Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 53507305f..8b05a0de7 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2141,7 +2141,7 @@ END &General::log("ipsec", "Creating a cert...");
if (open(STDIN, "-|")) { - my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; + my $opt = " req -nodes"; $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
The function did not evaluate the return code which is why it used a hack to figure out if some output is an error or not.
This is being fixed in this commit and the entire output is being returned if the return code is non-zero.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 8b05a0de7..d82e6b5c9 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -229,13 +229,14 @@ sub callssl ($) { my $opt = shift; my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr my $ret = ''; - foreach my $line (split (/\n/, $retssl)) { - &General::log("ipsec", "$line") if (0); # 1 for verbose logging - $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); - } - if ($ret) { - $ret= &Header::cleanhtml($ret); + + if ($?) { + foreach my $line (split (/\n/, $retssl)) { + &General::log("ipsec", "$line") if (0); # 1 for verbose logging + $ret .= '<br>' . &Header::escape($line); + } } + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; } ###
This is necessary since we now have a much shorter lifetime for the host certificate. However, it is complicated to do this is which is why we are copying the previous certificate and generate a new CSR. This is then signed.
A caveat of this patch is that we do not rollover the key.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/ssl/openssl.cnf | 1 + doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 8 ++++++ html/cgi-bin/vpnmain.cgi | 54 +++++++++++++++++++++++++++++++++++++++- langs/en/cgi-bin/en.pl | 1 + 13 files changed, 72 insertions(+), 1 deletion(-)
diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf index 3b980fcd4..00c206ed8 100644 --- a/config/ssl/openssl.cnf +++ b/config/ssl/openssl.cnf @@ -23,6 +23,7 @@ default_md = sha256 preserve = no policy = policy_match email_in_dn = no +copy_extensions = copyall
[ policy_match ] countryName = optional diff --git a/doc/language_issues.de b/doc/language_issues.de index 4fd5a0819..fa0705e74 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -933,6 +933,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: optional = Optional WARNING: untranslated string: pakfire invalid tree = Invalid repository selected +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required = Required diff --git a/doc/language_issues.en b/doc/language_issues.en index b4327cb78..88e66346b 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1578,6 +1578,7 @@ WARNING: untranslated string: red1 = RED WARNING: untranslated string: references = References WARNING: untranslated string: refresh = Refresh WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.es b/doc/language_issues.es index 45ffdf5d7..ab6b5a1e9 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -995,6 +995,7 @@ WARNING: untranslated string: no data = unknown string WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index cacfb1ec6..e6781362f 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -948,6 +948,7 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 68ff12c86..b21f15062 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1215,6 +1215,7 @@ WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d1a637215..668df4fc3 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1237,6 +1237,7 @@ WARNING: untranslated string: ptr = PTR WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required = Required diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 893f73211..f4a29cb84 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1418,6 +1418,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received WARNING: untranslated string: red1 = RED +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 64c9b5095..4eface69a 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1413,6 +1413,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received WARNING: untranslated string: red1 = RED +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.tr b/doc/language_issues.tr index eadbd33c7..d5f321dd8 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1125,6 +1125,7 @@ WARNING: untranslated string: ptr = PTR WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_missings b/doc/language_missings index 28ae29c2b..2b70ef9f9 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -73,6 +73,7 @@ < optional < quick control < random number generator daemon +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -117,6 +118,7 @@ < invalid ip or hostname < openvpn cert expires soon < openvpn cert has expired +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < service boot setting unavailable @@ -138,6 +140,7 @@ < extrahd not mounted < g.dtm < g.lite +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < spec rstack overflow @@ -523,6 +526,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -1063,6 +1067,7 @@ < rdns < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -1943,6 +1948,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -2934,6 +2940,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -3405,6 +3412,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index d82e6b5c9..9173a85d8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -866,6 +866,12 @@ END exit(0); } ### +### Regenerate the host certificate +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) { + $errormessage = ®enerate_host_certificate(); + +### ### Form for generating/importing the caroot+host certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || @@ -3612,7 +3618,12 @@ END <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" /> </form> </td> - <td width='4%' $col2> </td></tr> + <td width='4%' align='center' $col2> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'regenerate host certificate'}' src='/images/reload.gif' alt='$Lang::tr{'regenerate host certificate'}' title='$Lang::tr{'regenerate host certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'regenerate host certificate'}' /> + </form> + </td></tr> END ; } else { @@ -3782,3 +3793,44 @@ sub make_subnets($$) {
return join(",", @cidr_nets); } + +sub regenerate_host_certificate() { + my $errormessage = ""; + + &General::log("ipsec", "Regenerating host certificate..."); + + # Create a CSR based on the existing certificate + my $opt = " x509 -x509toreq -copy_extensions copyall"; + $opt .= " -signkey ${General::swroot}/certs/hostkey.pem"; + $opt .= " -in ${General::swroot}/certs/hostcert.pem"; + $opt .= " -out ${General::swroot}/certs/hostreq.pem"; + $errormessage = &callssl($opt); + + # Revoke the old certificate + if (!$errormessage) { + &General::log("ipsec", "Revoking the old host cert..."); + + my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem"; + $errormessage = &callssl($opt); + } + + # Sign the host certificate request + if (!$errormessage) { + &General::log("ipsec", "Self signing host cert..."); + + my $opt = " ca -md sha256 -days 825"; + $opt .= " -batch -notext"; + $opt .= " -in ${General::swroot}/certs/hostreq.pem"; + $opt .= " -out ${General::swroot}/certs/hostcert.pem"; + $errormessage = &callssl ($opt); + + unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed + } + + # Reload the new certificate + if (!$errormessage) { + &General::system('/usr/local/bin/ipsecctrl', 'R'); + } + + return $errormessage; +} diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 16a3061b4..5ac651e2f 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2208,6 +2208,7 @@ 'refresh' => 'Refresh', 'refresh index page while connected' => 'Refresh index.cgi page while connected', 'refresh update list' => 'Refresh update list', +'regenerate host certificate' => 'Renew Host Certificate', 'registered user rules' => 'Talos VRT rules for registered users', 'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.', 'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',
-
Michael Tremer