public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/3] vpnmain.cgi: Add option to regenerate the host certificate
Date: Tue, 30 Jan 2024 17:45:44 +0000	[thread overview]
Message-ID: <20240130174544.3986725-3-michael.tremer@ipfire.org> (raw)
In-Reply-To: <20240130174544.3986725-1-michael.tremer@ipfire.org>


This is necessary since we now have a much shorter lifetime for the host
certificate. However, it is complicated to do this, which is why we
are copying the previous certificate and generating a new CSR. This is
then signed.

A caveat of this patch is that we do not roll over the key.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/ssl/openssl.cnf   |  1 +
 doc/language_issues.de   |  1 +
 doc/language_issues.en   |  1 +
 doc/language_issues.es   |  1 +
 doc/language_issues.fr   |  1 +
 doc/language_issues.it   |  1 +
 doc/language_issues.nl   |  1 +
 doc/language_issues.pl   |  1 +
 doc/language_issues.ru   |  1 +
 doc/language_issues.tr   |  1 +
 doc/language_missings    |  8 ++++++
 html/cgi-bin/vpnmain.cgi | 54 +++++++++++++++++++++++++++++++++++++++-
 langs/en/cgi-bin/en.pl   |  1 +
 13 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
index 3b980fcd4..00c206ed8 100644
--- a/config/ssl/openssl.cnf
+++ b/config/ssl/openssl.cnf
@@ -23,6 +23,7 @@ default_md	= sha256
 preserve	= no
 policy		= policy_match
 email_in_dn	= no
+copy_extensions = copyall
 
 [ policy_match ]
 countryName		= optional
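Review bot: `copy_extensions = copyall` in the CA section applies to every `openssl ca` run that uses this config, not only the host renewal, and `copyall` lets extensions carried in a request replace the ones the CA's own extension section would set, whereas `copy` only adds extensions the CA section does not already define. Any CSR this CA signs could therefore supply its own basicConstraints or keyUsage. If the goal is just to carry the existing host certificate's subjectAltName through the renewal, `copy_extensions = copy` is enough and safer; otherwise the commit message should say which requests this CA signs and why `copyall` is required.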
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4fd5a0819..fa0705e74 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -933,6 +933,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: optional = Optional
 WARNING: untranslated string: pakfire invalid tree = Invalid repository selected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.en b/doc/language_issues.en
index b4327cb78..88e66346b 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1578,6 +1578,7 @@ WARNING: untranslated string: red1 = RED
 WARNING: untranslated string: references = References
 WARNING: untranslated string: refresh = Refresh
 WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 45ffdf5d7..ab6b5a1e9 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -995,6 +995,7 @@ WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: openvpn cert expires soon = Expires Soon
 WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index cacfb1ec6..e6781362f 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -948,6 +948,7 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 68ff12c86..b21f15062 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1215,6 +1215,7 @@ WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index d1a637215..668df4fc3 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1237,6 +1237,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 893f73211..f4a29cb84 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1418,6 +1418,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 64c9b5095..4eface69a 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1413,6 +1413,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index eadbd33c7..d5f321dd8 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1125,6 +1125,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_missings b/doc/language_missings
index 28ae29c2b..2b70ef9f9 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -73,6 +73,7 @@
 < optional
 < quick control
 < random number generator daemon
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -117,6 +118,7 @@
 < invalid ip or hostname
 < openvpn cert expires soon
 < openvpn cert has expired
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < service boot setting unavailable
@@ -138,6 +140,7 @@
 < extrahd not mounted
 < g.dtm
 < g.lite
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < spec rstack overflow
@@ -523,6 +526,7 @@
 < reboot fsck
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -1063,6 +1067,7 @@
 < rdns
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -1943,6 +1948,7 @@
 < rebooting ipfire fsck
 < received
 < red1
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -2934,6 +2940,7 @@
 < rebooting ipfire fsck
 < received
 < red1
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -3405,6 +3412,7 @@
 < reboot fsck
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index d82e6b5c9..9173a85d8 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -866,6 +866,12 @@ END
 		exit(0);
 	}
 ###
+### Regenerate the host certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) {
+	$errormessage = &regenerate_host_certificate();
+
+###
 ### Form for generating/importing the caroot+host certificate
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
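Review bot: the new branch runs the revoke-and-reissue sequence on any POST whose ACTION matches, with no confirmation step and no check that `hostkey.pem`, `hostcert.pem` and the CA key are present; a browser resubmitting the form after a refresh revokes and reissues a second time. Consider checking for the key and certificate files before calling `regenerate_host_certificate()` and, since revoking the old certificate is a side effect, either asking for confirmation or making the action safe to repeat.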
@@ -3612,7 +3618,12 @@ END
 			<input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
 			</form>
 		</td>
-		<td width='4%' $col2>&nbsp;</td></tr>
+		<td width='4%' align='center' $col2>
+			<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+				<input type='image' name='$Lang::tr{'regenerate host certificate'}' src='/images/reload.gif' alt='$Lang::tr{'regenerate host certificate'}' title='$Lang::tr{'regenerate host certificate'}' />
+				<input type='hidden' name='ACTION' value='$Lang::tr{'regenerate host certificate'}' />
+			</form>
+		</td></tr>
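Review bot: the `name` attribute on the image input duplicates the hidden ACTION field (the browser submits it as `<name>.x`/`<name>.y`, which nothing reads), and the translated string is interpolated into single-quoted attributes, so a translation containing an apostrophe breaks the markup. Drop the `name` attribute and use double quotes around the interpolated value as the neighbouring `download host certificate` hidden input does, or HTML-escape the string.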
 END
 ;
 	} else {
@@ -3782,3 +3793,44 @@ sub make_subnets($$) {
 
 	return join(",", @cidr_nets);
 }
+
+sub regenerate_host_certificate() {
+	my $errormessage = "";
+
+	&General::log("ipsec", "Regenerating host certificate...");
+
+	# Create a CSR based on the existing certificate
+	my $opt = " x509 -x509toreq -copy_extensions copyall";
+	$opt .= " -signkey ${General::swroot}/certs/hostkey.pem";
+	$opt .= " -in ${General::swroot}/certs/hostcert.pem";
+	$opt .= " -out ${General::swroot}/certs/hostreq.pem";
+	$errormessage = &callssl($opt);
+
+	# Revoke the old certificate
+	if (!$errormessage) {
+		&General::log("ipsec", "Revoking the old host cert...");
+
+		my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem";
+		$errormessage = &callssl($opt);
+	}
+
+	# Sign the host certificate request
+	if (!$errormessage) {
+		&General::log("ipsec", "Self signing host cert...");
+
+		my $opt = " ca -md sha256 -days 825";
+		$opt .= " -batch -notext";
+		$opt .= " -in ${General::swroot}/certs/hostreq.pem";
+		$opt .= " -out ${General::swroot}/certs/hostcert.pem";
+		$errormessage = &callssl ($opt);
+
+		unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
+	}
+
+	# Reload the new certificate
+	if (!$errormessage) {
+		&General::system('/usr/local/bin/ipsecctrl', 'R');
+	}
+
+	return $errormessage;
+}
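Review bot: the old certificate is revoked (second block) before the replacement is signed (third block), so a failure in `openssl ca` or an interruption between the two leaves the firewall with a host certificate that is already marked revoked in the CA database and no new one. Sign into a temporary file first, verify that it chains to the CA, and only then revoke the old certificate and move the new file into place. Unless openssl.cnf sets `unique_subject = no`, `openssl ca` refuses to issue a second valid certificate for the same subject, which is presumably why the revoke comes first; setting that option is the cleaner fix. Three smaller points: nothing runs `openssl ca -gencrl` after the `-revoke`, so peers that check the CRL will not see the old certificate as revoked until something else regenerates it; the log line `Self signing host cert...` is wrong, this is a CA-signed certificate, not a self-signed one; and the `unlink` of `hostreq.pem` sits inside the signing branch, so the request file is left behind when the revoke step fails. It is also worth stating in the commit message that `-copy_extensions` on `openssl x509` requires OpenSSL 3.0 or later.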
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 16a3061b4..5ac651e2f 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2208,6 +2208,7 @@
 'refresh' => 'Refresh',
 'refresh index page while connected' => 'Refresh index.cgi page while connected',
 'refresh update list' => 'Refresh update list',
+'regenerate host certificate' => 'Renew Host Certificate',
 'registered user rules' => 'Talos VRT rules for registered users',
 'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.',
 'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',
-- 
2.39.2



Thread overview: 3+ messages
2024-01-30 17:45 [PATCH 1/3] vpnmain.cgi: Do not use a bad source for randomness Michael Tremer
2024-01-30 17:45 ` [PATCH 2/3] vpnmain.cgi: Return the entire error message if OpenSSL fails Michael Tremer
2024-01-30 17:45 ` Michael Tremer [this message]
