From patchwork Fri Oct 7 14:50:16 2022
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 6046
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH 1/2] backup: Update OpenVPN CRL
Date: Fri, 7 Oct 2022 14:50:16 +0000
Message-Id: <20221007145017.4096212-1-michael.tremer@ipfire.org>

After a backup is restored, the CRL might be out of date and clients won't be able to connect to the server any more. This will immediately update the CRL should it require an update.

Signed-off-by: Michael Tremer
--- config/backup/backup.pl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 54957a814..6fd9e45bb 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl 
@@ -184,6 +184,9 @@ restore_backup() { # move nobeeps if exist [ -e "/var/ipfire/ppp/nobeeps" ] && mv /var/ipfire/ppp/nobeeps /var/ipfire/red/nobeeps + # Update OpenVPN CRL + /etc/fcron.daily/openvpn-crl-updater + return 0 }

From patchwork Fri Oct 7 14:50:17 2022
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 6047
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH 2/2] openvpnctrl: Update CRL before starting the client daemon
Date: Fri, 7 Oct 2022 14:50:17 +0000
Message-Id: <20221007145017.4096212-2-michael.tremer@ipfire.org>
In-Reply-To: <20221007145017.4096212-1-michael.tremer@ipfire.org>
References: <20221007145017.4096212-1-michael.tremer@ipfire.org>

If the CRL is outdated for some reason (e.g. a backup restored from ISO where we don't run the migration scripts), this will update it on reboot/restart of the service.

Signed-off-by: Michael Tremer
--- src/misc-progs/openvpnctrl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index b9e4fd2a6..92b5989e9 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c @@ -497,6 +497,8 @@ void startDaemon(void) { fprintf(stderr, "OpenVPN is not enabled on any interface\n"); exit(1); } else { + snprintf(command, STRING_SIZE-1, "/etc/fcron.daily/openvpn-crl-updater"); + executeCommand(command); snprintf(command, STRING_SIZE-1, "/sbin/modprobe tun"); executeCommand(command); snprintf(command, STRING_SIZE-1, "/usr/sbin/openvpn --config /var/ipfire/ovpn/server.conf");
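
Review bot: In [PATCH 1/2], the new call to /etc/fcron.daily/openvpn-crl-updater at the end of restore_backup() in config/backup/backup.pl is unguarded and its exit status is discarded, so the function still reaches "return 0" when the script is missing or fails. The line just above it guards its action with [ -e ... ] &&; the same pattern with [ -x /etc/fcron.daily/openvpn-crl-updater ] would avoid a "not found" error on systems without the updater. Consider also printing a warning when the updater exits non-zero, since a CRL that stays expired after a restore leaves clients unable to connect, which is exactly the symptom the commit message describes, and the restore would otherwise report success.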
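
Review bot: In [PATCH 2/2], the result of executeCommand(command) for /etc/fcron.daily/openvpn-crl-updater in the else branch of startDaemon() is ignored, so a failed CRL refresh is silent and openvpn is still started against a CRL that may be expired. Suggest checking the return value and writing a message to stderr, as the branch above does for "OpenVPN is not enabled on any interface", so an administrator can see why clients are being rejected. Two smaller points: the updater path is now hard-coded both here and in backup.pl, so a shared constant or a short comment naming the other call site would help keep them in step; and the subject says "client daemon" while this code path launches openvpn with /var/ipfire/ovpn/server.conf, which is worth rewording if the server is what is meant.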