From ea19fbe932bd90e745b124571a29e295d3b9e944 Mon Sep 17 00:00:00 2001
From: "Bauer, Jochen"
Date: Sat, 1 Sep 2018 15:40:38 +0200
Subject: [PATCH 1/2] extended client status for EXPIRED or other errors
---
 bin/ovpn_listclients | 33 ++++++++++++++++++++++-----------
 docs/clients.md | 4 +++-
 2 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/bin/ovpn_listclients b/bin/ovpn_listclients
index 120ab50..52500e1 100755
--- a/bin/ovpn_listclients
+++ b/bin/ovpn_listclients
@@ -15,6 +15,8 @@ cd "$EASYRSA_PKI"
 if [ -e crl.pem ]; then
 cat ca.crt crl.pem > cacheck.pem
+else
+ cat ca.crt > cacheck.pem
 fi
 echo "name,begin,end,status"
@@ -26,20 +28,29 @@ for name in issued/*.crt; do
 name=${name%.crt}
 name=${name#issued/}
 if [ "$name" != "$OVPN_CN" ]; then
- if [ -e crl.pem ]; then
- if openssl verify -crl_check -CAfile cacheck.pem $path &> /dev/null; then
- status="VALID"
+ # check for revocation or expiration
+ command="openssl verify -crl_check -CAfile cacheck.pem $path"
+ result=$($command)
+ if [ $(echo "$result" | wc -l) == 1 ] && [ "$(echo "$result" | grep ": OK")" ]; then
+ status="VALID"
 else
- status="REVOKED"
+ result=$(echo "$result" | tail -n 1 | grep error | cut -d" " -f2)
+ case $result in
+ 10)
+ status="EXPIRED"
+ ;;
+ 23)
+ status="REVOKED"
+ ;;
+ *)
+ status="INVALID"
+ esac
 fi
- else
- status="VALID"
 fi
- echo "$name,$begin,$end,$status"
- fi
+ echo "$name,$begin,$end,$status"
+
 done
-if [ -e crl.pem ]; then
- rm cacheck.pem
-fi
+# Clean
+rm cacheck.pem
diff --git a/docs/clients.md b/docs/clients.md
index ccbbecb..eac946a 100644
--- a/docs/clients.md
+++ b/docs/clients.md
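Review bot: `cacheck.pem` is now written into the PKI directory on every run, but its only removal is the unconditional `rm cacheck.pem` at the end of the second hunk, so any early exit (a failing `openssl` call if the script runs under `set -e`, a signal) leaves a stray CA bundle behind in `$EASYRSA_PKI`. Register the cleanup where the file is created, `trap 'rm -f -- cacheck.pem' EXIT`, and the trailing `rm` becomes unnecessary. The new `else` branch also deserves a one-line comment such as `# no CRL yet: bundle holds the CA alone` so the reader knows the fallback is intentional rather than a leftover. Whether the script sets `-e` is outside the hunk.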
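Review bot: The verify step now passes `-crl_check` even when `crl.pem` is absent (the first hunk falls back to a CA-only bundle), and OpenSSL then rejects every certificate with `unable to get certificate CRL` (verify error 3), so all clients report `INVALID` until the first revocation, whereas the pre-change code only verified when a CRL existed. `result=$($command)` also only captures stdout, while depending on the OpenSSL version the `error N at D depth lookup: ...` line goes to stderr or is followed by a `verification failed` summary line, so `tail -n 1 | cut -d" " -f2` yields the file name instead of the code; the unquoted `$path` inside the `$command` string word-splits on names with spaces, and a non-zero exit from `openssl verify` terminates the script if it runs under `set -e` (not visible here, but the pre-change `if openssl verify ...` form was immune to that). The rewrite below adds `-crl_check` only when a CRL exists, tests the exit status in the `if` as before, captures both streams, and takes the code from the first `error N at` line; the `case` arms are unchanged. The enclosing `for` loop and `if [ "$name" != "$OVPN_CN" ]` start outside the hunk.
```shell
        # check for revocation or expiration; -crl_check only when a CRL exists,
        # otherwise OpenSSL fails every cert with "unable to get certificate CRL"
        crl_opt=
        if [ -e crl.pem ]; then crl_opt=-crl_check; fi
        # $crl_opt intentionally unquoted: empty means "no extra argument"
        if result=$(openssl verify $crl_opt -CAfile cacheck.pem "$path" 2>&1); then
            status="VALID"
        else
            # first "error N at D depth lookup: ..." line; trailing summary lines vary by version
            code=$(printf '%s\n' "$result" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
            case $code in
            # … unchanged: 10) 23) *) arms and esac …
```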
@@ -11,10 +11,12 @@ Note that some client software might be picky about which configuration format i
 ## Client List
-See an overview of the configured clients, including revocation status:
+See an overview of the configured clients, including revocation and expiration status:
 docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients
+ The output is generated using `openssl verify`. Error codes from the verification process different from `X509_V_ERR_CERT_HAS_EXPIRED` or `X509_V_ERR_CERT_REVOKED` will show the status `INVALID`.
+
 ## Batch Mode
 If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
From 3771097bc979e0276f97fdb0d851a811ca5acf19 Mon Sep 17 00:00:00 2001
From: Jochen Bauer
Date: Thu, 30 Aug 2018 17:08:04 +0200
Subject: [PATCH 2/2] corrected the output line, was accidentially wrong
---
 bin/ovpn_listclients | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/bin/ovpn_listclients b/bin/ovpn_listclients
index 52500e1..47f4459 100755
--- a/bin/ovpn_listclients
+++ b/bin/ovpn_listclients
@@ -46,10 +46,8 @@ for name in issued/*.crt; do
 status="INVALID"
 esac
 fi
+ echo "$name,$begin,$end,$status"
 fi
-
- echo "$name,$begin,$end,$status"
-
 done
 # Clean