Revoke a valid certificate #7
Comments
Is the screenshot you sent me from another fork of the original openvpn-web-ui project? If so, which fork? I like this approach for revocation.
This is not a fork, it's just a bit of my imagination and a couple of actions in the web browser inspector :)) 😎
I've implemented a certificate revocation and removal capability in OpenVPNAdmin. Give it a try when you have a chance. I'll include a suggested Docker compose below, as you won't be able to pull it using the GitHub method. Make sure you supply the required environment variables at the bottom of your Portainer Stack as well.

```yaml
version: '3'
services:
  gui:
    image: bnhf/pivpn-tap-web-ui:beta
    container_name: openvpn-gui-tap
    environment:
      - OPENVPN_ADMIN_USERNAME=admin
      - OPENVPN_ADMIN_PASSWORD=b3secure
      - COUNTRY=${COUNTRY}
      - PROVINCE=${PROVINCE}
      - CITY=${CITY}
      - ORG=${ORG}
      - EMAIL=${EMAIL}
      - OU=${OU}
      - PIVPN_SERVER=${PIVPN_SERVER}
      - PIVPN_CONF=${PIVPN_CONF}
      - TZ=${TZ}
    ports:
      - "8080:8080/tcp"
    restart: always
    volumes:
      - /etc/openvpn:/etc/openvpn
      - ./openvpn-data/db:/opt/openvpn-gui-tap/db
```
I've made a couple of changes already you won't see in the Beta. The missing value for "Common Name" aka "CN" has been fixed. Also, I decided to change the button color for downloading revoked certificates from green to red, to more accurately reflect their state. I'm still trying to figure out a way to get the main page to update "automagically" when a client disconnects, but OpenVPN itself seems to be slow to recognize that event and assumes the client is trying to reconnect. That'll probably end up being a future upgrade. Also, I have the home page set to auto refresh every 20 seconds, which at least keeps the time more current.
Hi! Great job! Now I make all the changes to the Docker container itself and then make a backup copy of these files to the host. I just updated the pivpn-tap-web-ui binary and the file certificates.html from your new beta container and this will work for me! I also changed the certificates.html page a bit for myself; I attach a screenshot. But there is one problem: when the certificate is revoked, for some reason the crl.pem certificate revocation list is not updated, and because of this the client can connect again, even after restarting the OpenVPN service. When revoking, the file is first updated along the path Regarding the monitoring of clients on the main page, I also want to insert a js script for automatic page updates every 30 seconds. Is there a way to make the clients' connections display in real time??? It would be nice!
Looks like I missed a step, which is to generate an updated crl.pem -- do you agree? Also, I believe with the latest version of easy-rsa that file should be generated in, and remain in, /etc/openvpn/easy-rsa/pki. So the server.conf
Yes, I agree, you probably missed the step that creates the crl.pem file in Can you add the code so that the crl.pem file is also copied to the I will also open another thread to discuss another issue, which is related to issuing a certificate and specifying an access password. Through the script, I have 2 options to create a certificate, without specifying a password when connecting and with a connection password. The web interface does not have such a function. I will create a new task so that we can solve this issue with you.
I'm fairly confident this issue has been sorted out -- so I've merged the code such that beta and latest are now the same. I'm glad this project is working out for you as it is. However, I do want to re-emphasize that this small project is designed for use with OpenVPN server installations using the PiVPN script. I won't be making any changes or additions, unless they conform to what PiVPN does for their installation standards. As it happens, PiVPN looks to be installing crl.pem in both /etc/openvpn/easy-rsa/pki and /etc/openvpn -- likely for some backward compatibility. So, the current revocation routine is revoking via easyrsa, generating a new /etc/openvpn/easy-rsa/pki/crl.pem file and duplicating it in /etc/openvpn. |
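Added example (not part of the thread and not the project's own code): a shell check that a revoked client certificate's serial is actually listed in the CRL, and that the two crl.pem copies named above are identical, which is the failure reported earlier in this issue. The function names and the sample CRL text are constructed for illustration; the paths are the ones mentioned in the comments.

```shell
#!/usr/bin/env bash
# Added example: verify that revocation really reached the CRL OpenVPN reads.
# Function names and SAMPLE_CRL_TEXT are constructed; paths come from the thread.

PKI_CRL=/etc/openvpn/easy-rsa/pki/crl.pem   # written by "easyrsa gen-crl"
OVPN_CRL=/etc/openvpn/crl.pem               # duplicate copy mentioned in the thread

# Constructed sample of "openssl crl -noout -text" output (not real data).
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Issuer: CN = Example-CA
Revoked Certificates:
    Serial Number: 5F2A9C01D4E7B833
        Revocation Date: Jan  1 00:00:00 2024 GMT'

# Read a CRL text dump on stdin; print one upper-case revoked serial per line.
revoked_serials() {
  sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9A-Fa-f]*\).*$/\1/p' |
    tr 'a-f' 'A-F'
}

# Succeed only if serial $1 (any case) is listed in the CRL text on stdin.
serial_is_revoked() {
  local want
  want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  [ -n "$want" ] || return 2          # refuse an empty serial
  revoked_serials | grep -qx -- "$want"
}

# check_revocation <client.crt>: 0 = listed in identical CRL copies, 1 = problem.
check_revocation() {
  local cert=$1 serial
  serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
  [ -n "$serial" ] || { echo "cannot read serial from $cert" >&2; return 1; }
  cmp -s "$PKI_CRL" "$OVPN_CRL" ||
    { echo "CRL copies differ: $PKI_CRL vs $OVPN_CRL" >&2; return 1; }
  openssl crl -in "$OVPN_CRL" -noout -text | serial_is_revoked "$serial" ||
    { echo "serial $serial is NOT listed in $OVPN_CRL" >&2; return 1; }
  echo "serial $serial is revoked in both CRL copies"
}
```

OpenVPN enforces the CRL only when the server configuration references it with `crl-verify`, so the copy that matters is the one that directive names.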
@bnhf
Friend, I know that this option has not been implemented yet, and this is part of your plans. Tell me, do you have an approximate timeline for the implementation of this function? I would like to switch completely to working with the web interface and refuse to work with the script for issuing and revoking certificates. Now I have configured the productive to work with OpenVPN of my scripts, everything works fine.
I have technical experience and a bit of development experience, maybe I could help with something? In the screenshot I showed this functionality. As far as I understand, you need to make the same section as for issuing the certificate, and screw in the certificate revocation script there, in the same way as for issuing the certificate.