탐색 도움말
로그인
rajven
/
openvpn-status-page
의 미러 https://github.com/rajven/openvpn-status-page
1
0
포크 0
파일 이슈 0 위키
트리: 65605af119
브랜치 태그
openvpn-status-...
/
addons
/
cmd
/
revoke_client.sh

revoke_client.sh 2.5 KB
히스토리 Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495 
  1. #!/bin/bash
    2. 

  2. 

  3. # Функция для логирования
    4. 

  4. log() {
    5. 

  5.     logger -t "openvpn-revoke" -p user.info "$1"
    6. 

  6.     echo "$1"  # Также выводим в консоль для обратной связи
    7. 

  7. }
    8. 

  8. 

  9. # Проверка прав
    10. 

  10. check_permissions() {
    11. 

  11.     if [[ $EUID -ne 0 ]]; then
    12. 

  12.         log "Error: This script must be run as root" >&2
    13. 

  13.         exit 1
    14. 

  14.     fi
    15. 

  15. }
    16. 

  16. 

  17. if [ $# -ne 3 ]; then
    18. 

  18.     log "Usage: $0 <service_name> <rsa_dir> <username>"
    19. 

  19.     exit 1
    20. 

  20. fi
    21. 

  21. 

  22. check_permissions
    23. 

  23. 

  24. SRV_NAME="${1}"
    25. 

  25. RSA_DIR="${2}"
    26. 

  26. USERNAME="${3}"
    27. 

  27. 

  28. log "Starting certificate revocation for $USERNAME by user $ORIGINAL_USER"
    29. 

  29. 

  30. # Проверяем существование директории RSA
    31. 

  31. if [ ! -d "$RSA_DIR" ]; then
    32. 

  32.     log "Error: RSA directory not found: $RSA_DIR"
    33. 

  33.     exit 1
    34. 

  34. fi
    35. 

  35. 

  36. # Переходим в директорию RSA
    37. 

  37. cd "$RSA_DIR" || exit 1
    38. 

  38. 

  39. # Проверяем наличие easyrsa
    40. 

  40. if [ ! -f "./easyrsa" ]; then
    41. 

  41.     log "Error: easyrsa not found in $RSA_DIR"
    42. 

  42.     exit 1
    43. 

  43. fi
    44. 

  44. 

  45. # Проверяем существование сертификата
    46. 

  46. if [ ! -f "./pki/issued/${USERNAME}.crt" ]; then
    47. 

  47.     log "Error: Certificate for user $USERNAME not found"
    48. 

  48.     exit 1
    49. 

  49. fi
    50. 

  50. 

  51. # Проверяем, не отозван ли уже сертификат
    52. 

  52. if grep -q "/CN=${USERNAME}" ./pki/index.txt | grep -q "R"; then
    53. 

  53.     log "Error: Certificate for $USERNAME is already revoked"
    54. 

  54.     exit 1
    55. 

  55. fi
    56. 

  56. 

  57. # Отзываем сертификат
    58. 

  58. log "Revoking certificate for user: $USERNAME"
    59. 

  59. ./easyrsa --batch revoke "$USERNAME"
    60. 

  60. 

  61. # Проверяем успешность отзыва
    62. 

  62. if [ $? -eq 0 ]; then
    63. 

  63.     log "Successfully revoked certificate for $USERNAME"
    64. 

  64. 

  65.     # Генерируем CRL (Certificate Revocation List)
    66. 

  66.     log "Generating CRL..."
    67. 

  67.     ./easyrsa --batch gen-crl
    68. 

  68. 

  69.     if [ $? -eq 0 ]; then
    70. 

  70.         log "CRL generated successfully"
    71. 

  71. 

  72.         chown nobody:nogroup -R "$RSA_DIR/pki/issued/"
    73. 

  73. 	chown nobody:nogroup -R "$RSA_DIR/pki/crl.pem"
    74. 

  74.         chmod 640 "${RSA_DIR}"/pki/issued/*.crt
    75. 

  75. 

  76.         # Рестартуем сервис
    77. 

  77.         log "Restarting service: $SRV_NAME"
    78. 

  78.         systemctl restart "${SRV_NAME}"
    79. 

  79. 

  80.         if [ $? -eq 0 ]; then
    81. 

  81.             log "Service $SRV_NAME restarted successfully"
    82. 

  82.             log "Certificate revocation completed for $USERNAME"
    83. 

  83.             exit 0
    84. 

  84.         else
    85. 

  85.             log "Error: Failed to restart service $SRV_NAME"
    86. 

  86.             exit 1
    87. 

  87.         fi
    88. 

  88.     else
    89. 

  89.         log "Error: Failed to generate CRL"
    90. 

  90.         exit 1
    91. 

  91.     fi
    92. 

  92. else
    93. 

  93.     log "Error: Failed to revoke certificate for $USERNAME"
    94. 

  94.     exit 1
    95. 

  95. fi
    96.