automate script for VPN keys

qwertyjjj · 01-09-2010, 05:02 AM

I'm trying to automate a script so that VPN keys can be sent out automatically.
The problem is that when I invoke the script, I have to keep pressing return for each of the OpenVPN key creation arguments.
When the nail command is fired, I also have to press Ctrl D to send the email.
Is there a way to program round this in bash?

Quote:

#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd

qwertyjjj · 01-10-2010, 03:49 AM

Is there a way to respond to promopts from within a bash script?

EricTRA · 01-10-2010, 03:54 AM

Hello,

Yes there is. You can use an auto answer file, which is basically nothing more than a file that contains the answers you want to give. Then redirect it into the script when executing, like this:

Code:

yourscript < answerfile

Or look into expect and autoexpect.

Kind regards,

Eric

qwertyjjj · 01-10-2010, 04:15 AM

Quote:

Originally Posted by EricTRA

Hello,

Yes there is. You can use an auto answer file, which is basically nothing more than a file that contains the answers you want to give. Then redirect it into the script when executing, like this:

Code:

yourscript < answerfile

Or look into expect and autoexpect.

Kind regards,

Eric

Sounds good. I created an auto script with autoexpect but was just thinking, the bash script above has 2 separate parts.
This: ./build-key $usern requires input
and this: nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd requires input.

Do I add a script after each separate command?
So,

Quote:

#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern < myRESPONSES1.exp
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd < myRESPONSES2.exp

Auto expect records the responses all as one file, yet maybe I should split it into 2?

EricTRA · 01-10-2010, 04:18 AM

Hi,

Logically I would say that yes, you'll have to have two answer files. So split the generated file in two and see how it goes.

Kind regards,

Eric

qwertyjjj · 01-10-2010, 04:30 AM

Ok, my script now looks like this:

Quote:

#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern < /usr/local/sbin/myscripts/vpn_responses1.exp
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key client.ovpn
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd < /usr/local/sbin/myscripts/vpn_responses2.exp

Almost there but it seems autoexpect doesn't record the entries correctly:

Quote:

[root@server88-xxx-xxx-198 myscripts]# /usr/local/sbin/myscripts/send_vpn_keys.sh
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
Generating a 1024 bit RSA private key
.............................................++++++
...............++++++
writing new private key to 'aaa.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:State or Province Name (full name) [LND]:Locality Name (eg, city) [LONDON]:Organization Name (eg, company) [aaa]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) [aaa]:Email Address [aaa@aaa.co.uk]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:string is too long, it needs to be less than 20 bytes long
A challenge password []:string is too short, it needs to be at least 4 bytes long
A challenge password []:string is too short, it needs to be at least 4 bytes long
A challenge password []:An optional company name []:Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'GB'
stateOrProvinceName :T61STRING:'set force_conservative 0 ;# set to 1 to force conservative mode even if'
localityName :T61STRING:'^I^I^I ;# script wasn't run conservatively originally'
organizationName :T61STRING:'if {$force_conservative} {'
organizationalUnitName:T61STRING:'^Iset send_slow {1 .1}'
commonName :T61STRING:'^Iproc send {ignore arg} {'
emailAddress :IA5STRING:'^I^Isleep .1'
Certificate is to be certified until Jan 8 10:29:03 2020 GMT (3650 days)
Sign the certificate? [y/n]:CERTIFICATE WILL NOT BE CERTIFIED
updating: ca.crt (deflated 38%)
updating: ca.key (deflated 22%)
updating: aaa.crt (stored 0%)
updating: aaa.csr (deflated 26%)
updating: aaa.key (deflated 22%)
updating: client.ovpn (deflated 54%)
[root@server88-xxx-xxx-198 myscripts]#

This is the expect file:

Quote:

#!/usr/bin/expect -f
set force_conservative 0 ;# set to 1 to force conservative mode even if
;# script wasn't run conservatively originally
if {$force_conservative} {
set send_slow {1 .1}
proc send {ignore arg} {
sleep .1
exp_send -s -- $arg
}
}

set timeout -1

#spawn ./build-key aaa
match_max 100000
expect -exact "Generating a 1024 bit RSA private key\r
........++++++\r
....................................................++++++\r
writing new private key to 'aaa.key'\r
-----\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
-----\r
Country Name (2 letter code) \[GB\]:"
send -- "\r"
expect -exact "\r
State or Province Name (full name) \[LND\]:"
send -- "\r"
expect -exact "\r
Locality Name (eg, city) \[LONDON\]:"
send -- "\r"
expect -exact "\r
Organization Name (eg, company) \[aaa\]:"
send -- "\r"
expect -exact "\r
Organizational Unit Name (eg, section) \[\]:"
send -- "\r"
expect -exact "\r
Common Name (eg, your name or your server's hostname) \[aaa\]:"
send -- "\r"
expect -exact "\r
Email Address \[aaa@aaa.co.uk\]:"
send -- "\r"
expect -exact "\r
\r
Please enter the following 'extra' attributes\r
to be sent with your certificate request\r
A challenge password \[\]:"
send -- "\r"
expect -exact "\r
An optional company name \[\]:"
send -- "\r"
expect -exact "\r
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf\r
Check that the request matches the signature\r
Signature ok\r
The Subject's Distinguished Name is as follows\r
countryName :PRINTABLE:'GB'\r
stateOrProvinceName :PRINTABLE:'LND'\r
localityName :PRINTABLE:'LONDON'\r
organizationName :PRINTABLE:'aaa'\r
commonName :PRINTABLE:'aaa'\r
emailAddress :IA5STRING:'aaa@aaa.co.uk'\r
Certificate is to be certified until Jan 8 10:21:56 2020 GMT (3650 days)\r
Sign the certificate? \[y/n\]:"
send -- "y\r"
expect -exact "y\r
\r
\r
1 out of 1 certificate requests certified, commit? \[y/n\]"
send -- "y\r"
expect eof

