bnhf / openvpn-admin-plus

Docker-based web interface (with golang backend) for monitoring and admin of an OpenVPN TAP/TUN server setup with PiVPN or other OpenVPN server installations. This project has been renamed from pivpn-tap-web-ui, to reflect its new broader scope.
MIT License

Revoke a valid certificate #7

Closed karabelnikov closed 1 year ago

karabelnikov commented 1 year ago

@bnhf

Friend, I know that this option has not been implemented yet, and that it is part of your plans. Tell me, do you have an approximate timeline for the implementation of this function? I would like to switch completely to working with the web interface and stop working with the script for issuing and revoking certificates. Right now I have production configured to work with OpenVPN using my scripts; everything works fine.

I have technical experience and a bit of development experience, maybe I could help with something? In the screenshot I showed this functionality. As far as I understand, you need to make the same section as for issuing the certificate, and screw in the certificate revocation script there, in the same way as for issuing the certificate.

Screenshot 2022-12-05 at 13:01:12

bnhf commented 1 year ago

@karabelnikov

Is the screenshot you sent me from another fork of the original openvpn-web-ui project? If so, which fork? I like this approach for revocation.

karabelnikov commented 1 year ago

@bnhf

This is not a fork, it's just a bit of my imagination and a couple of actions in the web browser inspector :)) 😎 In fact, it's not difficult to implement, you need to add the same html block as for issuing the certificate, make a script for verification and bind it to the action of the revocation button with the variable "name" in the field. And it will work.

bnhf commented 1 year ago

@karabelnikov

I've implemented a certificate revocation and removal capability in OpenVPNAdmin. Give it a try when you have a chance. I'll include a suggested Docker compose below, as you won't be able to pull it using the Github method. Make sure you supply the required environment variables at the bottom of your Portainer Stack as well.

Screenshot 2022-12-06 151212

version: '3'
services:
  gui:
    image: bnhf/pivpn-tap-web-ui:beta
    container_name: openvpn-gui-tap
    environment:
      - OPENVPN_ADMIN_USERNAME=admin
      - OPENVPN_ADMIN_PASSWORD=b3secure
      - COUNTRY=${COUNTRY}
      - PROVINCE=${PROVINCE}
      - CITY=${CITY}
      - ORG=${ORG}
      - EMAIL=${EMAIL}
      - OU=${OU}
      - PIVPN_SERVER=${PIVPN_SERVER}
      - PIVPN_CONF=${PIVPN_CONF}
      - TZ=${TZ}
    ports:
      - "8080:8080/tcp"
    restart: always
    volumes:
      - /etc/openvpn:/etc/openvpn
      - ./openvpn-data/db:/opt/openvpn-gui-tap/db

bnhf commented 1 year ago

@karabelnikov

I've made a couple of changes already you won't see in the Beta. The missing value for "Common Name" aka "CN" has been fixed. Also, I decided to change the button color for downloading revoked certificates from green to red, to more accurately reflect their state.

I'm still trying to figure out a way to get the main page to update "automagically" when a client disconnects, but OpenVPN itself seems to be slow to recognize that event and assumes the client is trying to reconnect. That'll probably end up being a future upgrade. Also, I have the home page set to auto refresh every 20 seconds, which at least keeps the time more current.

karabelnikov commented 1 year ago

@bnhf

Hi! Great job! During this time, I made some cosmetic edits to the html pages and my css file in the Docker container. Then I made a copy of the openvpn-gui-tap folder from the container to my host machine. I also changed the .tpl template files for the server and clients for myself.

Now I make all the changes in the Docker container itself and then make a backup copy of these files to the host. I just updated the pivpn-tap-web-ui binary and the certificates.html file from your new beta container, and this will work for me! I also changed the certificates.html page a bit for myself; I attach a screenshot. But there is one problem: when the certificate is revoked, for some reason the crl.pem certificate revocation list is not updated; because of this, the client can connect again, even after restarting the OpenVPN service.

screencapture-vpn-server-local-8080-certificates-2022-12-07-19_57_30

When revoking, the file is first updated at the path /etc/openvpn/easy-rsa/pki/crl.pem, and then the crl.pem file must be copied to the /etc/openvpn folder for the OpenVPN service to read it. But for some reason, after the revocation via the web interface, the crl.pem file is not updated anywhere. Can you check it yourself? After the revocation, the client definitely still connects.

Regarding the monitoring of clients on the main page, I also want to insert a js script for automatic page updates every 30 seconds. Is there a way to make the clients' connections display in real time? It would be nice!

bnhf commented 1 year ago

@karabelnikov

Looks like I missed a step, which is to generate an updated crl.pem -- do you agree? Also, I believe with the latest version of easy-rsa that file should be generated in, and remain in, /etc/openvpn/easy-rsa/pki. So the server.conf crl-verify directive will need to be changed to have that new path in the template.

karabelnikov commented 1 year ago

@bnhf

Yes, I agree, you probably missed the step that creates the crl.pem file in /etc/openvpn/easy-rsa/pki. Friend, I repeat, I use the script https://github.com/angristan/openvpn-install for automatic installation of OpenVPN. This script copies the files ca.crt, ca.key, server_nameXXX.crt, server_nameXXX.key and ta.key to the /etc/openvpn folder for the convenience of the script. But these files are readable only by root, so this does not violate the security policy. In fact, it doesn't matter where the files are located; access to them is root-only.

Can you add the code so that the crl.pem file is also copied to the /etc/openvpn folder? This will ensure compatibility with my installation. I would be very grateful to you. Waiting for an update :))

I will also open another thread to discuss another issue, which is related to issuing a certificate and specifying an access password. Through the script, I have 2 options to create a certificate, without specifying a password when connecting and with a connection password. The web interface does not have such a function. I will create a new task so that we can solve this issue with you. Thanks!

bnhf commented 1 year ago

@karabelnikov

I'm fairly confident this issue has been sorted out -- so I've merged the code such that beta and latest are now the same.

I'm glad this project is working out for you as it is. However, I do want to re-emphasize that this small project is designed for use with OpenVPN server installations using the PiVPN script. I won't be making any changes or additions, unless they conform to what PiVPN does for their installation standards.

As it happens, PiVPN looks to be installing crl.pem in both /etc/openvpn/easy-rsa/pki and /etc/openvpn -- likely for some backward compatibility. So, the current revocation routine is revoking via easyrsa, generating a new /etc/openvpn/easy-rsa/pki/crl.pem file and duplicating it in /etc/openvpn.
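The revocation routine the thread settles on, written out as a shell script (an added example, not code from openvpn-admin-plus): revoke via easyrsa, regenerate crl.pem in the PKI directory, copy it to the path named by the server.conf crl-verify directive, and confirm the copy OpenVPN loads is current. Paths default to the ones discussed above; the crl_in_sync check catches the stale-copy case that let the revoked client reconnect.

```bash
#!/usr/bin/env bash
# Added example, not part of openvpn-admin-plus. Assumes easy-rsa 3 under
# /etc/openvpn/easy-rsa and a server.conf with a crl-verify directive.
set -euo pipefail

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"
SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"

# Print the CRL path OpenVPN actually loads (the crl-verify directive).
# Fails if the directive is absent: without it, revocation has no effect.
crl_verify_path() {
  local conf="$1"
  awk '$1 == "crl-verify" { print $2; found = 1; exit } END { exit !found }' "$conf"
}

# Returns 0 only if the CRL OpenVPN reads is byte-identical to the one
# just generated in the PKI directory (a missing or stale copy fails).
crl_in_sync() {
  local generated="$1" loaded="$2"
  [ -f "$loaded" ] && cmp -s "$generated" "$loaded"
}

# Revoke one client, regenerate the CRL and refresh the copy OpenVPN reads.
revoke_client() {
  local name="$1" target
  target="$(crl_verify_path "$SERVER_CONF")"
  ( cd "$EASYRSA_DIR" && ./easyrsa --batch revoke "$name" && ./easyrsa gen-crl )
  # Duplicate the CRL only when crl-verify points outside the PKI directory,
  # which is the PiVPN layout described in the thread (both locations).
  if [ "$target" != "$EASYRSA_DIR/pki/crl.pem" ]; then
    install -m 0644 "$EASYRSA_DIR/pki/crl.pem" "$target"
  fi
  crl_in_sync "$EASYRSA_DIR/pki/crl.pem" "$target"
}
```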