Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2026-03-16 07:38:51 +01:00
Code Issues Projects Releases Wiki Activity

fix: test client connectivity both before and after cert renewal (#1481)

Browse Source 
- Fix fingerprint CI test that started consistently failing after the
EasyRSA 3.2.6 update
- The client config was copied to `/shared/` before server cert renewal
changed the fingerprint, causing a TLS handshake failure race condition
- Instead of just fixing the race, add proper two-phase connectivity
testing: client connects before renewal, server renews certs, client
reconnects with the updated config
This commit is contained in:
Stanislas
2026-03-14 14:42:06 +01:00
committed by GitHub
parent ea440ad4a6
commit 63448d542d
2 changed files with 93 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
test/server-entrypoint.sh
View File

@@ -211,7 +211,7 @@ else
exit 1
fi
# Copy client config to shared volume for the client container
# Copy client config to shared volume for initial connectivity tests
cp /root/testclient.ovpn /shared/client.ovpn
sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
echo "Client config copied to /shared/client.ovpn"
@@ -356,6 +356,17 @@ fi
echo "=== TLS 1.3 Configuration Verified ==="
# =====================================================
# Wait for initial client tests to complete
# =====================================================
echo ""
echo "=== Waiting for initial client connectivity tests ==="
while [ ! -f /shared/initial-tests-passed ]; do
sleep 2
echo "Waiting for initial tests..."
done
echo "Initial client tests passed, proceeding with renewal tests"
# =====================================================
# Test certificate renewal functionality
# =====================================================
@@ -429,11 +440,6 @@ if [ "$AUTH_MODE" = "pki" ]; then
fi
fi
# Update shared client config with renewed certificate
cp /root/testclient.ovpn /shared/client.ovpn
sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
echo "Updated client config with renewed certificate"
echo "=== Client Certificate Renewal Tests PASSED ==="
# =====================================================
@@ -538,10 +544,21 @@ done
# Allow routing to stabilize after renewal restart
sleep 3
# Update shared client config after server renewal (fingerprint changed)
cp /root/testclient.ovpn /shared/client.ovpn
sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
echo "Updated client config with new server fingerprint"
touch /shared/renewal-config-ready
echo "Updated client config with renewed certificates"
# =====================================================
# Wait for post-renewal client connectivity tests
# =====================================================
echo ""
echo "=== Waiting for post-renewal client connectivity tests ==="
while [ ! -f /shared/renewal-tests-passed ]; do
sleep 2
echo "Waiting for renewal tests..."
done
echo "Post-renewal client tests passed"
# =====================================================
# Verify Unbound DNS resolver (started by systemd via install script)
@@ -749,17 +766,6 @@ fi
echo "Allowing routing to stabilize..."
sleep 3
# =====================================================
# Wait for initial client tests to complete
# =====================================================
echo ""
echo "=== Waiting for initial client connectivity tests ==="
while [ ! -f /shared/initial-tests-passed ]; do
sleep 2
echo "Waiting for initial tests..."
done
echo "Initial client tests passed, proceeding with revocation tests"
# =====================================================
# Test certificate revocation functionality
# =====================================================