Certificate revocation fix (#719)

2025-06-06 15:13:56 +02:00 · 2017-11-13 00:09:57 +02:00 · 2017-11-13 00:09:57 +02:00 · f18c1a0d67
commit f18c1a0d67
parent b64f682bae
2 changed files with 20 additions and 6 deletions
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -14,4 +14,4 @@
  service: name=netfilter-persistent state=restarted
 - name: rereadcrls
-  shell: ipsec rereadcrls
+  shell: ipsec rereadcrls; ipsec purgecrls
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@ -150,6 +150,7 @@
      -passin pass:"{{ easyrsa_CA_password }}"
      -revoke certs/{{ item }}.crt
      -out crl/{{ item }}.crt
    register: gencrl
    args:
      chdir: configs/{{ IP_subject_alt_name }}/pki/
      creates: crl/{{ item }}.crt
@ -157,14 +158,27 @@
    when: item not in users
    with_items: "{{ valid_certs.stdout_lines }}"
  - name: Genereate new CRL file
    shell: >
      {{ openssl_bin }} ca -gencrl
      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}"))
      -passin pass:"{{ easyrsa_CA_password }}"
      -out crl/algo.root.pem
    when:
      - gencrl is defined
      - gencrl.changed
    args:
      chdir: configs/{{ IP_subject_alt_name }}/pki/
      executable: bash
  delegate_to: localhost
  become: no
- name: Copy the revoked certificates to the vpn server
+- name: Copy the CRL to the vpn server
  copy:
-    src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
+    src: configs/{{ IP_subject_alt_name }}/pki/crl/algo.root.pem
-    dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
+    dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
-  when: item not in users
+  when:
-  with_items: "{{ valid_certs.stdout_lines }}"
+    - gencrl is defined
    - gencrl.changed
  notify:
    - rereadcrls