X-Git-Url: https://iankelling.org/git/?p=vpn-setup;a=blobdiff_plain;f=vpn-mk-client-cert;h=f4e5762d78c52024dfad15245960599140c813a6;hp=ec68484274dfe85bef00136fc6bbada7220180c4;hb=HEAD;hpb=2da6add81afb25c139de43264815ee6c8018e88c diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert index ec68484..7bad544 100755 --- a/vpn-mk-client-cert +++ b/vpn-mk-client-cert @@ -1,5 +1,12 @@ #!/bin/bash -# Copyright (C) 2016 Ian Kelling +# I, Ian Kelling, follow the GNU license recommendations at +# https://www.gnu.org/licenses/license-recommendations.en.html. They +# recommend that small programs, < 300 lines, be licensed under the +# Apache License 2.0. This file contains or is part of one or more small +# programs. If a small program grows beyond 300 lines, I plan to switch +# its license to GPL. + +# Copyright 2024 Ian Kelling # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,12 +20,14 @@ # See the License for the specific language governing permissions and # limitations under the License. + set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" -readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}" +readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")" +this_dir="${this_file%/*}" usage() { @@ -39,11 +48,14 @@ usage: ${0##*/} VPN_SERVER_HOST -f Force. Proceed even if cert already exists. -n CONFIG_NAME default is client -o SERVER_CONFIG_NAME Default is CONFIG_NAME +-r Install certs to the current directory instead of /etc/openvpn/client -s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is not localhost, the script is copied to it. The default script used to be /etc/openvpn/update-resolv-conf, but now that systemd-resolved is becoming popular, there is no default. +Environment variable: SSH_CONFIG_FILE_OVERRIDE + Generate a client cert and config and install it on locally or on CLIENT_HOST if given. Uses default config options, and expects be able to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is @@ -69,16 +81,21 @@ shell="bash -c" name=client client_host=$CLIENT_HOST force=false +rel=false +if [[ $SSH_CONFIG_FILE_OVERRIDE ]]; then + ssh_arg="-F $SSH_CONFIG_FILE_OVERRIDE" +fi -temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1 +temp=$(getopt -l help hb:c:fn:o:rs: "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -b) common_name="$2"; shift 2 ;; - -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;; + -c) client_host=$2; shell="ssh $ssh_arg root@$client_host"; shift 2 ;; -f) force=true; shift ;; -n) name="$2"; shift 2 ;; -o) server_name="$2"; shift 2 ;; + -r) rel=true; shift ;; -s) script="$2"; shift 2 ;; -h|--help) usage ;; --) shift; break ;; @@ -86,6 +103,12 @@ while true; do esac done +if [[ $client_host ]] && $rel; then + echo "$0: error client_host and -r specified. use one or the other" + exit 1 +fi + + if [[ ! $server_name ]]; then server_name="$name" fi @@ -104,40 +127,35 @@ host=$1 ####### end command line parsing and checking ############## -f=/etc/openvpn/client/$name.crt - -cert_to_test=$f -if [[ $client_host ]]; then - cert_to_test=$(mktemp) - ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||: -fi -if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then - echo "$0: cert already exists. exiting early" - exit 0 +if $rel; then + f=$name.crt + keydir=. +else + f=/etc/openvpn/client/$name.crt + keydir=/etc/openvpn/client fi -# bash or else we get motd spam. note sleep 2, sleep 1 failed. -$shell '[[ -e /etc/openvpn ]] || apt install openvpn' -if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \ - | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then - echo ssh root@$host cat /tmp/vpn-mk-client-cert.log: - ssh root@$host cat /tmp/vpn-mk-client-cert.log - echo EOF for root@$host:/tmp/vpn-mk-client-cert.log - exit 1 +if ! $force; then + cert_to_test=$f + if [[ $client_host ]]; then + cert_to_test=$(mktemp) + ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||: + fi + if openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then + if [[ $client_host ]]; then + prefix="$shell" + fi + if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then + echo "$0: cert already exists. exiting early" + exit 0 + fi + fi fi -port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1) +port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1) - -if ! $shell "test -s $f"; then - # if common name is not unique, you get empty file. and if we didn't silence - # build-key, you'd see an error "TXT_DB error number 2" - echo "$0: error: $f is empty or otherwise bad. is this common name unique?" - exit 1 -fi - -$shell "dd of=/etc/openvpn/client/$name.conf" <