Makefile

# Requires:
# - make (to run this)
# - openssh (for easyrsa and expiry checks)
# - aws cli (to push CRL certificate)

ifndef VERBOSE
.SILENT:
endif

DEFAULT_CERT_EXPIRE := 730
DEFAULT_CLIENT_CERT_EXPIRE := 730
DEFAULT_CRL_DAYS := 730

# Shell helper: read a single-value file under pki/, prompting and creating it
# if missing. Prompt goes to stderr; value goes to stdout (so callers can use
# VAR=$(ensure_pki_value pki/foo "Prompt" "optional-default") ).
define ENSURE_PKI_VALUE
ensure_pki_value() { \
	file="$$1"; prompt="$$2"; default="$$3"; \
	if [ ! -f "$$file" ]; then \
		if [ -n "$$default" ]; then \
			printf '%s [%s]: ' "$$prompt" "$$default" >&2; \
			read -r v; \
			v="$${v:-$$default}"; \
		else \
			v=""; \
			while [ -z "$$v" ]; do \
				printf '%s: ' "$$prompt" >&2; \
				read -r v || break; \
			done; \
		fi; \
		printf '%s\n' "$$v" > "$$file"; \
	fi; \
	cat "$$file"; \
};
endef

# Display a pki single-value file, or "(missing)" if it does not exist.
# Used by debug-server to keep status checks passive (no prompting).
define SHOW_PKI_VALUE
show_pki_value() { \
	file="$$1"; \
	if [ -f "$$file" ]; then cat "$$file"; else printf '(missing)'; fi; \
};
endef

define USAGE
make debug-server [profile=AWSPROFILE]
  Check the status of the current VPN configuration. Without `profile`, only inspects local files. With `profile`, also queries the live Client VPN endpoint: prints its Status.Code/Message and active connection count; exports the endpoint's CRL and shows its Next Update with drift vs local pki/crl.pem (catches "regenerated locally but never pushed"); reconciles its ServerCertificateArn / ClientRootCertificateChain ARN against pki/cert_arn / pki/client_cert_arn (prompts default N before writing); and queries ACM for each ARN to show Status/NotBefore/NotAfter and flag drift between ACM's NotAfter and the local pki/issued/$$VPN_NAME.crt (catches "renewed locally but never pushed"). Use this once after upgrading from a single-ARN PKI to backfill pki/client_cert_arn.
make check-reassociate profile=AWSPROFILE
  Pre-flight summary of what `make reassociate` would entail (subnets, routes that would need re-adding, security groups, active connections that would be dropped). Read-only. See `make reassociate` for when this is needed.
make reassociate profile=AWSPROFILE [proceed=1]
  EMERGENCY ONLY. Use only if the previous server cert has already expired and clients are getting cert-expired errors after `push-cert`. Disassociates every target network and re-associates the same subnets, re-applying security groups and re-adding manually-created routes; this forces the endpoint to re-pull its ACM cert immediately. Drops all active connections and makes the endpoint unavailable for ~5–10 min. Without `proceed=1` this is a dry-run.
  If you renew BEFORE expiry, AWS takes ~24h to propagate but the old (still-valid) cert keeps users connected through that window — no need to reassociate. Run `make check-reassociate` first.
make current
  Shows the current connection
make available
  Lists the available connections to restore
make new-server name=NAME [cert_expire=DAYS] [client_cert_expire=DAYS] [crl_days=DAYS]
  Initializes a new client VPN certificate
  name: A readable name for the endpoint. Will be used as the common name for the certificate. Is saved to pki/vpn_name. [.a-z_-] e.g. vpn.buy.nsw.gov.au
  cert_expire: Server cert validity in days. Saved to pki/cert_expire. Default $(DEFAULT_CERT_EXPIRE).
  client_cert_expire: Client cert validity in days. Saved to pki/client_cert_expire. Default $(DEFAULT_CLIENT_CERT_EXPIRE).
  crl_days: CRL validity in days. Saved to pki/crl_days. Default $(DEFAULT_CRL_DAYS).
make renew-server
  Renews an existing client VPN certificate
make push-cert profile=AWSPROFILE [proceed=1]
  Imports/updates BOTH ACM certs that the mutual-auth Client VPN endpoint references. The same payload (server cert + key + CA chain) is uploaded to both ARNs: AWS uses the leaf for server identity at the server cert ARN, and the CA chain for client validation at the client cert ARN. Saved as pki/cert_arn and pki/client_cert_arn. On first run both ACM certs are created; subsequent runs update them in place. If pki/cert_arn is set but pki/client_cert_arn is not (legacy PKI), push-cert refuses and tells you to run `make debug-server profile=…` first to backfill. If `proceed=1` is not included, this only describes what would be uploaded.
make archive
  Backs up the current configuration up to a zip file named NAME.DATE.zip and removes its pki directory
make restore name=NAME [date=YYYYMMDD] [proceed=1]
  Restores an archive for that VPN to pki. If `proceed=1` is not included, this only lists the archive that would be restored.
make debug-client [name=NAME]
  Check the status of one or all client VPN configurations
make new-client name=NAME
  Creates a client certificate for connecting to the VPN
  name: Typically the name of the developer. [.a-z_-] e.g. blair, blair_mckenzie
make renew-client name=NAME
  Renews a client certificate
  name: The name of the client certificate
make renew-clients
  Renews all existing client certificates for the current VPN.
make generate-crl
  Regenerates the certificate revocation list certificate
make push-crl profile=AWSPROFILE [proceed=1]
  Regenerates the certificate revocation list certificate
make cat-crl
  Outputs the current CRL certificate
make purge-client name=NAME [proceed=1]
  Removes the files relevant to a client. If `proceed=1` is not included, this only lists the files that would be removed.
  name: The name of the client certificate
make purge-server [proceed=1]
  Removes the pki directory. If `proceed=1` is not included, this only lists the number of files that would be removed.
make purge-backups [proceed=1]
  Removes backups. If `proceed=1` is not included, this only lists the number of files that would be removed.
endef
export USAGE

default:
	@echo "$$USAGE"

