-rw-r--r--  README.md         22
-rwxr-xr-x  dmvpn-crl-update  18
2 files changed, 34 insertions, 6 deletions
diff --git a/README.md b/README.md
index 97c8c62..3a46116 100644
--- a/README.md
+++ b/README.md
@@ -100,14 +100,28 @@ private key, and the root certificate. The password is embedded in the file
name. The file should be renamed when using out-of-band delivery for the
password.
-## Setting Up CRL Distribution Point
+## Setting Up a CRL Distribution Point
-In this example, the CA host serves also as the CRL distribution point. It is
-assumed that `crl.example.com` resolves to the IP address of that host.
+In this example, the CA host serves also as the master CRL distribution point.
+In addition, there may be other distribution points which periodically mirror
+the CRL from the CA host. It is assumed that `ca.example.com` resolves to the
+CA host and `crl.example.com` resolves to the IP addreses of all distribution
+points.
-Execute the following commands on the CA host to set up CRL distribution:
+Install the CRL distribution point package on the target host (CA host or
+mirror):
<pre>apk add dmvpn-crl-dp
+</pre>
+
+If setting up a mirror, configure the master distribution point by creating a
+file named `/etc/dmvpn-crl-dp.conf` with the following contents:
+<pre>MASTER_CRL_URL=http://ca.example.com/dmvpn-ca.crl
+</pre>
+
+Activate CRL distribution by executing the following commands:
+
+<pre>
dmvpn-crl-update
rc-update add lighttpd
rc-service lighttpd start
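Review bot: "IP addreses" in the added paragraph is a typo for "IP addresses". The new text also says mirrors "periodically mirror the CRL", but the activation steps only run `dmvpn-crl-update` once; since the script's own header describes it as a cron job, the README should state whether the package installs the cron entry or the operator has to add one, otherwise a mirror keeps serving the CRL it fetched at install time until that CRL's nextUpdate passes.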
diff --git a/dmvpn-crl-update b/dmvpn-crl-update
index 270b904..4f9965f 100755
--- a/dmvpn-crl-update
+++ b/dmvpn-crl-update
@@ -1,11 +1,25 @@
#!/bin/sh
# Cron job for CRL retrieval for distribution
-# Copyright (c) 2018 Kaarle Ritvanen
+# Copyright (c) 2018-2019 Kaarle Ritvanen
# See LICENSE file for license details
CONF_FILE=/etc/dmvpn-crl-dp.conf
[ -e $CONF_FILE ] && . $CONF_FILE
+NEW_CRL=$(mktemp /tmp/dmvpn-crl.XXXXXX)
+
+if [ "$MASTER_CRL_URL" ]; then
+ wget -q -O $NEW_CRL "$MASTER_CRL_URL"
+else
+ ${REMOTE_HOST:+ssh $REMOTE_HOST} dmvpn-ca crl export > $NEW_CRL
+fi
+
+if [ $? -gt 0 ]; then
+ rm $NEW_CRL
+ exit 1
+fi
+
+chmod 644 $NEW_CRL
cd /var/www/localhost/htdocs
-${REMOTE_HOST:+ssh $REMOTE_HOST} dmvpn-ca crl export > "${CRL_PATH:-dmvpn-ca.crl}"
+mv $NEW_CRL "${CRL_PATH:-dmvpn-ca.crl}"
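Review bot: in the mirror path the file fetched by `wget -q -O $NEW_CRL "$MASTER_CRL_URL"` is moved into the web root without any check that it is a well-formed CRL issued by this CA or that it is at least as new as the one already being served, and the README example uses a plain http URL. The CRL carries the CA's signature, so a verification step before the `mv`, for example `openssl crl -verify -CAfile <root cert> -in $NEW_CRL -noout` plus a comparison of its lastUpdate with the current file's, would prevent a truncated, corrupt or stale download from replacing a good CRL on every distribution point. Two smaller points: the `mktemp` result is not checked, so on failure NEW_CRL is empty and the later `rm $NEW_CRL` and `mv $NEW_CRL ...` operate on an empty name; and because `wget -q` suppresses diagnostics, the `exit 1` branch should log why the update failed so the cron run reports something useful.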