Certificates remain in terraform-aws-openvpn s3 backup after running openvpn-admin revoke #128
-
A customer asked:
Replies: 2 comments
-
Revoking the certificate from the openvpn server does not also remove it from the s3 backup. When a cert is revoked, the backup should contain both the previously issued cert and the CRL (certificate revocation list) indicating that cert is revoked. When the server is replaced, the certs should get loaded along with the CRL. The CRL gets stored in the openvpn directory, which is backed up by https://github.com/gruntwork-io/terraform-aws-openvpn/blob/master/modules/backup-openvpn-pki/bin/backup-openvpn-pki#L43, and loaded by init-openvpn here: https://github.com/gruntwork-io/terraform-aws-openvpn/blob/master/modules/init-openvpn/bin/init-openvpn#L96 (note that the CRL is stored as crl.pem)
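A way to verify the property described in the reply above, as an added example that is not code from terraform-aws-openvpn or from the reply's author: it builds a throwaway PKI with openssl, issues two client certs, revokes one, regenerates crl.pem, copies the whole PKI directory to a stand-in backup location, and then checks that the backup holds both the revoked cert and a crl.pem that lists its serial (and that the non-revoked cert still validates against the backed-up CRL). The `$PKI` and `$BACKUP` paths, the client names `alice` and `bob`, and the minimal openssl config are all constructed for this example; real deployments use easy-rsa's layout and an S3 bucket instead.

```shell
#!/bin/sh
# Added example, not code from terraform-aws-openvpn: build a throwaway PKI,
# revoke one client cert, "back up" the PKI directory the way a directory
# copy would, and check that the backup carries the revocation state.
# $PKI and $BACKUP are hypothetical stand-ins for the server's openvpn
# directory and the S3 backup location.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PKI="$WORK/openvpn"
BACKUP="$WORK/s3-backup"
mkdir -p "$PKI/issued" "$PKI/newcerts" "$BACKUP"
: > "$PKI/index.txt"
echo 1000 > "$PKI/serial"
echo 01 > "$PKI/crlnumber"

# Minimal openssl CA configuration (constructed for this example).
cat > "$PKI/openssl.cnf" <<EOF
[ ca ]
default_ca         = example_ca
[ example_ca ]
dir                = $PKI
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

# Issue a client cert signed by the example CA.
issue_cert() {
  name=$1
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI/openssl.cnf" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  openssl ca -batch -notext -config "$PKI/openssl.cnf" \
    -in "$PKI/$name.csr" -out "$PKI/issued/$name.crt" >/dev/null 2>&1
}

# Revoke a cert and regenerate crl.pem, the file a restore has to load.
revoke_cert() {
  openssl ca -config "$PKI/openssl.cnf" -revoke "$1" >/dev/null 2>&1
  openssl ca -config "$PKI/openssl.cnf" -gencrl -out "$PKI/crl.pem" >/dev/null 2>&1
}

# Copy the PKI directory to the backup location (stand-in for the S3 sync).
backup_pki() {
  rm -rf "$BACKUP/openvpn"
  cp -R "$PKI" "$BACKUP/openvpn"
}

# Exit 0 if the CRL lists the certificate's serial number as revoked.
crl_lists_cert() {
  serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  openssl crl -in "$2" -noout -text | grep -q "Serial Number: $serial"
}

# Exit 0 if the cert passes chain validation with CRL checking against the
# backed-up CA cert and crl.pem; a revoked cert must fail this check.
cert_valid_with_crl() {
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

openssl req -x509 -newkey rsa:2048 -nodes -config "$PKI/openssl.cnf" \
  -keyout "$PKI/ca.key" -out "$PKI/ca.crt" -subj /CN=example-ca -days 365 >/dev/null 2>&1
issue_cert alice
issue_cert bob
revoke_cert "$PKI/issued/alice.crt"
backup_pki

B="$BACKUP/openvpn"
if crl_lists_cert "$B/issued/alice.crt" "$B/crl.pem" \
   && ! cert_valid_with_crl "$B/ca.crt" "$B/crl.pem" "$B/issued/alice.crt" \
   && ! crl_lists_cert "$B/issued/bob.crt" "$B/crl.pem" \
   && cert_valid_with_crl "$B/ca.crt" "$B/crl.pem" "$B/issued/bob.crt"; then
  echo "backup holds alice.crt plus a crl.pem that revokes it; bob.crt still validates"
else
  echo "backup is missing the revocation state" >&2
  exit 1
fi
```

The same two checks (`crl_lists_cert` and `cert_valid_with_crl`) can be pointed at a copy pulled from the real backup after a revocation: if the revoked cert's serial is absent from the restored crl.pem, a replacement server would accept that client again.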
-
Credit for this solution goes to @rhoboat