Certificate revocation fix (#719)

trailofbits · Nov 12, 2017 · f18c1a0 · f18c1a0
1 parent b64f682
commit f18c1a0
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 6 deletions.
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
@@ -14,4 +14,4 @@
   service: name=netfilter-persistent state=restarted
 
 - name: rereadcrls
-  shell: ipsec rereadcrls
+  shell: ipsec rereadcrls; ipsec purgecrls
diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml
@@ -150,21 +150,35 @@
       -passin pass:"{{ easyrsa_CA_password }}"
       -revoke certs/{{ item }}.crt
       -out crl/{{ item }}.crt
+    register: gencrl
     args:
       chdir: configs/{{ IP_subject_alt_name }}/pki/
       creates: crl/{{ item }}.crt
       executable: bash
     when: item not in users
     with_items: "{{ valid_certs.stdout_lines }}"
 
+  - name: Genereate new CRL file
+    shell: >
+      {{ openssl_bin }} ca -gencrl
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}"))
+      -passin pass:"{{ easyrsa_CA_password }}"
+      -out crl/algo.root.pem
+    when:
+      - gencrl is defined
+      - gencrl.changed
+    args:
+      chdir: configs/{{ IP_subject_alt_name }}/pki/
+      executable: bash
   delegate_to: localhost
   become: no
 
-- name: Copy the revoked certificates to the vpn server
+- name: Copy the CRL to the vpn server
   copy:
-    src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
-    dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
-  when: item not in users
-  with_items: "{{ valid_certs.stdout_lines }}"
+    src: configs/{{ IP_subject_alt_name }}/pki/crl/algo.root.pem
+    dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
+  when:
+    - gencrl is defined
+    - gencrl.changed
   notify:
     - rereadcrls