random generate openvpn cert at first run (#6207)

2025-04-18 17:33:31 +00:00 · 2021-01-24 20:30:53 +08:00 · 2021-01-24 20:30:53 +08:00 · d3d861a729
commit d3d861a729
parent afc97235d2
5 changed files with 230 additions and 33 deletions
--- a/package/lean/luci-app-openvpn-server/luasrc/model/cbi/openvpn-server/openvpn-server.lua
+++ b/package/lean/luci-app-openvpn-server/luasrc/model/cbi/openvpn-server/openvpn-server.lua
@ -98,6 +98,7 @@ end

 function mp.on_after_commit(self)
  os.execute("uci set firewall.openvpn.dest_port=$(uci get openvpn.myvpn.port) && uci commit firewall &&  /etc/init.d/firewall restart")
+  os.execute("/etc/openvpncert.sh > /dev/null")
  os.execute("/etc/init.d/openvpn restart")
 end

--- a/package/lean/luci-app-openvpn-server/root/etc/config/openvpn
+++ b/package/lean/luci-app-openvpn-server/root/etc/config/openvpn
@ -9,7 +9,7 @@ config openvpn 'myvpn'
 	option server '10.8.0.0 255.255.255.0'
 	option comp_lzo 'adaptive'
 	option ca '/etc/openvpn/ca.crt'
-	option dh '/etc/openvpn/dh1024.pem'
+	option dh '/etc/openvpn/dh.pem'
 	option cert '/etc/openvpn/server.crt'
 	option key '/etc/openvpn/server.key'
 	option persist_key '1'
--- a/package/lean/luci-app-openvpn-server/root/etc/easy-rsa/vars
+++ b/package/lean/luci-app-openvpn-server/root/etc/easy-rsa/vars
@ -1,19 +1,210 @@
-export EASY_RSA="/etc/easy-rsa"
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
-export KEY_DIR="$EASY_RSA/keys"
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-export PKCS11_MODULE_PATH="dummy"
-export PKCS11_PIN="dummy"
-export KEY_SIZE=1024
-export CA_EXPIRE=3650
-export KEY_EXPIRE=3650
-export KEY_COUNTRY="CN"
-export KEY_PROVINCE="ZJ"
-export KEY_CITY="ZJ"
-export KEY_ORG="ZJ"
-export KEY_EMAIL="ZJ@ZJ.com"
-export KEY_OU="ZJ"
-export KEY_NAME="EasyRSA"
+# Easy-RSA 3 parameter settings
+
+# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
+# this file in place -- instead, you should copy the entire easy-rsa directory
+# to another location so future upgrades don't wipe out your changes.
+
+# HOW TO USE THIS FILE
+#
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file 'vars' if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
+#
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the 'vars' file.
+#
+# All of the editable settings are shown commented and start with the command
+# 'set_var' -- this means any set_var command that is uncommented has been
+# modified by the user. If you're happy with a default, there is no need to
+# define the value to its default.
+
+# NOTES FOR WINDOWS USERS
+#
+# Paths for Windows  *MUST* use forward slashes, or optionally double-esscaped
+# backslashes (single forward slashes are recommended.) This means your path to
+# the openssl binary might look like this:
+# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# A little housekeeping: DON'T EDIT THIS SECTION
+# 
+# Easy-RSA 3.x doesn't source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
+	echo "This is no longer necessary and is disallowed. See the section called" >&2
+	echo "'How to use this file' near the top comments for more details." >&2
+	return 1
+fi
+
+# DO YOUR EDITS BELOW THIS POINT
+
+# This variable is used as the base location of configuration files needed by
+# easyrsa.  More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
+
+set_var EASYRSA	"/etc/easy-rsa"
+
+# If your OpenSSL command is not in the system PATH, you will need to define the
+# path to it here. Normally this means a full path to the executable, otherwise
+# you could have left it undefined here and the shown default would be used.
+#
+# Windows users, remember to use paths with forward-slashes (or escaped
+# back-slashes.) Windows users should declare the full path to the openssl
+# binary here if it is not in their system PATH.
+
+#set_var EASYRSA_OPENSSL	"openssl"
+#
+# This sample is in Windows syntax -- edit it for your path if not using PATH:
+#set_var EASYRSA_OPENSSL	"C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# Edit this variable to point to your soon-to-be-created key directory.  By
+# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
+# directory you are currently in).
+#
+# WARNING: init-pki will do a rm -rf on this directory so make sure you define
+# it correctly! (Interactive mode will prompt before acting.)
+
+set_var EASYRSA_PKI		"/etc/easy-rsa/pki"
+
+# Define X509 DN mode.
+# This is used to adjust what elements are included in the Subject field as the DN
+# (this is the "Distinguished Name.")
+# Note that in cn_only mode the Organizational fields further below aren't used.
+#
+# Choices are:
+#   cn_only  - use just a CN value
+#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
+
+#set_var EASYRSA_DN	"cn_only"
+
+# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
+# These are the default values for fields which will be placed in the
+# certificate.  Don't leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email.)
+
+#set_var EASYRSA_REQ_COUNTRY	"US"
+#set_var EASYRSA_REQ_PROVINCE	"California"
+#set_var EASYRSA_REQ_CITY	"San Francisco"
+#set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
+#set_var EASYRSA_REQ_EMAIL	"me@example.net"
+#set_var EASYRSA_REQ_OU		"My Organizational Unit"
+
+# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
+# 2048-bit keys is considered more than sufficient for many years into the
+# future. Larger keysizes will slow down TLS negotiation and make key/DH param
+# generation take much longer. Values up to 4096 should be accepted by most
+# software. Only used when the crypto alg is rsa (see below.)
+
+set_var EASYRSA_KEY_SIZE	2048
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+#  * rsa
+#  * ec
+
+#set_var EASYRSA_ALGO		rsa
+
+# Define the named curve, used in ec mode only:
+
+#set_var EASYRSA_CURVE		secp384r1
+
+# In how many days should the root CA key expire?
+
+set_var EASYRSA_CA_EXPIRE	3650
+
+# In how many days should certificates expire?
+
+set_var EASYRSA_CERT_EXPIRE	3650
+
+# How many days until the next CRL publish date?  Note that the CRL can still be
+# parsed after this timeframe passes. It is only used for an expected next
+# publication date.
+
+# How many days before its expiration date a certificate is allowed to be
+# renewed?
+#set_var EASYRSA_CERT_RENEW	30
+
+#set_var EASYRSA_CRL_DAYS	180
+
+# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
+# is "no" to discourage use of deprecated extensions. If you require this
+# feature to use with --ns-cert-type, set this to "yes" here. This support
+# should be replaced with the more modern --remote-cert-tls feature.  If you do
+# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
+# this defined to "no".  When set to "yes", server-signed certs get the
+# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
+# nsComment field.
+
+#set_var EASYRSA_NS_SUPPORT	"no"
+
+# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
+# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
+
+#set_var EASYRSA_NS_COMMENT	"Easy-RSA Generated Certificate"
+
+# A temp file used to stage cert extensions during signing. The default should
+# be fine for most users; however, some users might want an alternative under a
+# RAM-based FS, such as /dev/shm or /tmp on some systems.
+
+#set_var EASYRSA_TEMP_FILE	"$EASYRSA_PKI/extensions.temp"
+
+# !!
+# NOTE: ADVANCED OPTIONS BELOW THIS POINT
+# PLAY WITH THEM AT YOUR OWN RISK
+# !!
+
+# Broken shell command aliases: If you have a largely broken shell that is
+# missing any of these POSIX-required commands used by Easy-RSA, you will need
+# to define an alias to the proper path for the command.  The symptom will be
+# some form of a 'command not found' error from your shell. This means your
+# shell is BROKEN, but you can hack around it here if you really need. These
+# shown values are not defaults: it is up to you to know what you're doing if
+# you touch these.
+#
+#alias awk="/alt/bin/awk"
+#alias cat="/alt/bin/cat"
+
+# X509 extensions directory:
+# If you want to customize the X509 extensions used, set the directory to look
+# for extensions here. Each cert type you sign must have a matching filename,
+# and an optional file named 'COMMON' is included first when present. Note that
+# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
+# fallback to $EASYRSA for the 'x509-types' dir.  You may override this
+# detection with an explicit dir here.
+#
+#set_var EASYRSA_EXT_DIR	"$EASYRSA/x509-types"
+
+# OpenSSL config file:
+# If you need to use a specific openssl config file, you can reference it here.
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
+# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
+# specific and you cannot just use a standard config file, so this is an
+# advanced feature.
+
+#set_var EASYRSA_SSL_CONF	"$EASYRSA/openssl-easyrsa.cnf"
+
+# Default CN:
+# This is best left alone. Interactively you will set this manually, and BATCH
+# callers are expected to set this themselves.
+
+set_var EASYRSA_REQ_CN		"CN"
+
+# Cryptographic digest to use.
+# Do not change this default unless you understand the security implications.
+# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
+
+#set_var EASYRSA_DIGEST		"sha256"
+
+# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
+# in batch mode without any user input, confirmation on dangerous operations,
+# or most output. Setting this to any non-blank string enables batch mode.
+
+#set_var EASYRSA_BATCH		""
+
--- a/package/lean/luci-app-openvpn-server/root/etc/openvpn/dh1024.pem
+++ b/package/lean/luci-app-openvpn-server/root/etc/openvpn/dh1024.pem
--- a/package/lean/luci-app-openvpn-server/root/etc/openvpncert.sh
+++ b/package/lean/luci-app-openvpn-server/root/etc/openvpncert.sh
@ -1,15 +1,20 @@
 #!/bin/sh

