From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] CRL updater: Update script for OpenVPN CRL
Date: Tue, 06 Feb 2018 10:24:38 +0100
Message-ID: <34F195E4-7AE9-4DD9-9C5F-9F0B4E9640E4@ipfire.org>
In-Reply-To: <1517877885.21272.62.camel@ipfire.org>

Hello,

>> In case machines are off while the script performs its weekly check (no
>> 24/7er) the next check will be made one/two week(s) later which might be a
>> long time if you do not know where the problem is.
>> I would possibly make that a daily check and would also set the UPDATE to
>> a week or 5 days instead of the current 2 before expiration date so more days
>> can be grabbed even if the check should be a fast one.
>
> Cron will take care of this. It will automatically perform the cron jobs a
> little while after the system has been booted and when the cron jobs should have
> been executed while it was shut down.
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561f4a243239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
>
> It's the "bootrun" argument there.

Thanks for the clarification, haven't had that in mind. Will deliver the updater
then to 'fcron.weekly'. Will also set the update before expiration interval to
10 days before, 8 might be also OK for a weekly cronjob but possibly better to
have 2 days + ?!

>> if successful:
>> Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
>> /var/ipfire/ovpn/openssl/ovpn.cnf
>>
>> which equals to the OpenSSL command output ( 2>&1 | logger ).
>
> Do we need to log the output of OpenSSL? A line that says something like "Could
> not update the OpenVPN CA CRL" should do, shouldn't it? People should run the
> script themselves then and see what is going wrong.

No, I don't think so, lines in messages look even better then. Did that now
like you suggested.

>> Otherwise all other requested changes have been made and are ready so far, might
>> be nice to push the remaining CGI changes soon i think :-) .
>
> Cool.
>
> Let me know if I can be of any more help.

Great thanks for your offer and your help. If there is no veto for the above
changes I will deliver the patch today in the evening.
Have also fetched the actual openssl-11 branch with all needed changes, thanks
for keeping this up to date :-) .

All the best,

Erik