stop using uuid always

[vpn-setup] / vpn-mk-client-cert

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index bd946dd88341a8ba8197f056bf2f26a767bd02ca..f480d02b8e4cf7bbcac1ac400d99253ca41bf381 100755 (executable)
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -13,11 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
 # See the License for the specific language governing permissions and
 # limitations under the License.
 

-# usage: $0 SERVER_HOST [DEST_HOST]
-# ssh to SERVER_HOST, create a cert & client config, put it on
-# DEST_HOST, or localhost by default. Assumes server was setup
-# by the other script in this dir.
-

 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 


@@ -27,51 +22,91 @@ usage() {
     cat <<EOF
 usage: ${0##*/} VPN_SERVER_HOST
 
     cat <<EOF
 usage: ${0##*/} VPN_SERVER_HOST
 

--c CLIENT_HOST   default is localhost
+-b COMMON_NAME   By default, use CONFIG_NAME. If the cert already exists
+                 on the server, with the CLIENT_NAME name, we use the
+                 existing one. See comment below if we ever want to
+                 check existing common names. They must be unique per
+                 server, so you can use $(uuidgen) if needed. You used
+                 to be able to create multiple with the same name, but
+                 not connect at the same time, but now, the generator
+                 keeps track, so you can't generate.
+-c CLIENT_HOST   default is localhost. Else we ssh to root@CLIENT_HOST

 -n CONFIG_NAME   default is client
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
 -n CONFIG_NAME   default is client
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able

-to ssh to VPN_SERVER_HOST and CLIENT_HOST.
+to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
+localhost, just to sudo this script as root.
+
+
+
+
+Note: Uses GNU getopt options parsing style

 EOF
     exit ${1:-0}
 }
 
 EOF
     exit ${1:-0}
 }
 

+# to get the common name
+# cn=$(s openssl x509 -noout -nameopt multiline -subject \
+    #        -in /etc/openvpn/client/mail.crt | \
+    #          sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
+
+

 shell="bash -c"
 name=client
 
 shell="bash -c"
 name=client
 

-temp=$(getopt -l help hc:n: "$@") || usage 1
+temp=$(getopt -l help hb:c:n: "$@") || usage 1

 eval set -- "$temp"
 while true; do
     case $1 in
 eval set -- "$temp"
 while true; do
     case $1 in

-        -c) shell="ssh $2"; shift 2 ;;
+        -b) common_name="$2"; shift 2 ;;
+        -c) shell="ssh root@$2"; shift 2 ;;

         -n) name="$2"; shift 2 ;;
         -h|--help) usage ;;
         --) shift; break ;;
         *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
     esac
 done
         -n) name="$2"; shift 2 ;;
         -h|--help) usage ;;
         --) shift; break ;;
         *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
     esac
 done

+
+if [[ ! $common_name ]]; then common_name=$name; fi
+

 host=$1
 [[ $host ]] || usage 1
 
 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
 host=$1
 [[ $host ]] || usage 1
 
 # bash or else we get motd spam. note sleep 2, sleep 1 failed.

-ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
+ssh root@$host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'

 set -eE -o pipefail
 set -eE -o pipefail

-cd /etc/openvpn/easy-rsa
-source vars >/dev/null

 
 

-# uuidgen because common name must be unique
-{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
+exists=true
+for x in /etc/openvpn/easy-rsa/keys/{$name.{crt,key},ca.crt}; do
+  if [[ ! -e \$x ]]; then
+     exists=false
+     break
+  fi
+done
+
+if ! \$exists; then
+  cd /etc/openvpn/easy-rsa
+  source vars >/dev/null
+
+  { echo -e '\n\n\n\n\n'$common_name'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
+fi

 
 d=\$(mktemp -d)
 cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
 
 d=\$(mktemp -d)
 cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt

-mv /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
+cp /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d

 
 tar cz -C \$d .
 rm -rf \$d
 EOF
 
 
 tar cz -C \$d .
 rm -rf \$d
 EOF
 

-cat > /etc/openvpn/client/$name.conf <<EOF
+f=/etc/openvpn/client/$name.crt
+if [[ ! -s $f ]]; then
+    echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+    exit 1
+fi
+
+$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF

 # From example config, from debian stretch as of 1-2017
 client
 dev tun
 # From example config, from debian stretch as of 1-2017
 client
 dev tun