- Set renewal period to 3 years before expiry so that users not inconvenienced
too much.
- Renew server certificate if possible.
- There are openvpn server setups where the expiry of the server certificate has
been set to 2 years due to a bug in our code. Triggering a setup call will renew
these certificates without effecting any clients. Even during the bug, CA certs
were still be valid for 10 years. So, they are unaffected.
- When downloading profile, if client certificate is renewable, renew
before providing profile for download. Old certificates will still be valid
until their expiry.
Tests:
- Without the patches, install openvpn app. Server certificate will be created
with a validity of 2 years. Download the client profile. Apply patches, setup
will be rerun. OpenVPN will be restarted. Server certificate will be renewed and
show 10 years expiry. Old client profile will continue to connect successfully.
It will have expiry of 2 years. Download the client profile again. It will an
expiry of 10 years and will successfully to the server.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Don't overwrite the entire PKI directory or CA certificates.
- Don't re-enable app during setup.
Tests:
- Install app with patches. Rerun setup. It succeeds. Server certificate is not
changed.
- Disable app. Re-run setup. App is not re-enabled. OpenVPN is not running.
- Enable app. Re-run setup. OpenVPN is restarted.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- A configuration file seems to be the preferred approach for invoke easy-rsa
since version 3.
- Drop unused configuration keys KEY_CONFIG, KEY_DIR and EASYRSA_REQ_NAME. These
are no longer referred to in the easy-rsa script.
- Remove configuration key EASYRSA_OPENSSL as the value 'openssl' is already the
default.
- Use pathlib.Path to simplify some code.
Tests:
- Re-run setup and notice the ca.cert file has not changed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- After moving to easy-rsa 3.x, the expiry configuration key changed and
original intention of setting the expiry to 10 years was not working. Update the
key to set the expiry properly.
Tests:
- Install the app freshly and verify the server and client have 'Valid Not
After' date set 10 years in future.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2370.
- In Debian testing (trixie), easy-rsa version is 3.1.5 (up from 3.1.0). In this
version trying to sign a certificate request when the final certificate is
already present leads to an error which fails openvpn app installation.
- In versions 3.1.0 (Debian bookworm/stable) and above, build-server-full also
generates a signing request and then signs the request. So, there is no need to
run them separately.
Tests:
- Uninstall openvpn test that /etc/openvpn directory has been removed. Install
openvpn download client profile and connect using 'sudo openvpn --config
tester.ovpn'. The connection will be successful.
- Files /etc/openvpn/freedombox-keys/pki/issues/{server,tester}.ovpn show
signature values.
- Repeat test for Debian testing and stable/bookworm.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Remove /etc/openvpn when the app is uninstalled
* Tests:
1. Uninstall app and manually check if /etc/openvpn gets removed
2. Sucessfully install app
3. Functional tests: passed
4. In case we choose to purge packages in the future: I checked purging openvpn and it will not
remove /etc/openvpn.
Signed-off-by: nbenedek <contact@nbenedek.me>
[sunil: Update docstrings]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- RSA to ECC migration was introduced in October 2020 is available to
Buster (via backports) and to Bullseye users. Dropping the code will make it
easy to test regular maintenance code updates.
- A two step setup process of first installing and then setting up the
certificates is no longer necessary. (New installs already don't use this). The
certificate generation process does not take hours but minutes. We also have a
good progress indication during install+setup process.
Tests:
- Functional tests pass.
- Initial setup completes successfully and does not take very long time.
- Profiles can be downloaded successfully and imported.
- A client an use them to connect.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests pass.
- Initial setup completes successfully and does not take very long time.
- Profiles can be downloaded successfully and imported.
- A client an use them to connect.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
