From patchwork Tue Apr 29 10:10:49 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8647
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] update.sh: Core 194 - increment ipsec serial file if x509 set exists
Date: Tue, 29 Apr 2025 12:10:49 +0200
Message-ID: <20250429101049.10785-1-adolf.belka@ipfire.org>

- This is related to the fix patch set for bug13737. That patch set works with no problems if the root/host x509 set is created for the first time with that patch set merged. However, if the x509 set has already been created previously, then the contents of serial will still be 01 instead of 02.

- This patch checks if the hostcert.pm file exists and that the index.txt file is empty, and then increments the serial content from 01 to 02. This means that when the x509 set is regenerated, the system will not complain that 01 cannot be used as it has already been revoked, but will use 02 for the new host, and everything works fine after that.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/rootfiles/core/194/update.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/rootfiles/core/194/update.sh b/config/rootfiles/core/194/update.sh
index e1e9dde9b..2ab4ca2a2 100644
--- a/config/rootfiles/core/194/update.sh
+++ b/config/rootfiles/core/194/update.sh
@@ -103,6 +103,11 @@ ldconfig
 # Filesytem cleanup
 /usr/local/bin/filesystem-cleanup
 
+# Increment ipsec serial file if x509 certificates present and no content in index.txt
+if [ -e /var/ipfire/certs/hostcert.pm ] && [ -z /var/ipfire/certs/index.txt]; then
+	sed -i "s/01/02/" /var/ipfire/certs/serial
+fi
+
 # Start services
 /etc/init.d/ipsec restart
 /etc/init.d/suricata restart
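Review bot: The second test on the `if` line does not check what the comment says, so the `sed` will never run on an upgraded system: `-z` tests whether a string is empty, and the literal path string is never empty; on top of that the closing `]` is glued to the path (`index.txt]`), so `[` complains about a missing `]` and returns a non-zero status, making the whole condition false. Use a file test for the empty index, e.g. `if [ -e /var/ipfire/certs/hostcert.pm ] && [ ! -s /var/ipfire/certs/index.txt ]; then` (`-s` is true for a non-empty file, so `! -s` matches the empty index.txt the commit message describes; note it is also true if the file is absent, so add `-f` if existence must be required). Consider anchoring the substitution as well, `sed -i "s/^01$/02/" /var/ipfire/certs/serial`, so that only a serial of exactly 01 is changed and any other value containing the digits 01 (such as 010 or 101) is left alone. Finally, please double-check that `hostcert.pm` is really the file name written by the x509 generation code; since the block is skipped whenever that path does not exist, a mismatch would silently disable the fix.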