nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add recovery mechanism for certificate renewal failures

Browse Source 
Closes: #572

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-05-18 22:05:47 +01:00
parent 4d5ff71ba3
commit cf32d9f485
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 57 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
easyrsa3/easyrsa
View File

@ -345,6 +345,9 @@ print() { printf "%s\n" "$*" || exit 1; }
# Exit fatally with a message to stderr # Exit fatally with a message to stderr
# present even with EASYRSA_BATCH as these are fatal problems # present even with EASYRSA_BATCH as these are fatal problems
die() { die() {
# If renew failed then restore cert, key and req. Otherwise, issue a warning
# If *restore* fails then at least the file-names are not serial-numbers
[ "$restore_failed_renew" ] && renew_restore_move
print " print "
Easy-RSA error: Easy-RSA error:
@ -1751,10 +1754,14 @@ subjectAltName = $san"
# move renewed files so we can reissue certificate with the same name # move renewed files so we can reissue certificate with the same name
renew_move renew_move
# Set restore on error flag
restore_failed_renew=1
# renew certificate # renew certificate
build_full "$cert_type" "$file_name_base" "$opt_nopass" || die "\ build_full "$cert_type" "$file_name_base" "$opt_nopass" || die "\
Failed to renew certificate: renew command failed." Failed to renew certificate: renew command failed."
# Success messages
[ "$EASYRSA_SILENT" ] || print # Separate Notice below [ "$EASYRSA_SILENT" ] || print # Separate Notice below
notice "\ notice "\
@ -1767,7 +1774,41 @@ Renew was successful:
return 0 return 0
} # => renew() } # => renew()
# move-renewed # Restore files on failure to renew
renew_restore_move() {
unset -v restore_failed_renew rrm_err
# restore crt, key and req file to PKI folders
if ! mv "$restore_crt_out" "$restore_crt_in"; then
warn "Failed to restore: $restore_crt_out"
rrm_err=1
fi
# only restore the key if we have it
if [ -e "$restore_key_out" ]; then
if ! mv "$restore_key_out" "$restore_key_in"; then
warn "Failed to restore: $restore_key_out"
rrm_err=1
fi
fi
# only restore the req if we have it
if [ -e "$restore_req_out" ]; then
if ! mv "$restore_req_out" "$restore_req_in"; then
warn "Failed to restore: $restore_req_out"
rrm_err=1
fi
fi
# messages
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
if [ "$rrm_err" ]; then
warn "Failed to restore renewed files."
else
notice "Renewed files have been restored."
fi
} # => renew_restore_move()
# renew_move
# moves renewed certificates to the 'renewed' folder # moves renewed certificates to the 'renewed' folder
# allows reissuing certificates with the same name # allows reissuing certificates with the same name
renew_move() { renew_move() {
@ -1782,39 +1823,45 @@ renew_move() {
done done
# move crt, key and req file to renewed folders # move crt, key and req file to renewed folders
restore_crt_in="$crt_in"
restore_crt_out="$crt_out"
mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in" mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"
# only move the key if we have it # only move the key if we have it
restore_key_in="$key_in"
restore_key_out="$key_out"
if [ -e "$key_in" ]; then if [ -e "$key_in" ]; then
mv "$key_in" "$key_out" || die "Failed to move: $key_in" mv "$key_in" "$key_out" || die "Failed to move: $key_in"
fi fi
# only move the req if we have it # only move the req if we have it
restore_req_in="$req_in"
restore_req_out="$req_out"
if [ -e "$req_in" ]; then if [ -e "$req_in" ]; then
mv "$req_in" "$req_out" || die "Failed to move: $req_in" mv "$req_in" "$req_out" || die "Failed to move: $req_in"
fi fi
# move any pkcs files # remove any pkcs files
for pkcs in p12 p7b p8 p1; do for pkcs in p12 p7b p8 p1; do
if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then
# issued # issued
mv "$in_dir/issued/$file_name_base.$pkcs" \ rm "$in_dir/issued/$file_name_base.$pkcs" \
"$out_dir/issued/$file_name_base.$pkcs" \ || die "Failed to remove: $file_name_base.$pkcs"
|| die "Failed to move: $file_name_base.$pkcs"
elif [ -e "$in_dir/private/$file_name_base.$pkcs" ]; then elif [ -e "$in_dir/private/$file_name_base.$pkcs" ]; then
# private # private
mv "$in_dir/private/$file_name_base.$pkcs" \ rm "$in_dir/private/$file_name_base.$pkcs" \
"$out_dir/private/$file_name_base.$pkcs" \ || die "Failed to remove: $file_name_base.$pkcs"
|| die "Failed to move: $file_name_base.$pkcs"
else else
: # ok : # ok
fi fi
done done
# remove the duplicate certificate in the certs_by_serial folder # remove the duplicate certificate in the certs_by_serial folder
if [ -e "$duplicate_crt_by_serial" ]; then
rm "$duplicate_crt_by_serial" || warn \ rm "$duplicate_crt_by_serial" || warn \
"Failed to remove the duplicate certificate in the certs_by_serial folder" "Failed to remove the duplicate certificate in the certs_by_serial folder"
fi
# remove credentials file (if exists) # remove credentials file (if exists)
if [ -e "$creds_in" ]; then if [ -e "$creds_in" ]; then
@ -1823,7 +1870,7 @@ renew_move() {
fi fi
return 0 return 0
} # => move_renewed() } # => renew_move()
# revoke-renewed backend # revoke-renewed backend
revoke_renewed() { revoke_renewed() {