Hello Michael,

> Hi,
> 
> is this not better to just call the httpscert script? Avoids copying
> code.
Yes. Never repeat yourself, as they say...

Will develop a 2nd version.

Best regards,
Peter Müller
> 
> -Michael
> 
> On Mon, 2017-09-04 at 20:23 +0200, Peter Müller wrote:
> > Generate ECDSA certificate and key file on existing installations
> > via the update.sh script.
> > 
> > This is required since Apache crashes if some Certificate(Key)File
> > directives point to non-existing files:
> > 
> > Restarting Apache daemon...
> > Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf:
> > SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty
> > 
> > Key generation only takes a few seconds even on legacy systems. Also
> > existing installations will then use ECDSA/RSA certificate dual-stack.
> > 
> > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > ---
> > diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh
> > index 6d7a10b5e..c5d945b21 100644
> > --- a/config/rootfiles/core/114/update.sh
> > +++ b/config/rootfiles/core/114/update.sh
> > @@ -60,6 +60,14 @@ rm -f /usr/sbin/htpasswd
> >  # Update Language cache
> >  /usr/local/bin/update-lang-cache
> >  
> > +# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations
> > +/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
> > +/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> > +	req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> > +/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> > +	/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> > +	/etc/httpd/server-ecdsa.crt
> > +
> >  # Start services
> >  /etc/init.d/unbound start
> >  /etc/init.d/apache start