Replace hardlinking of crl.pem with a copy

easyrsa gen-crl does not modify the crl.pem in place but rather remove the old file and create a new one, which means any hardlink to it will get broken again at each invocation of easyrsa gen-crl.

If hardlink to this file is not going to work anyway and we still need it to be readable by OpenVPN, we're better off copying it and chmod-ing it every time a new one is detected on container start, using the conditional expression file1 -nt file2.
This commit is contained in:
Nicolas Duchon 2017-05-02 17:17:01 +02:00
parent dcf3791d54
commit 59644d953d

View File

@ -74,13 +74,14 @@ if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
setupIptablesAndRouting setupIptablesAndRouting
fi fi
# Use a hacky hardlink as the CRL Needs to be readable by the user/group # Use a copy of crl.pem as the CRL Needs to be readable by the user/group
# OpenVPN is running as. Only pass arguments to OpenVPN if it's found. # OpenVPN is running as. Only pass arguments to OpenVPN if it's found.
if [ -r "$EASYRSA_PKI/crl.pem" ]; then if [ "$EASYRSA_PKI/crl.pem" -nt "$OPENVPN/crl.pem" ]; then
if [ ! -r "$OPENVPN/crl.pem" ]; then cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
chmod 644 "$OPENVPN/crl.pem" chmod 644 "$OPENVPN/crl.pem"
fi fi
if [ -r "$OPENVPN/crl.pem" ]; then
addArg "--crl-verify" "$OPENVPN/crl.pem" addArg "--crl-verify" "$OPENVPN/crl.pem"
fi fi