EricTRA · 01-10-2010, 04:41 AM

Hi,

Seems like most of the problems you're having are concerning the creation of your ssh key. How do you generate your keys? Is that part of the OpenVPN suite or a script you wrote that uses the ssh-keygen command? If it's the ssh-keygen command then you can set your defaults in the openssl.cnf and run

Code:

ssh-keygen -q

to avoid all those questions being asked and thus simplifying the process.

Kind regards,

Eric

qwertyjjj · 01-10-2010, 04:45 AM

Quote:

Originally Posted by EricTRA

Hi,

Seems like most of the problems you're having are concerning the creation of your ssh key. How do you generate your keys? Is that part of the OpenVPN suite or a script you wrote that uses the ssh-keygen command? If it's the ssh-keygen command then you can set your defaults in the openssl.cnf and run

Code:

ssh-keygen -q

to avoid all those questions being asked and thus simplifying the process.

Kind regards,

Eric

No, the keys are generated fine when run manually but something in the auto responses file isn't sending the input correctly and am not sure what.
The key creation is part of the OpenVPN suite.
Responses file added as above.

EricTRA · 01-10-2010, 05:05 AM

Hi,

Just had a look at it but cannot find anything out of the ordinary, so don't know why it doesn't do what it's supposed to do.

Kind regards,

Eric

qwertyjjj · 01-10-2010, 05:51 AM

Quote:

Originally Posted by EricTRA

Hi,

Just had a look at it but cannot find anything out of the ordinary, so don't know why it doesn't do what it's supposed to do.

Kind regards,

Eric

Could it be something to do with this:

Quote:

expect -exact "Generating a 1024 bit RSA private key\r
........++++++\r
....................................................++++++\r
writing new private key to 'aaa.key'\r
-----\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r

Can I skip these parts and just go straight to the expect parts with actual prompts?

EricTRA · 01-10-2010, 05:55 AM

Hi,

You could try but I think it'll generate other errors. I'd first look into a possibility of running the key generation script 'silent' so it doesn't ask that much questions, since you don't seem to put anything in. What I mean is, check if you can run the script in a silent mode like the '-q' option for ssh-keygen.

Kind regards,

Eric

qwertyjjj · 01-10-2010, 11:07 AM

Quote:

Originally Posted by EricTRA

Hi,

You could try but I think it'll generate other errors. I'd first look into a possibility of running the key generation script 'silent' so it doesn't ask that much questions, since you don't seem to put anything in. What I mean is, check if you can run the script in a silent mode like the '-q' option for ssh-keygen.

Kind regards,

Eric

I'm looking into using openssl to create the certificates rather than ./build-ca as it requires too much input and autoexpect isn't working for this method.

On a separate note is there a way to manually write files on the fly?
I need to create a new client.ovpn for each customer/certificate.
Each .ovpn file has a section for:
certname.crt
certname.key

I need to rewrite these each time a new certificate is generated and then save the file, then email it.

EricTRA · 01-10-2010, 11:14 AM

Hi,

If you know exactly what to rewrite then yes, you can rewrite a file on the fly using a script file that holds all the commands. Can you post an example of what you have in one of those ovpn files and what parts need to be rewritten?

Kind regards,

Eric

qwertyjjj · 01-10-2010, 11:53 AM

Quote:

Originally Posted by EricTRA

Hi,

If you know exactly what to rewrite then yes, you can rewrite a file on the fly using a script file that holds all the commands. Can you post an example of what you have in one of those ovpn files and what parts need to be rewritten?

Kind regards,

Eric

The file looks like this

Quote:

client
dev tun
proto tcp
remote 88.xxx.xxx.xx9 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert adminuser.crt
key adminuser.key
ns-cert-type server
comp-lzo
verb 4

Each time I create a new certificate in my script using $usern, I also need to change the parts in bold above. Instead of adminuser it would be whatever the username is in $usern

EricTRA · 01-10-2010, 12:05 PM

Hi,

You could use sed to substitute those references by whatever you want.

Code:

sed -i 's/regex/replacement/' yourfile.ovpn

Kind regards,

Eric