From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH] CRL updater: Update script for OpenVPN CRL
Date: Sat, 03 Feb 2018 21:20:32 +0100
Message-ID: <73B70A3C-9882-4C28-967E-525019450348@ipfire.org>

Hello Michael,
some thoughts causing two quested points

>>> +# Convert seconds to days
>>> +NEXTUPDATE=3D"$((EXPIRINGDATEINSEC / DAYINSEC))";
>>> +# Update of the CRL in days before CRL expiring date
>>> +UPDATE=3D"2";
>>
>> I think we should update every 14 days if the usual expiry time is 30.
>> Therefore we will never get too close by accident.
>
> So I would then need an fcrontab entry and another location for the script since the fcron directories provide only daily, weekly and monthly.
> Another possibility might be a weekly check so we can use the fcron directories?

In case machines are off while the script performs its weekly check (no 24/7er) the next check will be made one/two week(s) later, which might be a long time if you do not know where the problem is.
I would possibly make a daily check there and would also set the UPDATE to a week or 5 days instead of the current 2 before expiration date so more days can be grabbed even the check should be a fast one.

>> Should we catch any errors of the openssl command?
>
> OK, I would then maybe use a '2>&1 | logger -i -t openvpn' instead so we get an OpenSSL command output in messages if the CRL has been renewed.
Have here two possibilities.

1)
in error case:
Feb 3 17:56:03 ipfire-server crl_updater[18986]: /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file or directory
if successful:
Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf

which equals to the OpenSSL command output ( 2>&1 | logger ).

or

2)
in error case:
Feb 2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL update failed
if successful:
Feb 2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL has been updated

if else query echo´s a defined message so search string like failed or updated can also be logged ?

Otherwise all other quested changes have been made and are ready so far, might be nice to push the remaining CGI changes soon I think :-) .

Greetings,

Erik
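
Review bot: In the quoted hunk, NEXTUPDATE is computed from EXPIRINGDATEINSEC without checking that the variable holds a number. In bash arithmetic an empty or unset variable evaluates to 0, so if whatever sets EXPIRINGDATEINSEC fails, `NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";` silently yields 0 instead of a visible error, and an unset or zero DAYINSEC aborts with a division-by-zero message. Consider verifying that EXPIRINGDATEINSEC is a non-empty integer before the division and logging when it is not. As a style point, the trailing semicolons on both assignments are unnecessary, and since `UPDATE="2";` is a threshold in days, a name that says so would make it readable without the comment.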
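
The two logging variants discussed in the message can be combined, shown here as an added example that is not part of the original mail or the IPFire script. It also covers a caveat of variant 1: the exit status of `cmd 2>&1 | logger` is logger's, not the command's, so an if/else on that pipeline never sees a failure. `run_logged`, `log_msg`, `LOG_CMD` and `SCRIPT_NAME` are hypothetical names.

```shell
#!/bin/sh
# Added example: forward a command's output to syslog AND write a fixed status line.
# run_logged, log_msg, LOG_CMD and SCRIPT_NAME are hypothetical names.

# Logging command; defaults to logger(1) with the tag used in the thread.
LOG_CMD="${LOG_CMD:-logger -t openvpn}"
SCRIPT_NAME="${SCRIPT_NAME:-ovpn_crl_updater.sh}"

log_msg() {
	# Word splitting of LOG_CMD is intentional (command plus its options).
	$LOG_CMD "$1"
}

# run_logged CMD [ARGS...]
# Variant 1: every line CMD writes to stdout/stderr goes to the log.
# Variant 2: one fixed, greppable status line follows.
# Returns CMD's own exit status, which a plain "CMD 2>&1 | logger" would lose.
run_logged() {
	# The && / || form keeps this safe under "set -e".
	output=$("$@" 2>&1) && cmd_rc=0 || cmd_rc=$?
	if [ -n "$output" ]; then
		printf '%s\n' "$output" | while IFS= read -r line; do
			log_msg "$line"
		done
	fi
	if [ "$cmd_rc" -eq 0 ]; then
		log_msg "${SCRIPT_NAME} - CRL has been updated"
	else
		log_msg "${SCRIPT_NAME} - CRL update failed (exit ${cmd_rc})"
	fi
	return "$cmd_rc"
}
```

Wrapping the CRL renewal command as `run_logged <command> <args>` gives both the raw OpenSSL output and a stable "failed"/"updated" search string in the same log.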