From 319b9f29d339a8b82291f329c18dbc06c17a4f90 Mon Sep 17 00:00:00 2001
From: Stanislas Lange
Date: Mon, 29 Dec 2025 12:13:11 +0100
Subject: [PATCH] fix: keep cert files on revocation for client listing

In fingerprint mode, when revoking a client, keep the certificate files so that revoked clients appear in `client list` output. The client is considered revoked if their fingerprint is not in server.conf. When creating a new client with a revoked name, clean up the old cert files before generating new ones.
---
 openvpn-install.sh | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 0d3b9cd..c793d85 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -3968,6 +3968,14 @@ function newClient() {
 exit 1
 fi
+ # In fingerprint mode, clean up any revoked cert files so we can reuse the name
+ if [[ $AUTH_MODE == "fingerprint" ]]; then
+ if [[ -f "pki/issued/$CLIENT.crt" ]] || [[ -f "pki/private/$CLIENT.key" ]]; then
+ log_info "Removing old revoked certificate files for $CLIENT..."
+ rm -f "pki/issued/$CLIENT.crt" "pki/private/$CLIENT.key" "pki/reqs/$CLIENT.req"
+ fi
+ fi
+
 log_info "Generating client certificate..."
 export EASYRSA_CERT_EXPIRE=$CLIENT_CERT_DURATION_DAYS
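Review bot: The cleanup added to newClient removes `pki/issued/$CLIENT.crt`, `pki/private/$CLIENT.key` and the `.req` whenever those files exist, without confirming that the name is actually revoked in the sense the commit message defines (its fingerprint no longer in server.conf). If the existing-name check that ends in `exit 1` just above (its condition is outside the hunk) does not already refuse names whose `# $CLIENT` marker is still in server.conf, the server-side copy of an active client's key is deleted and a second certificate is issued under the same name while the old fingerprint stays authorized, which leaves the operator with no record of what is still allowed in. Make the revoked state an explicit precondition of the rm, reusing the marker line revokeClient deletes: `if [[ $AUTH_MODE == "fingerprint" ]] && ! grep -qxF -- "# $CLIENT" /etc/openvpn/server/server.conf; then`. The relative `pki/...` paths presume the easy-rsa directory is the current directory at this point, which is not visible here; a one-line comment stating that assumption would help, since revokeClient's index backup uses an absolute path. newClient starts and ends outside the hunk.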
@@ -4060,20 +4068,13 @@ function revokeClient() {
 regenerateCRL
 run_cmd "Backing up index" cp /etc/openvpn/server/easy-rsa/pki/index.txt{,.bk}
 else
- # Fingerprint mode: remove fingerprint from server.conf and delete cert files
+ # Fingerprint mode: remove fingerprint from server.conf
+ # Keep cert files so revoked clients appear in client list
 log_info "Removing client fingerprint from server configuration..."
 # Remove comment line and fingerprint line below it from server.conf
 sed -i "/^# $CLIENT\$/{N;d;}" /etc/openvpn/server/server.conf
- # Remove client certificate and key
- rm -f "pki/issued/$CLIENT.crt" "pki/private/$CLIENT.key"
-
- # Mark as revoked in index.txt if it exists (for client listing)
- if [[ -f pki/index.txt ]]; then
- sed -i "s|^V\(.*\)/CN=$CLIENT\$|R\1/CN=$CLIENT|" pki/index.txt
- fi
-
 # Reload OpenVPN to apply fingerprint removal
 log_info "Reloading OpenVPN to apply fingerprint removal..."
 if systemctl is-active --quiet openvpn-server@server; then
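Review bot: With the rm and the index.txt marking gone, the only action that revokes a fingerprint-mode client is the `sed -i "/^# $CLIENT\$/{N;d;}"` on server.conf, and nothing in the new branch checks that it matched anything; if the `# $CLIENT` marker is absent or differs from the name given, the function logs as if it succeeded, reloads OpenVPN, and the client remains authorized while its retained files make it indistinguishable from any other entry in `client list`. Confirm the entry is gone before the reload, e.g. `if grep -qxF -- "# $CLIENT" /etc/openvpn/server/server.conf; then printf 'fingerprint for %s still present in server.conf\n' "$CLIENT" >&2; exit 1; fi`. The new comment should also state that revoked state now lives solely in server.conf, so restoring that file from a backup silently re-enables the client: `# Revoked state is recorded only by the absence of the fingerprint in server.conf; the .crt/.key are kept for 'client list'`. revokeClient continues beyond the hunk on both sides.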