author    Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>    2019-09-05 13:47:51 +0300
committer Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>    2019-09-05 14:59:34 +0300
commit    521797cbe696c99d360a7de93e3f096a6a962a21 (patch)
parent    05c3396dd08b75903f2514efc9b1dab2325d2644 (diff)
dmvpn-crl-update: mirror using wget
v1.2.0
2 files changed, 34 insertions, 6 deletions
diff --git a/README.md b/README.md
index 97c8c62..3a46116 100644
--- a/README.md
+++ b/README.md
@@ -100,14 +100,28 @@ private key, and the root certificate. The password is embedded in the file
name. The file should be renamed when using out-of-band delivery for the
-## Setting Up CRL Distribution Point
+## Setting Up a CRL Distribution Point
-In this example, the CA host serves also as the CRL distribution point. It is
-assumed that `crl.example.com` resolves to the IP address of that host.
+In this example, the CA host serves also as the master CRL distribution point.
+In addition, there may be other distribution points which periodically mirror
+the CRL from the CA host. It is assumed that `ca.example.com` resolves to the
+CA host and `crl.example.com` resolves to the IP addreses of all distribution
-Execute the following commands on the CA host to set up CRL distribution:
+Install the CRL distribution point package on the target host (CA host or
<pre>apk add dmvpn-crl-dp
+If setting up a mirror, configure the master distribution point by creating a
+file named `/etc/dmvpn-crl-dp.conf` with the following contents:
+Activate CRL distribution by executing the following commands:
rc-update add lighttpd
rc-service lighttpd start
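Review bot: the added line `CA host and \`crl.example.com\` resolves to the IP addreses of all distribution` misspells "addresses"; fix the typo in that `+` line. Since the same paragraph now makes `crl.example.com` resolve to every distribution point while `ca.example.com` names only the CA host, it would also help to state explicitly that a mirror's master URL in `/etc/dmvpn-crl-dp.conf` should use `ca.example.com`, so a mirror does not end up pulling the CRL from itself or from another mirror through the round-robin name.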
diff --git a/dmvpn-crl-update b/dmvpn-crl-update
index 270b904..4f9965f 100755
--- a/dmvpn-crl-update
+++ b/dmvpn-crl-update
@@ -1,11 +1,25 @@
# Cron job for CRL retrieval for distribution
-# Copyright (c) 2018 Kaarle Ritvanen
+# Copyright (c) 2018-2019 Kaarle Ritvanen
# See LICENSE file for license details
[ -e $CONF_FILE ] && . $CONF_FILE
+NEW_CRL=$(mktemp /tmp/dmvpn-crl.XXXXXX)
+if [ "$MASTER_CRL_URL" ]; then
+ wget -q -O $NEW_CRL "$MASTER_CRL_URL"
+ ${REMOTE_HOST:+ssh $REMOTE_HOST} dmvpn-ca crl export > $NEW_CRL
+if [ $? -gt 0 ]; then
+ rm $NEW_CRL
+ exit 1
+chmod 644 $NEW_CRL
cd /var/www/localhost/htdocs
-${REMOTE_HOST:+ssh $REMOTE_HOST} dmvpn-ca crl export > "${CRL_PATH:-dmvpn-ca.crl}"
+mv $NEW_CRL "${CRL_PATH:-dmvpn-ca.crl}"
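Review bot: `NEW_CRL=$(mktemp /tmp/dmvpn-crl.XXXXXX)` followed by `mv $NEW_CRL "${CRL_PATH:-dmvpn-ca.crl}"` inside `/var/www/localhost/htdocs` is only an atomic replacement when `/tmp` and the htdocs directory are on the same filesystem; if `/tmp` is a separate tmpfs, `mv` falls back to copy-then-unlink and lighttpd can serve a truncated CRL during the copy. Creating the temp file next to its destination, e.g. `NEW_CRL=$(mktemp /var/www/localhost/htdocs/.dmvpn-crl.XXXXXX)`, makes the final `mv` a rename. Second, `if [ $? -gt 0 ]` catches a failed `wget` or export, but an HTTP 200 with an empty or non-CRL body (captive portal, misconfigured master) would be published as-is; parsing the file before `chmod 644 $NEW_CRL`, e.g. `openssl crl -noout -in "$NEW_CRL" || { rm "$NEW_CRL"; exit 1; }`, keeps a bad fetch from overwriting a good CRL. Minor: quote `$NEW_CRL` and `$CONF_FILE` consistently, and `-ne 0` is the idiomatic exit-status test.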