
 id 4PMFjr59zlzVc6h; Wed, 22 Feb 2023 12:25:36 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 1/2] OpenVPN: Show indication when OpenVPN certificates expire
Date: Wed, 22 Feb 2023 12:25:33 +0000
Message-Id: <20230222122534.259972-1-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

This will help with #11742 - OpenVPN: No method to replace expired
certificates.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
---
 doc/language_issues.en    |  2 ++
 doc/language_issues.es    |  2 ++
 doc/language_issues.fr    |  2 ++
 doc/language_issues.it    |  2 ++
 doc/language_issues.nl    |  2 ++
 doc/language_issues.pl    |  2 ++
 doc/language_issues.ru    |  2 ++
 doc/language_issues.tr    |  2 ++
 doc/language_missings     | 14 +++++++++++
 html/cgi-bin/ovpnmain.cgi | 51 +++++++++++++++++++++++++--------------
 langs/de/cgi-bin/de.pl    |  2 ++
 langs/en/cgi-bin/en.pl    |  2 ++
 12 files changed, 67 insertions(+), 18 deletions(-)

diff --git a/doc/language_issues.en b/doc/language_issues.en
index c29e3bed6..474921415 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1413,6 +1413,8 @@ WARNING: untranslated string: only digits allowed in max retries field = Only di
 WARNING: untranslated string: only digits allowed in the idle timeout = Only digits allowed in the idle timeout.
 WARNING: untranslated string: open connections = Open Connections
 WARNING: untranslated string: openssl produced an error = OpenSSL produced an error
+WARNING: untranslated string: openvpn cert expires soon = Expires Soon
+WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: openvpn client = OpenVPN client
 WARNING: untranslated string: openvpn default = Default
 WARNING: untranslated string: openvpn destination port used = The destination port is already used by another OpenVPN server.
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 0bd390d5d..91240dbe6 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -980,6 +980,8 @@ WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilitie
 WARNING: untranslated string: info messages = unknown string
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: no data = unknown string
+WARNING: untranslated string: openvpn cert expires soon = Expires Soon
+WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: pakfire ago = ago.
 WARNING: untranslated string: route config changed = unknown string
 WARNING: untranslated string: routing config added = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 56d69d86e..f70cda819 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -946,6 +946,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: openvpn cert expires soon = Expires Soon
+WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: pakfire ago = ago.
 WARNING: untranslated string: retbleed = Retbleed
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 9999f947c..cfde3f8e4 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1174,6 +1174,8 @@ WARNING: untranslated string: one month = One Month
 WARNING: untranslated string: one week = One Week
 WARNING: untranslated string: one year = One Year
 WARNING: untranslated string: open connections = Open Connections
+WARNING: untranslated string: openvpn cert expires soon = Expires Soon
+WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: optional = Optional
 WARNING: untranslated string: otp qrcode = OTP QRCode
 WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 14a7b420e..738d7c706 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1197,6 +1197,8 @@ WARNING: untranslated string: one month = One Month
 WARNING: untranslated string: one week = One Week
 WARNING: untranslated string: one year = One Year
 WARNING: untranslated string: open connections = Open Connections
+WARNING: untranslated string: openvpn cert expires soon = Expires Soon
+WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: optional = Optional
 WARNING: untranslated string: otp qrcode = OTP QRCode
 WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index a53a208d9..ab21f1381 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1355,6 +1355,8 @@ WARNING: untranslated string: one month = One Month
 WARNING: untranslated string: one week = One Week
 WARNING: untranslated string: one year = One Year
 WARNING: untranslated string: open connections = Open Connections
+WARNING: untranslated string: openvpn cert expires soon = Expires Soon
+WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: openvpn default = Default
 WARNING: untranslated string: openvpn destination port used = The destination port is already used by another OpenVPN server.
 WARNING: untranslated string: openvpn fragment allowed with udp = Using fragment is only allowed when using the UDP protocol.
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index c5dc1aa61..6b2622f26 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1353,6 +1353,8 @@ WARNING: untranslated string: one month = One Month
 WARNING: untranslated string: one week = One Week
 WARNING: untranslated string: one year = One Year
 WARNING: untranslated string: open connections = Open Connections
+WARNING: untranslated string: openvpn cert expires soon = Expires Soon
+WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: openvpn default = Default
 WARNING: untranslated string: openvpn destination port used = The destination port is already used by another OpenVPN server.
 WARNING: untranslated string: openvpn fragment allowed with udp = Using fragment is only allowed when using the UDP protocol.
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 552082a96..6b86ebc7e 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1091,6 +1091,8 @@ WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: not affected = Not Affected
 WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: open connections = Open Connections
+WARNING: untranslated string: openvpn cert expires soon = Expires Soon
+WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: optional = Optional
 WARNING: untranslated string: otp qrcode = OTP QRCode
 WARNING: untranslated string: ovpn connection name = Connection Name
diff --git a/doc/language_missings b/doc/language_missings
index 65d38b422..934c5a60c 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -105,6 +105,8 @@
 < dns servers
 < hardware vulnerabilities
 < invalid ip or hostname
+< openvpn cert expires soon
+< openvpn cert has expired
 < service boot setting unavailable
 < transport mode does not support vti
 < wlanap
@@ -127,6 +129,8 @@
 < retbleed
 < service boot setting unavailable
 < show dh
+< openvpn cert expires soon
+< openvpn cert has expired
 < upload fcdsl.o
 ############################################################################
 # Checking cgi-bin translations for language: it                           #
@@ -470,6 +474,8 @@
 < one week
 < one year
 < open connections
+< openvpn cert expires soon
+< openvpn cert has expired
 < optional
 < otp qrcode
 < outgoing compression in bytes per second
@@ -997,6 +1003,8 @@
 < one week
 < one year
 < open connections
+< openvpn cert expires soon
+< openvpn cert has expired
 < optional
 < otp qrcode
 < outgoing compression in bytes per second
@@ -1829,6 +1837,8 @@
 < one week
 < one year
 < open connections
+< openvpn cert expires soon
+< openvpn cert has expired
 < openvpn default
 < openvpn destination port used
 < openvpn disabled
@@ -2812,6 +2822,8 @@
 < one week
 < one year
 < open connections
+< openvpn cert expires soon
+< openvpn cert has expired
 < openvpn default
 < openvpn destination port used
 < openvpn disabled
@@ -3316,6 +3328,8 @@
 < not validating
 < okay
 < open connections
+< openvpn cert expires soon
+< openvpn cert has expired
 < optional
 < otp qrcode
 < ovpn connection name
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 42a7354fc..87bda4f1e 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -33,6 +33,7 @@ use File::Temp qw/ tempfile tempdir /;
 use strict;
 use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
 use Sort::Naturally;
+use Date::Parse;
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
@@ -5352,31 +5353,45 @@ END
 END
 		}
 	if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
-	if ($id % 2) {
-		print "<tr>";
-		$col="bgcolor='$color{'color20'}'";
-	} else {
-		print "<tr>";
-		$col="bgcolor='$color{'color22'}'";
-	}
-	print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>";
-	print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
-	#if ($confighash{$key}[4] eq 'cert') {
-	    #print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
-	#} else {
-	    #print "<td align='left'>&nbsp;</td>";
-	#}
-	my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
-	my $cavalid;
 
