From patchwork Tue Sep 5 04:23:05 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1405 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 95CD761AB5 for ; Mon, 4 Sep 2017 20:23:20 +0200 (CEST) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 2B03F2858; Mon, 4 Sep 2017 20:23:20 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id EBBF3284F for ; Mon, 4 Sep 2017 20:23:17 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id B8145410BF for ; Mon, 4 Sep 2017 20:23:06 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 0C1DE9F451 for ; Mon, 4 Sep 2017 20:23:06 +0200 (CEST) Date: Mon, 4 Sep 2017 20:23:05 +0200 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH 3/3] generate ECDSA certificate and key on existing installations Message-ID: <20170904202305.28c45ae6.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Generate ECDSA certificate and key file on existing installations via the update.sh script. This is required since Apache crashes if some Certificate(Key)File directives point to non-existing files: Restarting Apache daemon... Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf: SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty Key generation only takes a few seconds even on legacy systems. Also existing installations will then use ECDSA/RSA certificate dual-stack. Signed-off-by: Peter Müller diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh index 6d7a10b5e..c5d945b21 100644 --- a/config/rootfiles/core/114/update.sh +++ b/config/rootfiles/core/114/update.sh @@ -60,6 +60,14 @@ rm -f /usr/sbin/htpasswd # Update Language cache /usr/local/bin/update-lang-cache +# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations +/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key +/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr +/usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt + # Start services /etc/init.d/unbound start /etc/init.d/apache start