diff --git a/revoke_key.sh b/revoke_key.sh
index 7d6124a..eecc551 100755
--- a/revoke_key.sh
+++ b/revoke_key.sh
@@ -7,6 +7,11 @@ _date="$(date +%Y-%m-%d-%H%M)"
 key_names_reserverd="ta ca server"
+# - For checking if revokation was successfull
+# -
+_CHECK_DIR="$(mktemp -d)"
+_RT_CERT="${_CHECK_DIR}/revoke-test.pem"
+
 #---------------------------------------
 #-----------------------------
 # Some functions
@@ -17,6 +22,7 @@ clean_up() {
 # Perform program exit housekeeping
 rm $log_file
+ rm -rf $_CHECK_DIR
 blank_line
 exit $1
 }
@@ -61,7 +67,7 @@ fatal(){
 echo ""
 echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*"
 echo ""
- echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m"
+ echo -e "\t\033[37m\033[1mscript will be interrupted\033[m\033[m"
 echo ""
 clean_up 1
 }
@@ -96,6 +102,22 @@ echo_skipped() {
 trap clean_up SIGHUP SIGINT SIGTERM
+
+# -------------
+# --- Check some prerequisites
+# -------------
+
+# -Is systemd supported on this system?
+# -
+systemd_supported=false
+systemd=$(which systemd)
+systemctl=$(which systemctl)
+
+if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
+systemd_supported=true
+fi
+
+
 clear
 echo ""
 echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m"
@@ -221,6 +243,8 @@ else
 _CLIENT_CERT="${OPENVPN_KEY_DIR}/${KEY_NAME_TO_REVOKE}.crt"
 _CLIENT_KEY="${OPENVPN_KEY_DIR}/${KEY_NAME_TO_REVOKE}.key"
 fi
+_CRL="${OPENVPN_KEY_DIR}/crl.pem"
+_CA_CERT="${OPENVPN_KEY_DIR}/ca.crt"
 for _name in $key_names_reserverd ; do
@@ -272,6 +296,16 @@ else
 fatal "OpenVPN directory '$OPENVPN_BASE_DIR' not found!"
 fi
+
+echononl "Backup cert to revoke for further check. (see below"
+cp -a "$_CLIENT_CERT" "$_CHECK_DIR" > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+echo_ok
+else
+echo_failed
+ fatal "$(cat $log_file)"
+fi
+
 if $EASYRSA_LAYOUT_NEW ; then
 # ---
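Review bot: `rm -rf $_CHECK_DIR` added to clean_up is unquoted and has no guard against an empty value, and `_CHECK_DIR="$(mktemp -d)"` in the first hunk is never checked, so a failed mktemp leaves the variable empty by the time clean_up runs. Write it as `rm -rf -- "${_CHECK_DIR:?}"` so an unset or empty directory aborts instead of expanding to a bare `rm -rf`, and give the mktemp line its own failure check (e.g. `_CHECK_DIR="$(mktemp -d)" || exit 1`, since `fatal` is defined further down). clean_up's header and the rest of its body lie outside this hunk.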
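Review bot: The systemd detection `systemd=$(which systemd)` in the prerequisites hunk will likely leave `systemd_supported` false on most systemd hosts, because the `systemd` binary is normally installed outside PATH while only `systemctl` is on it; the script then falls through to `/etc/init.d/openvpn restart` on exactly the systems that have no init script. Test for the running init instead of the binary name, e.g. `if [[ -d /run/systemd/system ]] && command -v systemctl >/dev/null 2>&1 ; then systemd_supported=true ; fi`, which also drops `which` in favour of the builtin `command -v`. The unindented `systemd_supported=true` inside the `if` is a small style nit in the same hunk.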
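Review bot: In the backup hunk the if-body lines `echo_ok` and `echo_failed` sit at column 0 while the sibling `fatal` is indented, which reads as if they were outside the `if`; indent them with `fatal` like the other status blocks in the file. The progress message has an unbalanced parenthesis and should read `echononl "Backup cert to revoke for further check (see below).."`. The `if $EASYRSA_LAYOUT_NEW` block that follows continues past the hunk.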
@@ -345,34 +379,18 @@ else
 echo -e "\033[32m--\033[m"
 echo ""
- echononl "Change into key directory '$KEY_DIR'.."
- cd "$KEY_DIR" > "$log_file" 2>&1
- if [[ $? -eq 0 ]] ; then
- echo_ok
- else
- echo_failed
- fatal "$(cat $log_file)"
- fi
-
- echononl "Set Defaults .."
- CRL="crl.pem"
- RT="revoke-test.pem"
- export KEY_CN=""
- export KEY_OU=""
- export KEY_NAME=""
- echo_ok
-
- echononl "Remove file '$RT'.."
- rm -f "$RT" > "$log_file" 2>&1
- if [[ $? -eq 0 ]] ; then
- echo_ok
- else
- echo_failed
- fatal "$(cat $log_file)"
- fi
+ #echononl "Change into key directory '$KEY_DIR'.."
+ #cd "$KEY_DIR" > "$log_file" 2>&1
+ #if [[ $? -eq 0 ]] ; then
+ # echo_ok
+ #else
+ # echo_failed
+ # fatal "$(cat $log_file)"
+ #fi
 echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .."
- $OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
+ #$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
+ $OPENSSL ca -revoke "${_CLIENT_KEY}" -config "$KEY_CONFIG" > "$log_file" 2>&1
 if [[ $? -eq 0 ]] ; then
 echo_ok
 else
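Review bot: The new revoke line hands the private key to `openssl ca -revoke`: `$OPENSSL ca -revoke "${_CLIENT_KEY}"` replaces the old `"${KEY_NAME_TO_REVOKE}.crt"`, but `-revoke` expects the certificate PEM, so with a key file the command cannot load a certificate and the script drops into `fatal` before the CRL is ever regenerated. It should be `$OPENSSL ca -revoke "${_CLIENT_CERT}" -config "$KEY_CONFIG" > "$log_file" 2>&1`, using the `_CLIENT_CERT` variable that is set next to `_CLIENT_KEY` earlier in the file. Commenting out `cd "$KEY_DIR"` and deleting the `export KEY_CN=""` / `KEY_OU` / `KEY_NAME` defaults is riskier than it looks: if `$KEY_CONFIG` resolves its `dir`, index or serial paths relative to the working directory, or reads those `KEY_*` variables via `$ENV::` as easy-rsa 2 style configs do, the CA operations will now fail or update the wrong database — confirm that before removing them rather than leaving them as dead comments. The enclosing `else` branch begins before this hunk and its `if … fi` continues after it.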
@@ -381,48 +399,67 @@ else
 fi
 echononl "Generate a new CRL -- try to be compatible with intermediate PKIs"
- $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
+ #$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
+ $OPENSSL ca -gencrl -out "$_CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
 if [[ $? -eq 0 ]] ; then
 echo_ok
 else
 echo_failed
 fatal "$(cat $log_file)"
 fi
-
- # ---
- # - Check if Revokation was sucessfully.
- # ---
- echo ""
- echo -e "\033[32m--\033[m"
- echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.."
- echo -e "\033[32m--\033[m"
- echo ""
-
- echononl "Create CA file '$RT' from $CRL to check against.."
- if [ -e export-ca.crt ]; then
- cat export-ca.crt "$CRL" >"$RT" 2> "$log_file"
- _retval=$?
- else
- cat ca.crt "$CRL" >"$RT" 2> "$log_file"
- _retval=$?
- fi
- if [[ $_retval -eq 0 ]]; then
- echo_ok
- else
- echo_failed
- error "$(cat $log_file)"
- fatal "Verifying the revocation is not possible!"
- fi
-
- echononl "Verify the revocation.."
- $OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1
- if [[ $? -eq 2 ]]; then
- echo_ok
- info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked."
- else
- echo_failed
- error "$(cat $log_file)"
- fi
 fi
+
+# ---
+# - Check if Revokation was sucessfully.
+# ---
+echo ""
+echo -e "\033[32m--\033[m"
+echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.."
+echo -e "\033[32m--\033[m"
+echo ""
+
+# - "Create CA file '$_RT_CERT' including (new) $_CRL to check against..
+# -
+echononl "Create CA file '$_RT_CERT' to check against.."
+cat "$_CA_CERT" "$_CRL" >"$_RT_CERT" 2> "$log_file"
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+ fatal "Verifying the revocation is not possible!"
+fi
+
+[[ -z "$OPENSSL" ]] && OPENSSL="$(which openssl)"
+
+echononl "Verify the revocation.."
+$OPENSSL verify -CAfile "$_RT_CERT" -crl_check "${_CHECK_DIR}/$(basename "$_CLIENT_CERT")" > "$log_file" 2>&1
+if [[ $? -eq 2 ]]; then
+ echo_ok
+ info "Key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m successfully revoked."
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+# ---
+# - Start apache webservice
+# ---
+echo ""
+echononl "\tRestart OpenVPN Service.."
+if $systemd_supported ; then
+ systemctl restart openvpn > $log_file 2>&1
+else
+ /etc/init.d/openvpn restart > $log_file 2>&1
+fi
+if [ "$?" = "0" ]; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+ warn "Restarting OpenVPN Service failed!."
+fi
+
+
 clean_up 0
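Review bot: `if [[ $? -eq 2 ]]` after `openssl verify -crl_check` reports "successfully revoked" for any verification failure, not just a revoked certificate — an incomplete chain, an expired certificate or an unreadable `$_RT_CERT` exit with the same status — and this hunk also drops the old `export-ca.crt` preference that the "compatible with intermediate PKIs" comment refers to, so the intermediate-CA case is now the most likely way to get a false positive. Confirm the reason as well as the status, e.g. `if [[ $? -eq 2 ]] && grep -q 'certificate revoked' "$log_file"; then`, and consider restoring the `export-ca.crt` fallback when `$_RT_CERT` is assembled from `$_CA_CERT` and `$_CRL`. The header `# - Start apache webservice` above the restart block is stale for code that restarts OpenVPN and should read `# - Restart OpenVPN service`. `systemctl restart openvpn` assumes a unit of that exact name; distributions that template units per config (openvpn@<config>) may restart nothing here, so this is worth checking against the target hosts, and `> $log_file` in both branches should be quoted like the rest of the file.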