extended client status for EXPIRED or other errors
parent
cf136d40df
commit
ea19fbe932
@ -15,6 +15,8 @@ cd "$EASYRSA_PKI"
|
|||||||
|
|
||||||
if [ -e crl.pem ]; then
|
if [ -e crl.pem ]; then
|
||||||
cat ca.crt crl.pem > cacheck.pem
|
cat ca.crt crl.pem > cacheck.pem
|
||||||
|
else
|
||||||
|
cat ca.crt > cacheck.pem
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "name,begin,end,status"
|
echo "name,begin,end,status"
|
||||||
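Review bot: The new `else` branch builds `cacheck.pem` from `ca.crt` alone, but the verify call later in the script passes `-crl_check` unconditionally, so on a PKI without `crl.pem` the CRL lookup fails for every certificate (OpenSSL error 3, unable to get certificate CRL) and each client is reported as `INVALID` where the old code reported `VALID`. Consider driving the verify flags from the same `[ -e crl.pem ]` test, adding `-crl_check` only when a CRL was actually concatenated into `cacheck.pem`.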
@ -26,20 +28,29 @@ for name in issued/*.crt; do
|
|||||||
name=${name%.crt}
|
name=${name%.crt}
|
||||||
name=${name#issued/}
|
name=${name#issued/}
|
||||||
if [ "$name" != "$OVPN_CN" ]; then
|
if [ "$name" != "$OVPN_CN" ]; then
|
||||||
if [ -e crl.pem ]; then
|
# check for revocation or expiration
|
||||||
if openssl verify -crl_check -CAfile cacheck.pem $path &> /dev/null; then
|
command="openssl verify -crl_check -CAfile cacheck.pem $path"
|
||||||
|
result=$($command)
|
||||||
|
if [ $(echo "$result" | wc -l) == 1 ] && [ "$(echo "$result" | grep ": OK")" ]; then
|
||||||
status="VALID"
|
status="VALID"
|
||||||
else
|
else
|
||||||
|
result=$(echo "$result" | tail -n 1 | grep error | cut -d" " -f2)
|
||||||
|
case $result in
|
||||||
|
10)
|
||||||
|
status="EXPIRED"
|
||||||
|
;;
|
||||||
|
23)
|
||||||
status="REVOKED"
|
status="REVOKED"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
status="INVALID"
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
else
|
|
||||||
status="VALID"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "$name,$begin,$end,$status"
|
echo "$name,$begin,$end,$status"
|
||||||
fi
|
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -e crl.pem ]; then
|
# Clean
|
||||||
rm cacheck.pem
|
rm cacheck.pem
|
||||||
fi
|
|
||||||
|
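Review bot: `result=$($command)` captures only stdout and the old `&> /dev/null` is gone, so anything openssl writes to stderr now leaks into the CSV output, and if the `error N at ...` line arrives on stderr the `tail -n 1 | grep error | cut` parse yields an empty string and every failure collapses to `INVALID`. Call openssl directly with `2>&1` and a quoted `"$path"` instead of expanding a command string, which also word-splits on paths containing spaces. In the line-count test, `==` inside `[ ]` is a bashism and the `$(... | wc -l)` substitution is unquoted; `[ "$(...)" -eq 1 ]` is the portable numeric form.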
@ -11,10 +11,12 @@ Note that some client software might be picky about which configuration format i
|
|||||||
|
|
||||||
## Client List
|
## Client List
|
||||||
|
|
||||||
See an overview of the configured clients, including revocation status:
|
See an overview of the configured clients, including revocation and expiration status:
|
||||||
|
|
||||||
docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients
|
docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients
|
||||||
|
|
||||||
|
The output is generated using `openssl verify`. Error codes from the verification process different from `X509_V_ERR_CERT_HAS_EXPIRED` or `X509_V_ERR_CERT_REVOKED` will show the status `INVALID`.
|
||||||
|
|
||||||
## Batch Mode
|
## Batch Mode
|
||||||
|
|
||||||
If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
|
If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
|
||||||
|
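Review bot: The added paragraph under "Client List" documents only when `INVALID` appears and names the OpenSSL constants without tying them to the statuses the script prints. Suggest listing all four values (`VALID`, `EXPIRED`, `REVOKED`, `INVALID`) and stating that `X509_V_ERR_CERT_HAS_EXPIRED` is shown as `EXPIRED` and `X509_V_ERR_CERT_REVOKED` as `REVOKED`; "other than" also reads better than "different from".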