[3/3] generate ECDSA certificate and key on existing installations
Commit Message
Generate ECDSA certificate and key file on existing installations
via the update.sh script.
This is required since Apache crashes if some Certificate(Key)File
directives point to non-existing files:
Restarting Apache daemon...
Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf:
SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty
Key generation only takes a few seconds even on legacy systems. Also,
existing installations will then use an ECDSA/RSA certificate dual-stack.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
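As an added example (not IPFire's update.sh and not its httpscert script, neither of which is shown on this page), the following POSIX shell function does what the patch does, but idempotently and with the private key created under a restrictive umask, so it can be called from an update script without clobbering an existing pair. The file names follow the patch; the target directory argument, the subject built from the host name, the 3650-day validity and the `verify_pair` helper are assumptions made for this example:

```shell
#!/bin/sh
# Added example (not IPFire's update.sh or httpscert): idempotent generation of an
# ECDSA P-384 key and self-signed certificate. File names follow the patch; the
# directory argument, subject string and validity are assumptions for this example.
set -eu

# Generate key + cert into directory "$1" for host "$2" unless both already exist.
# Prints "generated" or "kept" on stdout so callers can tell which path was taken.
ensure_ecdsa_cert() {
    dir=$1
    host=$2
    key="$dir/server-ecdsa.key"
    crt="$dir/server-ecdsa.crt"
    csr="$dir/server-ecdsa.csr"

    # Apache refuses to start when SSLCertificateFile/SSLCertificateKeyFile point
    # at a missing *or empty* file, so test with -s: a half-written pair from an
    # interrupted earlier run is regenerated instead of being trusted.
    if [ -s "$key" ] && [ -s "$crt" ]; then
        echo kept
        return 0
    fi

    # Private key material must never be group/world-readable: create the file
    # with a restrictive umask rather than relying on chmod after the fact.
    old_umask=$(umask)
    umask 077
    openssl ecparam -genkey -name secp384r1 -noout -out "$key"
    umask "$old_umask"

    # CSR + self-signed certificate for the host, then drop the CSR, which is
    # only an intermediate artefact and has no business staying in /etc.
    openssl req -new -key "$key" -subj "/CN=$host" -out "$csr"
    openssl x509 -req -days 3650 -sha256 -in "$csr" -signkey "$key" \
        -out "$crt" >/dev/null
    rm -f "$csr"
    echo generated
}

# Returns 0 if the certificate's public key matches the private key (the same
# consistency check mod_ssl performs at startup), 1 otherwise.
verify_pair() {
    dir=$1
    a=$(openssl pkey -in "$dir/server-ecdsa.key" -pubout -outform DER | openssl dgst -sha256)
    b=$(openssl x509 -in "$dir/server-ecdsa.crt" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}
```

Calling `ensure_ecdsa_cert /etc/httpd "$(hostname -f)"` from an update script is then safe to repeat: the second and later runs print `kept` and leave the existing pair untouched, and because `set -e` is in effect a failing `openssl` aborts the script before Apache is restarted against a missing file.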
Comments
Hi,
is this not better to just call the httpscert script? Avoids copying
code.
-Michael
On Mon, 2017-09-04 at 20:23 +0200, Peter Müller wrote:
> Generate ECDSA certificate and key file on existing installations
> via the update.sh script.
>
> This is required since Apache crashes if some Certificate(Key)File
> directives point to non-existing files:
>
> Restarting Apache daemon...
> Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf:
> SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty
>
> Key generation only takes a few seconds even on legacy systems. Also,
> existing installations will then use an ECDSA/RSA certificate dual-stack.
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh
> index 6d7a10b5e..c5d945b21 100644
> --- a/config/rootfiles/core/114/update.sh
> +++ b/config/rootfiles/core/114/update.sh
> @@ -60,6 +60,14 @@ rm -f /usr/sbin/htpasswd
> # Update Language cache
> /usr/local/bin/update-lang-cache
>
> +# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations
> +/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
> +/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> +/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> + /etc/httpd/server-ecdsa.crt
> +
> # Start services
> /etc/init.d/unbound start
> /etc/init.d/apache start
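Review bot: the three openssl commands added after `/usr/local/bin/update-lang-cache` run unconditionally, so an installation that already has `/etc/httpd/server-ecdsa.key` and `.crt` (from an earlier run of this script, or an operator-supplied pair) gets them silently replaced by a fresh self-signed pair every time the update runs; wrap them in a guard such as `if [ ! -s /etc/httpd/server-ecdsa.key ]; then ... fi`, which also mirrors Apache's own "does not exist or is empty" test quoted in the commit message. Nothing checks the exit status either: if `openssl ecparam` or `openssl req` fails, the script falls through to `/etc/init.d/apache start` with exactly the missing-file error this patch is meant to avoid, which is one more reason to do the generation in the single shared script Michael points to and check its result from here.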
Hello Michael,
> Hi,
>
> is this not better to just call the httpscert script? Avoids copying
> code.
Yes. Never repeat yourself, as they say...
Will develop a 2nd version.
Best regards,
Peter Müller
@@ -60,6 +60,14 @@ rm -f /usr/sbin/htpasswd
# Update Language cache
/usr/local/bin/update-lang-cache
+# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations
+/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+ req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+ /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+ /etc/httpd/server-ecdsa.crt
+
# Start services
/etc/init.d/unbound start
/etc/init.d/apache start
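Review bot: `openssl ec -out /etc/httpd/server-ecdsa.key` writes the private key under whatever umask update.sh happens to run with and nothing tightens the mode afterwards, so the key can end up group- or world-readable; put `umask 077` in front of the block (or `chmod 600 /etc/httpd/server-ecdsa.key` directly after it). The intermediate `/etc/httpd/server-ecdsa.csr` is also never removed, and `-days 999999` gives the self-signed certificate a lifetime of roughly 2,700 years; both details belong in one shared generation script rather than being duplicated in this update hook.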