debug-server:
	cd easyrsa3;\
	$(SHOW_PKI_VALUE) \
	if [ -t 1 ]; then RED=$$(printf '\033[0;31m'); GREEN=$$(printf '\033[0;32m'); RST=$$(printf '\033[0m'); else RED=""; GREEN=""; RST=""; fi;\
	red()      { printf '%s%s%s' "$$RED"   "$$1" "$$RST"; };\
	green()    { printf '%s%s%s' "$$GREEN" "$$1" "$$RST"; };\
	fileval()  { v=$$(show_pki_value "$$1"); if [ "$$v" = "(missing)" ]; then red "$$v"; else green "$$v"; fi; };\
	dateval()  { ep=$$(date -d "$$1" +%s 2>/dev/null); if [ -z "$$ep" ]; then printf '%s' "$$1"; else nw=$$(date +%s); wk=$$((nw + 604800)); if [ "$$ep" -lt "$$wk" ]; then red "$$1"; else green "$$1"; fi; fi; };\
	date_c()   { ep=$$(date -d "$$1" +%s 2>/dev/null); if [ -z "$$ep" ]; then printf ''; else nw=$$(date +%s); wk=$$((nw + 604800)); if [ "$$ep" -lt "$$wk" ]; then printf '%s' "$$RED"; else printf '%s' "$$GREEN"; fi; fi; };\
	status_c() { case "$$1" in available) printf '%s' "$$GREEN";; "") printf '';; *) printf '%s' "$$RED";; esac; };\
	acm_c()    { case "$$1" in ISSUED) printf '%s' "$$GREEN";; "") printf '';; *) printf '%s' "$$RED";; esac; };\
	drift_c()  { case "$$1" in none) printf '%s' "$$GREEN";; "") printf '';; *) printf '%s' "$$RED";; esac; };\
	if [ ! -d "pki" ]; then\
		echo "./easyrsa3/pki directory does not exist. This must contain a current easyrsa configuration.";\
	else\
		KV='  %-18s  %s\n';\
		echo "=== Local PKI (./easyrsa3/pki) ===";\
		printf "$$KV" "pki directory"      "$$(green Exists)";\
		printf "$$KV" "vpn_id"             "$$(fileval pki/vpn_id)";\
		printf "$$KV" "vpn_region"         "$$(fileval pki/vpn_region)";\
		printf "$$KV" "vpn_name"           "$$(fileval pki/vpn_name)";\
		printf "$$KV" "cert_arn"           "$$(fileval pki/cert_arn)";\
		printf "$$KV" "client_cert_arn"    "$$(fileval pki/client_cert_arn)";\
		printf "$$KV" "cert_expire"        "$$(fileval pki/cert_expire)";\
		printf "$$KV" "client_cert_expire" "$$(fileval pki/client_cert_expire)";\
		printf "$$KV" "crl_days"           "$$(fileval pki/crl_days)";\
		if [ -f "pki/vpn_name" ]; then\
			VPN_NAME=$$(cat pki/vpn_name);\
			if [ -f "pki/issued/$$VPN_NAME.crt" ]; then\
				LOCAL_NOTAFTER=$$(openssl x509 -enddate -noout -in ./pki/issued/$$VPN_NAME.crt | sed 's/^notAfter=//');\
				printf "$$KV" "server cert expiry" "$$(dateval "$$LOCAL_NOTAFTER")";\
			fi;\
		fi;\
		if [ -f "pki/crl.pem" ]; then\
			CRL_NEXT=$$(openssl crl -in ./pki/crl.pem -text | sed -n 's/^.*Next Update: //p');\
			printf "$$KV" "CRL next update" "$$(dateval "$$CRL_NEXT")";\
		fi;\
		if [ "$(profile)" = "" ]; then\
			echo "";\
			echo "(Pass profile=AWSPROFILE to also query the live endpoint and ACM: endpoint status, active connections, ARN reconciliation, ACM cert status / drift.)";\
		elif [ -f pki/vpn_id ] && [ -f pki/vpn_region ]; then\
			VPN_ID=$$(cat pki/vpn_id);\
			VPN_REGION=$$(cat pki/vpn_region);\
			AWS="aws --profile $(profile) --region $$VPN_REGION --output text";\
			echo "";\
			echo "=== Live endpoint (profile=$(profile)) ===";\
			ENDPOINT_INFO=$$($$AWS ec2 describe-client-vpn-endpoints \
				--client-vpn-endpoint-ids $$VPN_ID \
				--query 'ClientVpnEndpoints[0].[ServerCertificateArn,AuthenticationOptions[?Type==`certificate-authentication`].MutualAuthentication.ClientRootCertificateChain | [0],Status.Code,Status.Message]' 2>/dev/null);\
			if [ -z "$$ENDPOINT_INFO" ]; then\
				echo "  Endpoint $$VPN_ID not found in $$VPN_REGION (profile=$(profile)).";\
			else\
				LIVE_SERVER_ARN=$$(printf  '%s\n' "$$ENDPOINT_INFO" | awk -F'\t' '{ print $$1 }');\
				LIVE_CLIENT_ARN=$$(printf  '%s\n' "$$ENDPOINT_INFO" | awk -F'\t' '{ print $$2 }');\
				LIVE_STATUS_CODE=$$(printf '%s\n' "$$ENDPOINT_INFO" | awk -F'\t' '{ print $$3 }');\
				LIVE_STATUS_MSG=$$(printf  '%s\n' "$$ENDPOINT_INFO" | awk -F'\t' '{ print $$4 }');\
				LOCAL_SERVER_ARN=$$([ -f pki/cert_arn ] && cat pki/cert_arn || echo "");\
				LOCAL_CLIENT_ARN=$$([ -f pki/client_cert_arn ] && cat pki/client_cert_arn || echo "");\
				STATUS_COL="$$(status_c "$$LIVE_STATUS_CODE")";\
				STATUS_VAL="$$STATUS_COL$$LIVE_STATUS_CODE$$RST";\
				if [ -n "$$LIVE_STATUS_MSG" ] && [ "$$LIVE_STATUS_MSG" != "None" ]; then\
					printf "$$KV" "status" "$$STATUS_VAL ($$LIVE_STATUS_MSG)";\
				else\
					printf "$$KV" "status" "$$STATUS_VAL";\
				fi;\
				printf "$$KV" "server cert ARN" "$$LIVE_SERVER_ARN";\
				printf "$$KV" "client cert ARN" "$$LIVE_CLIENT_ARN";\
				ACTIVE_CONN_COUNT=$$($$AWS ec2 describe-client-vpn-connections \
					--client-vpn-endpoint-id $$VPN_ID \
					--query 'length(Connections[?Status.Code==`active`])' 2>/dev/null);\
				if [ -z "$$ACTIVE_CONN_COUNT" ]; then\
					printf "$$KV" "active connections" "$$(red "(unknown)")";\
				else\
					printf "$$KV" "active connections" "$$ACTIVE_CONN_COUNT";\
				fi;\
				LIVE_CRL_NEXT=$$($$AWS ec2 export-client-vpn-client-certificate-revocation-list \
					--client-vpn-endpoint-id $$VPN_ID \
					--query 'CertificateRevocationList' 2>/dev/null \
					| openssl crl -noout -nextupdate 2>/dev/null \
					| sed 's/^nextUpdate=//');\
				LOCAL_CRL_NEXT="";\
				if [ -f pki/crl.pem ]; then\
					LOCAL_CRL_NEXT=$$(openssl crl -in pki/crl.pem -noout -nextupdate 2>/dev/null | sed 's/^nextUpdate=//');\
				fi;\
				if [ -z "$$LIVE_CRL_NEXT" ]; then\
					printf "$$KV" "CRL next update" "$$(red "(none on endpoint or fetch failed)")";\
				else\
					CRL_DRIFT_TAG="";\
					if [ -n "$$LOCAL_CRL_NEXT" ]; then\
						LOCAL_CRL_EPOCH=$$(date -d "$$LOCAL_CRL_NEXT" +%s 2>/dev/null);\
						LIVE_CRL_EPOCH=$$(date -d "$$LIVE_CRL_NEXT" +%s 2>/dev/null);\
						if [ -n "$$LOCAL_CRL_EPOCH" ] && [ -n "$$LIVE_CRL_EPOCH" ]; then\
