VPN server certificate renewal fixes #139

usableprivacy · Aug 3, 2019 · cef725b · cef725b
1 parent 67c638a
commit cef725b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
@@ -136,6 +136,9 @@
     - restart openvpn
     - restart openvpn-su
 
+- name: deploy Server Certificate renewal cronjob
+  template: src=server-cert-renewal.sh dest=/etc/cron.weekly/openvpn-server-cert owner=root group=root mode=0755
+
 - name: deleting unused files
   file: path={{item}} state=absent
   with_items:

diff --git a/roles/vpn/templates/server-cert-renewal.sh b/roles/vpn/templates/server-cert-renewal.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+days=60
+
+#Test if certificate expires in the next 60 days
+/usr/bin/openssl x509 -checkend $(($days * 24 * 3600)) -in /etc/openvpn/ca/serverCert.pem
+
+if [ $? -eq 1 ]
+then
+  openssl ca -in /etc/openvpn/ca/serverReq.pem -days 730 -batch -out /etc/openvpn/ca/serverCert.pem -notext -cert /etc/openvpn/ca/caCert.pem -keyfile /etc/openvpn/ca/caKey.pem
+  service openvpn-su restart
+fi