Using Mail Service to notify of upcoming OpenVPN expirations

bloater99 · 19 June 2024 16:56

Is it possible to use the Mail Service to notify when an OpenVPN user’s config is about to expire? Otherwise, I tend to find out when the user complains that they can no longer connect, or if I randomly glance at the OpenVPN section under Services.

bonnietwin · 19 June 2024 17:26

No that is not possible with the code as it currently stands.

bloater99 · 19 June 2024 21:50

Thank you. In a perfect world, this would be the ideal use for the Mail Service. To remind the admin of upcoming expirations so they can get them renewed without loss of connectivity for the VPN user.

Speaking of which, what is the reason that Openvpn user certs can’t be extended? It seems that when one expires, the only option is to delete the cert and create a new one.

odongarma · 20 June 2024 12:56

I think it’s possible, because i have the running for years.

Greetz

bonnietwin · 20 June 2024 13:38

That would be an ideal option to use however quickly reviewing the script in the documentation i think you must have modified it as that version is based on the use of the sendemail addon which was removed from IPFire about 3 years ago.

So the script would need to be modified to work with the dma mail client that is part of the core IPFire in place of sendemail, or using the postfix addon as an alternative.

I have also noticed that the link to @ummeegge gitlab site for the script is no longer valid. It looks like the script is no longer stored in gitlab.

odongarma · 20 June 2024 14:46

That’s right. I edited thre script to use the “sendEmail” addon and removed the whole gpg stuff.

I works live a Charme.

The script can easily be change to use a different MTA

Greetz

bonnietwin · 20 June 2024 14:49

How are you using the sendemail addon.

It is no longer available in IPFIre for 3 years.

odongarma · 20 June 2024 15:56

My installation is way older than 3 year

I think a grabbed a copy of sendEmail and put it under /usr/local/bin, hard to remember.

Works for years

ummeegge · 27 June 2024 12:14

Hi all,
with help of community posts (thanks to them) and some used snippets from there i did a first try to make the old script usable with a configured DMA. As in some posts mentioned, you need a configured mail account like described in here → www.ipfire.org - Mail Service . Fire at least one “Testmail” to check if it works.

#!/bin/bash -

# ovpn_cert_expiration_check.sh
#
# $author: ummeegge ipfire org ; $date: 20.10.2017 - 15:24:08
# Modified: $author: ummeegge ipfire org ; $date: 26.06.2024 - 19:43:12
# Script has been adapted to work with an alread configured DMA
# which is part of IPFire´s core system --> 
# https://www.ipfire.org/docs/configuration/system/mail_service 
#########################################################################
# This script checks OpenVPNs index.txt for how much time is left
# until/ and or since a client certificate will/has been expired.
# Certificats with OpenSSL maximum (999999) are excluded.
# Time should be configured by the individual needs,
# but is currently configured to 5 days.
#
# Days before can be defined in the "ALERT=5" variable.
# An own Email account should be present for this since the Email account.
#
# Script provides Email encryption via GPG but is currently commented in the main part.
#
# Script can be placed e.g. into /etc/fcron.daily .
#     All paths has been set absolute so the fcron environment should find all binaries.
#
# With the new changes, there is the need for a configured DMA via WUI since the last modification.
# In here --> https://www.ipfire.org/docs/configuration/system/mail_service you find the wiki for this.
# At least one "Testmail" should be sended via WUI.
#

## Paths, directories and files
INDEX="/var/ipfire/ovpn/certs/index.txt"
WORKDIR="/tmp/ovpn_cert_alert"
CERTLIST="${WORKDIR}/certlist"
COUNTERLIST="${WORKDIR}/counterlist"
MERGED="${WORKDIR}/merged"
MAIL="${WORKDIR}/mailalert"
MAILCRYPTED="${WORKDIR}/mailalert.asc"
# Needed binary locations
SENDMAIL="/usr/sbin/sendmail"
GPG="/usr/bin/gpg"

# Email text
DATELIST="List of OpenVPN certificate expiration dates from $(hostname) - $(date)"
DATELISTA="Already revoked certificates and such with OpenSSL maximum are not listed in here."
DATELISTB="You will deliver mails also for '0 days left' '- values are gone since expiration' certificates. If they are presant you should clean them up."

