I'm trying to automate a script so that VPN keys can be sent out automatically.
The problem is that when I invoke the script, I have to keep pressing return for each of the OpenVPN key creation arguments.
When the nail command is fired, I also have to press Ctrl D to send the email.
Is there a way to program round this in bash?
Quote:
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd
Yes there is. You can use an auto answer file, which is basically nothing more than a file that contains the answers you want to give. Then redirect it into the script when executing, like this:
Code:
yourscript < answerfile
Or look into expect and autoexpect.
Kind regards,
Eric
Sounds good. I created an auto script with autoexpect but was just thinking, the bash script above has 2 separate parts.
This: ./build-key $usern requires input
and this: nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd requires input.
Do I add a script after each separate command?
So,
Quote:
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern < myRESPONSES1.exp
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd < myRESPONSES2.exp
Auto expect records the responses all as one file, yet maybe I should split it into 2?
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern < /usr/local/sbin/myscripts/vpn_responses1.exp
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key client.ovpn
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd < /usr/local/sbin/myscripts/vpn_responses2.exp
Almost there but it seems autoexpect doesn't record the entries correctly:
Quote:
[root@server88-xxx-xxx-198 myscripts]# /usr/local/sbin/myscripts/send_vpn_keys.sh
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
Generating a 1024 bit RSA private key
.............................................++++++
...............++++++
writing new private key to 'aaa.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:State or Province Name (full name) [LND]:Locality Name (eg, city) [LONDON]:Organization Name (eg, company) [aaa]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) [aaa]:Email Address [aaa@aaa.co.uk]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:string is too long, it needs to be less than 20 bytes long
A challenge password []:string is too short, it needs to be at least 4 bytes long
A challenge password []:string is too short, it needs to be at least 4 bytes long
A challenge password []:An optional company name []:Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'GB'
stateOrProvinceName :T61STRING:'set force_conservative 0 ;# set to 1 to force conservative mode even if'
localityName :T61STRING:'^I^I^I ;# script wasn't run conservatively originally'
organizationName :T61STRING:'if {$force_conservative} {'
organizationalUnitName:T61STRING:'^Iset send_slow {1 .1}'
commonName :T61STRING:'^Iproc send {ignore arg} {'
emailAddress :IA5STRING:'^I^Isleep .1'
Certificate is to be certified until Jan 8 10:29:03 2020 GMT (3650 days)
Sign the certificate? [y/n]:CERTIFICATE WILL NOT BE CERTIFIED
updating: ca.crt (deflated 38%)
updating: ca.key (deflated 22%)
updating: aaa.crt (stored 0%)
updating: aaa.csr (deflated 26%)
updating: aaa.key (deflated 22%)
updating: client.ovpn (deflated 54%)
[root@server88-xxx-xxx-198 myscripts]#
This is the expect file:
Quote:
#!/usr/bin/expect -f
set force_conservative 0 ;# set to 1 to force conservative mode even if
;# script wasn't run conservatively originally
if {$force_conservative} {
set send_slow {1 .1}
proc send {ignore arg} {
sleep .1
exp_send -s -- $arg
}
}
set timeout -1
#spawn ./build-key aaa
match_max 100000
expect -exact "Generating a 1024 bit RSA private key\r
........++++++\r
....................................................++++++\r
writing new private key to 'aaa.key'\r
-----\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
-----\r
Country Name (2 letter code) \[GB\]:"
send -- "\r"
expect -exact "\r
State or Province Name (full name) \[LND\]:"
send -- "\r"
expect -exact "\r
Locality Name (eg, city) \[LONDON\]:"
send -- "\r"
expect -exact "\r
Organization Name (eg, company) \[aaa\]:"
send -- "\r"
expect -exact "\r
Organizational Unit Name (eg, section) \[\]:"
send -- "\r"
expect -exact "\r
Common Name (eg, your name or your server's hostname) \[aaa\]:"
send -- "\r"
expect -exact "\r
Email Address \[aaa@aaa.co.uk\]:"
send -- "\r"
expect -exact "\r
\r
Please enter the following 'extra' attributes\r
to be sent with your certificate request\r
A challenge password \[\]:"
send -- "\r"
expect -exact "\r
An optional company name \[\]:"
send -- "\r"
expect -exact "\r
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf\r
Check that the request matches the signature\r
Signature ok\r
The Subject's Distinguished Name is as follows\r
countryName :PRINTABLE:'GB'\r
stateOrProvinceName :PRINTABLE:'LND'\r
localityName :PRINTABLE:'LONDON'\r
organizationName :PRINTABLE:'aaa'\r
commonName :PRINTABLE:'aaa'\r
emailAddress :IA5STRING:'aaa@aaa.co.uk'\r
Certificate is to be certified until Jan 8 10:21:56 2020 GMT (3650 days)\r
Sign the certificate? \[y/n\]:"
send -- "y\r"
expect -exact "y\r
\r
\r
1 out of 1 certificate requests certified, commit? \[y/n\]"
send -- "y\r"
expect eof
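In the transcript above, Tcl source such as `set force_conservative 0` ends up in the certificate's subject fields: redirecting an expect script into `./build-key` hands its lines to the prompts as answers. The following is an added example, not code from any poster in this thread; it contrasts a plain answer file for the eleven prompts in the transcript with the opening lines of the autoexpect script. All function names are hypothetical, and `feed_prompts` is only a stand-in for a program that reads its answers from stdin.

```shell
#!/bin/sh
# Added example, not from the thread; all function names are hypothetical.

# Prompts printed by ./build-key in the transcript above, in order.
PROMPTS="country state locality org unit commonName email challenge company sign commit"

# A plain answer file has one line per prompt: an empty line accepts the
# default shown in [brackets]; the two y/n prompts need an explicit "y".
make_answers() {
    printf '\n\n\n\n\n\n\n\n\n'
    printf 'y\ny\n'
}

# Stand-in for a program that reads its answers from stdin: take one line
# per prompt and report which prompt received it. (The real openssl also
# re-prompts on over-long input, which this stand-in does not model.)
feed_prompts() {
    for p in $PROMPTS; do
        IFS= read -r line || line='<end of input>'
        printf '%s=[%s]\n' "$p" "$line"
    done
}

# Opening lines of the autoexpect script quoted above.
expect_script_head() {
    cat <<'EOF'
#!/usr/bin/expect -f
set force_conservative 0 ;# set to 1 to force conservative mode even if
if {$force_conservative} {
EOF
}

# Heuristic guard: succeed only if FILE does not look like expect/Tcl source.
is_plain_answers() {
    ! grep -Eq '^(#!|spawn |expect |send |set |proc )' "$1"
}

echo "--- plain answer file"
make_answers | feed_prompts
echo "--- expect script redirected as stdin"
expect_script_head | feed_prompts
```

An expect script is a program that has to be run by `expect`, with its `spawn` line active; only a plain answer file belongs on the right-hand side of `<`.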
Seems like most of the problems you're having are concerning the creation of your ssh key. How do you generate your keys? Is that part of the OpenVPN suite or a script you wrote that uses the ssh-keygen command? If it's the ssh-keygen command then you can set your defaults in the openssl.cnf and run
Code:
ssh-keygen -q
to avoid all those questions being asked and thus simplifying the process.
Kind regards,
Eric
No, the keys are generated fine when run manually but something in the auto responses file isn't sending the input correctly and am not sure what.
The key creation is part of the OpenVPN suite.
Responses file added as above.
Just had a look at it but cannot find anything out of the ordinary, so don't know why it doesn't do what it's supposed to do.
Kind regards,
Eric
Could it be something to do with this:
Quote:
expect -exact "Generating a 1024 bit RSA private key\r
........++++++\r
....................................................++++++\r
writing new private key to 'aaa.key'\r
-----\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
Can I skip these parts and just go straight to the expect parts with actual prompts?
You could try but I think it'll generate other errors. I'd first look into a possibility of running the key generation script 'silent' so it doesn't ask that many questions, since you don't seem to put anything in. What I mean is, check if you can run the script in a silent mode like the '-q' option for ssh-keygen.
Kind regards,
Eric
I'm looking into using openssl to create the certificates rather than ./build-ca as it requires too much input and autoexpect isn't working for this method.
On a separate note is there a way to manually write files on the fly?
I need to create a new client.ovpn for each customer/certificate.
Each .ovpn file has a section for:
certname.crt
certname.key
I need to rewrite these each time a new certificate is generated and then save the file, then email it.
If you know exactly what to rewrite then yes, you can rewrite a file on the fly using a script file that holds all the commands. Can you post an example of what you have in one of those ovpn files and what parts need to be rewritten?
Kind regards,
Eric
The file looks like this
Quote:
client
dev tun
proto tcp
remote 88.xxx.xxx.xx9 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert adminuser.crt
key adminuser.key
ns-cert-type server
comp-lzo
verb 4
Each time I create a new certificate in my script using $usern, I also need to change the parts in bold above. Instead of adminuser it would be whatever the username is in $usern
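One way to produce a per-user client.ovpn from the file posted above, as an added example that is not part of any post in this thread. The function names `valid_user`, `render_ovpn` and `demo` are hypothetical, and the user name `bob` is a constructed sample value; the name is validated before it is pasted into the `sed` expression and the file names.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Allow only names that are safe inside a sed expression and a file name:
# first character a letter or digit, the rest letters, digits, '_' or '-'.
valid_user() {
    case "$1" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# render_ovpn USER TEMPLATE OUTFILE
# Copy TEMPLATE to OUTFILE with the cert/key lines pointing at USER's files.
render_ovpn() (
    user=$1; template=$2; out=$3
    valid_user "$user" || { echo "rejected user name: $user" >&2; exit 1; }
    umask 077    # the directory this file is written to also holds a private key
    sed -e "s/^cert .*/cert $user.crt/" \
        -e "s/^key .*/key $user.key/" "$template" > "$out"
)

# Run render_ovpn in a scratch directory on the client.ovpn posted above
# and print the three lines that name certificate material.
demo() (
    dir=$(mktemp -d) || exit 1
    cat > "$dir/template.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 88.xxx.xxx.xx9 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert adminuser.crt
key adminuser.key
ns-cert-type server
comp-lzo
verb 4
EOF
    render_ovpn "$1" "$dir/template.ovpn" "$dir/client.ovpn"; status=$?
    [ "$status" -eq 0 ] && grep -E '^(ca|cert|key) ' "$dir/client.ovpn"
    rm -rf "$dir"
    exit "$status"
)

demo bob
```

A client only needs ca.crt, its own .crt and .key, and client.ovpn. ca.key is the CA's signing key and stays on the server, out of the zip.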