From patchwork Thu Oct 5 06:38:20 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1438 Return-Path: Received: from mail01.ipfire.org by mail01.ipfire.org (Dovecot) with LMTP id zX4IJMU41VntSwAAmDronw ; Wed, 04 Oct 2017 21:38:45 +0200 Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 95913282B; Wed, 4 Oct 2017 21:38:44 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [IPv6:2a03:4000:17:39a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id 325872828 for ; Wed, 4 Oct 2017 21:38:40 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id 7F0EE414DA for ; Wed, 4 Oct 2017 21:38:32 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id EA2169F24E for ; Wed, 4 Oct 2017 21:38:32 +0200 (CEST) Date: Wed, 4 Oct 2017 21:38:20 +0200 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH v2 3/3] generate ECDSA certificate and key on existing installations Message-ID: <20171004213820.125b7aae.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" X-Evolution-Source: 1292431680.19116.5@rice-oxley.tremer.info Generate ECDSA certificate and key file on existing installations via the update.sh script. This is required since Apache crashes if some Certificate(Key)File directives point to non-existing files: Restarting Apache daemon... Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf: SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty Key generation only takes a few seconds even on legacy systems. Also existing installations will then use ECDSA/RSA certificate dual-stack. Changes from v1: Use the httpscert script (never repeat yourself) and restart Apache afterwards to load the changes. Signed-off-by: Peter Müller diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/update.sh index e0ee121ce..afeeca14a 100644 --- a/config/rootfiles/core/115/update.sh +++ b/config/rootfiles/core/115/update.sh @@ -35,6 +35,7 @@ done openvpnctrl -k openvpnctrl -kn2n + # Extract files extract_files @@ -44,10 +45,13 @@ ldconfig # Update Language cache #/usr/local/bin/update-lang-cache +# generate ECDSA certificate and key file to prevent Apache from crashing on existing installations +/usr/local/bin/httpscert + # Start services openvpnctrl -s openvpnctrl -sn2n - +/etc/init.d/apache restart # This update need a reboot... #touch /var/run/need_reboot