#!/bin/bash
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
set -eE -o pipefail
# Outputs the keyfiles to stdout as tar.gz
rm -f /tmp/vpn-mk-client-cert.log
exec 2>/tmp/vpn-mk-client-cert.log
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?. PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+date >&2
+set -x
+
name=$1
common_name=$2
-echo common_name=$common_name >&2
-
server_dir=/etc/openvpn
if [[ -e /etc/openvpn/server ]]; then
server_dir=/etc/openvpn/server
### begin section roughly copied from vpn-server-setup
rsadir=/etc/openvpn/easy-rsa-$name
-new=true
+new=true # newer easy-rsa version
keyfiles=(
$rsadir/pki/private/$common_name.key
$rsadir/pki/issued/$common_name.crt
### end section roughly copied from vpn-server-setup
if [[ ! -e $cafile ]]; then
- echo: error no cafile found at $cafile >/tmp/errors
+ echo error: no cafile found at $cafile >&2
exit 1
fi