Hi,

On Sat, 2018-02-03 at 21:20 +0100, ummeegge wrote:
> Hello Michael,
> some thoughts causing two quested points
>
> > > > +# Convert seconds to days
> > > > +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
> > > > +# Update of the CRL in days before CRL expiring date
> > > > +UPDATE="2";
> > >
> > > I think we should update every 14 days if the usual expiry time is 30.
> > > Therefore we will never get too close by accident.
> >
> > So I would need then an fcrontab entry and another location for the script
> > since the fcron directories provides only daily, weekly and monthly.
> > Another possibility might be a weekly check so we can use the fcron
> > directories ?
>
> In case machines are off while the script performs his weekly check (no
> 24/7er) the next check will be made one/two week(s) later which might be a
> long time if you do not know where the problem is.
> I would do make there possibly a daily check and would also set the UPDATE to
> a week or 5 days instead of the current 2 before expiration date so more days
> can be grabbed even the check should be a fast one.

Cron will take care of this. It will automatically perform the cron jobs a
little while after the system has been booted and when the cron jobs should
have been executed while it was shut down.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561f4a243239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13

It's the "bootrun" argument there.

> > >
> > > Should we catch any errors of the openssl command?
> >
> > OK I would then use may a '2>&1 | logger -i -t openvpn' instead so we get an
> > OpenSSL command output in messages if the CRL has been renewed.
>
> Have here two possibilities.
>
> 1)
> in error case:
> Feb 3 17:56:03 ipfire-server crl_updater[18986]:
> /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file
> or directory

Don't put the path in. Calling "openssl" should be fine.

> if successful:
> Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
> /var/ipfire/ovpn/openssl/ovpn.cnf
>
> which equals to the OpenSSL command output ( 2>&1 | logger ).

Do we need to log the output of OpenSSL? A line that says something like
"Could not update the OpenVPN CA CRL" should do, shouldn't it? People should
run the script themselves then and see what is going wrong.

>
> or 2)
>
> in error case:
> Feb 2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh -
> CRL update failed
>
> if successful:
> Feb 2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh -
> CRL has been updated
>
> if else query echoes a defined message so search string like failed or updated
> can also be logged ?
>
>
> Otherwise all other quested changes has been made and are ready so far, might
> be nice to push the remaining CGI changes soon I think :-) .

Cool. Let me know if I can be of any more help.

Best,
-Michael

>
> Greetings,
>
> Erik
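
Review bot: On the quoted `NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"` line, shell integer division truncates toward zero, so any remaining lifetime shorter than one day yields 0, and so does a CRL that expired less than a day ago. With `UPDATE="2"` as the threshold that leaves little margin. Comparing `EXPIRINGDATEINSEC` directly against `UPDATE * DAYINSEC` avoids the rounding, and the trailing `;` on both assignments can be dropped.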
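
The renewal check discussed in this thread, as an added example that is not the patch or IPFire's script: it compares the remaining CRL lifetime in seconds, discards OpenSSL's output, and writes one short syslog line on failure. The function names, `CRL_ACTION`, the first log message and the angle-bracket placeholders are assumptions; GNU `date -d` is required.

```shell
#!/bin/sh
# Added example, not the IPFire script. Names are hypothetical; only
# "logger -t openvpn" and the "Could not update ..." wording come from the thread.
# Intended call (placeholders, not real paths):
#   update_crl_if_due "$(openssl crl -noout -nextupdate -in <crl file>)" \
#       "$(date +%s)" 14 <renewal command>
DAYINSEC=86400
CRL_ACTION=""   # set by update_crl_if_due: none | updated | failed

# $1: line as printed by "openssl crl -noout -nextupdate", $2: now (epoch).
# Prints the seconds left until nextUpdate (negative once expired).
crl_seconds_left() {
    expiry="$(date -u -d "${1#nextUpdate=}" +%s 2>/dev/null)" || return 1
    echo "$((expiry - $2))"
}

# One short syslog line; silent when logger is missing or syslog is down.
log_msg() {
    command -v logger >/dev/null 2>&1 || return 0
    logger -t openvpn "$1" 2>/dev/null || return 0
}

# $1: nextUpdate line, $2: now (epoch), $3: renew this many days before
# expiry, remaining arguments: the renewal command to run.
update_crl_if_due() {
    nextupdate="$1"; now="$2"; days="$3"; shift 3
    CRL_ACTION="failed"
    if ! left="$(crl_seconds_left "$nextupdate" "$now")"; then
        log_msg "Could not read the OpenVPN CA CRL expiry date"
        return 1
    fi
    # Compare in seconds so integer division cannot round a partial day away.
    if [ "$left" -gt "$((days * DAYINSEC))" ]; then
        CRL_ACTION="none"
        return 0
    fi
    # OpenSSL's own output is discarded; run the command by hand to debug.
    if "$@" >/dev/null 2>&1; then
        CRL_ACTION="updated"
        return 0
    fi
    log_msg "Could not update the OpenVPN CA CRL"
    return 1
}
```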