From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] CRL updater: Update script for OpenVPN CRL Date: Tue, 06 Feb 2018 00:44:45 +0000 Message-ID: <1517877885.21272.62.camel@ipfire.org> In-Reply-To: <73B70A3C-9882-4C28-967E-525019450348@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3203785850057545697==" List-Id: --===============3203785850057545697== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, On Sat, 2018-02-03 at 21:20 +0100, ummeegge wrote: > Hello Michael, > some thoughts causing two quested points >=20 >=20 > > > > +# Convert seconds to days > > > > +NEXTUPDATE=3D"$((EXPIRINGDATEINSEC / DAYINSEC))"; > > > > +# Update of the CRL in days before CRL expiring date > > > > +UPDATE=3D"2"; > > >=20 > > > I think we should update every 14 days if the usual expiry time is 30. > > > Therefore we will never get too close by accident. > >=20 > > So i would need then an frcontab entry and another location for the script > > since the fcron directories provides only daily, weekly and monthly. > > Another possibility might be a weekly check so we can use the fcron > > directories ? >=20 > In case machines are off while the script performs his weekly check (no > 24/7er) the next check will be made one/two week(s) later which might be a > long time if you do not know where the problem is. > I would do make there possibly a daily check and would also set the UPDATE = to > a week or 5 days instead of the current 2 before expiration date so more da= ys > can be grabbed even the check should be a fast one. Cron will take care of this. It will automatically perform the cron jobs a little while after the system has been booted and when the cron jobs should h= ave been executed while it was shut down. https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dblob;f=3Dconfig/cron/crontab;h= =3D4561f4a2 43239b8b5bd3525c067dc6a70395489c;hb=3DHEAD#l13 It's the "bootrun" argument there. >=20 >=20 > > > Should we catch any errors of the openssl command? > >=20 > > OK i would then use may a '2>&1 | logger -i -t openvpn' instead so we get= an > > OpenSSL command output in messages if the CRL has been renewed. >=20 > Have here two possibilities.=20 >=20 > 1) > in error case: > Feb 3 17:56:03 ipfire-server crl_updater[18986]: > /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file > or directory Don't put the path in. Calling "openssl" should be fine. > if successful: > Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from > /var/ipfire/ovpn/openssl/ovpn.cnf >=20 > which equals to the OpenSSL command output ( 2>&1 | logger ).=20 Do we need to log the output of OpenSSL? A line that says something like "Cou= ld not update the OpenVPN CA CRL" should do, shouldn't it? People should run the script themselves then and see what is going wrong. >=20 > or 2) >=20 > in error case: > Feb 2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh= - > CRL update failed >=20 > if successful: > Feb 2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh= - > CRL has been updated >=20 > if else query echo=C2=B4s a defined message so search string like failed or= updated > can also be logged ? >=20 >=20 > Otherwise all other quested changes has been made and are ready so far, mig= ht > be nice to push the remaining CGI changes soon i think :-) . Cool. Let me know if I can be of any more help. Best, -Michael >=20 > Greetings, >=20 > Erik --===============3203785850057545697== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUU1L3JXNWwzR0dl Mnlwa3R4Z0hudy8yK1FDUWNGQWxwNCtuMEFDZ2tRZ0hudy8yK1EKQ1FmOEt3Ly9iVTBGVWpmOHA0 MSs1Mk5rZzEzZmhCakdUSlBPaFRUdmNhaGI0dEl2VUtHNUFPNzJGZzJOcmtmbgpmaU10dzVKT3Z1 QzVwaUtaL2hVRkN0SG5uYWF5Q3RTNVRDSnpVY0VWRjQwRDhaeklxRHQybWRIblRrcHFJcHJ2CkdG d2U0aWZITlpwcmdCQVV1VEl5NCtLTXo5MlJGb2xkZnZMV1o0SzFlRjBDZnFXbHBkWW9mWlUvKzNZ VnBUcS8KQzFWaVRWWHVGam9FajRVVzEzV3lSeVF5RnFDM01ITDhVVXdxU3owSS9KZ2FIYzJ2bHJx aEtyZVdoSm5ZQisyTQpOU2wrVFhQWm1YRmg3TTJyOUcySFNIVEtHTTY1SXhFVFUvZThySDI3TUhJ OGVqcFg0Y3ZyYmx4WS9BSngzckNLCkMxcWtpTlJHRDRFTXBpdHZBMUZOcE9ZUkE3REoxSFRITWVa WGp3ZzBIWFRSUDNQUnFYU2JUSG9CQ2tkVnM2MFgKWXV1Y1BsVjMyVVJDWXlxT3RkYTRIRzdleEgw eEZKUjY4UmdBNThicDVvS0hQSEVrMEVWV09nMjdJSS9UQWRPdQp4RWk4dUJwT05XeENtVk1wc1Q0 REwzSUhWUHhUN1AxQThYZjZISlFYQ0JsYVhvK2w4c0pkR3JlTDI5bVFVR0JzCmc0Tld3SGJFYWps QUx3emhEMUJUSUw3a0ZZdHlaR3hKNkRkTDhlaVFvWXVaSXhBSWd2dWVVR1VHMWE5TFhBQ3cKR1Ja TU1pdVpNVVMzNC82bFYzcm03RHByRklzN0dGeWhBajZOWXo1aTMzSjhiaFMwY1pySGMyWGVwcU1S SDJiOQo2Q0FhZ3NOQ2hIam9zcS9EUDRiYUZBQUdFL0ZOVDJCQ3VjTGhiR0NOOUtvTGY2cFV2REE9 Cj1sbFN0Ci0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo= --===============3203785850057545697==--