X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=vpn-mk-client-cert;h=74211784f79e62c3a492fadae04d608a6c241069;hb=a87d7ea7795f3c1cff42e91e4c58dfa36878c3a3;hp=baecdf1cf30b5ee5539b8829db9e4cd4aa7e9705;hpb=dacf50e689875098352985acadc8210d845b358d;p=vpn-setup diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert index baecdf1..7421178 100755 --- a/vpn-mk-client-cert +++ b/vpn-mk-client-cert @@ -36,9 +36,13 @@ usage: ${0##*/} VPN_SERVER_HOST can't generate. -c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST. +-f Force. Proceed even if cert already exists. -n CONFIG_NAME default is client --s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. copied to same path - on client, if client is not localhost. +-o SERVER_CONFIG_NAME Default is CONFIG_NAME +-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is + not localhost, the script is copied to it. The default + script used to be /etc/openvpn/update-resolv-conf, but now + that systemd-resolved is becoming popular, there is no default. Generate a client cert and config and install it on locally or on CLIENT_HOST if given. Uses default config options, and expects be able @@ -63,24 +67,29 @@ EOF shell="bash -c" name=client -custom_script=false -script=/etc/openvpn/update-resolv-conf client_host=$CLIENT_HOST +force=false -temp=$(getopt -l help hb:c:n:s: "$@") || usage 1 +temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -b) common_name="$2"; shift 2 ;; -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;; + -f) force=true; shift ;; -n) name="$2"; shift 2 ;; - -s) custom_script=true; script="$2"; shift 2 ;; + -o) server_name="$2"; shift 2 ;; + -s) script="$2"; shift 2 ;; -h|--help) usage ;; --) shift; break ;; *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;; esac done +if [[ ! $server_name ]]; then + server_name="$name" +fi + if [[ ! $common_name ]]; then if [[ $client_host ]]; then common_name=$client_host @@ -94,25 +103,8 @@ host=$1 ####### end command line parsing and checking ############## -# bash or else we get motd spam. note sleep 2, sleep 1 failed. -$shell '[[ -e /etc/openvpn ]] || apt install openvpn' -if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \ - | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then - echo ssh root@$host cat /tmp/vpn-mk-client-cert.log: - ssh root@$host cat /tmp/vpn-mk-client-cert.log - exit 1 -fi - -port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1) - f=/etc/openvpn/client/$name.crt -if ! $shell "test -s $f"; then - # if common name is not unique, you get empty file. and if we didn't silence - # build-key, you'd see an error "TXT_DB error number 2" - echo "$0: error: $f is empty or otherwise bad. is this common name unique?" - exit 1 -fi $shell "dd of=/etc/openvpn/client/$name.conf" </dev/null >$cert_to_test ||: +fi +if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then + echo "$0: cert already exists. exiting early" + exit 0 +fi + + +# bash or else we get motd spam. note sleep 2, sleep 1 failed. +$shell '[[ -e /etc/openvpn ]] || apt install openvpn' +if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \ + | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then + echo ssh root@$host cat /tmp/vpn-mk-client-cert.log: + ssh root@$host cat /tmp/vpn-mk-client-cert.log + echo EOF for root@$host:/tmp/vpn-mk-client-cert.log + exit 1 +fi + +port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1) + + +if ! $shell "test -s $f"; then + # if common name is not unique, you get empty file. and if we didn't silence + # build-key, you'd see an error "TXT_DB error number 2" + echo "$0: error: $f is empty or otherwise bad. is this common name unique?" + exit 1 +fi