01-09-2010, 06:02 AM
|
#1
|
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Rep:
|
automate script for VPN keys
I'm trying to automate a script so that VPN keys can be sent out automatically.
The problem is that when I invoke the script, I have to keep pressing return for each of the OpenVPN key creation arguments.
When the nail command is fired, I also have to press Ctrl D to send the email.
Is there a way to program round this in bash?
Quote:
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd
|
Last edited by qwertyjjj; 01-10-2010 at 04:49 AM.
|
|
|
01-10-2010, 04:49 AM
|
#2
|
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Rep:
|
Is there a way to respond to prompts from within a bash script?
|
|
|
01-10-2010, 04:54 AM
|
#3
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hello,
Yes there is. You can use an auto answer file, which is basically nothing more than a file that contains the answers you want to give. Then redirect it into the script when executing, like this:
Code:
yourscript < answerfile
Or look into expect and autoexpect.
Kind regards,
Eric
|
|
|
01-10-2010, 05:15 AM
|
#4
|
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Rep:
|
Quote:
Originally Posted by EricTRA
Hello,
Yes there is. You can use an auto answer file, which is basically nothing more than a file that contains the answers you want to give. Then redirect it into the script when executing, like this:
Code:
yourscript < answerfile
Or look into expect and autoexpect.
Kind regards,
Eric
|
Sounds good. I created an auto script with autoexpect but was just thinking, the bash script above has 2 separate parts.
This: ./build-key $usern requires input
and this: nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd requires input.
Do I add a script after each separate command?
So,
Quote:
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern < myRESPONSES1.exp
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd < myRESPONSES2.exp
|
Auto expect records the responses all as one file, yet maybe I should split it into 2?
|
|
|
01-10-2010, 05:18 AM
|
#5
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
Logically I would say that yes, you'll have to have two answer files. So split the generated file in two and see how it goes.
Kind regards,
Eric
Last edited by EricTRA; 01-10-2010 at 05:20 AM.
|
|
|
01-10-2010, 05:30 AM
|
#6
|
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Rep:
|
Ok, my script now looks like this:
Quote:
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern < /usr/local/sbin/myscripts/vpn_responses1.exp
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key client.ovpn
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd < /usr/local/sbin/myscripts/vpn_responses2.exp
|
Almost there but it seems autoexpect doesn't record the entries correctly:
Quote:
[root@server88-xxx-xxx-198 myscripts]# /usr/local/sbin/myscripts/send_vpn_keys.sh
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
Generating a 1024 bit RSA private key
.............................................++++++
...............++++++
writing new private key to 'aaa.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:State or Province Name (full name) [LND]:Locality Name (eg, city) [LONDON]:Organization Name (eg, company) [aaa]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) [aaa]:Email Address [aaa@aaa.co.uk]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:string is too long, it needs to be less than 20 bytes long
A challenge password []:string is too short, it needs to be at least 4 bytes long
A challenge password []:string is too short, it needs to be at least 4 bytes long
A challenge password []:An optional company name []:Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'GB'
stateOrProvinceName :T61STRING:'set force_conservative 0 ;# set to 1 to force conservative mode even if'
localityName :T61STRING:'^I^I^I ;# script wasn't run conservatively originally'
organizationName :T61STRING:'if {$force_conservative} {'
organizationalUnitName:T61STRING:'^Iset send_slow {1 .1}'
commonName :T61STRING:'^Iproc send {ignore arg} {'
emailAddress :IA5STRING:'^I^Isleep .1'
Certificate is to be certified until Jan 8 10:29:03 2020 GMT (3650 days)
Sign the certificate? [y/n]:CERTIFICATE WILL NOT BE CERTIFIED
updating: ca.crt (deflated 38%)
updating: ca.key (deflated 22%)
updating: aaa.crt (stored 0%)
updating: aaa.csr (deflated 26%)
updating: aaa.key (deflated 22%)
updating: client.ovpn (deflated 54%)
[root@server88-xxx-xxx-198 myscripts]#
|
This is the expect file:
Quote:
#!/usr/bin/expect -f
set force_conservative 0 ;# set to 1 to force conservative mode even if
                         ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}
set timeout -1
#spawn ./build-key aaa
match_max 100000
expect -exact "Generating a 1024 bit RSA private key\r
........++++++\r
....................................................++++++\r
writing new private key to 'aaa.key'\r
-----\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
-----\r
Country Name (2 letter code) \[GB\]:"
send -- "\r"
expect -exact "\r
State or Province Name (full name) \[LND\]:"
send -- "\r"
expect -exact "\r
Locality Name (eg, city) \[LONDON\]:"
send -- "\r"
expect -exact "\r
Organization Name (eg, company) \[aaa\]:"
send -- "\r"
expect -exact "\r
Organizational Unit Name (eg, section) \[\]:"
send -- "\r"
expect -exact "\r
Common Name (eg, your name or your server's hostname) \[aaa\]:"
send -- "\r"
expect -exact "\r
Email Address \[aaa@aaa.co.uk\]:"
send -- "\r"
expect -exact "\r
\r
Please enter the following 'extra' attributes\r
to be sent with your certificate request\r
A challenge password \[\]:"
send -- "\r"
expect -exact "\r
An optional company name \[\]:"
send -- "\r"
expect -exact "\r
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf\r
Check that the request matches the signature\r
Signature ok\r
The Subject's Distinguished Name is as follows\r
countryName :PRINTABLE:'GB'\r
stateOrProvinceName :PRINTABLE:'LND'\r
localityName :PRINTABLE:'LONDON'\r
organizationName :PRINTABLE:'aaa'\r
commonName :PRINTABLE:'aaa'\r
emailAddress :IA5STRING:'aaa@aaa.co.uk'\r
Certificate is to be certified until Jan 8 10:21:56 2020 GMT (3650 days)\r
Sign the certificate? \[y/n\]:"
send -- "y\r"
expect -exact "y\r
\r
\r
1 out of 1 certificate requests certified, commit? \[y/n\]"
send -- "y\r"
expect eof
|
Last edited by qwertyjjj; 01-10-2010 at 05:55 AM.
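In the output above, stateOrProvinceName holds `set force_conservative 0 ;# ...`, a line of the expect file itself: `< file` passes the file's lines to build-key as typed answers, and nothing executes the file as an expect script. The added example below (not part of the original posts) reproduces that with `ask_fields`, a constructed stand-in for the prompts, and constructed input.

```shell
#!/bin/bash
# Added example. ask_fields is a constructed stand-in for a prompting tool
# such as build-key: it reads its answers from stdin, one line per prompt.
ask_fields() {
    local country state sign
    # Country: an empty line takes the default, anything that is not exactly
    # 2 characters is rejected and the next stdin line is tried instead.
    while IFS= read -r country; do
        if [ -z "$country" ]; then country=GB; fi
        if [ "${#country}" -eq 2 ]; then break; fi
    done
    IFS= read -r state
    state=${state:-LND}
    IFS= read -r sign
    if [ "$sign" = y ]; then sign=signed; else sign=not-signed; fi
    printf '%s|%s|%s\n' "$country" "$state" "$sign"
}

# Constructed excerpt shaped like the autoexpect file, redirected as stdin.
expect_file_as_stdin() {
    ask_fields <<'EOF'
#!/usr/bin/expect -f
# constructed comment line standing in for the autoexpect header

set force_conservative 0
set timeout -1
send -- "y\r"
EOF
}

# A plain answer file: two blank lines (accept defaults), then "y" to sign.
plain_answers_as_stdin() {
    printf '\n\ny\n' | ask_fields
}

echo "expect script on stdin: $(expect_file_as_stdin)"
echo "plain answers on stdin: $(plain_answers_as_stdin)"
```

A recorded expect file drives the prompts only when expect runs it (`expect -f file`, or via its shebang) with the `spawn ./build-key aaa` line active rather than commented out. In easy-rsa 2.0, build-key is a wrapper around `pkitool --interact`, so `./pkitool "$usern"` after `source ./vars` issues the certificate from the defaults without prompting.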
|
|
|
01-10-2010, 05:41 AM
|
#7
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
Seems like most of the problems you're having are concerning the creation of your ssh key. How do you generate your keys? Is that part of the OpenVPN suite or a script you wrote that uses the ssh-keygen command? If it's the ssh-keygen command then you can set your defaults in the openssl.cnf and run to avoid all those questions being asked and thus simplifying the process.
Kind regards,
Eric
|
|
|
01-10-2010, 05:45 AM
|
#8
|
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Rep:
|
Quote:
Originally Posted by EricTRA
Hi,
Seems like most of the problems you're having are concerning the creation of your ssh key. How do you generate your keys? Is that part of the OpenVPN suite or a script you wrote that uses the ssh-keygen command? If it's the ssh-keygen command then you can set your defaults in the openssl.cnf and run to avoid all those questions being asked and thus simplifying the process.
Kind regards,
Eric
|
No, the keys are generated fine when run manually but something in the auto responses file isn't sending the input correctly and I am not sure what.
The key creation is part of the OpenVPN suite.
Responses file added as above.
|
|
|
01-10-2010, 06:05 AM
|
#9
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
Just had a look at it but cannot find anything out of the ordinary, so don't know why it doesn't do what it's supposed to do.
Kind regards,
Eric
|
|
|
01-10-2010, 06:51 AM
|
#10
|
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Rep:
|
Quote:
Originally Posted by EricTRA
Hi,
Just had a look at it but cannot find anything out of the ordinary, so don't know why it doesn't do what it's supposed to do.
Kind regards,
Eric
|
Could it be something to do with this:
Quote:
expect -exact "Generating a 1024 bit RSA private key\r
........++++++\r
....................................................++++++\r
writing new private key to 'aaa.key'\r
-----\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
|
Can I skip these parts and just go straight to the expect parts with actual prompts?
|
|
|
01-10-2010, 06:55 AM
|
#11
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
You could try but I think it'll generate other errors. I'd first look into a possibility of running the key generation script 'silent' so it doesn't ask that many questions, since you don't seem to put anything in. What I mean is, check if you can run the script in a silent mode like the '-q' option for ssh-keygen.
Kind regards,
Eric
|
|
|
01-10-2010, 12:07 PM
|
#12
|
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Rep:
|
Quote:
Originally Posted by EricTRA
Hi,
You could try but I think it'll generate other errors. I'd first look into a possibility of running the key generation script 'silent' so it doesn't ask that many questions, since you don't seem to put anything in. What I mean is, check if you can run the script in a silent mode like the '-q' option for ssh-keygen.
Kind regards,
Eric
|
I'm looking into using openssl to create the certificates rather than ./build-ca as it requires too much input and autoexpect isn't working for this method.
On a separate note is there a way to manually write files on the fly?
I need to create a new client.ovpn for each customer/certificate.
Each .ovpn file has a section for:
certname.crt
certname.key
I need to rewrite these each time a new certificate is generated and then save the file, then email it.
|
|
|
01-10-2010, 12:14 PM
|
#13
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
If you know exactly what to rewrite then yes, you can rewrite a file on the fly using a script file that holds all the commands. Can you post an example of what you have in one of those ovpn files and what parts need to be rewritten?
Kind regards,
Eric
|
|
|
01-10-2010, 12:53 PM
|
#14
|
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Rep:
|
Quote:
Originally Posted by EricTRA
Hi,
If you know exactly what to rewrite then yes, you can rewrite a file on the fly using a script file that holds all the commands. Can you post an example of what you have in one of those ovpn files and what parts need to be rewritten?
Kind regards,
Eric
|
The file looks like this
Quote:
client
dev tun
proto tcp
remote 88.xxx.xxx.xx9 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert adminuser.crt
key adminuser.key
ns-cert-type server
comp-lzo
verb 4
|
Each time I create a new certificate in my script using $usern, I also need to change the parts in bold above. Instead of adminuser it would be whatever the username is in $usern
|
|
|
01-10-2010, 01:05 PM
|
#15
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hi,
You could use sed to substitute those references by whatever you want.
Code:
sed -i 's/regex/replacement/' yourfile.ovpn
Kind regards,
Eric
|
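One way to apply the sed suggestion to the client.ovpn shown earlier, as an added example that is not part of the original thread; `make_client_ovpn`, `bundle_list`, `demo` and the shortened template are constructed for illustration. The user name is checked before it reaches sed because it becomes part of the sed expression and of file names.

```shell
#!/bin/bash
# Added example: names and template below are constructed for illustration.

make_client_ovpn() {
    local usern=$1 template=$2 out=$3
    local LC_ALL=C
    # $usern is pasted into a sed expression and into file names, so accept
    # only letters, digits, '_' and '-' (rejects '/', '&', spaces, empty).
    case $usern in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    # Rewrite only the cert and key directives; 'ca ca.crt' is left alone.
    sed -e "s/^cert[[:space:]].*/cert ${usern}.crt/" \
        -e "s/^key[[:space:]].*/key ${usern}.key/" "$template" > "$out"
}

# Files for the client archive. ca.key is the CA's private signing key; a
# client needs only ca.crt plus its own certificate and key.
bundle_list() {
    printf '%s\n' ca.crt "$1.crt" "$1.key" "$1.ovpn"
}

# Build a constructed template, generate the per-user file, print it.
demo() {
    local dir rc
    dir=$(mktemp -d) || return 1
    printf '%s\n' client 'dev tun' 'ca ca.crt' 'cert adminuser.crt' \
        'key adminuser.key' comp-lzo > "$dir/template.ovpn"
    make_client_ovpn "$1" "$dir/template.ovpn" "$dir/out.ovpn" \
        && cat "$dir/out.ovpn"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo alice
```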