-clean-all
-echo -en "\n\n\n\n\n\n\n\n" | build-ca
-build-dh
-build-key-server server
-build-key-pkcs12 client1
-cp /etc/easy-rsa/keys/ca.crt /etc/openvpn/
-cp /etc/easy-rsa/keys/server.crt /etc/openvpn/
-cp /etc/easy-rsa/keys/server.key /etc/openvpn/
-cp /etc/easy-rsa/keys/dh1024.pem /etc/openvpn/
-cp /etc/easy-rsa/keys/client1.crt /etc/openvpn/
-cp /etc/easy-rsa/keys/client1.key /etc/openvpn/
-/etc/init.d/openvpn restart
-echo "OpenVPN Cert renew successfully"
+if [[ ! -f /etc/easy-rsa/pki/ca.crt || "$1" == "renew" ]]; then
+    echo yes|easyrsa init-pki
+    echo CN|easyrsa build-ca nopass
+    easyrsa gen-dh
+    easyrsa build-server-full server nopass
+    easyrsa build-client-full client1 nopass
+
+    cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/
+    cp /etc/easy-rsa/pki/issued/server.crt /etc/openvpn/
+    cp /etc/easy-rsa/pki/private/server.key /etc/openvpn/
+    cp /etc/easy-rsa/pki/dh.pem /etc/openvpn/
+    cp /etc/easy-rsa/pki/issued/client1.crt /etc/openvpn/
+    cp /etc/easy-rsa/pki/private/client1.key /etc/openvpn/
+    /etc/init.d/openvpn restart
+    echo "OpenVPN Cert renew successfully"
+else
+    echo "Use the 'renew' option renew Cert"
+fi