monitoring certificate & CRL expirations
I have scripts in use on non-pfsense systems that monitor for expiring/expired certificates & CRLs so they can be updated before they expire and cause issues. I'm looking to implement the same on pfsense and am finding it a little more troublesome because of how pfsense appears to manage/organize/maintain the files & directory structures. For example, here is what I am seeing on a system where I just updated the CRL as the old one had expired:
- Each server appears to have its own parent directory under /var/etc/openvpn (e.g. /var/etc/openvpn/server1)
- Within each server sub-directory there is a file named "cert" which holds the server's TLS certificate
- Within each server sub-directory there is also a "ca" sub-directory which appears to hold the CA file as well as the CRL file(s), which are named in a cryptic manner (e.g. "6ba33f37.0" (ca), "6ba33f37.r0" (old/expired CRL), "6ba33f37.r1" (new/current CRL))
Does anyone know how to programmatically determine the name(s) of the active files here?
Does pfsense regularly clean up the CA directory and remove the old/expired CRLs? In the admin UI there is only one CRL entry, which I edited to replace the old CRL data with the new one; this appears to have caused pfsense to create a new CRL file with the ".r1" extension while leaving the old/expired CRL file in place with the ".r0" extension. I thought maybe a cron job would come along and clean things up, but I checked another pfsense instance and found an old CRL also present there, despite it having been updated ~3 weeks ago.
Worst case, I suppose I can find the "newest" CRL file and pass that to the CRL expiration checking script for processing. However, I wonder if I will need similar logic for the CA file. While it gets updated much less frequently, when it does will pfsense leave the old one in place with the ".0" extension and write the new one to a file with a ".1" extension (followed by ".2" and incrementing on each update)?
Given what I currently see/understand I would need to have a wrapper script that finds all the filenames/paths I'm interested in and then passes them to the relevant monitoring script(s) for analysis. Has anyone already done something like/for this and/or does anyone have more information about how pfsense manages these things that might make things easier to accomplish the goal?
Thanks in advance.
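The file names described in the post follow OpenSSL's hashed-directory convention: `<subject-hash>.<n>` for CA certificates and `<subject-hash>.r<n>` for CRLs, with `<n>` incremented when a second file with the same hash is written. The wrapper the post talks about can therefore group the files by hash prefix and pick the highest index per kind. The following POSIX sh script is an added example, not code from the post or from pfSense; it assumes (as the post observed) that the highest numeric suffix is the current file, that `openssl` is on the PATH, and that `date` is either GNU or BSD (pfSense is FreeBSD). The directory layout `/var/etc/openvpn/<server>/ca` and the hash `6ba33f37` come from the post; all other names and thresholds are the example's own.

```shell
#!/bin/sh
# Added example (not from the post or from pfSense): walk /var/etc/openvpn/<server>/ca,
# pick the current CA (<hash>.N) and CRL (<hash>.rN) per subject hash, and report the
# days left until notAfter / nextUpdate. Exit status 1 if anything is near expiry.
# ASSUMPTION: the highest numeric suffix is the current file, as the post observed.

OPENVPN_BASE="${OPENVPN_BASE:-/var/etc/openvpn}"
WARN_DAYS="${WARN_DAYS:-14}"

# list_hashes DIR -> unique <hash> prefixes (everything before the first dot) in DIR.
list_hashes() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in *.*) printf '%s\n' "${name%%.*}" ;; esac
    done | sort -u
}

# current_file DIR HASH KIND  (KIND is "ca" or "crl")
# Prints the path whose numeric suffix is highest; prints nothing and returns 1 if none match.
current_file() {
    dir=$1 hash=$2 kind=$3
    best="" best_n=-1
    for f in "$dir"/"$hash".*; do
        [ -f "$f" ] || continue
        suffix=${f##*.}                     # "0", "1", "r0", "r1", ...
        case "$kind" in
            crl) case "$suffix" in r*) n=${suffix#r} ;; *) continue ;; esac ;;
            ca)  case "$suffix" in r*) continue ;;    *) n=$suffix ;;    esac ;;
        esac
        case "$n" in ''|*[!0-9]*) continue ;; esac  # ignore non-numeric suffixes
        if [ "$n" -gt "$best_n" ]; then best_n=$n; best=$f; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# expiry_epoch FILE KIND -> notAfter (ca) or nextUpdate (crl) as epoch seconds.
# Tries BSD date (-j -f) first, then GNU date (-d); a plain string-to-epoch conversion.
expiry_epoch() {
    case "$2" in
        ca)  stamp=$(openssl x509 -in "$1" -noout -enddate) ;;
        crl) stamp=$(openssl crl  -in "$1" -noout -nextupdate) ;;
    esac || return 1
    stamp=${stamp#*=}                       # e.g. "Jan  1 00:00:00 2025 GMT"
    date -u -j -f '%b %e %H:%M:%S %Y %Z' "$stamp" +%s 2>/dev/null \
        || date -u -d "$stamp" +%s
}

# check_ca_dir DIR -> one "STATUS KIND PATH expires_in_days=N" line per current file.
# Returns 1 if any file is unreadable, expired, or within WARN_DAYS of expiry.
check_ca_dir() {
    rc=0 now=$(date +%s)
    for hash in $(list_hashes "$1"); do
        for kind in ca crl; do
            path=$(current_file "$1" "$hash" "$kind") || continue
            exp=$(expiry_epoch "$path" "$kind") \
                || { echo "UNREADABLE $kind $path"; rc=1; continue; }
            days=$(( (exp - now) / 86400 ))
            if [ "$days" -le "$WARN_DAYS" ]; then status=WARN rc=1; else status=OK; fi
            echo "$status $kind $path expires_in_days=$days"
        done
    done
    return $rc
}

main() {
    overall=0
    for d in "$OPENVPN_BASE"/*/ca; do
        [ -d "$d" ] || continue
        check_ca_dir "$d" || overall=1
    done
    return $overall
}

# Run only where the pfSense layout exists, so the functions can also be sourced elsewhere.
if [ -d "$OPENVPN_BASE" ]; then main; fi
```

Run it from cron (or a monitoring agent) and alert on a non-zero exit status or on any `WARN`/`UNREADABLE` line. Old `.r0` files are deliberately left alone: only the highest index per hash is examined, so stale CRLs that pfSense has not removed do not raise false alarms, while a second CA written as `<hash>.1` would be picked up automatically.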