On Mon, Oct 5, 2015 at 2:15 PM, Dreetjeh D <dreet...@hotmail.com> wrote:
>
> > I'd add some debug statements to the script, e.g. add on the second line.
> >
> > echo "[$0] [$1] [$2] [$3] [$4]"
>
> Result:
> *****************************
>
> Mon Oct 5 19:23:14 2015 us=499434 192.168.11.32:1194 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> Mon Oct 5 19:23:14 2015 us=499500 192.168.11.32:1194 VERIFY EKU OK
> ***
> [/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh] [/volume1/@appstore/VPNCenter/scripts/userlist.txt] [0] [C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com] []
> ***^^^^^^^^^^

Your script tries to extract the common name using a regexp

".*/CN=\([^/][^/]*\)"

which expects the input to be "... /CN=admin/..." which is not the case. An outdated script, perhaps?

To extract the name "admin" from that input, try this regexp instead:

".* CN=\([^,]*\)"

That is, replace the grep line in the script by

grep -q "^`expr match "$3" ".* CN=\([^,]*\)"`$" "$1" && exit 0

I am assuming your userlist.txt file contains a list of common names, one per line.

Extracting the common name from the subject string presented in an undocumented format looks quite flaky. There has to be a better way of doing tls-verify.

This line shows up extra, so I would think the admin cert arrived.

> ***
> Mon Oct 5 19:23:14 2015 us=511255 192.168.11.32:1194 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
> Mon Oct 5 19:23:14 2015 us=511360 192.168.11.32:1194 VERIFY SCRIPT ERROR: depth=0, C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com
> Mon Oct 5 19:23:14 2015 us=511681 192.168.11.32:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
> ******************************
>
> > Also, what happens if you run the script manually
> > with the same parameters as specified via OpenVPN ?
>
> You mean start from the CLI?
>
> It's becoming quite a journey :)

This is easy to do. Just cd to the script directory and run

$ ./ovpnCNcheck.sh userlist.txt 0 "C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com"

(the above is all in one line) and check the exit code as

$ echo $?

You should get 0 for success, 1 for failure.

Selva

> Thanks for trying to help this novice.
> André
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
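
The check discussed in this thread, as an added example that is not part of the original messages and is not the ovpnCNcheck.sh script: it accepts both subject layouts and compares the CN as a literal whole line instead of building a regexp from it. Function names and sample subjects are constructed; the argument order follows the debug output quoted above, and checking only depth 0 is an assumption.

```shell
#!/bin/sh
# Added example, not the original ovpnCNcheck.sh; function names are hypothetical.

# Constructed samples: the comma layout is the one logged in the thread, the
# slash layout is the one the old regexp expects. The e-mail address is made up.
SUBJ_COMMA='C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=user@example.com'
SUBJ_SLASH='/C=NL/ST=GLD/O=MMD/OU=OVPN-NAS/CN=admin/emailAddress=user@example.com'

# extract_cn SUBJECT: print the CN, or fail unless exactly one CN field exists.
# Limitation: a CN value that itself contains the separator is cut at it.
extract_cn() {
    case $1 in
        /*) sep='/' ;;
        *)  sep=',' ;;
    esac
    cns=$(printf '%s\n' "$1" | tr "$sep" '\n' | sed -n 's/^ *CN=//p')
    [ -n "$cns" ] || return 1
    [ "$(printf '%s\n' "$cns" | grep -c '')" -eq 1 ] || return 1
    printf '%s\n' "$cns"
}

# cn_allowed USERLIST DEPTH SUBJECT: same argument order as the debug echo above.
# Assumption: only the peer certificate (depth 0) is checked against the list.
cn_allowed() {
    case $2 in
        0) ;;
        ''|*[!0-9]*) return 1 ;;   # malformed depth: fail closed
        *) return 0 ;;             # CA certificates further up the chain
    esac
    cn=$(extract_cn "$3") || return 1
    # -F literal, -x whole line: the CN is never interpreted as a regexp.
    grep -Fxq -- "$cn" "$1"
}

# Called with three arguments, as a --tls-verify script is: act as the check.
if [ "$#" -eq 3 ]; then
    cn_allowed "$@"
    exit $?
fi
```

With `grep -Fx` a certificate whose CN is `a.*` is compared as those three characters, so it cannot match `admin` the way a pattern assembled from the CN would.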