Replace hardlinking of crl.pem with a copy
easyrsa gen-crl does not modify the crl.pem in place but rather remove the old file and create a new one, which means any hardlink to it will get broken again at each invocation of easyrsa gen-crl. If hardlink to this file is not going to work anyway and we still need it to be readable by OpenVPN, we're better off copying it and chmod-ing it every time a new one is detected on container start, using the conditional expression file1 -nt file2.
This commit is contained in:
Nicolas Duchon
parent
dcf3791d54
commit
59644d953d
13
bin/ovpn_run
13
bin/ovpn_run
@ -74,13 +74,14 @@ if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
|
|||||||
setupIptablesAndRouting
|
setupIptablesAndRouting
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Use a hacky hardlink as the CRL Needs to be readable by the user/group
|
# Use a copy of crl.pem as the CRL Needs to be readable by the user/group
|
||||||
# OpenVPN is running as. Only pass arguments to OpenVPN if it's found.
|
# OpenVPN is running as. Only pass arguments to OpenVPN if it's found.
|
||||||
if [ -r "$EASYRSA_PKI/crl.pem" ]; then
|
if [ "$EASYRSA_PKI/crl.pem" -nt "$OPENVPN/crl.pem" ]; then
|
||||||
if [ ! -r "$OPENVPN/crl.pem" ]; then
|
cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
|
||||||
ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
|
chmod 644 "$OPENVPN/crl.pem"
|
||||||
chmod 644 "$OPENVPN/crl.pem"
|
fi
|
||||||
fi
|
|
||||||
|
if [ -r "$OPENVPN/crl.pem" ]; then
|
||||||
addArg "--crl-verify" "$OPENVPN/crl.pem"
|
addArg "--crl-verify" "$OPENVPN/crl.pem"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user