Certificate revocation fix (#719)

7 years ago · f18c1a0d67
parent b64f682bae
commit f18c1a0d67
2 changed files with 20 additions and 6 deletions
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -14,4 +14,4 @@
  service: name=netfilter-persistent state=restarted

 - name: rereadcrls
-  shell: ipsec rereadcrls
+  shell: ipsec rereadcrls; ipsec purgecrls
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@ -150,6 +150,7 @@
      -passin pass:"{{ easyrsa_CA_password }}"
      -revoke certs/{{ item }}.crt
      -out crl/{{ item }}.crt
+    register: gencrl
    args:
      chdir: configs/{{ IP_subject_alt_name }}/pki/
      creates: crl/{{ item }}.crt
@ -157,14 +158,27 @@
    when: item not in users
    with_items: "{{ valid_certs.stdout_lines }}"

+  - name: Genereate new CRL file
+    shell: >
+      {{ openssl_bin }} ca -gencrl
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}"))
+      -passin pass:"{{ easyrsa_CA_password }}"
+      -out crl/algo.root.pem
+    when:
+      - gencrl is defined
+      - gencrl.changed
+    args:
+      chdir: configs/{{ IP_subject_alt_name }}/pki/
+      executable: bash
  delegate_to: localhost
  become: no

- name: Copy the revoked certificates to the vpn server
+- name: Copy the CRL to the vpn server
  copy:
-    src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
-    dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
-  when: item not in users
-  with_items: "{{ valid_certs.stdout_lines }}"
+    src: configs/{{ IP_subject_alt_name }}/pki/crl/algo.root.pem
+    dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
+  when:
+    - gencrl is defined
+    - gencrl.changed
  notify:
    - rereadcrls