							if [ "$$LOCAL_CRL_EPOCH" = "$$LIVE_CRL_EPOCH" ]; then\
								CRL_DRIFT_TAG=" $$(green "(matches local pki/crl.pem)")";\
							elif [ "$$LOCAL_CRL_EPOCH" -gt "$$LIVE_CRL_EPOCH" ]; then\
								CRL_DRIFT_TAG=" $$(red "(local pki/crl.pem newer; push-crl may be needed)")";\
							else\
								CRL_DRIFT_TAG=" $$(red "(endpoint CRL newer than local; unusual)")";\
							fi;\
						fi;\
					fi;\
					printf "$$KV" "CRL next update" "$$(dateval "$$LIVE_CRL_NEXT")$$CRL_DRIFT_TAG";\
				fi;\
				echo "";\
				echo "=== ARN reconciliation ===";\
				reconcile() {\
					file="$$1"; live="$$2"; localv="$$3"; label="$$4";\
					if [ -z "$$live" ] || [ "$$live" = "None" ]; then\
						printf "$$KV" "$$label" "$$(red "endpoint has no ARN (unusual); no action")";\
						return;\
					fi;\
					if [ -z "$$localv" ]; then\
						printf "$$KV" "$$label" "$$(red "easyrsa3/$$file missing")";\
						printf '    Set easyrsa3/%s to %s? [y/N]: ' "$$file" "$$live";\
						read -r ANS;\
						case "$$ANS" in\
							y|Y|yes|YES)\
								printf '%s\n' "$$live" > "$$file";\
								echo "    Wrote easyrsa3/$$file.";;\
							*) echo "    Skipped.";;\
						esac;\
					elif [ "$$localv" = "$$live" ]; then\
						printf "$$KV" "$$label" "$$(green "matches local (easyrsa3/$$file)")";\
					else\
						printf "$$KV" "$$label" "$$(red "local (easyrsa3/$$file) differs")";\
						printf '    local: %s\n' "$$localv";\
						printf '    live:  %s\n' "$$live";\
						printf '    Update easyrsa3/%s to live value? [y/N]: ' "$$file";\
						read -r ANS;\
						case "$$ANS" in\
							y|Y|yes|YES)\
								printf '%s\n' "$$live" > "$$file";\
								echo "    Updated easyrsa3/$$file.";;\
							*) echo "    Skipped.";;\
						esac;\
					fi;\
				};\
				reconcile pki/cert_arn        "$$LIVE_SERVER_ARN" "$$LOCAL_SERVER_ARN" "server cert ARN";\
				reconcile pki/client_cert_arn "$$LIVE_CLIENT_ARN" "$$LOCAL_CLIENT_ARN" "client cert ARN";\
				echo "";\
				echo "=== ACM certificates ===";\
				fetch_acm() {\
					arn="$$1";\
					if [ -z "$$arn" ] || [ "$$arn" = "None" ]; then\
						printf '%s\t%s\t%s\t%s\n' "(no ARN)" "" "" "";\
						return;\
					fi;\
					INFO=$$($$AWS acm describe-certificate --certificate-arn "$$arn" \
						--query 'Certificate.[Status,NotBefore,NotAfter]' 2>/dev/null);\
					if [ -z "$$INFO" ]; then\
						printf '%s\t%s\t%s\t%s\n' "(fetch failed)" "" "" "";\
						return;\
					fi;\
					ACM_STATUS=$$(printf    '%s\n' "$$INFO" | awk -F'\t' '{ print $$1 }');\
					ACM_NOTBEFORE=$$(printf '%s\n' "$$INFO" | awk -F'\t' '{ print $$2 }');\
					ACM_NOTAFTER=$$(printf  '%s\n' "$$INFO" | awk -F'\t' '{ print $$3 }');\
					DRIFT="";\
					if [ -n "$$VPN_NAME" ] && [ -f "pki/issued/$$VPN_NAME.crt" ]; then\
						LOCAL_NA=$$(openssl x509 -enddate -noout -in "pki/issued/$$VPN_NAME.crt" | sed 's/^notAfter=//');\
						LOCAL_EPOCH=$$(date -d "$$LOCAL_NA" +%s 2>/dev/null);\
						ACM_EPOCH=$$(date -d "$$ACM_NOTAFTER" +%s 2>/dev/null);\
						if [ -n "$$LOCAL_EPOCH" ] && [ -n "$$ACM_EPOCH" ]; then\
							if [ "$$LOCAL_EPOCH" = "$$ACM_EPOCH" ]; then\
								DRIFT="none";\
							elif [ "$$LOCAL_EPOCH" -gt "$$ACM_EPOCH" ]; then\
								DRIFT="DIFFERS (local newer)";\
							else\
								DRIFT="DIFFERS (ACM newer)";\
							fi;\
						fi;\
					fi;\
					printf '%s\t%s\t%s\t%s\n' "$$ACM_STATUS" "$$ACM_NOTBEFORE" "$$ACM_NOTAFTER" "$$DRIFT";\
				};\
				SERVER_DATA=$$(fetch_acm "$$LIVE_SERVER_ARN");\
				CLIENT_DATA=$$(fetch_acm "$$LIVE_CLIENT_ARN");\
				S_STATUS=$$(printf    '%s' "$$SERVER_DATA" | awk -F'\t' '{ print $$1 }');\
				S_NOTBEFORE=$$(printf '%s' "$$SERVER_DATA" | awk -F'\t' '{ print $$2 }');\
				S_NOTAFTER=$$(printf  '%s' "$$SERVER_DATA" | awk -F'\t' '{ print $$3 }');\
				S_DRIFT=$$(printf     '%s' "$$SERVER_DATA" | awk -F'\t' '{ print $$4 }');\
				C_STATUS=$$(printf    '%s' "$$CLIENT_DATA" | awk -F'\t' '{ print $$1 }');\
				C_NOTBEFORE=$$(printf '%s' "$$CLIENT_DATA" | awk -F'\t' '{ print $$2 }');\
				C_NOTAFTER=$$(printf  '%s' "$$CLIENT_DATA" | awk -F'\t' '{ print $$3 }');\
				C_DRIFT=$$(printf     '%s' "$$CLIENT_DATA" | awk -F'\t' '{ print $$4 }');\
				ROW='  %-9s  %s%-28s%s  %s%s%s\n';\
				printf "$$ROW" "field"     ""                           "server"        ""      ""                           "client"        "";\
				printf "$$ROW" "status"    "$$(acm_c   "$$S_STATUS")"   "$$S_STATUS"    "$$RST" "$$(acm_c   "$$C_STATUS")"   "$$C_STATUS"    "$$RST";\
				printf "$$ROW" "notBefore" ""                           "$$S_NOTBEFORE" ""      ""                           "$$C_NOTBEFORE" "";\
				printf "$$ROW" "notAfter"  "$$(date_c  "$$S_NOTAFTER")" "$$S_NOTAFTER"  "$$RST" "$$(date_c  "$$C_NOTAFTER")" "$$C_NOTAFTER"  "$$RST";\
				printf "$$ROW" "drift"     "$$(drift_c "$$S_DRIFT")"    "$$S_DRIFT"     "$$RST" "$$(drift_c "$$C_DRIFT")"    "$$C_DRIFT"     "$$RST";\
				case "$$S_DRIFT" in\
					"DIFFERS (local newer)") printf '  %s\n' "$$(red "note: server cert drift - local pki/issued/$$VPN_NAME.crt notAfter newer than ACM; push-cert may be needed.")";;\
					"DIFFERS (ACM newer)")   printf '  %s\n' "$$(red "note: server cert drift - ACM notAfter newer than local; unusual, investigate.")";;\
				esac;\
				case "$$C_DRIFT" in\
					"DIFFERS (local newer)") printf '  %s\n' "$$(red "note: client cert drift - local pki/issued/$$VPN_NAME.crt notAfter newer than ACM; push-cert may be needed.")";;\
					"DIFFERS (ACM newer)")   printf '  %s\n' "$$(red "note: client cert drift - ACM notAfter newer than local; unusual, investigate.")";;\
				esac;\
			fi;\
		fi;\
	fi

