public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] backup.pl: Fix restores for ipsec backups before regen was fixed
Date: Tue, 29 Apr 2025 16:42:19 +0200
Message-ID: <20250429144219.33884-1-adolf.belka@ipfire.org>

- Prior to the ipsec host cert regen fix, the backup did not include the serial or the
   index.txt files.
- After the ipsec regen patch set, if a backup from before the change is restored then
   the serial and index.attr could end up not matching. This would break the ipsec regen
   again.
- All backups before the change will have hostcerts with serial numbers of 1.
- This patch extracts the serial number from the restored hostcert.pem. If the serial
   number is 1 and if the existing serial number file does not contain 02, then the
   serial file contents are replaced by 02 and the index.txt contents are deleted.
- If the restored hostcert.pem serial number is greater than 1 then the backup will
   contain the serial and index.txt files.
- If the restored hostcert.pem serial number is 1 and the serial file contains 02 then
   the ipsec regen will work correctly.

Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/backup/backup.pl | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 0cfbd4fc3..301faa3df 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -307,6 +307,18 @@ restore_backup() {
 	# start collectd after restore
 	/etc/rc.d/init.d/collectd start
 
+	# Check if ipsec hosctcert.pem serial number is 1 and if the serial file does not contain 02
+	# In this case set the serial file to 02 and empty the index.txt file
+	ARR=()
+	while IFS= read -r line; do
+		ARR+=("$line")
+	done <<< "$(openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -text)"
+       if [ $(echo ${ARR[3]} | sed -E 's,^[^0-9]*([0-9]+).*$,\1,') = 1 ] && \
+			[ $(expr $(cat "/var/ipfire/certs/serial") + 0) != 2 ]; then
+		sed -i "s/.*/02/" /var/ipfire/certs/serial
+		sed -i 'd' /var/ipfire/certs/index.txt
+	fi
+
         # Restart ipsec if enabled
         # This will ensure that the restored certs and secrets etc are loaded and used
         if [ $(grep -c "ENABLED=on" /var/ipfire/vpn/settings) -eq 1  ] ; then
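Review bot: the serial check in this hunk breaks rather than skips when its inputs are missing: `${ARR[3]}` assumes the fourth line of the `openssl x509 -text` dump is the `Serial Number:` line, and both `[` operands are unquoted, so if /var/ipfire/certs/hostcert.pem or /var/ipfire/certs/serial is absent (a backup from a box that never configured IPsec) the expansions are empty and `[` fails with a syntax error. Suggest guarding with `[ -f /var/ipfire/certs/hostcert.pem ] && [ -f /var/ipfire/certs/serial ]`, reading the value with `openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -serial` (which prints `serial=01` and needs no line indexing), and quoting both sides of each comparison. `expr $(cat "/var/ipfire/certs/serial") + 0` also treats the serial file as decimal while OpenSSL serial files are hex, so a value such as `0a` would make expr error out instead of comparing. Two smaller points: the `if [ $(echo ${ARR[3]} ...` line is indented with spaces where the rest of the added block uses tabs, and the description says the serial and index.attr can end up mismatched but the hunk only empties index.txt; if index.txt.attr also needs resetting it should be handled here, otherwise the description should name index.txt.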
-- 
2.49.0
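The restore check described in the patch description (read the serial of the restored hostcert.pem, compare it with the CA serial file, reset when they disagree) as an added example; this is not code from backup.pl or from IPfire. It parses the two layouts `openssl x509 -noout -text` uses for the serial (the small-serial form on the same line and the multi-line hex form) instead of relying on a fixed line index, and the openssl output it works on is constructed text embedded in the script, so it runs without certificates or openssl present. The helper names `x509_text_serial`, `serial_file_value` and `needs_serial_reset` are this example's own.

```shell
#!/bin/sh
# Added example (not from backup.pl): parse the serial out of
# `openssl x509 -noout -text` output and decide whether the CA serial
# file needs resetting, as the restore check in the patch does.
# The openssl output embedded below is constructed for the example.

# Read `openssl x509 -text` output on stdin and print the serial as
# lowercase hex with leading zeros stripped. openssl prints small serials
# on the "Serial Number:" line itself ("Serial Number: 1 (0x1)") and large
# ones as colon-separated hex on the following line; both are handled.
x509_text_serial() {
	awk '
		/^[[:space:]]*Serial Number:/ {
			if (match($0, /\(0x[0-9a-fA-F]+\)/)) {
				# same-line form: take the hex inside "(0x...)"
				s = substr($0, RSTART + 3, RLENGTH - 4)
			} else {
				# multi-line form: hex octets on the next line
				getline s
				gsub(/[: \t]/, "", s)
			}
			s = tolower(s)
			sub(/^0+/, "", s)
			if (s == "") s = "0"
			print s
			exit
		}
	'
}

# Normalise the contents of an OpenSSL CA serial file ("02") the same way,
# so the two values can be compared as strings.
serial_file_value() {
	tr -d ' \t\r\n' | tr 'A-F' 'a-f' | sed 's/^0*//; s/^$/0/'
}

# Return 0 (true) when the restored host certificate has serial 1 but the
# serial file does not hold 02, i.e. the state the patch repairs.
needs_serial_reset() {
	cert_serial=$1
	file_serial=$2
	[ "$cert_serial" = "1" ] && [ "$file_serial" != "2" ]
}

# Constructed sample: the top of `openssl x509 -text` for a serial-1 cert.
SAMPLE_SMALL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption'

# Constructed sample: the multi-line layout openssl uses for large serials.
SAMPLE_LARGE='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:1b:2c:3d:4e:5f:60:71
        Signature Algorithm: sha256WithRSAEncryption'

small=$(printf '%s\n' "$SAMPLE_SMALL" | x509_text_serial)
large=$(printf '%s\n' "$SAMPLE_LARGE" | x509_text_serial)
echo "small cert serial: $small"
echo "large cert serial: $large"
# A pre-fix backup ships a serial file holding 01 next to a serial-1 cert.
if needs_serial_reset "$small" "$(printf '01\n' | serial_file_value)"; then
	echo "serial file would be reset to 02 and index.txt emptied"
fi
```

On a real system the input to `x509_text_serial` would be `openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -text` and the input to `serial_file_value` the contents of /var/ipfire/certs/serial; both should be checked for existence first so a backup that never had IPsec configured simply skips the check.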