## Check for needed dependencies
# sendEmail check
if [ ! -e "${SENDMAIL}" ]; then
   /bin/echo -e "Can´t find needed sendEmail binary. Please install it via Pakfire first."
   exit 1
fi
# index.txt check
if [ -s "${FILE}" ]; then
   /bin/echo -e "The certificate index is empty or not presant, please add first clients."
   exit 1
fi
# Check for workdir otherwise create it
if [ -e "${WORKDIR}" ]; then
	/bin/rm -rf ${WORKDIR}
	/bin/mkdir ${WORKDIR}
else
	/bin/mkdir ${WORKDIR}
fi


############################### ADD HERE YOUR INDIVIDUAL DATA ##########################################################
# ----- How much days should be left until an alert should be fired -----
#
ALERT="5"
#
#
MESSAGE="From $(date)"
SUBJECT="From $(date) OVPN expiring date has been reached"
MSG="$HOSTNAME OVPN clients certificate expiration warning!!!"
#PUBKEYID="4B86913E"

# DMA configuration file path
MAILCONFIG="/var/ipfire/dma/mail.conf"

if [ -f ${MAILCONFIG} ]; then
	FROM=$(awk -F'=' '/SENDER/ { print $2 }' ${MAILCONFIG})
	TO=$(awk -F'=' '/RECIPIENT/ { print $2 }' ${MAILCONFIG})
else
	exit 1
fi

#
########################################################################################################################

#################################################### Main part #########################################################
## Searcher
certs_date=$(/usr/bin/awk '/^V/ {print $2}' ${INDEX} | cut -c1-6 | grep -E '^1|^2')

## Time values
NOW=$(date +%s)
# 24 hours in seconds
DAY="86400"

## Mail preparation
# Copy CNs from index.txt to counter list.
# Without already revoked certificates but also no host certificate
grep '^V' ${INDEX} | /bin/sed 1d | grep -o 'CN=.*' > ${CERTLIST}

## Calculation
for i in ${certs_date}; do
	# Convert index.txt time to UNIX time
	UNTIL=$(date -d "${i}" +%s)
	# Calculate differences
	DIFF=$(( ${UNTIL} - ${NOW} ))
	# Convert UNIX time to days
	REST=$(( ${DIFF} / ${DAY} ))
	# Text with integrated result
	if [[ "${REST}" -lt 0 ]]; then
		echo "${REST} days are gone since expiration for the user with the common name  - "
	else
		echo "${REST}  days are left until expiration for the user with the common name  - "
	fi
done >> ${COUNTERLIST}

# Merge lists withanother
/usr/bin/paste {$COUNTERLIST,$CERTLIST} > ${MERGED}

# Check for alert and prepare mail
/usr/bin/awk -v var="$ALERT" '$1<=var' ${MERGED} | sed 's/^-//g' > ${MAIL}

# Check if alert should be fired
if [ $(/bin/ls -l ${MAIL} | /usr/bin/awk '{print $5}') -ne 0 ]; then
	/bin/sed -i -e "1s/^/$(printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -;)\n\n/" \
	-e "1s/^/${DATELIST}\n/" \
	-e "1s/^/$(printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -;)\n/" ${MAIL}
	# Next line can be deleted if Email as been set up. Line is only for testing pruposes
	/bin/echo "Will fire an alert... "
	/bin/echo -e "\n\n${DATELISTA}\n" >> ${MAIL}
	/bin/echo -e "${DATELISTB}\n" >> ${MAIL}
	# Send alert via DMA encrypted with GPG if GPG line and configuration is active.
	# To activate it after installation, uncomment the following lines
	#${GPG} --encrypt -a --recipient "${PUBKEYID}" "${MAIL}"
	# Prepare and send Email via DMA
	(
		echo From: $FROM
		echo To: $TO
		echo Subject: "$MSG"
		echo ""
		echo $MSG
		echo ""
		# Only for unencrypted messages
		cat ${MAIL}
		# if encryption via GPG is in usage comment the above line
		# and uncomment the following
		#cat ${MAILCRYPTED}
	) | sudo -u nobody $SENDMAIL -t -f $FROM
	# Log to messages if alert has been fired
	/usr/bin/logger -t OpenVPN-cert-check "Warning: One or more OpenVPN certificates has been expired. Email alert has been send... ";
fi

# Clean up workdir
/bin/rm -rf ${WORKDIR}

exit 0

# EOF

Even it is now an old one, may it is useful.

Best,

Erik