check-reassociate:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(profile)" = "" ]; then\
		echo "profile is not specified";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_ID=$$(ensure_pki_value pki/vpn_id "Client VPN endpoint ID");\
		VPN_REGION=$$(ensure_pki_value pki/vpn_region "AWS region of the Client VPN endpoint");\
		AWS="aws --profile $(profile) --region $$VPN_REGION --output text";\
		\
		echo "=== Endpoint ===";\
		ENDPOINT_INFO=$$($$AWS ec2 describe-client-vpn-endpoints \
			--client-vpn-endpoint-ids $$VPN_ID \
			--query 'ClientVpnEndpoints[0].[ClientVpnEndpointId,ServerCertificateArn,AuthenticationOptions[?Type==`certificate-authentication`].MutualAuthentication.ClientRootCertificateChain | [0],Status.Code]' 2>/dev/null);\
		if [ -z "$$ENDPOINT_INFO" ]; then\
			echo "  Endpoint $$VPN_ID not found in $$VPN_REGION (profile=$(profile)).";\
			exit 1;\
		fi;\
		LIVE_ENDPOINT=$$(printf '%s\n' "$$ENDPOINT_INFO" | awk -F'\t' '{ print $$1 }');\
		LIVE_SERVER=$$(printf '%s\n'   "$$ENDPOINT_INFO" | awk -F'\t' '{ print $$2 }');\
		LIVE_CLIENT=$$(printf '%s\n'   "$$ENDPOINT_INFO" | awk -F'\t' '{ print $$3 }');\
		LIVE_STATUS=$$(printf '%s\n'   "$$ENDPOINT_INFO" | awk -F'\t' '{ print $$4 }');\
		LOCAL_SERVER_ARN=$$([ -f pki/cert_arn ]        && cat pki/cert_arn        || echo "");\
		LOCAL_CLIENT_ARN=$$([ -f pki/client_cert_arn ] && cat pki/client_cert_arn || echo "");\
		SERVER_NOTE="";\
		if [ -n "$$LOCAL_SERVER_ARN" ]; then\
			if [ "$$LOCAL_SERVER_ARN" = "$$LIVE_SERVER" ]; then SERVER_NOTE=" (matches pki/cert_arn)"; else SERVER_NOTE=" (differs from pki/cert_arn)"; fi;\
		fi;\
		CLIENT_NOTE="";\
		if [ -z "$$LIVE_CLIENT" ] || [ "$$LIVE_CLIENT" = "None" ]; then\
			CLIENT_NOTE=" (none — endpoint has no client root cert chain)";\
		elif [ "$$LIVE_CLIENT" = "$$LIVE_SERVER" ]; then\
			CLIENT_NOTE=" (same ARN as server cert)";\
		else\
			CLIENT_NOTE=" (separate ARN)";\
		fi;\
		if [ -n "$$LOCAL_CLIENT_ARN" ]; then\
			if [ "$$LOCAL_CLIENT_ARN" = "$$LIVE_CLIENT" ]; then CLIENT_NOTE="$$CLIENT_NOTE; matches pki/client_cert_arn"; else CLIENT_NOTE="$$CLIENT_NOTE; differs from pki/client_cert_arn"; fi;\
		fi;\
		printf '  endpoint id:  %s\n'   "$$LIVE_ENDPOINT";\
		printf '  server cert:  %s%s\n' "$$LIVE_SERVER" "$$SERVER_NOTE";\
		printf '  client cert:  %s%s\n' "$$LIVE_CLIENT" "$$CLIENT_NOTE";\
		printf '  status:       %s\n'   "$$LIVE_STATUS";\
		\
		echo "";\
		echo "=== Target network associations ===";\
		ASSOCS=$$($$AWS ec2 describe-client-vpn-target-networks \
			--client-vpn-endpoint-id $$VPN_ID \
			--query 'ClientVpnTargetNetworks[].[AssociationId,TargetNetworkId,VpcId,Status.Code]');\
		if [ -z "$$ASSOCS" ]; then\
			echo "  (none)";\
			ASSOC_COUNT=0;\
		else\
			printf '%s\n' "$$ASSOCS" | awk -F'\t' '{ printf "  - %s  subnet=%s  vpc=%s  status=%s\n", $$1, $$2, $$3, $$4 }';\
			ASSOC_COUNT=$$(printf '%s\n' "$$ASSOCS" | grep -c .);\
		fi;\
		echo "  Subnets to re-associate: $$ASSOC_COUNT";\
		\
		echo "";\
		echo "=== Routes ===";\
		AUTO=$$($$AWS ec2 describe-client-vpn-routes \
			--client-vpn-endpoint-id $$VPN_ID \
			--filters Name=origin,Values=associate \
			--query 'Routes[].[DestinationCidr,TargetSubnet,Description]');\
		echo "  Auto-added (recreated automatically on re-associate):";\
		if [ -z "$$AUTO" ]; then\
			echo "    (none)";\
			AUTO_COUNT=0;\
		else\
			printf '%s\n' "$$AUTO" | awk -F'\t' '{ printf "    - %s  via subnet=%s  (%s)\n", $$1, $$2, $$3 }';\
			AUTO_COUNT=$$(printf '%s\n' "$$AUTO" | grep -c .);\
		fi;\
		MANUAL=$$($$AWS ec2 describe-client-vpn-routes \
			--client-vpn-endpoint-id $$VPN_ID \
			--filters Name=origin,Values=add-route \
			--query 'Routes[].[DestinationCidr,TargetSubnet,Description]');\
		echo "  Manually-added (MUST BE RE-ADDED after re-associate):";\
		if [ -z "$$MANUAL" ]; then\
			echo "    (none)";\
			MANUAL_COUNT=0;\
		else\
			printf '%s\n' "$$MANUAL" | awk -F'\t' '{ printf "    - %s  via subnet=%s  (%s)\n", $$1, $$2, $$3 }';\
			MANUAL_COUNT=$$(printf '%s\n' "$$MANUAL" | grep -c .);\
		fi;\
		\
		echo "";\
		echo "=== Active connections ===";\
		CONNS=$$($$AWS ec2 describe-client-vpn-connections \
			--client-vpn-endpoint-id $$VPN_ID \
			--query 'Connections[?Status.Code==`active`].[ConnectionId,Username,CommonName,ClientIp]');\
		if [ -z "$$CONNS" ]; then\
			echo "  (none)";\
			CONN_COUNT=0;\
		else\
			printf '%s\n' "$$CONNS" | awk -F'\t' '{ printf "  - %s  user=%s  cn=%s  ip=%s\n", $$1, $$2, $$3, $$4 }';\
			CONN_COUNT=$$(printf '%s\n' "$$CONNS" | grep -c .);\
		fi;\
		echo "  Active connections that would be dropped: $$CONN_COUNT";\
		\
		echo "";\
		echo "=== Authorization rules ===";\
		RULE_COUNT=$$($$AWS ec2 describe-client-vpn-authorization-rules \
			--client-vpn-endpoint-id $$VPN_ID \
			--query 'length(AuthorizationRules)');\
		echo "  $$RULE_COUNT rule(s) — these survive re-association.";\
		\
		echo "";\
		echo "=== Summary ===";\
		echo "Reassociate would: drop $$CONN_COUNT active connection(s), require re-adding $$MANUAL_COUNT custom route(s), across $$ASSOC_COUNT subnet association(s).";\
	fi

