
fix check of the expiry date for the CA server certificate when there are multiple certs in the same file

HgO 10 months ago
parent
commit
db334425cc
1 changed files with 14 additions and 3 deletions
  1. 14 3
      conf/ynh-vpnclient

+ 14 - 3
conf/ynh-vpnclient

@@ -103,9 +103,20 @@ check_config() {
     critical "You need a CA server (you can add it through the web admin)"
   fi
 
-  if ! openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -checkend 0 >/dev/null; then
-    ca_server_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -enddate | cut -d '=' -f 2)
-    critical "The CA server expired on $ca_server_cert_expired_date"
+  latest_ca_server_cert_expiry_timestamp=0
+  while ca_server_cert_expiry_date=$(openssl x509 -noout -enddate 2>/dev/null); do
+    ca_server_cert_expiry_date=$(cut -f 2 -d '=' <<< "$ca_server_cert_expiry_date")
+    ca_server_cert_expiry_timestamp=$(date +'%s' -d "$ca_server_cert_expiry_date")
+
+    if [[ "$ca_server_cert_expiry_timestamp" -ge "$latest_ca_server_cert_expiry_timestamp" ]]; then
+      latest_ca_server_cert_expiry_timestamp="$ca_server_cert_expiry_timestamp"
+      latest_ca_server_cert_expiry_date="$ca_server_cert_expiry_date"
+    fi
+  done < /etc/openvpn/keys/ca-server.crt
+
+  today_timestamp=$(date +'%s')
+  if [[ "$latest_ca_server_cert_expiry_timestamp" -ge "$today_timestamp" ]]; then
+    critical "The CA server expired on $latest_ca_server_cert_expiry_date"
   fi
 
   if [[ ! -e /etc/openvpn/keys/user.crt || ! -e /etc/openvpn/keys/user.key ]]; then
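Review bot: The comparison in the new `if` after the loop is inverted: `-ge` calls `critical` when the latest expiry timestamp is at or after today, i.e. while the certificate is still valid, and stays silent once it has actually expired, which reverses the behaviour of the removed `-checkend 0` test; it should read `if [[ "$latest_ca_server_cert_expiry_timestamp" -lt "$today_timestamp" ]]; then`. With that fix, a file from which no certificate could be parsed leaves the timestamp at its initial 0 and would be reported as "expired on " with an empty date (and `latest_ca_server_cert_expiry_date` is never assigned in that case), so a guard such as `(( latest_ca_server_cert_expiry_timestamp > 0 )) || critical "Could not read any certificate from /etc/openvpn/keys/ca-server.crt"` before the comparison makes the unreadable-file case distinguishable from an expired one. The loop also presumably relies on each `openssl x509` invocation consuming exactly one PEM block from the shared stdin; if it reads ahead, later certificates in the bundle are skipped, which is worth confirming against a real multi-certificate file. check_config starts and ends outside the hunk.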