[3/3] generate ECDSA certificate and key on existing installations

Message ID 20170904202305.28c45ae6.peter.mueller@link38.eu
State New
Headers show
Series
  • [1/3] add ECDSA key generation to httpscert
Related show

Commit Message

Peter Müller Sept. 4, 2017, 6:23 p.m.
Generate ECDSA certificate and key file on existing installations
via the update.sh script.

This is required since Apache crashes if some Certificate(Key)File
directives point to non-existing files:

Restarting Apache daemon...
Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf:
SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty

Key generation only takes a few seconds even on legacy systems. Also
existing installations will then use ECDSA/RSA certificate dual-stack.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---

Patch

diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh
index 6d7a10b5e..c5d945b21 100644
--- a/config/rootfiles/core/114/update.sh
+++ b/config/rootfiles/core/114/update.sh
@@ -60,6 +60,14 @@  rm -f /usr/sbin/htpasswd
 # Update Language cache
 /usr/local/bin/update-lang-cache
 
+# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations
+/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+	req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+	/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+	/etc/httpd/server-ecdsa.crt
+
 # Start services
 /etc/init.d/unbound start
 /etc/init.d/apache start