reassociate:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(profile)" = "" ]; then\
		echo "profile is not specified";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_ID=$$(ensure_pki_value pki/vpn_id "Client VPN endpoint ID");\
		VPN_REGION=$$(ensure_pki_value pki/vpn_region "AWS region of the Client VPN endpoint");\
		AWS="aws --profile $(profile) --region $$VPN_REGION --output text";\
		\
		ENDPOINT=$$($$AWS ec2 describe-client-vpn-endpoints \
			--client-vpn-endpoint-ids $$VPN_ID \
			--query 'ClientVpnEndpoints[0].ClientVpnEndpointId' 2>/dev/null);\
		if [ -z "$$ENDPOINT" ] || [ "$$ENDPOINT" = "None" ]; then\
			echo "Endpoint $$VPN_ID not found in $$VPN_REGION (profile=$(profile)).";\
			exit 1;\
		fi;\
		\
		ASSOCS=$$($$AWS ec2 describe-client-vpn-target-networks \
			--client-vpn-endpoint-id $$VPN_ID \
			--query 'ClientVpnTargetNetworks[].[AssociationId,TargetNetworkId,Status.Code]');\
		if [ -z "$$ASSOCS" ]; then\
			echo "No target network associations on $$VPN_ID; nothing to re-associate.";\
			exit 0;\
		fi;\
		BAD=$$(printf '%s\n' "$$ASSOCS" | awk -F'\t' '$$3 != "associated"');\
		if [ -n "$$BAD" ]; then\
			echo "One or more associations are not in 'associated' state. Wait for stabilisation and re-run:";\
			printf '%s\n' "$$BAD" | awk -F'\t' '{ printf "  - %s subnet=%s status=%s\n", $$1, $$2, $$3 }';\
			exit 1;\
		fi;\
		ASSOC_IDS=$$(printf '%s\n' "$$ASSOCS" | awk -F'\t' '{ print $$1 }');\
		SUBNETS=$$(printf '%s\n' "$$ASSOCS" | awk -F'\t' '{ print $$2 }');\
		ASSOC_COUNT=$$(printf '%s\n' "$$ASSOC_IDS" | grep -c .);\
		\
		VPC_ID=$$($$AWS ec2 describe-client-vpn-target-networks \
			--client-vpn-endpoint-id $$VPN_ID \
			--query 'ClientVpnTargetNetworks[0].VpcId');\
		SGS=$$($$AWS ec2 describe-client-vpn-target-networks \
			--client-vpn-endpoint-id $$VPN_ID \
			--query 'ClientVpnTargetNetworks[0].SecurityGroups[]');\
		\
		ROUTES=$$($$AWS ec2 describe-client-vpn-routes \
			--client-vpn-endpoint-id $$VPN_ID \
			--filters Name=origin,Values=add-route \
			--query 'Routes[].[DestinationCidr,TargetSubnet]');\
		ROUTE_PAIRS=$$(printf '%s\n' "$$ROUTES" | awk -F'\t' 'NF==2 { print $$1 "," $$2 }');\
		ROUTE_COUNT=0;\
		if [ -n "$$ROUTE_PAIRS" ]; then\
			ROUTE_COUNT=$$(printf '%s\n' "$$ROUTE_PAIRS" | grep -c .);\
		fi;\
		\
		if [ "$(proceed)" != "1" ]; then\
			echo "Would re-associate $$ASSOC_COUNT subnet(s) on $$VPN_ID (vpc=$$VPC_ID):";\
			printf '%s\n' "$$ASSOCS" | awk -F'\t' '{ printf "  - %s subnet=%s\n", $$1, $$2 }';\
			if [ -n "$$SGS" ]; then\
				echo "Would re-apply security groups: $$SGS";\
			else\
				echo "No security groups currently applied at endpoint level (would inherit VPC default).";\
			fi;\
			if [ "$$ROUTE_COUNT" -gt 0 ]; then\
				echo "Would re-add $$ROUTE_COUNT custom route(s):";\
				for PAIR in $$ROUTE_PAIRS; do\
					CIDR=$${PAIR%,*};\
					SUBNET=$${PAIR#*,};\
					echo "  - $$CIDR via subnet=$$SUBNET";\
				done;\
			else\
				echo "No custom routes to re-add (auto-added VPC CIDR routes recreate themselves).";\
			fi;\
			echo "All active connections will be dropped. Endpoint will be unavailable for ~5-10 min while subnets re-associate.";\
			echo "Run 'make reassociate profile=$(profile) proceed=1' to continue.";\
		else\
			echo "Captured state (record this in case the script fails partway through):";\
			echo "  endpoint:        $$VPN_ID";\
			echo "  vpc:             $$VPC_ID";\
			echo "  subnets:         $$(echo $$SUBNETS | tr '\n' ' ')";\
			echo "  security groups: $${SGS:-(none)}";\
			if [ "$$ROUTE_COUNT" -gt 0 ]; then\
				echo "  custom routes:";\
				for PAIR in $$ROUTE_PAIRS; do\
					CIDR=$${PAIR%,*};\
					SUBNET=$${PAIR#*,};\
					echo "    $$CIDR via $$SUBNET";\
				done;\
			else\
				echo "  custom routes:   (none)";\
			fi;\
			\
			echo "Disassociating $$ASSOC_COUNT subnet(s)...";\
			for ASSOC in $$ASSOC_IDS; do\
				echo "  - $$ASSOC";\
				$$AWS ec2 disassociate-client-vpn-target-network \
					--client-vpn-endpoint-id $$VPN_ID \
					--association-id $$ASSOC >/dev/null \
					|| { echo "Failed to disassociate $$ASSOC; aborting."; exit 1; };\
			done;\
			\
			echo "Waiting for all to fully disassociate (up to 15 min)...";\
			TRIES=0;\
			while [ $$TRIES -lt 30 ]; do\
				REMAINING=$$($$AWS ec2 describe-client-vpn-target-networks \
					--client-vpn-endpoint-id $$VPN_ID \
					--query 'ClientVpnTargetNetworks[?Status.Code!=`disassociated`].AssociationId');\
				if [ -z "$$REMAINING" ]; then break; fi;\
				printf '.';\
				sleep 30;\
				TRIES=$$((TRIES+1));\
			done;\
			echo "";\
			\
			echo "Re-associating each subnet...";\
			for SUBNET in $$SUBNETS; do\
				NEW_ASSOC=$$($$AWS ec2 associate-client-vpn-target-network \
					--client-vpn-endpoint-id $$VPN_ID \
					--subnet-id $$SUBNET \
					--query 'AssociationId') \
					|| { echo "Failed to associate subnet $$SUBNET; aborting."; exit 1; };\
				echo "  - subnet=$$SUBNET → $$NEW_ASSOC";\
			done;\
			\
			echo "Waiting for all to reach 'associated' state (~5-10 min, up to 15)...";\
			TRIES=0;\
			while [ $$TRIES -lt 30 ]; do\
				PENDING=$$($$AWS ec2 describe-client-vpn-target-networks \
					--client-vpn-endpoint-id $$VPN_ID \
					--query 'ClientVpnTargetNetworks[?Status.Code!=`associated`].AssociationId');\
				if [ -z "$$PENDING" ]; then break; fi;\
				printf '.';\
				sleep 30;\
				TRIES=$$((TRIES+1));\
			done;\
			echo "";\
			\
			if [ -n "$$SGS" ]; then\
				echo "Re-applying security groups: $$SGS";\
				$$AWS ec2 apply-security-groups-to-client-vpn-target-network \
					--client-vpn-endpoint-id $$VPN_ID \
					--vpc-id $$VPC_ID \
					--security-group-ids $$SGS >/dev/null \
					|| echo "WARNING: failed to re-apply security groups; restore manually.";\
			fi;\
			\
			if [ "$$ROUTE_COUNT" -gt 0 ]; then\
				echo "Re-adding $$ROUTE_COUNT custom route(s)...";\
				for PAIR in $$ROUTE_PAIRS; do\
					CIDR=$${PAIR%,*};\
					SUBNET=$${PAIR#*,};\
					echo "  - $$CIDR via subnet=$$SUBNET";\
					$$AWS ec2 create-client-vpn-route \
						--client-vpn-endpoint-id $$VPN_ID \
						--destination-cidr-block $$CIDR \
						--target-vpc-subnet-id $$SUBNET >/dev/null \
						|| echo "    WARNING: failed to re-add this route; restore manually.";\
				done;\
			fi;\
			\
			echo "Done. Run 'make check-reassociate profile=$(profile)' to verify state.";\
		fi;\
	fi

current:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no current server";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		echo "The current server is $$VPN_NAME";\
	fi

available:
	cd easyrsa3;\
	FILES=$$(find . -maxdepth 1 -type f -name '*.zip' | grep -oP '^\./\K.+(?=\.[0-9]{8}\.zip)');\
	UNIQUE_CODES=$$(echo "$$FILES" | sort -u);\
	for code in $$UNIQUE_CODES; do\
		LATEST_FILE=$$(ls $$code.*.zip | sort -r | head -n 1);\
		CLIENT_CODE=$${LATEST_FILE%.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].zip};\
		DATE=$${LATEST_FILE%.zip};\
		DATE=$${DATE##*.};\
		echo "$$CLIENT_CODE:$$DATE ('make restore name=$$CLIENT_CODE date=$$DATE')";\
	done;\
	if [ -f "pki/vpn_name" ]; then\
		echo "There is an existing server open (see 'make current'). You will need to archive it before restoring another (see 'make archive').";\
	fi;

new-server:
	cd easyrsa3;\
	if [ -d "pki" ]; then\
		echo "There is an existing ./easyrsa3/pki directory. Run 'make archive' or 'make purge-server' first.";\
	elif [ "$(name)" = "" ]; then\
		echo "name is not specified";\
	else\
		CERT_EXPIRE="$(cert_expire)";\
		CERT_EXPIRE="$${CERT_EXPIRE:-$(DEFAULT_CERT_EXPIRE)}";\
		CLIENT_CERT_EXPIRE="$(client_cert_expire)";\
		CLIENT_CERT_EXPIRE="$${CLIENT_CERT_EXPIRE:-$(DEFAULT_CLIENT_CERT_EXPIRE)}";\
		CRL_DAYS="$(crl_days)";\
		CRL_DAYS="$${CRL_DAYS:-$(DEFAULT_CRL_DAYS)}";\
		./easyrsa init-pki;\
		echo "$(name)" >pki/vpn_name;\
		echo "$$CERT_EXPIRE" >pki/cert_expire;\
		echo "$$CLIENT_CERT_EXPIRE" >pki/client_cert_expire;\
		echo "$$CRL_DAYS" >pki/crl_days;\
		EASYRSA_REQ_CN="$(name)" \
		EASYRSA_CERT_EXPIRE="$$CERT_EXPIRE" \
			./easyrsa --batch build-ca nopass;\
		EASYRSA_CERT_EXPIRE="$$CERT_EXPIRE" \
			./easyrsa build-server-full $(name) nopass;\
		echo "Created certificate for $(name). Find the following files for importing into AWS Certificate Manager:";\
		echo "- Certificate body: easyrsa3/pki/issued/$(name).crt";\
		echo "- Certificate private key: easyrsa3/pki/private/$(name).key";\
		echo "- Certificate chain: easyrsa3/pki/ca.crt";\
		echo "(Or run 'make push-cert profile=AWSPROFILE proceed=1' to import via the CLI.)";\
		echo "Once the endpoint has been set up, download the client config ('downloaded-client-config.ovpn')";\
		echo "to the pki directory. You will then be able to create client certificates with 'make new-client name=bob'.";\
	fi

renew-server:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		CERT_EXPIRE=$$(ensure_pki_value pki/cert_expire "Server cert validity in days" "$(DEFAULT_CERT_EXPIRE)");\
		if [ -f "pki/renewed/issued/$$VPN_NAME.crt" ]; then\
			echo "A previously-renewed cert exists at pki/renewed/issued/$$VPN_NAME.crt; revoking it before renewing again...";\
			./easyrsa --batch revoke-renewed $$VPN_NAME;\
		fi;\
		EASYRSA_CERT_EXPIRE="$$CERT_EXPIRE" ./easyrsa --batch renew $$VPN_NAME;\
		echo "Updated certificate for $$VPN_NAME. Find the following files for importing into AWS Certificate Manager:";\
		echo "- Certificate body: easyrsa3/pki/issued/$$VPN_NAME.crt";\
		echo "- Certificate private key: easyrsa3/pki/private/$$VPN_NAME.key";\
		echo "- Certificate chain: easyrsa3/pki/ca.crt";\
		echo "(Or run 'make push-cert profile=AWSPROFILE proceed=1' to push the renewed cert via the CLI.)";\
		echo "Note that you should not need to recreate the client certficiates, but if you choose to then download the";\
		echo "updated client config ('downloaded-client-config.ovpn') to the pki directory first.";\
	fi

