diff mbox series

[3/3] generate ECDSA certificate and key on existing installations

Message ID 20170904202305.28c45ae6.peter.mueller@link38.eu
State Superseded
Headers
Series [1/3] add ECDSA key generation to httpscert |

Commit Message

Peter Müller Sept. 5, 2017, 4:23 a.m. UTC 
  Generate ECDSA certificate and key file on existing installations
via the update.sh script.

This is required since Apache crashes if some Certificate(Key)File
directives point to non-existing files:

Restarting Apache daemon...
Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf:
SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty

Key generation only takes a few seconds even on legacy systems. Also
existing installations will then use ECDSA/RSA certificate dual-stack.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---

Comments

Michael Tremer Sept. 25, 2017, 8:07 a.m. UTC | #1 
Hi,

is this not better to just call the httpscert script? Avoids copying
code.

-Michael

On Mon, 2017-09-04 at 20:23 +0200, Peter Müller wrote:
> Generate ECDSA certificate and key file on existing installations
> via the update.sh script.
> 
> This is required since Apache crashes if some Certificate(Key)File
> directives point to non-existing files:
> 
> Restarting Apache daemon...
> Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf:
> SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty
> 
> Key generation only takes a few seconds even on legacy systems. Also
> existing installations will then use ECDSA/RSA certificate dual-stack.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh
> index 6d7a10b5e..c5d945b21 100644
> --- a/config/rootfiles/core/114/update.sh
> +++ b/config/rootfiles/core/114/update.sh
> @@ -60,6 +60,14 @@ rm -f /usr/sbin/htpasswd
>  # Update Language cache
>  /usr/local/bin/update-lang-cache
>  
> +# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations
> +/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
> +/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> +	req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> +/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> +	/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> +	/etc/httpd/server-ecdsa.crt
> +
>  # Start services
>  /etc/init.d/unbound start
>  /etc/init.d/apache start
Peter Müller Sept. 26, 2017, 2:08 a.m. UTC | #2 
Hello Michael,

> Hi,
> 
> is this not better to just call the httpscert script? Avoids copying
> code.
Yes. Never repeat yourself, as they say...

Will develop a 2nd version.

Best regards,
Peter Müller
> 
> -Michael
> 
> On Mon, 2017-09-04 at 20:23 +0200, Peter Müller wrote:
> > Generate ECDSA certificate and key file on existing installations
> > via the update.sh script.
> > 
> > This is required since Apache crashes if some Certificate(Key)File
> > directives point to non-existing files:
> > 
> > Restarting Apache daemon...
> > Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf:
> > SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty
> > 
> > Key generation only takes a few seconds even on legacy systems. Also
> > existing installations will then use ECDSA/RSA certificate dual-stack.
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> > diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh
> > index 6d7a10b5e..c5d945b21 100644
> > --- a/config/rootfiles/core/114/update.sh
> > +++ b/config/rootfiles/core/114/update.sh
> > @@ -60,6 +60,14 @@ rm -f /usr/sbin/htpasswd
> >  # Update Language cache
> >  /usr/local/bin/update-lang-cache
> >  
> > +# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations
> > +/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
> > +/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> > +	req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> > +/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> > +	/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> > +	/etc/httpd/server-ecdsa.crt
> > +
> >  # Start services
> >  /etc/init.d/unbound start
> >  /etc/init.d/apache start
diff mbox series

Patch

diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh
index 6d7a10b5e..c5d945b21 100644
--- a/config/rootfiles/core/114/update.sh
+++ b/config/rootfiles/core/114/update.sh
@@ -60,6 +60,14 @@  rm -f /usr/sbin/htpasswd
 # Update Language cache
 /usr/local/bin/update-lang-cache
 
+# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations
+/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+	req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+	/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+	/etc/httpd/server-ecdsa.crt
+
 # Start services
 /etc/init.d/unbound start
 /etc/init.d/apache start