This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core115 has been updated
via 9064ba72fe03d324478b8c321f4368192e8f551c (commit)
via 0d6b6a219ff9dc2735f4b4b6213f9936f4a239d7 (commit)
from cf361ef4b55134254150b5070069f9d25b201bd1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 9064ba72fe03d324478b8c321f4368192e8f551c
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Oct 22 15:50:38 2017 +0200
drop httpscert and merge to apache initskript
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/common/stage2 | 1 -
config/rootfiles/common/x86_64/stage2 | 1 -
config/rootfiles/core/115/filelists/files | 2 +-
config/rootfiles/core/115/update.sh | 8 ++--
src/initscripts/system/apache | 60 +++++++++++++++++++++++++-----
src/scripts/httpscert | 61 -------------------------------
6 files changed, 54 insertions(+), 79 deletions(-)
delete mode 100644 src/scripts/httpscert
Difference in files:
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index 8c6dd40..a5ba6ae 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -91,7 +91,6 @@ usr/local/bin/connscheduler
usr/local/bin/consort.sh
usr/local/bin/convert-ovpn
usr/local/bin/hddshutdown
-usr/local/bin/httpscert
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2
index 2897adc..70a33d6 100644
--- a/config/rootfiles/common/x86_64/stage2
+++ b/config/rootfiles/common/x86_64/stage2
@@ -93,7 +93,6 @@ usr/local/bin/connscheduler
usr/local/bin/consort.sh
usr/local/bin/convert-ovpn
usr/local/bin/hddshutdown
-usr/local/bin/httpscert
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
diff --git a/config/rootfiles/core/115/filelists/files b/config/rootfiles/core/115/filelists/files
index 72c5e5f..d3e2958 100644
--- a/config/rootfiles/core/115/filelists/files
+++ b/config/rootfiles/core/115/filelists/files
@@ -3,6 +3,7 @@ etc/issue
etc/httpd/conf/vhosts.d/captive.conf
etc/httpd/conf/vhosts.d/ipfire-interface.conf
etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
+etc/rc.d/init.d/apache
etc/rc.d/init.d/firewall
srv/web/ipfire/cgi-bin/captive/index.cgi
srv/web/ipfire/cgi-bin/captive/logo.cgi
@@ -16,7 +17,6 @@ srv/web/ipfire/html/captive
usr/bin/captive-cleanup
usr/local/bin/backupiso
usr/local/bin/captivectrl
-usr/local/bin/httpscert
usr/local/bin/wirelessctrl
var/ipfire/backup/include
var/ipfire/captive
diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/update.sh
index 61634a7..91bb808 100644
--- a/config/rootfiles/core/115/update.sh
+++ b/config/rootfiles/core/115/update.sh
@@ -34,13 +34,14 @@ done
# Stop services
openvpnctrl -k
openvpnctrl -kn2n
-
+/etc/rc.d/init.d/apache stop
# Extract files
extract_files
# Remove files
rm -vf \
+ /usr/local/bin/httpscert \
/srv/web/ipfire/html/dial.cgi
# update linker config
@@ -49,11 +50,8 @@ ldconfig
# Update Language cache
/usr/local/bin/update-lang-cache
-# generate ECDSA key on existing installations to prevent Apache from crashing
-/usr/local/bin/httpscert
-
# Start services
-/etc/rc.d/init.d/apache2 restart
+/etc/rc.d/init.d/apache2 start
openvpnctrl -s
openvpnctrl -sn2n
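Review bot: The start line `/etc/rc.d/init.d/apache2 start` does not match the script this commit ships and stops: the earlier hunk in this file calls `/etc/rc.d/init.d/apache stop`, and the core 115 filelist adds `etc/rc.d/init.d/apache`. If no `apache2` initscript exists on the target (not visible here), the update leaves the web interface down and never reaches the new `generate_certificates`, which is the only thing replacing the removed `/usr/local/bin/httpscert` call. Suggest `/etc/rc.d/init.d/apache start` so that stop and start use the same, freshly extracted script.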
diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache
index 5dd39f9..541141e 100644
--- a/src/initscripts/system/apache
+++ b/src/initscripts/system/apache
@@ -7,18 +7,58 @@
. /etc/sysconfig/rc
. $rc_functions
+generate_certificates() {
+ if [ ! -f "/etc/httpd/server.key" ]; then
+ boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
+ openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+ evaluate_retval
+ fi
+
+ if [ ! -f "/etc/httpd/server-ecdsa.key" ]; then
+ boot_mesg "Generating HTTPS ECDSA server key..."
+ openssl ecparam -genkey -name secp384r1 -noout \
+ -out /etc/httpd/server-ecdsa.key &>/dev/null
+ evaluate_retval
+ fi
+
+ # Generate RSA CSR
+ if [ ! -f "/etc/httpd/server.csr" ]; then
+ sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
+ openssl req -new -key /etc/httpd/server.key \
+ -out /etc/httpd/server.csr &>/dev/null
+ fi
+
+ # Generate ECDSA CSR
+ if [ ! -f "/etc/httpd/server-ecdsa.csr" ]; then
+ sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
+ openssl req -new -key /etc/httpd/server-ecdsa.key \
+ -out /etc/httpd/server-ecdsa.csr &>/dev/null
+ fi
+
+ if [ ! -f "/etc/httpd/server.crt" ]; then
+ boot_mesg "Signing RSA certificate..."
+ openssl x509 -req -days 999999 -sha256 \
+ -in /etc/httpd/server.csr \
+ -signkey /etc/httpd/server.key \
+ -out /etc/httpd/server.crt &>/dev/null
+ evaluate_retval
+ fi
+
+ if [ ! -f "/etc/httpd/server-ecdsa.crt" ]; then
+ boot_mesg "Signing ECDSA certificate..."
+ openssl x509 -req -days 999999 -sha256 \
+ -in /etc/httpd/server-ecdsa.csr \
+ -signkey /etc/httpd/server-ecdsa.key \
+ -out /etc/httpd/server-ecdsa.crt &>/dev/null
+ evaluate_retval
+ fi
+}
+
case "$1" in
start)
- if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
- /usr/local/bin/httpscert read >/dev/null 2>&1
- else
- boot_mesg "Generating HTTPS host certificate (may take a couple of minutes)..."
- /usr/local/bin/httpscert new >/dev/null 2>&1
- evaluate_retval
-
- # Make sure that the key is written to disk.
- sync
- fi
+ # Generate all required certificates
+ generate_certificates
+
boot_mesg "Starting Apache daemon..."
/usr/sbin/apachectl -k start
evaluate_retval
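Review bot: The two private-key steps in `generate_certificates` (`openssl genrsa -out /etc/httpd/server.key` and the `ecparam -genkey` one) write straight to the final path under whatever umask the init process has, and the only guard is `[ ! -f ... ]`. A failed or interrupted run can leave an empty or truncated key that every later boot treats as present, and the `sync` that the removed branch ran after key generation is gone, so a power loss shortly after first boot can have the same effect. The CSR steps have no `evaluate_retval` and all openssl output goes to /dev/null, so such a failure stays silent until Apache refuses to load the key. Suggest setting `umask 077`, writing each key to a temporary name and renaming it on success, testing with `-s` instead of `-f`, and keeping the `sync`; the RSA branch is sketched below and the ECDSA branch would follow the same pattern.

```shell
generate_certificates() {
	# Private keys must not be group/world readable, whatever umask the caller has.
	old_umask=$(umask)
	umask 077

	if [ ! -s "/etc/httpd/server.key" ]; then
		boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
		# Write to a temporary name so a failed or interrupted run never
		# leaves a truncated key that later boots would accept as valid.
		openssl genrsa -out /etc/httpd/server.key.tmp 4096 >/dev/null 2>&1 &&
			mv -f /etc/httpd/server.key.tmp /etc/httpd/server.key
		evaluate_retval
	fi

	# … unchanged: ECDSA key (same temp-file pattern), CSR generation, certificate signing …

	umask "$old_umask"

	# Make sure keys and certificates are on disk before Apache starts.
	sync
}
```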
diff --git a/src/scripts/httpscert b/src/scripts/httpscert
deleted file mode 100644
index cae39fb..0000000
--- a/src/scripts/httpscert
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh
-#
-# new : generate new certificate
-# read: read issuer in certificate and verify if it is the same as hostname
-
-# See how we were called.
-case "$1" in
- new)
- if [ ! -f /etc/httpd/server.key ]; then
- echo "Generating HTTPS RSA server key."
- /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
- fi
- if [ ! -f /etc/httpd/server-ecdsa.key ]; then
- echo "Generating HTTPS ECDSA server key."
- /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
- fi
-
- echo "Generating CSRs"
- if [ ! -f /etc/httpd/server.csr ]; then
- /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
- req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
- fi
- if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
- /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
- req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
- fi
-
- echo "Signing certificates"
- if [ ! -f /etc/httpd/server.crt ]; then
- /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
- /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
- /etc/httpd/server.crt
- fi
- if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
- /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
- /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
- /etc/httpd/server-ecdsa.crt
- fi
- ;;
- read)
- if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
- ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
- HOSTNAME=`/bin/hostname -f`
- if [ "$ISSUER" != "$HOSTNAME" ]; then
- echo "Certificate issuer '$ISSUER' is not the same as the hostname '$HOSTNAME'"
- echo "Probably host or domain name has been changed in setup"
- echo "You could remake server certificate with '/usr/local/bin/httpscert new'"
- exit 1
- else
- echo "https certificate issuer match $HOSTNAME"
- fi
- else
- echo "Certificate not found"
- exit 1
- fi
- ;;
- *)
- /bin/echo "Usage: $0 {read|new}"
- exit 1
- ;;
-esac
hooks/post-receive
--
IPFire 2.x development tree