push-cert:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(profile)" = "" ]; then\
		echo "profile is not specified";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		VPN_REGION=$$(ensure_pki_value pki/vpn_region "AWS region of the Client VPN endpoint");\
		SERVER_CERT=pki/issued/$$VPN_NAME.crt;\
		SERVER_KEY=pki/private/$$VPN_NAME.key;\
		CA_CERT=pki/ca.crt;\
		MISSING="";\
		[ -f "$$SERVER_CERT" ] || MISSING="$$MISSING $$SERVER_CERT";\
		[ -f "$$SERVER_KEY" ]  || MISSING="$$MISSING $$SERVER_KEY";\
		[ -f "$$CA_CERT" ]     || MISSING="$$MISSING $$CA_CERT";\
		if [ -n "$$MISSING" ]; then\
			echo "Required PKI files missing:$$MISSING";\
			echo "Run 'make new-server' or 'make renew-server' first.";\
		elif [ -f pki/cert_arn ] && [ ! -f pki/client_cert_arn ]; then\
			echo "easyrsa3/pki/client_cert_arn is not set, but pki/cert_arn is.";\
			echo "This PKI predates two-ARN support. Run 'make debug-server profile=$(profile)' once";\
			echo "to backfill pki/client_cert_arn from the live endpoint, then re-run push-cert.";\
			echo "(That step avoids creating an orphaned duplicate ACM resource for the client root.)";\
		else\
			SERVER_ARN_ARG="";    SERVER_ACTION="imported (new ACM cert)";\
			if [ -f pki/cert_arn ]; then\
				SERVER_ARN=$$(cat pki/cert_arn);\
				SERVER_ARN_ARG="--certificate-arn $$SERVER_ARN";\
				SERVER_ACTION="updated in place";\
			fi;\
			CLIENT_ARN_ARG="";    CLIENT_ACTION="imported (new ACM cert)";\
			if [ -f pki/client_cert_arn ]; then\
				CLIENT_ARN=$$(cat pki/client_cert_arn);\
				CLIENT_ARN_ARG="--certificate-arn $$CLIENT_ARN";\
				CLIENT_ACTION="updated in place";\
			fi;\
			if [ "$(proceed)" = "" ]; then\
				echo "Both ARNs would be pushed to ACM ($$VPN_REGION) with the same payload";\
				echo "(server cert + key + CA chain). AWS uses the leaf for server identity at the";\
				echo "server cert ARN, and the CA chain for client validation at the client cert ARN.";\
				echo "";\
				echo "  payload:";\
				echo "    certificate: $$SERVER_CERT";\
				echo "    private key: $$SERVER_KEY";\
				echo "    chain:       $$CA_CERT";\
				echo "";\
				echo "  [1] Server certificate ARN: $$SERVER_ACTION";\
				if [ -n "$$SERVER_ARN_ARG" ]; then\
					echo "      arn:         $$SERVER_ARN";\
				else\
					echo "      arn:         (no pki/cert_arn — a new ACM cert will be created)";\
				fi;\
				echo "";\
				echo "  [2] Client cert ARN: $$CLIENT_ACTION";\
				if [ -n "$$CLIENT_ARN_ARG" ]; then\
					echo "      arn:         $$CLIENT_ARN";\
				else\
					echo "      arn:         (no pki/client_cert_arn — a new ACM cert will be created)";\
				fi;\
				echo "";\
				echo "Run 'make push-cert profile=$(profile) proceed=1' to continue.";\
			else\
				echo "Pushing to server cert ARN...";\
				NEW_SERVER_ARN=$$(aws --profile "$(profile)" --region "$$VPN_REGION" \
					acm import-certificate \
					--certificate fileb://$$SERVER_CERT \
					--private-key fileb://$$SERVER_KEY \
					--certificate-chain fileb://$$CA_CERT \
					$$SERVER_ARN_ARG \
					--output text --query CertificateArn);\
				if [ -z "$$NEW_SERVER_ARN" ]; then\
					echo "ACM import-certificate (server cert ARN) returned no ARN. Check the AWS CLI output above.";\
					exit 1;\
				fi;\
				echo "$$NEW_SERVER_ARN" > pki/cert_arn;\
				echo "Server cert ARN $$SERVER_ACTION: $$NEW_SERVER_ARN";\
				echo "(saved to easyrsa3/pki/cert_arn)";\
				echo "";\
				echo "Pushing same payload to client cert ARN...";\
				NEW_CLIENT_ARN=$$(aws --profile "$(profile)" --region "$$VPN_REGION" \
					acm import-certificate \
					--certificate fileb://$$SERVER_CERT \
					--private-key fileb://$$SERVER_KEY \
					--certificate-chain fileb://$$CA_CERT \
					$$CLIENT_ARN_ARG \
					--output text --query CertificateArn);\
				if [ -z "$$NEW_CLIENT_ARN" ]; then\
					echo "ACM import-certificate (client cert ARN) returned no ARN. Server-cert push above succeeded; re-run push-cert to retry the client-cert push (it is idempotent).";\
					exit 1;\
				fi;\
				echo "$$NEW_CLIENT_ARN" > pki/client_cert_arn;\
				echo "Client cert ARN $$CLIENT_ACTION: $$NEW_CLIENT_ARN";\
				echo "(saved to easyrsa3/pki/client_cert_arn)";\
				if [ "$$SERVER_ACTION" = "imported (new ACM cert)" ] || [ "$$CLIENT_ACTION" = "imported (new ACM cert)" ]; then\
					echo "";\
					echo "First-time import detected. Associate the relevant ARN(s) with your Client VPN endpoint in the AWS console:";\
					echo "  - Server certificate ARN:        $$NEW_SERVER_ARN";\
					echo "  - Client root cert chain ARN:    $$NEW_CLIENT_ARN";\
				fi;\
			fi;\
		fi;\
	fi

archive:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		DT=$$(date +"%Y%m%d");\
		zip -r $$VPN_NAME.$$DT.zip ./pki;\
		echo "Archived to easyrsa3/$$VPN_NAME.$$DT.zip";\
		rm -rf pki;\
		echo "Removed pki directory";\
	fi

restore:
	cd easyrsa3;\
	if [ -f "pki/vpn_name" ]; then\
		echo "There is an existing ./easyrsa3/pki directory";\
	elif [ "$(name)" = "" ]; then\
		echo "name is not specified";\
	elif [ "$(date)" = "" ]; then\
		if [ "$$(ls -r $(name).*.zip | head -1)" = "" ]; then\
			echo "Backup not found";\
		elif [ "$(proceed)" != "1" ]; then\
			echo "Found backup: $$(ls -r $(name).*.zip | head -1). Run 'make restore name=$(name) proceed=1' to continue.";\
		else\
			unzip -uo $$(ls -r $(name).*.zip | head -1);\
		fi;\
	elif [ "$$(ls -r $(name).$(date).zip | head -1)" = "" ]; then\
		echo "Backup not found";\
	elif [ "$(proceed)" != "1" ]; then\
		echo "Found backup: $$(ls -r $(name).$(date).zip | head -1). Run 'make restore name=$(name) date=$(date) proceed=1' to continue.";\
	else\
		unzip -uo $$(ls -r $(name).$(date).zip | head -1);\
	fi;

debug-client:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
	    echo "There is no ./easyrsa3/pki directory. This must contain a current easyrsa configuration.";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		\
		if [ "$(name)" = "" ]; then\
			FILES=$$(ls pki/*.$${VPN_NAME}.ovpn | sed "s/\.$${VPN_NAME}\.ovpn$$//" | sed "s/^pki\///");\
			echo "Client certificate status:";\
			for file in $$FILES; do\
				echo "- $$file: $$(openssl x509 -enddate -noout -in ./pki/issued/$${file}.$${VPN_NAME}.crt)";\
			done;\
		else\
		    echo "Client certificate: $$(openssl x509 -enddate -noout -in ./pki/issued/$(name).$${VPN_NAME}.crt)";\
		fi;\
	fi

list-clients:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
	    echo "There is no ./easyrsa3/pki directory. This must contain a current easyrsa configuration.";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		FILES=$$(ls pki/*.$${VPN_NAME}.ovpn | sed "s/\.$${VPN_NAME}\.ovpn$$//" | sed "s/^pki\///");\
		echo "Clients:";\
		for file in $$FILES; do\
			echo "- $$file";\
		done;\
	fi

new-client:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(name)" = "" ]; then\
		echo "name is not specified";\
	elif [ ! -f "pki/downloaded-client-config.ovpn" = "" ]; then\
		echo "downloaded-client-config.ovpn missing from pki directory";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		CLIENT_CERT_EXPIRE=$$(ensure_pki_value pki/client_cert_expire "Client cert validity in days" "$(DEFAULT_CLIENT_CERT_EXPIRE)");\
		\
		echo "Building new client certificate for $${VPN_NAME}";\
		EASYRSA_CERT_EXPIRE="$$CLIENT_CERT_EXPIRE" ./easyrsa build-client-full $(name).$${VPN_NAME} nopass;\
		\
		echo "Generating OVPN file";\
		OVPN_FILE=pki/$(name).$${VPN_NAME}.ovpn;\
		cp pki/downloaded-client-config.ovpn $$OVPN_FILE;\
		echo "" >>$$OVPN_FILE;\
		echo "<cert>" >>$$OVPN_FILE;\
		awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' pki/issued/$(name).$${VPN_NAME}.crt >>$$OVPN_FILE;\
		echo "</cert>" >>$$OVPN_FILE;\
		echo "<key>" >>$$OVPN_FILE;\
		cat pki/private/$(name).$${VPN_NAME}.key >>$$OVPN_FILE;\
		echo "</key>" >>$$OVPN_FILE;\
		\
		echo "Creating client archive";\
		DT=$$(date +"%Y%m%d");\
		zip -j pki/$(name).$$VPN_NAME.$$DT.zip $$OVPN_FILE;\
	fi

