From patchwork Sun Mar 2 19:14:30 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8505
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/2] vpnmain.cgi: Fixes bug13737 - increments the serial number to allow cert regen
Date: Sun, 2 Mar 2025 20:14:30 +0100
Message-ID: <20250302191431.20813-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- When the regeneration is carried out the existing cert, with serial number 01, is revoked but when the new cert is created the serial number is still 01 causing error messages about the new cert being revoked.
- This patch increments the serial number from 01 to 02 after the initial root/host certificate set is created.
- Then when the old cert is revoked the new one uses serial number 02 but also automatically increments it again. So all future regenerations work without problems.
- Tested out on a physical IPFire system.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index a1d0f0e2a..fe14b38f0 100755
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1241,6 +1241,13 @@ END exit(0); ROOTCERT_SUCCESS: + +# Increment the serial number to 02 after root and host certificates are +# created so that cert regeneration works. + open(FILE, ">${General::swroot}/certs/serial"); + print FILE "02"; + close FILE; + if (&vpnenabled) { &General::system('/usr/local/bin/ipsecctrl', 'S'); sleep $sleepDelay;
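Review bot: the block added after ROOTCERT_SUCCESS writes a hardcoded "02" into ${General::swroot}/certs/serial unconditionally and never checks that the open() succeeded. If this label is also reached on a later regeneration, after the serial has already been bumped past 02 as the description says it is, the counter is reset downward and a subsequent certificate can reuse a serial that was already issued and revoked, which is the same symptom this patch is meant to remove; reading the current value and incrementing it would be safer than a fixed "02". The write should also fail loudly instead of silently continuing when the file cannot be opened, e.g. `open(my $fh, ">", "${General::swroot}/certs/serial") or die "Could not write serial file: $!";` with the three-argument form and a lexical filehandle in place of the bareword FILE.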