Lauri Võsandi
ce93fbb58b
* Improved offline install docs * Migrated token mechanism backend to SQL * Preliminary token mechanism frontend integration * Add clock skew tolerance for OCSP * Add 'ldap computer filter' support for Kerberized machine enroll * Include OCSP and CRL URL-s in certificates, controlled by profile.conf * Better certificate extension handling * Place DH parameters file in /etc/ssl/dhparam.pem * Always talk to CA over port 8443 for 'certidude enroll' * Hardened frontend nginx config * Separate log files for frontend nginx * Better provisioning heuristics * Add sample site.sh config for LEDE image builder * Add more device profiles for LEDE image builder * Various bugfixes and improvements
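# Create VPN gateway up/down script for reporting client IP addresses to CA.
#
# The generated script is run by the VPN daemon on every connection event:
# strongSwan passes PLUTO_* variables, OpenVPN passes script_type, X509_*,
# tls_serial_*, untrusted_ip and ifconfig_pool_remote_ip. Any other event is
# a no-op. The heredoc delimiter is escaped (<<\EOF) so the $VARIABLES below
# are written literally and only expanded when the daemon executes the
# script; the {{ ... }} placeholders are filled in by the template engine
# when this bootstrap snippet is rendered.
cat <<\EOF > /etc/certidude/authority/{{ session.authority.hostname }}/updown
#!/bin/sh
# Report a connecting VPN client's identity and addresses to the CA lease API
# over mutually authenticated TLS: the gateway's host certificate identifies
# the reporter, --cacert pins the CA that signed the API endpoint, -f turns
# HTTP error codes into a non-zero exit, -m 3 bounds the call so a slow or
# unreachable CA cannot stall the daemon's connect path, and -sS suppresses
# the progress meter (this runs without a TTY) while keeping error output.
# $CURL is deliberately left unquoted at the call sites below so the string
# is split into the curl argument vector.
CURL="curl -m 3 -f -sS --key /etc/certidude/authority/{{ session.authority.hostname }}/host_key.pem --cert /etc/certidude/authority/{{ session.authority.hostname }}/host_cert.pem --cacert /etc/certidude/authority/{{ session.authority.hostname }}/ca_cert.pem https://{{ session.authority.hostname }}:8443/api/lease/"

# NOTE(review): the exit status of curl becomes the exit status of this
# script. OpenVPN rejects a client whose client-connect hook exits non-zero,
# so a CA that is down fails closed for new connections — confirm that this
# is the intended policy rather than appending '|| true' here.

# strongSwan: report the peer's public address, its assigned virtual IP and
# its IKE identity when a client tunnel comes up.
case "$PLUTO_VERB" in
  up-client)
    $CURL \
      --data-urlencode "outer_address=$PLUTO_PEER" \
      --data-urlencode "inner_address=$PLUTO_PEER_SOURCEIP" \
      --data-urlencode "client=$PLUTO_PEER_ID"
    ;;
  *) ;;
esac

# OpenVPN: report the client certificate's CN and serial together with the
# peer's public address and pool address. Every value is quoted: the CN and
# the other fields come from the environment and an unquoted value would be
# word-split (CN containing spaces) or glob-expanded (CN containing '*')
# before it reaches curl.
case "$script_type" in
  client-connect)
    $CURL \
      --data-urlencode "client=$X509_0_CN" \
      --data-urlencode "serial=$tls_serial_0" \
      --data-urlencode "outer_address=$untrusted_ip" \
      --data-urlencode "inner_address=$ifconfig_pool_remote_ip"
    ;;
  *) ;;
esac
EOF

# The hook holds no secrets (it only references the key file by path), so
# execute permission is all it needs.
chmod +x /etc/certidude/authority/{{ session.authority.hostname }}/updown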