fix: reuse existing OTP config during re-issue of certs

Stefan Reimer 2025-01-23 13:11:02 +00:00
parent 10ad744336
commit 3e0ec5fcb0
2 changed files with 8 additions and 3 deletions


@ -32,6 +32,9 @@ cat << EOF | easyrsa build-client-full "$cn" nopass
yes
EOF
# Skip confirmation if not running in interctive mode. Essential for integration tests.
google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
# Do not overwrite potential existing config during the re-issue flow
if [ ! -f /etc/openvpn/otp/${cn}.google_authenticator ] ; then
# Skip confirmation if not running in interctive mode. Essential for integration tests.
google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
-l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q
fi
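Review bot: The new `-f` guard keeps the old TOTP seed on every re-issue, with no way to ask for a fresh one and no message that it was kept, so a cert re-issued after a lost or compromised device still pairs with the seed that device held. Consider an explicit opt-in to rotation, and at minimum an else branch with `echo "Keeping existing OTP config for $cn"` so the operator sees which path ran. The path is also unquoted in the test and in `-s`, so a `cn` containing whitespace or glob characters changes what is tested and written; `if [ ! -f "/etc/openvpn/otp/${cn}.google_authenticator" ] ; then` avoids that, and the `rm -f` line in the revoke script has the same unquoted `$cn`. Whether `cn` is validated earlier in the script is not visible in this hunk.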


@ -32,4 +32,6 @@ echo "Revoked $cn"
echo "Updating crl.pem"
easyrsa gen-crl
rm -f $OPENVPN/pki/issued/$cn.crt $OPENVPN/pki/private/$cn.key $OPENVPN/pki/reqs/$cn.req $OPENVPN/otp/$cn.google_authenticator
rm -f $OPENVPN/pki/issued/$cn.crt $OPENVPN/pki/private/$cn.key $OPENVPN/pki/reqs/$cn.req
# do not delete OTP to allow reuse after re-issued cert, left overs OTP data wont hurt anyone
# rm -f $OPENVPN/otp/$cn.google_authenticator
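Review bot: After this change a revoked client's TOTP seed stays under `$OPENVPN/otp/` indefinitely, and because the issue script in this commit skips generation when that file exists, any later client created under the same CN inherits a seed the previous holder may still have enrolled. The comment's claim that leftover OTP data is harmless holds only if CNs are never reassigned and revocation is never the response to a compromise. Either state that assumption in the comment, or keep the deletion for plain revocation and skip it only when the revoke is part of a re-issue. The commented-out `# rm -f $OPENVPN/otp/$cn.google_authenticator` is better dropped than left as dead code.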