Merge pull request kylemanna#418 from darkmattercoder/patch-extended-…

…clientstatus extended client status for EXPIRED or other errors
codepant-codes · Jan 23, 2019 · 47746e1 · 47746e1
2 parents 04df478 + 3771097
commit 47746e1
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 12 deletions.
diff --git a/bin/ovpn_listclients b/bin/ovpn_listclients
@@ -15,6 +15,8 @@ cd "$EASYRSA_PKI"
 
 if [ -e crl.pem ]; then
     cat ca.crt crl.pem > cacheck.pem
+else
+    cat ca.crt > cacheck.pem
 fi
 
 echo "name,begin,end,status"
@@ -26,20 +28,27 @@ for name in issued/*.crt; do
     name=${name%.crt}
     name=${name#issued/}
     if [ "$name" != "$OVPN_CN" ]; then
-    if [ -e crl.pem ]; then
-        if openssl verify -crl_check -CAfile cacheck.pem $path &> /dev/null; then
-	status="VALID"
+        # check for revocation or expiration
+        command="openssl verify -crl_check -CAfile cacheck.pem $path"
+        result=$($command)
+        if [ $(echo "$result" | wc -l) == 1 ] && [ "$(echo "$result" | grep ": OK")" ]; then
+            status="VALID"
         else
-	status="REVOKED"
+            result=$(echo "$result" | tail -n 1 | grep error | cut -d" " -f2)
+            case $result in
+                10)
+                    status="EXPIRED"
+                    ;;
+                23)
+                    status="REVOKED"
+                    ;;
+                *)
+                    status="INVALID"
+            esac
         fi
-    else
-        status="VALID"
-    fi
-
         echo "$name,$begin,$end,$status"
     fi
 done
 
-if [ -e crl.pem ]; then
-    rm cacheck.pem
-fi
+# Clean
+rm cacheck.pem
diff --git a/docs/clients.md b/docs/clients.md
@@ -11,10 +11,12 @@ Note that some client software might be picky about which configuration format i
 
 ## Client List
 
-See an overview of the configured clients, including revocation status:
+See an overview of the configured clients, including revocation and expiration status:
 
     docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients
 
+ The output is generated using `openssl verify`. Error codes from the verification process different from `X509_V_ERR_CERT_HAS_EXPIRED` or `X509_V_ERR_CERT_REVOKED` will show the status `INVALID`.
+
 ## Batch Mode
 
 If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.