Hi,
is this not better to just call the httpscert script? Avoids copying code.
-Michael
On Mon, 2017-09-04 at 20:23 +0200, Peter Müller wrote:
Generate ECDSA certificate and key file on existing installations via the update.sh script.
This is required since Apache crashes if some Certificate(Key)File directives point to non-existing files:
Restarting Apache daemon... Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf: SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty
Key generation only takes a few seconds even on legacy systems. Also existing installations will then use ECDSA/RSA certificate dual-stack.
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh index 6d7a10b5e..c5d945b21 100644 --- a/config/rootfiles/core/114/update.sh +++ b/config/rootfiles/core/114/update.sh @@ -60,6 +60,14 @@ rm -f /usr/sbin/htpasswd # Update Language cache /usr/local/bin/update-lang-cache
+# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations +/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key +/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
- req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
- /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
- /etc/httpd/server-ecdsa.crt
# Start services /etc/init.d/unbound start /etc/init.d/apache start