feat(api): ovpntunnel, retrieve all cert info#1502
Conversation
The UI will display expiration date for all involved certificates.
There was a problem hiding this comment.
Pull request overview
This PR enhances the OpenVPN tunnel API to retrieve expiration dates for all certificates involved in tunnel configurations (CA, server, and client certificates), addressing the need to display certificate expiration information in the UI.
Changes:
- Replaced the single-certificate expiration function with a comprehensive certificate parser that extracts CN and expiration dates from PEM files containing multiple certificates
- Updated the
list-tunnelsAPI to include certificate information for both server and client tunnels - Updated documentation with examples showing the new certificates field structure
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/ns-api/files/ns.ovpntunnel | Replaced get_cert_expiry_ts() with get_certificates_from_pem() to extract multiple certificates with their CNs and expiration timestamps; integrated the new function into both client and server tunnel listings |
| packages/ns-api/README.md | Added documentation examples showing the new certificates field structure with CN-keyed expiration timestamps for server tunnels |
Comments suppressed due to low confidence (1)
packages/ns-api/README.md:970
- The documentation example doesn't include the 'certificates' field for clients even though the code at line 388 in ns.ovpntunnel adds this field when vpn.get('cert') is available. Consider adding an example showing what the certificates field looks like for a client tunnel, similar to how it's shown for servers.
"clients": [
{
"ns_name": "clientsubent",
"id": "ns_1234",
"topology": "subnet",
"enabled": true,
"port": "1200",
"remote_host": "185.96.130.33",
"remote_network": []
},
{
"ns_name": "c1",
"id": "ns_333",
"topology": "p2p",
"enabled": true,
"port": "1122",
"remote_host": "1.2.3.4",
"remote_network": [
"10.0.1.0/24"
]
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| certificates = {} | ||
| if vpn.get('cert'): | ||
| certificates = get_certificates_from_pem(vpn.get('cert')) | ||
| #/etc/openvpn/ns_tun2/pki/issued/client.crt |
There was a problem hiding this comment.
This inline comment appears to be example text rather than an actual comment explaining the code. Consider either removing it or reformatting it as a proper explanatory comment.
| #/etc/openvpn/ns_tun2/pki/issued/client.crt | |
| # Example client certificate path: /etc/openvpn/ns_tun2/pki/issued/client.crt |
| if line.startswith("subject="): | ||
| subject_line = line | ||
| if "CN=" in subject_line: | ||
| cn = subject_line.split("CN=")[1].split(",")[0] |
There was a problem hiding this comment.
The CN extraction logic splits on 'CN=' and ',' which is fragile. If the CN value itself contains a comma, this will truncate the name incorrectly. Since you're using RFC2253 format (which escapes commas in CN values), consider using a more robust parsing approach that handles escaped characters properly.
1 participant
The UI will display expiration date for all involved certificates.
Improves #1481
UI changes: NethServer/nethsecurity-ui#690