Hi,
On Sat, 2018-02-03 at 21:20 +0100, ummeegge wrote:
Hello Michael, some thoughts concerning two requested points
+# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; +# Update of the CRL in days before CRL expiring date +UPDATE="2";
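Review bot: UPDATE="2" is a hard-coded margin while the reply right below argues for 14 days against a 30-day CRL lifetime; keeping that value as a named constant next to DAYINSEC at the top of the script, with a comment stating the unit (days), avoids it being changed in one place and forgotten in the other. Also note that `$((EXPIRINGDATEINSEC / DAYINSEC))` is integer division and truncates, so NEXTUPDATE is a floor of the remaining days (47 hours left yields 1); whichever comparison against UPDATE follows should use `-le`, not `-lt`, so a CRL with just under UPDATE+1 days left is still renewed.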
I think we should update every 14 days if the usual expiry time is 30. Therefore we will never get too close by accident.
So I would then need an fcrontab entry and another location for the script, since the fcron directories provide only daily, weekly and monthly. Another possibility might be a weekly check, so we can use the fcron directories?
In case machines are off while the script performs its weekly check (not a 24/7 machine), the next check will be made one/two week(s) later, which might be a long time if you do not know where the problem is. I would then possibly make a daily check there and would also set UPDATE to a week or 5 days instead of the current 2 before the expiration date, so more days can be grabbed, even if the check should be a fast one.
Cron will take care of this. It will automatically perform the cron jobs a little while after the system has been booted if they should have been executed while it was shut down.
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561... 43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
It's the "bootrun" argument there.
Should we catch any errors of the openssl command?
OK, I would then maybe use '2>&1 | logger -i -t openvpn' instead, so we get the OpenSSL command output in messages if the CRL has been renewed.
I have two possibilities here, 1)
in error case: Feb 3 17:56:03 ipfire-server crl_updater[18986]: /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file or directory
Don't put the path in. Calling "openssl" should be fine.
if successful: Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf
which equals the OpenSSL command output (2>&1 | logger).
Do we need to log the output of OpenSSL? A line that says something like "Could not update the OpenVPN CA CRL" should do, shouldn't it? People should run the script themselves then and see what is going wrong.
or 2)
in error case: Feb 2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL update failed
if successful: Feb 2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL has been updated
an if/else query echoes a defined message, so a search string like 'failed' or 'updated' can also be logged?
Otherwise, all other requested changes have been made and are ready so far; it might be nice to push the remaining CGI changes soon, I think :-).
Cool.
Let me know if I can be of any more help.
Best, -Michael
Greetings,
Erik
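The check the thread is designing, written out as an added example that is not the IPFire ovpn_crl_updater.sh itself: it derives the remaining days from the CRL's nextUpdate date, decides against a named UPDATE margin, and logs one searchable success/failure line (variant 2 above) while still sending OpenSSL's own output to syslog. It assumes GNU date (date -d) for parsing the date string; the ovpn.cnf path is the one from the log line above, the CRL path is a placeholder. It also shows the caveat with "openssl ... 2>&1 | logger": the exit status of that pipeline is logger's, so the example captures OpenSSL's status separately before handing the output to logger.

```shell
#!/bin/bash
# Added example, not the IPFire script: decide whether the OpenVPN CA CRL needs
# renewing and log the outcome. Assumes GNU date (date -d) and, for the real
# run only, openssl and logger. Works under bash and dash.

DAYINSEC=86400
UPDATE=14                                   # renew when the CRL expires within this many days
CNF="/var/ipfire/ovpn/openssl/ovpn.cnf"     # path as seen in the thread's log line
CRL="/path/to/placeholder/cacrl.pem"        # placeholder, not a real IPFire path

# log_msg: one line to syslog with the "openvpn" tag; fall back to stdout when
# no logger(1) is available (e.g. inside a container).
log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -t openvpn -- "$*"
    else
        printf '%s\n' "$*"
    fi
}

# days_until EXPIRY NOW_EPOCH: whole days between NOW_EPOCH (seconds) and an
# expiry date written the way openssl prints it, e.g. "Mar  5 17:56:03 2018 GMT".
# Integer division truncates: 47 hours left prints 1, an expired CRL prints <= 0.
days_until() {
    expiry_epoch="$(date -u -d "$1" +%s)" || return 2
    echo $(( (expiry_epoch - $2) / DAYINSEC ))
}

# needs_update EXPIRY NOW_EPOCH: true (0) when the CRL is within UPDATE days of
# expiring; -le so that a truncated "exactly UPDATE days" still renews.
needs_update() {
    days="$(days_until "$1" "$2")" || return 2
    [ "$days" -le "$UPDATE" ]
}

# crl_nextupdate FILE: the nextUpdate field of a CRL on disk, via openssl crl(1).
crl_nextupdate() {
    openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# renew_crl: regenerate the CRL. OpenSSL's output is captured first so that
# its exit status is the one tested; piping it straight into logger would make
# the if-condition see logger's status instead. The output still reaches syslog.
renew_crl() {
    out="$(openssl ca -config "$CNF" -gencrl -out "$CRL" 2>&1)"
    status=$?
    [ -n "$out" ] && printf '%s\n' "$out" | logger -i -t openvpn
    if [ "$status" -eq 0 ]; then
        log_msg "$0 - CRL has been updated"
    else
        log_msg "$0 - CRL update failed"
        return 1
    fi
}

# main: what the daily cron job would run.
main() {
    expiry="$(crl_nextupdate "$CRL")" || { log_msg "$0 - could not read $CRL"; return 1; }
    if needs_update "$expiry" "$(date +%s)"; then
        renew_crl
    else
        log_msg "$0 - CRL still valid for $(days_until "$expiry" "$(date +%s)") days"
    fi
}

# Only touch the real CRL when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run as `ovpn_crl_check.sh --run` from /etc/fcron.daily; with a daily run and UPDATE=14 a machine that is switched off for a week still has a week of margin, and "grep 'CRL update failed' /var/log/messages" finds the one line that matters.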