Message ID | 20230606104050.8290-1-adolf.belka@ipfire.org |
---|---|
State | Accepted |
Commit | d57f305a1042fb69aa597426ee3f62ccce384f80 |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Qb6T8203rz3wgN for <patchwork@web04.haj.ipfire.org>; Tue, 6 Jun 2023 10:41:00 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Qb6T61DZMzZJ; Tue, 6 Jun 2023 10:40:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Qb6T56D7gz2y0t; Tue, 6 Jun 2023 10:40:57 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Qb6T44M4Zz2xfc for <development@lists.ipfire.org>; Tue, 6 Jun 2023 10:40:56 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Qb6T26TRqzZJ; Tue, 6 Jun 2023 10:40:54 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1686048055; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=bO+mRw4CK+0oAqpqZZOrS9A398G0ujUphbWHohzSnWA=; b=8ZfhlieDykaLDM4Qi1sfXt/GUUY64+1CqGb2U4xk7xtNvGzydm6s4BUAkilmuTWTR+Qt/6 TxPHXg2BzIvADTDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1686048055; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=bO+mRw4CK+0oAqpqZZOrS9A398G0ujUphbWHohzSnWA=; b=AhQ1OFSc3fxdmEYVpInIIpejufIxwwYCndCV0HwqgfXW/LYwEDVNK86CzOHXesUckBEC6x LrFjPyFIE8bzYWcB6YoqqC8aca79hdvZz2rzdnPOrd7LJsLP/eI8ImIyKVTwJMXVW66Lcv M4agVBuXL+untqEx2acHnJ5OXDvjrFj5hE5aXahejYbZ8F0xyBj8YBFyAcyOmfTWT8J8Kq cn/rAMp7+rDHcrtVlWnUk4f6pC9tDHZjG0OxP3plWQom9HL2vd6sssSUrrfKhLVbAbmBUU E1bSrlXr5/pH9WICEwHiIQrYzTb6wzf8/7n7hFHhEh293xBB+2wlIHDznMqfGA== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] update.sh: Fixes bug#13138 - root/host certificate set fails to be created Date: Tue, 6 Jun 2023 12:40:50 +0200 Message-Id: <20230606104050.8290-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
update.sh: Fixes bug#13138 - root/host certificate set fails to be created
|
|
Commit Message
Adolf Belka
June 6, 2023, 10:40 a.m. UTC
- The fix applied in vpnmain.cgi only adds the unique_subject = yes to the index.txt.attr file after the first time that the root/host certificates are attempted to be created. - Without this line in update.sh, the first attempt to create the root/host certificate set will still have the original error code. If the creation is attempted again then it will work because the unique_subject = yes will have then been added into the file. - This patch ensures that the first attempt to create a root/host certificate set in CU175 will work. - Confirmed on vm testbed with freshly updated CU175. Fixes: Bug#13138 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> --- config/rootfiles/core/175/update.sh | 3 +++ 1 file changed, 3 insertions(+)
Comments
Hi Peter, I tested out the latest nightly build and everything worked fine except for one small hiccup. The fix for creating the IPSec root/host certificate set still gave the same error when first attempted but then created it if the attempt was directly made again. Turns out the addition of unique_subject = yes to /var/ipfire/certs/index.txt.attr is only done in the vpnmain.cgi after the root/host creation was attempted the first time. The patch below ensures that the index.txt.attr file has the unique_subject = yes entry the first time the root/host certificate set creation is attempted. Apart from the above, all the other things I was able to test in IPSec and OpenVPN worked with that latest nightly. Regards, Adolf. On 06/06/2023 12:40, Adolf Belka wrote: > - The fix applied in vpnmain.cgi only adds the unique_subject = yes to the index.txt.attr > file after the first time that the root/host certificates are attempted to be created. > - Without this line in update.sh, the first attempt to create the root/host certificate set > will still have the original error code. If the creation is attempted again then it will > work because the unique_subject = yes will have then been added into the file. > - This patch ensures that the first attempt to create a root/host certificate set in CU175 > will work. > - Confirmed on vm testbed with freshly updated CU175. > > Fixes: Bug#13138 > Tested-by: Adolf Belka <adolf.belka@ipfire.org> > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > config/rootfiles/core/175/update.sh | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh > index 82676bc72..f1c6873c1 100644 > --- a/config/rootfiles/core/175/update.sh > +++ b/config/rootfiles/core/175/update.sh > @@ -191,6 +191,9 @@ if [ -s /var/ipfire/ovpn/ovpnconfig ]; then > done > fi > > +## Add unique_subject = yes to vpn index.txt.attr file > +echo "unique_subject = yes" > /var/ipfire/certs/index.txt.attr > + > # This update needs a reboot... > touch /var/run/need_reboot >
diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh index 82676bc72..f1c6873c1 100644 --- a/config/rootfiles/core/175/update.sh +++ b/config/rootfiles/core/175/update.sh @@ -191,6 +191,9 @@ if [ -s /var/ipfire/ovpn/ovpnconfig ]; then done fi +## Add unique_subject = yes to vpn index.txt.attr file +echo "unique_subject = yes" > /var/ipfire/certs/index.txt.attr + # This update needs a reboot... touch /var/run/need_reboot