This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated via 9064ba72fe03d324478b8c321f4368192e8f551c (commit) via 0d6b6a219ff9dc2735f4b4b6213f9936f4a239d7 (commit) from cf361ef4b55134254150b5070069f9d25b201bd1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 9064ba72fe03d324478b8c321f4368192e8f551c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 22 15:50:38 2017 +0200
drop httpscert and merge it into the apache initscript
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/common/stage2 | 1 - config/rootfiles/common/x86_64/stage2 | 1 - config/rootfiles/core/115/filelists/files | 2 +- config/rootfiles/core/115/update.sh | 8 ++-- src/initscripts/system/apache | 60 +++++++++++++++++++++++++----- src/scripts/httpscert | 61 ------------------------------- 6 files changed, 54 insertions(+), 79 deletions(-) delete mode 100644 src/scripts/httpscert
Difference in files: diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 8c6dd40..a5ba6ae 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -91,7 +91,6 @@ usr/local/bin/connscheduler usr/local/bin/consort.sh usr/local/bin/convert-ovpn usr/local/bin/hddshutdown -usr/local/bin/httpscert usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2 index 2897adc..70a33d6 100644 --- a/config/rootfiles/common/x86_64/stage2 +++ b/config/rootfiles/common/x86_64/stage2 @@ -93,7 +93,6 @@ usr/local/bin/connscheduler usr/local/bin/consort.sh usr/local/bin/convert-ovpn usr/local/bin/hddshutdown -usr/local/bin/httpscert usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash diff --git a/config/rootfiles/core/115/filelists/files b/config/rootfiles/core/115/filelists/files index 72c5e5f..d3e2958 100644 --- a/config/rootfiles/core/115/filelists/files +++ b/config/rootfiles/core/115/filelists/files @@ -3,6 +3,7 @@ etc/issue etc/httpd/conf/vhosts.d/captive.conf etc/httpd/conf/vhosts.d/ipfire-interface.conf etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf +etc/rc.d/init.d/apache etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/captive/index.cgi srv/web/ipfire/cgi-bin/captive/logo.cgi @@ -16,7 +17,6 @@ srv/web/ipfire/html/captive usr/bin/captive-cleanup usr/local/bin/backupiso usr/local/bin/captivectrl -usr/local/bin/httpscert usr/local/bin/wirelessctrl var/ipfire/backup/include var/ipfire/captive diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/update.sh index 61634a7..91bb808 100644 --- a/config/rootfiles/core/115/update.sh +++ b/config/rootfiles/core/115/update.sh @@ -34,13 +34,14 @@ done # Stop services openvpnctrl -k openvpnctrl -kn2n - +/etc/rc.d/init.d/apache stop
# Extract files extract_files
# Remove files rm -vf \ + /usr/local/bin/httpscert \ /srv/web/ipfire/html/dial.cgi
# update linker config @@ -49,11 +50,8 @@ ldconfig # Update Language cache /usr/local/bin/update-lang-cache
-# generate ECDSA key on existing installations to prevent Apache from crashing -/usr/local/bin/httpscert - # Start services -/etc/rc.d/init.d/apache2 restart +/etc/rc.d/init.d/apache2 start openvpnctrl -s openvpnctrl -sn2n
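Review bot: The stop added in the first update.sh hunk (`/etc/rc.d/init.d/apache stop`) and the start in this hunk (`/etc/rc.d/init.d/apache2 start`) name two different scripts; unless apache2 is a link to apache, the start bypasses the updated initscript this commit ships (`etc/rc.d/init.d/apache` is added to the core 115 file list) and generate_certificates, which replaces the `/usr/local/bin/httpscert` call removed here, would never run on upgraded installations. Using `/etc/rc.d/init.d/apache start` makes both calls go through the same script. Since this hunk removes the only step that created the ECDSA key on existing systems, the start path is what has to carry that job now.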
diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache index 5dd39f9..541141e 100644 --- a/src/initscripts/system/apache +++ b/src/initscripts/system/apache @@ -7,18 +7,58 @@ . /etc/sysconfig/rc . $rc_functions
+generate_certificates() { + if [ ! -f "/etc/httpd/server.key" ]; then + boot_mesg "Generating HTTPS RSA server key (this will take a moment)..." + openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null + evaluate_retval + fi + + if [ ! -f "/etc/httpd/server-ecdsa.key" ]; then + boot_mesg "Generating HTTPS ECDSA server key..." + openssl ecparam -genkey -name secp384r1 -noout \ + -out /etc/httpd/server-ecdsa.key &>/dev/null + evaluate_retval + fi + + # Generate RSA CSR + if [ ! -f "/etc/httpd/server.csr" ]; then + sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \ + openssl req -new -key /etc/httpd/server.key \ + -out /etc/httpd/server.csr &>/dev/null + fi + + # Generate ECDSA CSR + if [ ! -f "/etc/httpd/server-ecdsa.csr" ]; then + sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \ + openssl req -new -key /etc/httpd/server-ecdsa.key \ + -out /etc/httpd/server-ecdsa.csr &>/dev/null + fi + + if [ ! -f "/etc/httpd/server.crt" ]; then + boot_mesg "Signing RSA certificate..." + openssl x509 -req -days 999999 -sha256 \ + -in /etc/httpd/server.csr \ + -signkey /etc/httpd/server.key \ + -out /etc/httpd/server.crt &>/dev/null + evaluate_retval + fi + + if [ ! -f "/etc/httpd/server-ecdsa.crt" ]; then + boot_mesg "Signing ECDSA certificate..." + openssl x509 -req -days 999999 -sha256 \ + -in /etc/httpd/server-ecdsa.csr \ + -signkey /etc/httpd/server-ecdsa.key \ + -out /etc/httpd/server-ecdsa.crt &>/dev/null + evaluate_retval + fi +} + case "$1" in start) - if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then - /usr/local/bin/httpscert read >/dev/null 2>&1 - else - boot_mesg "Generating HTTPS host certificate (may take a couple of minutes)..." - /usr/local/bin/httpscert new >/dev/null 2>&1 - evaluate_retval - - # Make sure that the key is written to disk. - sync - fi + # Generate all required certificates + generate_certificates + boot_mesg "Starting Apache daemon..." /usr/sbin/apachectl -k start evaluate_retval 
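Review bot: The `[ ! -f ... ]` guards in generate_certificates treat any existing file as a usable key, so a zero-length or truncated server.key left by an interrupted first boot is never regenerated and later starts would likely keep failing at `apachectl -k start`; the `sync` the old start branch ran after key generation ("Make sure that the key is written to disk") is dropped by this hunk without a replacement. Use `[ ! -s "/etc/httpd/server.key" ]` for this and the other five existence checks so empty files count as missing, and keep a `sync` after the two key-generation blocks. The two CSR steps also run without `evaluate_retval`, so a missing /etc/certparams or a failing `hostname -f` is only noticed indirectly when the signing step errors; an `evaluate_retval` after each `openssl req` pipeline would report the real cause. The rest of the start) case continues past the hunk.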
diff --git a/src/scripts/httpscert b/src/scripts/httpscert deleted file mode 100644 index cae39fb..0000000 --- a/src/scripts/httpscert +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/sh -# -# new : generate new certificate -# read: read issuer in certificate and verify if it is the same as hostname - -# See how we were called. -case "$1" in - new) - if [ ! -f /etc/httpd/server.key ]; then - echo "Generating HTTPS RSA server key." - /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 - fi - if [ ! -f /etc/httpd/server-ecdsa.key ]; then - echo "Generating HTTPS ECDSA server key." - /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key - fi - - echo "Generating CSRs" - if [ ! -f /etc/httpd/server.csr ]; then - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - fi - if [ ! -f /etc/httpd/server-ecdsa.csr ]; then - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr - fi - - echo "Signing certificates" - if [ ! -f /etc/httpd/server.crt ]; then - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ - /etc/httpd/server.crt - fi - if [ ! 
-f /etc/httpd/server-ecdsa.crt ]; then - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ - /etc/httpd/server-ecdsa.crt - fi - ;; - read) - if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then - ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='` - HOSTNAME=`/bin/hostname -f` - if [ "$ISSUER" != "$HOSTNAME" ]; then - echo "Certificate issuer '$ISSUER' is not the same as the hostname '$HOSTNAME'" - echo "Probably host or domain name has been changed in setup" - echo "You could remake server certificate with '/usr/local/bin/httpscert new'" - exit 1 - else - echo "https certificate issuer match $HOSTNAME" - fi - else - echo "Certificate not found" - exit 1 - fi - ;; - *) - /bin/echo "Usage: $0 {read|new}" - exit 1 - ;; -esac