From patchwork Tue Apr 29 14:42:19 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8648
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] backup.pl: Fix restores for ipsec backups before regen was fixed
Date: Tue, 29 Apr 2025 16:42:19 +0200
Message-ID: <20250429144219.33884-1-adolf.belka@ipfire.org>

- Prior to the ipsec host cert regen fix, the backup did not include the serial or the index.txt files.
- After the ipsec regen patch set, if a backup from before the change is restored then the serial and index.attr could end up not matching. This would break the ipsec regen again.
- All backups before the change will have hostcerts with serial numbers of 1.
- This patch extracts the serial number from the restored hostcert.pem. If the serial number is 1 and if the existing serial number file does not contain 02, then the serial file contents are replaced by 02 and the index.txt contents are deleted.
- If the restored hostcert.pem serial number is greater than 1 then the backup will contain the serial and index.txt files.
- If the restored hostcert.pem serial number is 1 and the serial file contains 02 then the ipsec regen will work correctly.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/backup/backup.pl | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 0cfbd4fc3..301faa3df 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -307,6 +307,18 @@ restore_backup() { # start collectd after restore /etc/rc.d/init.d/collectd start + # Check if ipsec hosctcert.pem serial number is 1 and if the serial file does not contain 02 + # In this case set the serial file to 02 and empty the index.txt file + ARR=() + while IFS= read -r line; do + ARR+=("$line") + done <<< "$(openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -text)" + if [ $(echo ${ARR[3]} | sed -E 's,^[^0-9]*([0-9]+).*$,\1,') = 1 ] && \ + [ $(expr $(cat "/var/ipfire/certs/serial") + 0) != 2 ]; then + sed -i "s/.*/02/" /var/ipfire/certs/serial + sed -i 'd' /var/ipfire/certs/index.txt + fi + # Restart ipsec if enabled # This will ensure that the restored certs and secrets etc are loaded and used if [ $(grep -c "ENABLED=on" /var/ipfire/vpn/settings) -eq 1 ] ; then
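Review bot: the serial comparison in the added `if` is fragile in two places and can silently skip the repair. First, `${ARR[3]}` assumes the `Serial Number:` line sits at a fixed position in the `openssl x509 -noout -text` output; that layout is not a stable interface, whereas `openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -serial` prints `serial=01` directly and needs no positional indexing. Second, `[ $(expr $(cat "/var/ipfire/certs/serial") + 0) != 2 ]` is unquoted and hands `expr` a value that is hexadecimal by OpenSSL convention: an empty or missing serial file, or a value such as `0A`, makes `expr` fail, the substitution expands to nothing, and `[` reports "unary operator expected", so the condition is false and nothing is fixed. Quote the expansion and compare the file contents as a string (or convert with bash's `$((16#...))`) instead. Related: `sed -i "s/.*/02/" /var/ipfire/certs/serial` writes nothing when the file is empty, because sed has no line to substitute on; `echo 02 > /var/ipfire/certs/serial` forces the value reliably. Minor: the comment reads `hosctcert.pem`.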