From 59644d953de4ff3b7b746745e1473b04a528965a Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Tue, 2 May 2017 17:17:01 +0200
Subject: [PATCH] Replace hardlinking of crl.pem with a copy easyrsa gen-crl does not modify the crl.pem in place but rather remove the old file and create a new one, which means any hardlink to it will get broken again at each invocation of easyrsa gen-crl. If hardlink to this file is not going to work anyway and we still need it to be readable by OpenVPN, we're better off copying it and chmod-ing it every time a new one is detected on container start, using the conditional expression file1 -nt file2.
---
 bin/ovpn_run | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/bin/ovpn_run b/bin/ovpn_run
index 0b2996c..9e9f3d5 100755
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@@ -74,13 +74,14 @@ if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
 setupIptablesAndRouting
 fi
-# Use a hacky hardlink as the CRL Needs to be readable by the user/group
+# Use a copy of crl.pem as the CRL Needs to be readable by the user/group
 # OpenVPN is running as. Only pass arguments to OpenVPN if it's found.
-if [ -r "$EASYRSA_PKI/crl.pem" ]; then
- if [ ! -r "$OPENVPN/crl.pem" ]; then
- ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
- chmod 644 "$OPENVPN/crl.pem"
- fi
+if [ "$EASYRSA_PKI/crl.pem" -nt "$OPENVPN/crl.pem" ]; then
+ cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
+ chmod 644 "$OPENVPN/crl.pem"
+fi
+
+if [ -r "$OPENVPN/crl.pem" ]; then
 addArg "--crl-verify" "$OPENVPN/crl.pem"
 fi
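Review bot: The copy made in the new `-nt` block is refreshed only when this script runs, so a CRL regenerated by `easyrsa gen-crl` while the container is up leaves `$OPENVPN/crl.pem` stale. Unless the revocation path (outside this hunk) also updates the copy, a newly revoked certificate would presumably stay accepted until the next restart. That limit belongs in the comment above the block, for example `# NOTE: the copy is refreshed only at container start; restart (or re-copy) after every gen-crl so revocations take effect.` The result of `cp -f` is also unchecked, so a failed copy falls through to the second `if` and passes the old file to `--crl-verify` without any message; `cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem" || echo "WARNING: could not refresh crl.pem" >&2` would at least surface it. Because `-nt` compares modification times only, a crl.pem restored with an older timestamp is skipped; a content check such as `if [ -r "$EASYRSA_PKI/crl.pem" ] && ! cmp -s "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"; then` avoids that, assuming `cmp` is present in the image.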