
openvpn: crl.pem must be readable by nobody

keep-around/234523b1e5a4d228d7b87b9919664cd968a6791e
Loïc Dachary 5 months ago
parent
commit
234523b1e5
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
  1. 21
      playbooks/openvpn/openvpn-client-playbook.yml
  2. 2
      playbooks/openvpn/roles/openvpn/tasks/openvpn.yml
  3. 2
      playbooks/openvpn/roles/openvpn/templates/server.conf.j2

21
playbooks/openvpn/openvpn-client-playbook.yml

@ -42,8 +42,19 @@
register: retire
changed_when: '"Updated" in retire.stdout'
- name: when at least one client was retired systemctl restart openvpn@server
systemd:
name: openvpn@server
state: restarted
when: retire is changed
- when: retire is changed
block:
- name: rebuild and publish CRL
shell: |
set -ex
./easyrsa gen-crl
# crl.pem is loaded when a client starts, as user nobody
cp pki/crl.pem /etc/openvpn/crl.pem ; chmod +r /etc/openvpn/crl.pem
args:
chdir: "{{ openvpn_easy_rsa_root }}/openvpn/easy-rsa"
- name: systemctl restart openvpn@server
systemd:
name: openvpn@server
state: restarted
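Review bot: The CRL is swapped into place with `cp pki/crl.pem /etc/openvpn/crl.pem ; chmod +r /etc/openvpn/crl.pem` (the same line is added in roles/openvpn/tasks/openvpn.yml), which truncates and rewrites the live file, so a client handshake that lands mid-copy reads a partial CRL; the likely outcome is a rejected connection rather than a bypass, but it is avoidable. Writing the file with its mode set up front and renaming it makes the replacement atomic and drops the separate chmod, e.g. `install -m 0644 pki/crl.pem /etc/openvpn/crl.pem.tmp && mv /etc/openvpn/crl.pem.tmp /etc/openvpn/crl.pem`. The `;` between cp and chmod only behaves because `set -e` aborts the script when cp fails; a single install call removes that reliance. Separately, gen-crl now runs only when a client is retired, and the CRL easy-rsa emits carries its own validity window (EASYRSA_CRL_DAYS); if no retirement happens before it lapses, OpenVPN versions that enforce CRL expiry will presumably refuse every client, so a scheduled regeneration may be worth adding. The enclosing play continues outside the hunk.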

2
playbooks/openvpn/roles/openvpn/tasks/openvpn.yml

@ -73,6 +73,8 @@
./easyrsa gen-dh
openvpn --genkey --secret ta.key
./easyrsa gen-crl
# crl.pem is loaded when a client starts, as user nobody
cp pki/crl.pem /etc/openvpn/crl.pem ; chmod +r /etc/openvpn/crl.pem
args:
creates: "{{ openvpn_easy_rsa_root }}/openvpn/easy-rsa/pki/private/server.key"
chdir: "{{ openvpn_easy_rsa_root }}/openvpn/easy-rsa"

2
playbooks/openvpn/roles/openvpn/templates/server.conf.j2

@ -5,7 +5,7 @@ ca {{ openvpn_easy_rsa_root }}/openvpn/easy-rsa/pki/ca.crt
cert {{ openvpn_easy_rsa_root }}/openvpn/easy-rsa/pki/issued/server.crt
key {{ openvpn_easy_rsa_root }}/openvpn/easy-rsa/pki/private/server.key # This file should be kept secret
dh {{ openvpn_easy_rsa_root }}/openvpn/easy-rsa/pki/dh.pem
crl-verify {{ openvpn_easy_rsa_root }}/openvpn/easy-rsa/pki/crl.pem
crl-verify crl.pem
server {{ openvpn_server_ip_range }}
keepalive 10 120
tls-auth {{ openvpn_easy_rsa_root }}/openvpn/easy-rsa/ta.key 0 # This file is secret
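Review bot: `crl-verify crl.pem` is the only relative path in this template; OpenVPN resolves it against the daemon's working directory (or a `cd` directive, if one is set), so it only works while the openvpn@server unit starts in /etc/openvpn, which nothing in the hunk shows. Writing it as `crl-verify /etc/openvpn/crl.pem` matches the absolute form of the other directives and lets a reader confirm by inspection that the playbook's copy target and the config name the same file. A comment on the line, e.g. `# copied out of the easy-rsa pki by the playbook so it stays readable once privileges drop to nobody`, would record why this file is handled differently from the ca/cert/key paths above it. The template continues outside the hunk.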
