X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=vpn-mk-client-cert;h=68f0744df680ef33bb031fe2f71a331a80ca36d9;hb=95755ebea37097aa31a5f8a1acbb5cfb5d4bd06a;hp=1aa9b4166aca033059b65b25328c829a68677b15;hpb=1b488c8053cff1f09d025a20dc765a2079417eff;p=vpn-setup diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert index 1aa9b41..68f0744 100755 --- a/vpn-mk-client-cert +++ b/vpn-mk-client-cert @@ -25,16 +25,20 @@ usage() { cat <<'EOF' usage: ${0##*/} VPN_SERVER_HOST --b COMMON_NAME By default, use $HOSTNAME or $CLIENT_HOST. If the cert - already exists on the server, with the CLIENT_NAME - name, we use the existing one. See comment below if we - ever want to check existing common names. They must be - unique per server, so you can use $(uuidgen) if - needed. You used to be able to create multiple with the - same name, but not connect at the same time, but now, - the generator keeps track, so you can't generate. --c CLIENT_HOST default is localhost. Else we ssh to root@CLIENT_HOST +-b COMMON_NAME By default, use $CLIENT_HOST or if it is not given, + $HOSTNAME. If the cert already exists on the server, + with the CLIENT_NAME name, we use the existing one. See + comment below if we ever want to check existing common + names. They must be unique per server, so you can use + $(uuidgen) if needed. You used to be able to create + multiple with the same name, but not connect at the + same time, but now, the generator keeps track, so you + can't generate. + +-c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST. +-f Force. Proceed even if cert already exists. -n CONFIG_NAME default is client +-o SERVER_CONFIG_NAME Default is CONFIG_NAME -s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. copied to same path on client, if client is not localhost. @@ -64,14 +68,17 @@ name=client custom_script=false script=/etc/openvpn/update-resolv-conf client_host=$CLIENT_HOST +force=false -temp=$(getopt -l help hb:c:n:s: "$@") || usage 1 +temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -b) common_name="$2"; shift 2 ;; -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;; + -f) force=true; shift ;; -n) name="$2"; shift 2 ;; + -o) server_name="$2"; shift 2 ;; -s) custom_script=true; script="$2"; shift 2 ;; -h|--help) usage ;; --) shift; break ;; @@ -79,6 +86,10 @@ while true; do esac done +if [[ ! $server_name ]]; then + server_name="$name" +fi + if [[ ! $common_name ]]; then if [[ $client_host ]]; then common_name=$client_host @@ -93,18 +104,32 @@ host=$1 ####### end command line parsing and checking ############## +f=/etc/openvpn/client/$name.crt + +cert_to_test=$f +if [[ $client_host ]]; then + cert_to_test=$(mktemp) + ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||: +fi +if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then + echo "$0: cert already exists. exiting early" + exit 0 +fi + + # bash or else we get motd spam. note sleep 2, sleep 1 failed. -if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \ +$shell '[[ -e /etc/openvpn ]] || apt install openvpn' +if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \ | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then echo ssh root@$host cat /tmp/vpn-mk-client-cert.log: ssh root@$host cat /tmp/vpn-mk-client-cert.log + echo EOF for root@$host:/tmp/vpn-mk-client-cert.log exit 1 fi port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1) -f=/etc/openvpn/client/$name.crt if ! $shell "test -s $f"; then # if common name is not unique, you get empty file. and if we didn't silence # build-key, you'd see an error "TXT_DB error number 2"