From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/2] vpnmain.cgi: Fixes bug13737 - increments the serial number to allow cert regen
Date: Sun, 02 Mar 2025 20:14:30 +0100
Message-ID: <20250302191431.20813-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6890269860485472662=="
List-Id:

--===============6890269860485472662==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- When the regeneration is carried out the existing cert, with serial number 01, is revoked but when the new cert is created the serial number is still 01 causing error messages about the new cert being revoked.
- This patch increments the serial number from 01 to 02 after the initial root/host certificate set is created.
- Then when the old cert is revoked the new one uses serial number 02 but also automatically increments it again. So all future regenerations work without problems.
- Tested out on a physical IPFire system.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
--- html/cgi-bin/vpnmain.cgi | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index a1d0f0e2a..fe14b38f0 100755 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1241,6 +1241,13 @@ END exit(0); =20 ROOTCERT_SUCCESS: + +# Increment the serial number to 02 after root and host certificates are +# created so that cert regeneration works. + open(FILE, ">${General::swroot}/certs/serial"); + print FILE "02"; + close FILE; + if (&vpnenabled) { &General::system('/usr/local/bin/ipsecctrl', 'S'); sleep $sleepDelay; --=20 2.48.1 --===============6890269860485472662==--
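
Review bot: the added write directly under ROOTCERT_SUCCESS sets the serial file to the constant "02" instead of incrementing it, and the result of open() is never checked. The comment says "Increment", but `print FILE "02";` overwrites whatever the file currently holds, so if this label can be reached when certs/serial has already advanced past 02 (not visible from this hunk), the counter would roll back and a later certificate could reuse a serial that was already issued or revoked, which is the symptom this patch sets out to fix. Consider writing only when the current value is still 01, or reading the value and incrementing it. It would also be safer to use the three-argument open with a lexical handle and to handle failure, e.g. `open(my $fh, '>', "${General::swroot}/certs/serial") or ...`, so that a failed write is reported rather than silently leaving the serial at 01.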