February 2023 Archives

Thu Feb 23 11:46:08 +07 2023

Change redis owner after update on mail server

The upgrade procedure of redis resets the ownership of the database to the default user "redis". For historical reasons, we are using the user "kluser" (because Kaspersky did not allow anything else to be used). After upgrading redis, you must set the ownership to kluser on both /var/run/redis and /var/run/db. On the mail server:

    sudo chown -R kluser /var/run/redis
    sudo chown -R kluser /var/db/redis

Posted by Olivier | Permanent link | File under: administration

Thu Feb 16 13:32:52 +07 2023

Managing VPN certificates

Users can create their own VPN certificates on the account management web page. VPN authentication is based on the user credentials and a certificate protected by a password. The certificate is valid for one year.

To revoke a certificate, connect to ufo and issue:

    sudo -u httpd /var/db/http/rsa.scripts/rsa_wrapper2.pl revoke <user name>

The script rsa_wrapper2.pl can be used to create a certificate, show it, show its expiration date, revoke it, or renew the CRL (Certificate Revocation List). The CRL has a validity of 6 months and is not renewed unless a user is revoked. A crontab job will renew the CRL on the 3rd of every four months, at 2:57. This should solve the error about the CRL being expired.

Note that rsa_wrapper2.pl should be used and not rsa_wrapper.pl. It calls the script easyrsa.real.test, which has been modified to work around a bug in OpenSSL. I have tried with the native OpenSSL (1.1.10) installed with FreeBSD 13 and with OpenSSL 3.2.0-dev and the bug is still there. I *think* it is the bug about EPERM that is detailed in "TTY_get() in crypto/ui/ui_openssl.c open_console() can also return er..." <https://github.com/openssl/openssl/commit/082394839ea32386abc7ee33aaa9da864287064c>

To work around the bug, I have modified easyrsa.real to pass the CA passphrase with:

    echo "passphrase" | openssl ... -passin stdin

instead of:

    openssl ... -passin pass:passphrase

Note that the passphrase is hardcoded in the script. Note that the workaround is VERY crude.

Note about the bug: it would only show when the web page is created by Joomla:

    Joomla3 -> php wrapper -> Perl script    -> Perl script     -> Bourne shell script -> openssl
    php     -> php         -> connect-iframe -> rsa_wrapper2.pl -> easyrsa.real.test   -> openssl

and not when the page was created only by a Perl CGI script:

    Perl script -> Perl script    -> Bourne shell script -> openssl
    connect     -> rsa_wrapper.pl -> easyrsa.real        -> openssl

I could not make a smaller example.
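A check worth running next to the cron renewal, so the "CRL expired" error is caught before VPN users are refused: the added Go example below (not from the original post or the rsa scripts) parses a DER-encoded CRL and reports the whole days left before its NextUpdate. The CRL it checks is signed by a throwaway CA constructed in the code with the 6-month lifetime the post describes; the function and type names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// crlDaysLeft parses a DER-encoded CRL and returns the whole days until
// NextUpdate; a negative value means it has already expired.
func crlDaysLeft(der []byte) (int, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil { return 0, err }
	return int(time.Until(crl.NextUpdate).Hours() / 24), nil
}

// makeTestCRL signs a CRL with a throwaway CA so the check runs offline.
// validFor counts from now; a negative value yields an already-expired CRL.
// Constructed test data only, not the production CA managed by easyrsa.
func makeTestCRL(validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	next := time.Now().Add(validFor)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"},
		NotBefore: next.AddDate(-1, 0, 0), NotAfter: next.AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	ca, err := x509.ParseCertificate(caDER) // parsed form carries the generated SubjectKeyId
	if err != nil { return nil, err }
	// ThisUpdate six months before NextUpdate mirrors the 6-month CRL lifetime.
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: next.AddDate(0, -6, 0), NextUpdate: next}
	return x509.CreateRevocationList(rand.Reader, crl, ca, key)
}

func main() {
	der, err := makeTestCRL(180 * 24 * time.Hour)
	if err != nil { panic(err) }
	days, err := crlDaysLeft(der)
	fmt.Println("days until CRL NextUpdate:", days, err)
}
```

A crl.pem written by easyrsa is PEM, so run pem.Decode on it first and pass the resulting bytes to crlDaysLeft.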

Posted by Olivier | Permanent link | File under: administration