X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=vpn-mk-client-cert;h=59ddda55cc5cc5959d2d68273d85f7ae5d81e415;hb=aa9be22d2798d15580907238cfdbf8f3ffd7364d;hp=78db36ee58ef52e3149897c32926c3cd79c2f41f;hpb=e6b728a634f243aab009758f2f6741c3f313f153;p=vpn-setup

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index 78db36e..59ddda5 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -36,10 +36,13 @@ usage: ${0##*/} VPN_SERVER_HOST
                  can't generate.
 
 -c CLIENT_HOST   Default is localhost. Else we ssh to root@CLIENT_HOST.
+-f               Force. Proceed even if cert already exists.
 -n CONFIG_NAME   default is client
 -o SERVER_CONFIG_NAME  Default is CONFIG_NAME
--s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. copied to same path
-                 on client, if client is not localhost.
+-s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. If client host is
+                 not localhost, the script is copied to it. The default
+                 script used to be /etc/openvpn/update-resolv-conf, but now
+                 that systemd-resolved is becoming popular, there is no default.
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
@@ -64,19 +67,19 @@ EOF
 
 shell="bash -c"
 name=client
-custom_script=false
-script=/etc/openvpn/update-resolv-conf
 client_host=$CLIENT_HOST
+force=false
 
-temp=$(getopt -l help hb:c:n:o:s: "$@") || usage 1
+temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1
 eval set -- "$temp"
 while true; do
   case $1 in
     -b) common_name="$2"; shift 2 ;;
     -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
+    -f) force=true; shift ;;
     -n) name="$2"; shift 2 ;;
     -o) server_name="$2"; shift 2 ;;
-    -s) custom_script=true; script="$2"; shift 2 ;;
+    -s) script="$2"; shift 2 ;;
     -h|--help) usage ;;
     --) shift; break ;;
     *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
@@ -100,6 +103,20 @@ host=$1
 
 ####### end command line parsing and checking ##############
 
+
+f=/etc/openvpn/client/$name.crt
+
+cert_to_test=$f
+if [[ $client_host ]]; then
+  cert_to_test=$(mktemp)
+  ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+fi
+if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+  echo "$0: cert already exists. exiting early"
+  exit 0
+fi
+
+
 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
 $shell '[[ -e /etc/openvpn ]] || apt install openvpn'
 if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
@@ -113,7 +130,6 @@ fi
 port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
 
 
-f=/etc/openvpn/client/$name.crt
 if ! $shell "test -s $f"; then
   # if common name is not unique, you get empty file. and if we didn't silence
   # build-key, you'd see an error "TXT_DB error number 2"
@@ -158,14 +174,12 @@ EOF
 
 if [[ $script ]]; then
   $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
-# This script will update local dns
-# to what the server sends, if it sends dns.
 script-security 2
 up "$script"
 down "$script"
 EOF
 
-  if [[ $client_host ]] && $custom_script; then
+  if [[ $client_host && $script ]]; then
     $shell "dd of=$script" <$script
     $shell "chmod +x $script"
   fi