Add CRL verification
diff --git a/containers/xos/Dockerfile.devel b/containers/xos/Dockerfile.devel
index f21a694..461b4b4 100644
--- a/containers/xos/Dockerfile.devel
+++ b/containers/xos/Dockerfile.devel
@@ -98,8 +98,8 @@
RUN chmod 777 /opt/openvpn
RUN git clone https://github.com/OpenVPN/easy-rsa.git /opt/openvpn
RUN git -C /opt/openvpn pull origin master
-RUN echo "set_var EASYRSA /opt/openvpn/easyrsa3" | tee /opt/openvpn/easyrsa3/vars
RUN /opt/openvpn/easyrsa3/easyrsa --batch init-pki
RUN /opt/openvpn/easyrsa3/easyrsa --batch --req-cn=XOS build-ca nopass
RUN /opt/openvpn/easyrsa3/easyrsa --batch gen-dh
+RUN /opt/openvpn/easyrsa3/easyrsa --batch gen-crl
RUN chmod 777 /opt/openvpn/easyrsa3/pki/dh.pem
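Review bot: The CRL created by the new `gen-crl` line is generated once at image build time and carries easy-rsa's default validity (EASYRSA_CRL_DAYS, 180 days unless overridden), and OpenVPN refuses every client once its CRL has expired, so a container started from this image stops accepting connections some months after the build unless something regenerates pki/crl.pem; likewise a client revoked after the build only reaches the synchronizer's copy step if gen-crl is re-run, which nothing here does. I would at minimum document the constraint above the line: `# CRL validity is EASYRSA_CRL_DAYS (default 180d); re-run gen-crl after each revoke and before expiry, or OpenVPN rejects all clients`. Note also that dh.pem on the last line gets a chmod while the new crl.pem does not; if that chmod exists because the synchronizer's copy runs as another user, crl.pem needs the same treatment, and `chmod 644` is enough for a public artifact where 777 is not warranted.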
diff --git a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
index 2ab32c3..2642828 100644
--- a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
+++ b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
@@ -35,6 +35,9 @@
- name: get ca crt
copy: src=/opt/openvpn/easyrsa3/pki/ca.crt dest=/opt/openvpn/ca.crt
+ - name: get crl
+ copy: src=/opt/openvpn/easyrsa3/pki/crl.pem desk=/opt/openvpn/crl.pem
+
- name: get dh
copy: src=/opt/openvpn/easyrsa3/pki/dh.pem dest=/opt/openvpn/dh.pem
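Review bot: `desk=/opt/openvpn/crl.pem` on the new `get crl` task is a typo for `dest=`; Ansible's copy module requires `dest`, so the play aborts at this task with an unsupported/missing parameter error before the server config that references /opt/openvpn/crl.pem is ever written. The line should read `copy: src=/opt/openvpn/easyrsa3/pki/crl.pem dest=/opt/openvpn/crl.pem`. Since a missing CRL makes OpenVPN reject all clients rather than skip the check, this is a hard outage and not a silent bypass, but it should be fixed before merge.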
@@ -61,6 +64,7 @@
cert /opt/openvpn/server-{{ tenant_id }}/server.crt
key /opt/openvpn/server-{{ tenant_id }}/server.key
dh /opt/openvpn/dh.pem
+ crl-verify /opt/openvpn/crl.pem
server {{ server_network }} {{ vpn_subnet }}
ifconfig-pool-persist /opt/openvpn/server-{{ tenant_id }}/ipp.txt
comp-lzo
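Review bot: The CRL named by `crl-verify /opt/openvpn/crl.pem` is re-read by OpenVPN at connection time rather than only at startup, so unlike the `dh`, `cert` and `key` entries above it must remain readable after any privilege drop or chroot the server applies. The rest of the templated config lies outside this hunk; if it contains `user`/`group` or `chroot` directives, confirm the file's ownership or mode and keep the path inside the chroot, or clients will be rejected with a CRL verify error. A comment next to the directive would help the next maintainer: `# crl-verify is re-read per connection; keep readable after user/group drop`.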