renew-client:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(name)" = "" ]; then\
		echo "name is not specified";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		CLIENT_CERT_EXPIRE=$$(ensure_pki_value pki/client_cert_expire "Client cert validity in days" "$(DEFAULT_CLIENT_CERT_EXPIRE)");\
		\
		echo "Renewing client certificate for $${VPN_NAME}";\
		rm -f pki/expired/$(name).$${VPN_NAME}.crt;\
		./easyrsa --batch expire $(name).$${VPN_NAME} \
			&& EASYRSA_CERT_EXPIRE="$$CLIENT_CERT_EXPIRE" ./easyrsa --batch sign-req client $(name).$${VPN_NAME} nopass \
			&& {\
				echo "Generating OVPN file";\
				OVPN_FILE=pki/$(name).$${VPN_NAME}.ovpn;\
				cp pki/downloaded-client-config.ovpn $$OVPN_FILE;\
				echo "" >>$$OVPN_FILE;\
				echo "<cert>" >>$$OVPN_FILE;\
				awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' pki/issued/$(name).$${VPN_NAME}.crt >>$$OVPN_FILE;\
				echo "</cert>" >>$$OVPN_FILE;\
				echo "<key>" >>$$OVPN_FILE;\
				cat pki/private/$(name).$${VPN_NAME}.key >>$$OVPN_FILE;\
				echo "</key>" >>$$OVPN_FILE;\
				echo "Creating client archive";\
				DT=$$(date +"%Y%m%d");\
				zip -j pki/$(name).$$VPN_NAME.$$DT.zip $$OVPN_FILE;\
			};\
	fi

renew-clients:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		CLIENT_CERT_EXPIRE=$$(ensure_pki_value pki/client_cert_expire "Client cert validity in days" "$(DEFAULT_CLIENT_CERT_EXPIRE)");\
		\
		CLIENTS=$$(ls pki/*.$${VPN_NAME}.ovpn 2>/dev/null | sed "s/\.$${VPN_NAME}\.ovpn$$//" | sed "s/^pki\///");\
		if [ -z "$$CLIENTS" ]; then\
			echo "No client certificates found";\
		else\
			DT=$$(date +"%Y%m%d");\
			OK="";\
			FAIL="";\
			for client in $$CLIENTS; do\
				echo "=== Renewing $$client.$${VPN_NAME} ===";\
				rm -f pki/expired/$$client.$${VPN_NAME}.crt;\
				if ./easyrsa --batch expire $$client.$${VPN_NAME} \
					&& EASYRSA_CERT_EXPIRE="$$CLIENT_CERT_EXPIRE" ./easyrsa --batch sign-req client $$client.$${VPN_NAME} nopass; then\
					OVPN_FILE=pki/$$client.$${VPN_NAME}.ovpn;\
					cp pki/downloaded-client-config.ovpn $$OVPN_FILE;\
					echo "" >>$$OVPN_FILE;\
					echo "<cert>" >>$$OVPN_FILE;\
					awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' pki/issued/$$client.$${VPN_NAME}.crt >>$$OVPN_FILE;\
					echo "</cert>" >>$$OVPN_FILE;\
					echo "<key>" >>$$OVPN_FILE;\
					cat pki/private/$$client.$${VPN_NAME}.key >>$$OVPN_FILE;\
					echo "</key>" >>$$OVPN_FILE;\
					zip -j pki/$$client.$${VPN_NAME}.$$DT.zip $$OVPN_FILE;\
					OK="$$OK $$client";\
				else\
					echo "Renewal failed for $$client.$${VPN_NAME}";\
					FAIL="$$FAIL $$client";\
				fi;\
			done;\
			echo "Renewed:$${OK:- (none)}";\
			if [ -n "$$FAIL" ]; then\
				echo "Failed:$$FAIL";\
			fi;\
		fi;\
	fi

revoke-client:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(name)" = "" ]; then\
		echo "name is not specified";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		\
		if ./easyrsa revoke $(name).$${VPN_NAME}; then\
			rm -f pki/$(name).$${VPN_NAME}.ovpn pki/$(name).$${VPN_NAME}.zip pki/$(name).$${VPN_NAME}.*.zip;\
			echo "Client revoked. Removed local .ovpn and zip artefacts.";\
			echo "See `make generate-crl` and `make push-crl`.";\
		fi;\
	fi;

generate-crl:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	else\
		$(ENSURE_PKI_VALUE) \
		CRL_DAYS=$$(ensure_pki_value pki/crl_days "CRL validity in days" "$(DEFAULT_CRL_DAYS)");\
		EASYRSA_CRL_DAYS="$$CRL_DAYS" ./easyrsa gen-crl;\
		echo "Upload the content of the above file as the new client revocation list. See 'make push-crl'.";\
	fi

push-crl:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(profile)" = "" ]; then\
		echo "profile is not specified";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_ID=$$(ensure_pki_value pki/vpn_id "Client VPN endpoint ID");\
		VPN_REGION=$$(ensure_pki_value pki/vpn_region "AWS region of the Client VPN endpoint");\
		\
		if [ "$(proceed)" = "" ]; then\
			echo "CRL would be pushed to $${VPN_ID} in $${VPN_REGION}";\
			echo "Run 'make push-crl profile=$(profile) proceed=1' to continue";\
		else\
			aws --profile "${profile}" ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://pki/crl.pem --client-vpn-endpoint-id $${VPN_ID} --region $${VPN_REGION};\
			\
			echo "CRL is updated. It may take a minute or two for connections to reflect the change.";\
		fi;\
	fi

cat-crl:
	cat easyrsa3/pki/crl.pem

purge-client:
	cd easyrsa3;\
	if [ ! -d "pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(name)" = "" ]; then\
		echo "name is not specified";\
	else\
		$(ENSURE_PKI_VALUE) \
		VPN_NAME=$$(ensure_pki_value pki/vpn_name "Enter the VPN name");\
		FILES=$$(ls pki/reqs/$(name).$$VPN_NAME.req pki/private/$(name).$$VPN_NAME.key pki/issued/$(name).$$VPN_NAME.crt pki/$(name).$$VPN_NAME.*);\
		if [ "$(proceed)" != "1" ]; then\
			echo $$FILES;\
			if [ -z "$$FILES" ]; then\
				echo "No client files found";\
			else\
				echo "The following files will be removed:";\
				for file in $$FILES; do\
					echo "- $$file";\
				done;\
				echo "Run 'make purge-client name=$(name) proceed=1' to continue";\
			fi;\
		else\
			rm pki/reqs/$(name).$$VPN_NAME.req pki/private/$(name).$$VPN_NAME.key pki/issued/$(name).$$VPN_NAME.crt pki/$(name).$$VPN_NAME.*;\
			echo "Removed:";\
			for file in $$FILES; do\
				echo "- $$file";\
			done;\
		fi;\
	fi;

purge-server:
	if [ ! -d "easyrsa3/pki" ]; then\
		echo "There is no ./easyrsa3/pki directory";\
	elif [ "$(proceed)" != "1" ]; then\
		FILES=$$(ls -R easyrsa3/pki/);\
		echo "$${#FILES[@]} files will be removed";\
		echo "Run 'make purge-server proceed=1' to continue";\
	else\
		rm -rf easyrsa3/pki;\
		echo "Removed pki directory";\
	fi

purge-backups:
	if [ "$(proceed)" != "1" ]; then\
		FILES=$$(ls easyrsa3/pki/*.zip);\
		echo "$${#FILES[@]} files will be removed";\
		echo "Run 'make purge-backups proceed=1' to continue";\
	else\
		rm -rf easyrsa3/*.zip;\
		echo "Removed backups";\
	fi