+	# Fetch information about the certificate
+	my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text",
+		"-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
+
+	my $expiryDate = 0;
+
+	# Parse the certificate information
 	foreach my $line (@cavalid) {
 		if ($line =~ /Not After : (.*)[\n]/) {
-			$cavalid    = $1;
-
+			$expiryDate = &Date::Parse::str2time($1);
 			last;
 		}
 	}
 
+	# Calculate the remaining time
+	my $remainingTime = $expiryDate - time();
+
+	# Create some simple booleans to check the status
+	my $hasExpired = ($remainingTime <= 0);
+	my $expiresSoon = ($remainingTime <= 30 * 24 * 3600);
+
+	print "<tr>";
+
+	if ($hasExpired || $expiresSoon) {
+		$col="bgcolor='$color{'color14'}'";
+	} elsif ($id % 2) {
+		$col="bgcolor='$color{'color20'}'";
+	} else {
+		$col="bgcolor='$color{'color22'}'";
+	}
+	print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]";
+	if ($hasExpired) {
+		print " ($Lang::tr{'openvpn cert has expired'})";
+	} elsif ($expiresSoon) {
+		print " ($Lang::tr{'openvpn cert expires soon'})";
+	}
+	print "</td>";
+	print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
 	print "<td align='center' $col>$confighash{$key}[25]</td>";
 	$col1="bgcolor='${Header::colourred}'";
 	my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 5fbab2ff8..a57b62ad8 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1884,6 +1884,8 @@
 'open connections' => 'Offene Verbindungen',
 'open to all' => 'Überschreibe externen Zugang zu ALL',
 'openssl produced an error' => 'OpenSSL hat einen Fehler verursacht',
+'openvpn cert expires soon' => 'Läuft bald ab',
+'openvpn cert has expired' => 'Abgelaufen',
 'openvpn client' => 'OpenVPN-Client',
 'openvpn default' => 'Vorgabe',
 'openvpn destination port used' => 'Der Zielport wird bereits von einer anderen OpenVPN-Server-Instanz genutzt.',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 80753b841..4dc9d8577 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1940,6 +1940,8 @@
 'open connections' => 'Open Connections',
 'open to all' => 'Override external access to ALL',
 'openssl produced an error' => 'OpenSSL produced an error',
+'openvpn cert expires soon' => 'Expires Soon',
+'openvpn cert has expired' => 'Expired',
 'openvpn client' => 'OpenVPN client',
 'openvpn default' => 'Default',
 'openvpn destination port used' => 'The destination port is already used by another OpenVPN server.',