Hi,
On Tue, 2018-02-06 at 10:24 +0100, ummeegge wrote:
Hello,
In case machines are off while the script performs its weekly check (no 24/7er), the next check will be made one/two week(s) later, which might be a long time if you do not know where the problem is. I would possibly make that a daily check and would also set the UPDATE to a week or 5 days instead of the current 2 before expiration date, so more days can be grabbed, even though the check should be a fast one.
Cron will take care of this. It will automatically perform the cron jobs a little while after the system has been booted and when the cron jobs should have been executed while it was shut down.
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561f4a243239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
It's the "bootrun" argument there.
Thanks for the clarification, haven't had that in mind. Will deliver the updater then to 'fcron.weekly'. Will also set the update before expiration interval to 10 days before, 8 might also be OK for a weekly cronjob but possibly better to have 2 days + ?!
I think daily is better. That makes things more predictable and it does not hurt to renew every 14 days to never get close to the expiration date.
if successful: Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf
which equals the OpenSSL command output ( 2>&1 | logger ).
Do we need to log the output of OpenSSL? A line that says something like "Could not update the OpenVPN CA CRL" should do, shouldn't it? People should run the script themselves then and see what is going wrong.
No, I don't think so, lines in messages look even better then. Did that now like you suggested.
Otherwise all other requested changes have been made and are ready so far, might be nice to push the remaining CGI changes soon I think :-) .
Cool.
Let me know if I can be of any more help.
Great, thanks for your offer and your help. If there is no veto for the above changes I will deliver the patch today in the evening.
Have also fetched the actual openssl-11 branch with all needed changes, thanks for keeping this up to date :-) .
All the best,
Erik
-Michael