Re: [PATCH] CRL updater: Update script for OpenVPN CRL

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2493 bytes --]

Hi,

On Tue, 2018-02-06 at 10:24 +0100, ummeegge wrote:
> Hello,
> 
> > > In case machines are off while the script performs his weekly check (no
> > > 24/7er) the next check will be made one/two week(s) later which might be a
> > > long time if you do not know where the problem is.
> > > I would do make there possibly a daily check and would also set the UPDATE
> > > to
> > > a week or 5 days instead of the current 2 before expiration date so more
> > > days
> > > can be grabbed even the check should be a fast one.
> > 
> > Cron will take care of this. It will automatically perform the cron jobs a
> > little while after the system has been booted and when the cron jobs should
> > have
> > been executed while it was shut down.
> > 
> > https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561
> > f4a2
> > 43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
> > 
> > It's the "bootrun" argument there.
> 
> Thanks for clarification haven´t had that in mind. Will deliver the updater
> then to 'frcon.weekly'. Will also set the update before expiration interval to
> 10 days before, 8 might be also OK for a weekly cronjob but possibly better to
> have 2 days + ?!

I think daily is better. That makes things more predictable and it does not hurt
to renew every 14 days to never get close to the expiration date.

> 
> > > if successful:
> > > Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
> > > /var/ipfire/ovpn/openssl/ovpn.cnf
> > > 
> > > which equals to the OpenSSL command output ( 2>&1 | logger ). 
> > 
> > Do we need to log the output of OpenSSL? A line that says something like
> > "Could
> > not update the OpenVPN CA CRL" should do, shouldn't it? People should run
> > the
> > script themselves then and see what is going wrong.
> 
> No i don´t think so, lines in messages looks even better then. Did that now
> like you suggested.
> 
> > > Otherwise all other quested changes has been made and are ready so far,
> > > might
> > > be nice to push the remaining CGI changes soon i think :-) .
> > 
> > Cool.
> > 
> > Let me know if I can be of any more help.
> 
> Great thanks for your offer and your help. If there is no veto for the above
> changes i will deliver the patch today in the evening.
> 
> Have also fetched the actual openssl-11 branch with all needed changes, thanks
> for keeping this up to date :-) .
> 
> All the best,
> 
> Erik
> 

-Michael

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]