X-Git-Url: https://iankelling.org/git/?p=vpn-setup;a=blobdiff_plain;f=client-cert-helper;h=6589c40b15f1f243a18d0b724afb18b7384b57b6;hp=f5b35ac43b53d35a2054802bcbcf2058ef8a539f;hb=HEAD;hpb=dbea144f7249f9c244e748ac972fd86a54ee2086
diff --git a/client-cert-helper b/client-cert-helper
index f5b35ac..4da41eb 100755
--- a/client-cert-helper
+++ b/client-cert-helper
@@ -1,4 +1,25 @@
 #!/bin/bash
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 set -eE -o pipefail
 # Outputs the keyfiles to stdout as tar.gz
@@ -6,27 +27,43 @@ set -eE -o pipefail
 rm -f /tmp/vpn-mk-client-cert.log
 exec 2>/tmp/vpn-mk-client-cert.log
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?. PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+date >&2
+set -x
+
 name=$1
 common_name=$2
-echo common_name=$common_name >&2
-
 server_dir=/etc/openvpn
 if [[ -e /etc/openvpn/server ]]; then
   server_dir=/etc/openvpn/server
 fi
-cafile=$server_dir/ca.crt
+cafile=$server_dir/ca-$name.crt
-new=true
-keyfiles=(/etc/openvpn/easy-rsa/pki/{issued/$common_name.crt,private/$common_name.key})
-if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then
+### begin section roughly copied from vpn-server-setup
+rsadir=/etc/openvpn/easy-rsa-$name
+new=true # newer easy-rsa version
+keyfiles=(
+  $rsadir/pki/private/$common_name.key
+  $rsadir/pki/issued/$common_name.crt
+)
+if [[ -e /etc/openvpn/easy-rsa-$name/build-ca ]]; then
   new=false
-  keyfiles=(/etc/openvpn/easy-rsa/keys/$name.{crt,key})
+  keyfiles=(
+    $rsadir/keys/$common_name.key
+    $rsadir/keys/$common_name.crt
+  )
 fi
+### end section roughly copied from vpn-server-setup
 if [[ ! -e $cafile ]]; then
-  echo: error no cafile found at $cafile >/tmp/errors
+  echo error: no cafile found at $cafile >&2
   exit 1
 fi
@@ -40,7 +77,7 @@ done
 if ! $exists; then
-  cd /etc/openvpn/easy-rsa
+  cd /etc/openvpn/easy-rsa-$name
   if $new; then
     ./easyrsa build-client-full $common_name nopass >/dev/null
   else
@@ -51,10 +88,10 @@ if ! $exists; then
 fi
 d=$(mktemp -d)
-cp $cafile $d/$name-ca.crt
-cp ${keyfiles[@]} $d
-
-cp $server_dir/ta.key $d/$name-ta.key
+cp $server_dir/ta-$name.key $cafile $d
+for f in ${keyfiles[@]}; do
+  cp $f $d/$name.${f##*.}
+done
 tar cz -C $d .
 rm -rf $d
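Review bot: `name` and `common_name` come straight from `$1`/`$2` and are now spliced into filesystem paths (`rsadir=/etc/openvpn/easy-rsa-$name`, `cafile=$server_dir/ca-$name.crt`, both `keyfiles` arrays) with no validation, so a value containing `/` or `..` selects a directory outside `/etc/openvpn`, and the unquoted elements of `keyfiles=( $rsadir/pki/private/$common_name.key … )` are additionally subject to word splitting and globbing. The same applies to `cd /etc/openvpn/easy-rsa-$name` in the next hunk. Add a check right after the two assignments, e.g. `[[ $name =~ ^[A-Za-z0-9_-]+$ ]] || { echo "error: bad name: $name" >&2; exit 1; }` with the same shape for `common_name` (widen the character class to whatever the caller actually passes, which is not visible here), and quote the array elements. Separately, the new `if ! test "$BASH_VERSION"` guard runs after the `set -eE -o pipefail` at the top of the file, which a non-bash `sh` would most likely already have rejected, so it cannot fire as intended; placing it on the first line after the shebang would make it effective and would also let the repeated `set -eE -o pipefail` here be dropped.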
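Review bot: The private key is copied into `$d` by the new `for f in ${keyfiles[@]}` loop, but `rm -rf $d` is only reached if every `cp` and the `tar` succeed; under `set -e` a failure part-way through leaves key material behind in the temp directory. Register the cleanup before anything is copied, e.g. `trap 'rm -rf -- "$d"' EXIT` immediately after `d=$(mktemp -d)`, which also makes the trailing `rm -rf $d` redundant. The loop should also quote its expansions — `for f in "${keyfiles[@]}"; do cp -- "$f" "$d/$name.${f##*.}"; done` — since unquoted `${keyfiles[@]}` word-splits and globs each path (ShellCheck SC2068). Note that the archive entries are renamed from `$name-ca.crt`/`$name-ta.key` to `ca-$name.crt`/`ta-$name.key`; presumably whatever unpacks the tar was updated to match, but that is not visible here.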