From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH 1/2] OpenVPN: Show indication when OpenVPN certificates expire Date: Sun, 05 Mar 2023 14:41:02 +0000 Message-ID: <8a7bb572-d019-dc06-92e2-3545acf6ce3e@ipfire.org> In-Reply-To: <20230222122534.259972-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1228823521973437684==" List-Id: --===============1228823521973437684== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Acked-by: Peter M=C3=BCller > This will help with #11742 - OpenVPN: No method to replace expired > certificates. >=20 > Signed-off-by: Michael Tremer > --- > doc/language_issues.en | 2 ++ > doc/language_issues.es | 2 ++ > doc/language_issues.fr | 2 ++ > doc/language_issues.it | 2 ++ > doc/language_issues.nl | 2 ++ > doc/language_issues.pl | 2 ++ > doc/language_issues.ru | 2 ++ > doc/language_issues.tr | 2 ++ > doc/language_missings | 14 +++++++++++ > html/cgi-bin/ovpnmain.cgi | 51 +++++++++++++++++++++++++-------------- > langs/de/cgi-bin/de.pl | 2 ++ > langs/en/cgi-bin/en.pl | 2 ++ > 12 files changed, 67 insertions(+), 18 deletions(-) >=20 > diff --git a/doc/language_issues.en b/doc/language_issues.en > index c29e3bed6..474921415 100644 > --- a/doc/language_issues.en > +++ b/doc/language_issues.en 
> @@ -1413,6 +1413,8 @@ WARNING: untranslated string: only digits allowed in = max retries field =3D Only di > WARNING: untranslated string: only digits allowed in the idle timeout =3D = Only digits allowed in the idle timeout. > WARNING: untranslated string: open connections =3D Open Connections > WARNING: untranslated string: openssl produced an error =3D OpenSSL produc= ed an error > +WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon > +WARNING: untranslated string: openvpn cert has expired =3D Expired > WARNING: untranslated string: openvpn client =3D OpenVPN client > WARNING: untranslated string: openvpn default =3D Default > WARNING: untranslated string: openvpn destination port used =3D The destin= ation port is already used by another OpenVPN server. > diff --git a/doc/language_issues.es b/doc/language_issues.es > index 0bd390d5d..91240dbe6 100644 > --- a/doc/language_issues.es > +++ b/doc/language_issues.es > @@ -980,6 +980,8 @@ WARNING: untranslated string: hardware vulnerabilities = =3D Hardware Vulnerabilitie > WARNING: untranslated string: info messages =3D unknown string > WARNING: untranslated string: invalid ip or hostname =3D Invalid IP Addres= s or Hostname > WARNING: untranslated string: no data =3D unknown string > +WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon > +WARNING: untranslated string: openvpn cert has expired =3D Expired > WARNING: untranslated string: pakfire ago =3D ago. > WARNING: untranslated string: route config changed =3D unknown string > WARNING: untranslated string: routing config added =3D unknown string > diff --git a/doc/language_issues.fr b/doc/language_issues.fr > index 56d69d86e..f70cda819 100644 > --- a/doc/language_issues.fr > +++ b/doc/language_issues.fr 
> @@ -946,6 +946,8 @@ WARNING: untranslated string: guardian logtarget_file = =3D unknown string > WARNING: untranslated string: guardian logtarget_syslog =3D unknown string > WARNING: untranslated string: guardian no entries =3D unknown string > WARNING: untranslated string: guardian service =3D unknown string > +WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon > +WARNING: untranslated string: openvpn cert has expired =3D Expired > WARNING: untranslated string: pakfire ago =3D ago. > WARNING: untranslated string: retbleed =3D Retbleed > WARNING: untranslated string: route config changed =3D unknown string > diff --git a/doc/language_issues.it b/doc/language_issues.it > index 9999f947c..cfde3f8e4 100644 > --- a/doc/language_issues.it > +++ b/doc/language_issues.it > @@ -1174,6 +1174,8 @@ WARNING: untranslated string: one month =3D One Month > WARNING: untranslated string: one week =3D One Week > WARNING: untranslated string: one year =3D One Year > WARNING: untranslated string: open connections =3D Open Connections > +WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon > +WARNING: untranslated string: openvpn cert has expired =3D Expired > WARNING: untranslated string: optional =3D Optional > WARNING: untranslated string: otp qrcode =3D OTP QRCode > WARNING: untranslated string: outgoing compression in bytes per second =3D= Outgoing compression > diff --git a/doc/language_issues.nl b/doc/language_issues.nl > index 14a7b420e..738d7c706 100644 > --- a/doc/language_issues.nl > +++ b/doc/language_issues.nl 
> @@ -1197,6 +1197,8 @@ WARNING: untranslated string: one month =3D One Month > WARNING: untranslated string: one week =3D One Week > WARNING: untranslated string: one year =3D One Year > WARNING: untranslated string: open connections =3D Open Connections > +WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon > +WARNING: untranslated string: openvpn cert has expired =3D Expired > WARNING: untranslated string: optional =3D Optional > WARNING: untranslated string: otp qrcode =3D OTP QRCode > WARNING: untranslated string: outgoing compression in bytes per second =3D= Outgoing compression > diff --git a/doc/language_issues.pl b/doc/language_issues.pl > index a53a208d9..ab21f1381 100644 > --- a/doc/language_issues.pl > +++ b/doc/language_issues.pl > @@ -1355,6 +1355,8 @@ WARNING: untranslated string: one month =3D One Month > WARNING: untranslated string: one week =3D One Week > WARNING: untranslated string: one year =3D One Year > WARNING: untranslated string: open connections =3D Open Connections > +WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon > +WARNING: untranslated string: openvpn cert has expired =3D Expired > WARNING: untranslated string: openvpn default =3D Default > WARNING: untranslated string: openvpn destination port used =3D The destin= ation port is already used by another OpenVPN server. > WARNING: untranslated string: openvpn fragment allowed with udp =3D Using = fragment is only allowed when using the UDP protocol. > diff --git a/doc/language_issues.ru b/doc/language_issues.ru > index c5dc1aa61..6b2622f26 100644 > --- a/doc/language_issues.ru > +++ b/doc/language_issues.ru 
> @@ -1353,6 +1353,8 @@ WARNING: untranslated string: one month =3D One Month > WARNING: untranslated string: one week =3D One Week > WARNING: untranslated string: one year =3D One Year > WARNING: untranslated string: open connections =3D Open Connections > +WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon > +WARNING: untranslated string: openvpn cert has expired =3D Expired > WARNING: untranslated string: openvpn default =3D Default > WARNING: untranslated string: openvpn destination port used =3D The destin= ation port is already used by another OpenVPN server. > WARNING: untranslated string: openvpn fragment allowed with udp =3D Using = fragment is only allowed when using the UDP protocol. > diff --git a/doc/language_issues.tr b/doc/language_issues.tr > index 552082a96..6b86ebc7e 100644 > --- a/doc/language_issues.tr > +++ b/doc/language_issues.tr > @@ -1091,6 +1091,8 @@ WARNING: untranslated string: no entries =3D No entri= es at the moment. > WARNING: untranslated string: not affected =3D Not Affected > WARNING: untranslated string: not validating =3D Not validating > WARNING: untranslated string: open connections =3D Open Connections > +WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon > +WARNING: untranslated string: openvpn cert has expired =3D Expired > WARNING: untranslated string: optional =3D Optional > WARNING: untranslated string: otp qrcode =3D OTP QRCode > WARNING: untranslated string: ovpn connection name =3D Connection Name > diff --git a/doc/language_missings b/doc/language_missings > index 65d38b422..934c5a60c 100644 > --- a/doc/language_missings > +++ b/doc/language_missings > @@ -105,6 +105,8 @@ > < dns servers > < hardware vulnerabilities > < invalid ip or hostname > +< openvpn cert expires soon > +< openvpn cert has expired > < service boot setting unavailable > < transport mode does not support vti > < wlanap 
> @@ -127,6 +129,8 @@ > < retbleed > < service boot setting unavailable > < show dh > +< openvpn cert expires soon > +< openvpn cert has expired > < upload fcdsl.o > ##########################################################################= ## > # Checking cgi-bin translations for language: it = # > @@ -470,6 +474,8 @@ > < one week > < one year > < open connections > +< openvpn cert expires soon > +< openvpn cert has expired > < optional > < otp qrcode > < outgoing compression in bytes per second > @@ -997,6 +1003,8 @@ > < one week > < one year > < open connections > +< openvpn cert expires soon > +< openvpn cert has expired > < optional > < otp qrcode > < outgoing compression in bytes per second > @@ -1829,6 +1837,8 @@ > < one week > < one year > < open connections > +< openvpn cert expires soon > +< openvpn cert has expired > < openvpn default > < openvpn destination port used > < openvpn disabled > @@ -2812,6 +2822,8 @@ > < one week > < one year > < open connections > +< openvpn cert expires soon > +< openvpn cert has expired > < openvpn default > < openvpn destination port used > < openvpn disabled > @@ -3316,6 +3328,8 @@ > < not validating > < okay > < open connections > +< openvpn cert expires soon > +< openvpn cert has expired > < optional > < otp qrcode > < ovpn connection name > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 42a7354fc..87bda4f1e 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -33,6 +33,7 @@ use File::Temp qw/ tempfile tempdir /; > use strict; > use Archive::Zip qw(:ERROR_CODES :CONSTANTS); > use Sort::Naturally; > +use Date::Parse; > require '/var/ipfire/general-functions.pl'; > require "${General::swroot}/lang.pl"; > require "${General::swroot}/header.pl"; 
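Review bot: `use Date::Parse;` pulls in the TimeDate distribution, which as far as I know is not part of core Perl, and nothing else in this patch adds it to the build, so confirm it is already shipped in the base system before this lands. If it is not, `openssl x509 -noout -checkend 2592000` (and `-checkend 0` for "already expired") would let OpenSSL evaluate the expiry itself and the module could be dropped.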
> @@ -5352,31 +5353,45 @@ END
> END
> }
> if ($confighash{$key}[0] eq 'on') { $gif =3D 'on.gif'; } else { $gif =3D = 'off.gif'; }
> - if ($id % 2) {
> - print "";
> - $col=3D"bgcolor=3D'$color{'color20'}'";
> - } else {
> - print "";
> - $col=3D"bgcolor=3D'$color{'color22'}'";
> - }
> - print "$confighash{$key}[1]";
> - print "" . $Lang::tr{"$config= hash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")";
> - #if ($confighash{$key}[4] eq 'cert') {
> - #print "$confighash{$key}[2]";
> - #} else {
> - #print " ";
> - #}
> - my @cavalid =3D &General::system_output("/usr/bin/openssl", "x509", "-tex= t", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
> - my $cavalid;
> =20
> + # Fetch information about the certificate
> + my @cavalid =3D &General::system_output("/usr/bin/openssl", "x509", "-tex= t",
> + "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
> +
> + my $expiryDate =3D 0;
> +
> + # Parse the certificate information
> foreach my $line (@cavalid) {
> if ($line =3D~ /Not After : (.*)[\n]/) {
> - $cavalid =3D $1;
> -
> + $expiryDate =3D &Date::Parse::str2time($1);
> last;
> }
> }
> =20
> + # Calculate the remaining time
> + my $remainingTime =3D $expiryDate - time();
> +
> + # Create some simple booleans to check the status
> + my $hasExpired =3D ($remainingTime <=3D 0);
> + my $expiresSoon =3D ($remainingTime <=3D 30 * 24 * 3600);
> +
> + print "";
> +
> + if ($hasExpired || $expiresSoon) {
> + $col=3D"bgcolor=3D'$color{'color14'}'";
> + } elsif ($id % 2) {
> + $col=3D"bgcolor=3D'$color{'color20'}'";
> + } else {
> + $col=3D"bgcolor=3D'$color{'color22'}'";
> + }
> + print "$confighash{$key}[1]";
> + if ($hasExpired) {
> + print " ($Lang::tr{'openvpn cert has expired'})";
> + } elsif ($expiresSoon) {
> + print " ($Lang::tr{'openvpn cert expires soon'})";
> + }
> + print "";
> + print "" . $Lang::tr{"$config= hash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . 
")";
> print "$confighash{$key}[25]";
> $col1=3D"bgcolor=3D'${Header::colourred}'";
> my $active =3D "$Lang::tr{'capsclosed'}= ";
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 5fbab2ff8..a57b62ad8 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1884,6 +1884,8 @@
> 'open connections' =3D> 'Offene Verbindungen',
> 'open to all' =3D> '=C3=9Cberschreibe externen Zugang zu ALL',
> 'openssl produced an error' =3D> 'OpenSSL hat einen Fehler verursacht',
> +'openvpn cert expires soon' =3D> 'L=C3=A4uft bald ab',
> +'openvpn cert has expired' =3D> 'Abgelaufen',
> 'openvpn client' =3D> 'OpenVPN-Client',
> 'openvpn default' =3D> 'Vorgabe',
> 'openvpn destination port used' =3D> 'Der Zielport wird bereits von einer = anderen OpenVPN-Server-Instanz genutzt.',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 80753b841..4dc9d8577 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -1940,6 +1940,8 @@
> 'open connections' =3D> 'Open Connections',
> 'open to all' =3D> 'Override external access to ALL',
> 'openssl produced an error' =3D> 'OpenSSL produced an error',
> +'openvpn cert expires soon' =3D> 'Expires Soon',
> +'openvpn cert has expired' =3D> 'Expired',
> 'openvpn client' =3D> 'OpenVPN client',
> 'openvpn default' =3D> 'Default',
> 'openvpn destination port used' =3D> 'The destination port is already used= by another OpenVPN server.',
--===============1228823521973437684==--
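Review bot: A certificate whose `Not After` line is not found or not parseable is shown as expired, because `$expiryDate` starts at 0 and `str2time` returns undef on failure, so `$remainingTime` goes negative (with an uninitialized-value warning in the undef case) and `$hasExpired` becomes true — a missing, unreadable or differently formatted certificate file is indistinguishable from a real expiry. Scraping the `-text` dump with `/Not After : (.*)[\n]/` also depends on the exact human-readable layout and on `system_output` preserving the trailing newline; `openssl x509 -noout -enddate` yields one stable `notAfter=` line instead (or `-checkend` would let OpenSSL do the comparison without Date::Parse at all). I would leave `$expiryDate` undef on failure and only compute the two flags when it is defined, so an unknown state shows no label rather than a false "Expired"; a dedicated "could not read certificate" label would be better still but needs a new language string. The enclosing `$key`/`$id` iteration begins before this hunk and the row output continues after it.
```perl
	# Ask OpenSSL only for the notAfter field; this is a single stable
	# "notAfter=<date>" line rather than the free-form -text dump.
	my @enddate = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-enddate",
		"-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");

	# Stays undef when the date could not be determined; that must not
	# be reported as "expired".
	my $expiryDate;
	foreach my $line (@enddate) {
		if ($line =~ /^notAfter=(.+?)\s*$/) {
			$expiryDate = &Date::Parse::str2time($1);
			last;
		}
	}

	my $hasExpired = 0;
	my $expiresSoon = 0;
	if (defined $expiryDate) {
		my $remainingTime = $expiryDate - time();
		$hasExpired = ($remainingTime <= 0);
		$expiresSoon = ($remainingTime <= 30 * 24 * 3600);
	}
	# … unchanged: row colouring and status label output …
```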