From patchwork Tue Jan 30 17:45:42 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 7514
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdd2cLdz3xPk
	for <patchwork@web04.haj.ipfire.org>; Tue, 30 Jan 2024 17:45:57 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdZ1DBmz2T1;
	Tue, 30 Jan 2024 17:45:54 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4TPXdY5My4z32jB;
	Tue, 30 Jan 2024 17:45:53 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdW2gKJz30F7
	for <development@lists.ipfire.org>; Tue, 30 Jan 2024 17:45:51 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature ECDSA (secp384r1) client-digest SHA384)
	(Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdV3BqKz1FC;
	Tue, 30 Jan 2024 17:45:50 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
	id 4TPXdR6r63zThHT; Tue, 30 Jan 2024 17:45:47 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 1/3] vpnmain.cgi: Do not use a bad source for randomness
Date: Tue, 30 Jan 2024 17:45:42 +0000
Message-Id: <20240130174544.3986725-1-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Message-ID-Hash: QR23L5JC3GQE6JBQ2AE56FLZLB3NF3FK
X-Message-ID-Hash: QR23L5JC3GQE6JBQ2AE56FLZLB3NF3FK
X-MailFrom: root@michael.haj.ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Michael Tremer <michael.tremer@ipfire.org>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/QR23L5JC3GQE6JBQ2AE56FLZLB3NF3FK/>
List-Archive: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 53507305f..8b05a0de7 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2141,7 +2141,7 @@ END
 		&General::log("ipsec", "Creating a cert...");
 
 		if (open(STDIN, "-|")) {
-			my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
+			my $opt = " req -nodes";
 			$opt .= " -newkey rsa:4096";
 			$opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
 			$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";

From patchwork Tue Jan 30 17:45:43 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 7513
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdd2CJcz3xN2
	for <patchwork@web04.haj.ipfire.org>; Tue, 30 Jan 2024 17:45:57 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdY5NLwzlg;
	Tue, 30 Jan 2024 17:45:53 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4TPXdY3mTLz32j1;
	Tue, 30 Jan 2024 17:45:53 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdW2dcCz2xcF
	for <development@lists.ipfire.org>; Tue, 30 Jan 2024 17:45:51 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdV5b02zLW;
	Tue, 30 Jan 2024 17:45:50 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
	id 4TPXdV35v1zThPd; Tue, 30 Jan 2024 17:45:47 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 2/3] vpnmain.cgi: Return the entire error message if OpenSSL
 fails
Date: Tue, 30 Jan 2024 17:45:43 +0000
Message-Id: <20240130174544.3986725-2-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240130174544.3986725-1-michael.tremer@ipfire.org>
References: <20240130174544.3986725-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Message-ID-Hash: DJPB6VK6UPL2A3ZYKGZRHWFNB4P2NPTI
X-Message-ID-Hash: DJPB6VK6UPL2A3ZYKGZRHWFNB4P2NPTI
X-MailFrom: root@michael.haj.ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Michael Tremer <michael.tremer@ipfire.org>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/DJPB6VK6UPL2A3ZYKGZRHWFNB4P2NPTI/>
List-Archive: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

The function did not evaluate the return code which is why it used a
hack to figure out if some output is an error or not.

This is being fixed in this commit and the entire output is being
returned if the return code is non-zero.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 8b05a0de7..d82e6b5c9 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -229,13 +229,14 @@ sub callssl ($) {
 	my $opt = shift;
 	my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
 	my $ret = '';
-	foreach my $line (split (/\n/, $retssl)) {
-		&General::log("ipsec", "$line") if (0); # 1 for verbose logging
-		$ret .= '<br>'.$line if ( $line =~ /error|unknown/ );
-	}
-	if ($ret) {
-		$ret= &Header::cleanhtml($ret);
+
+	if ($?) {
+		foreach my $line (split (/\n/, $retssl)) {
+			&General::log("ipsec", "$line") if (0); # 1 for verbose logging
+			$ret .= '<br>' . &Header::escape($line);
+		}
 	}
+
 	return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ;
 }
 ###

From patchwork Tue Jan 30 17:45:44 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 7515
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdf4hbvz3xN2
	for <patchwork@web04.haj.ipfire.org>; Tue, 30 Jan 2024 17:45:58 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdf0GMcz1c2;
	Tue, 30 Jan 2024 17:45:58 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4TPXdd6qfjz30sP;
	Tue, 30 Jan 2024 17:45:57 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdW2hYZz30sJ
	for <development@lists.ipfire.org>; Tue, 30 Jan 2024 17:45:51 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdV4qlPz1Fq;
	Tue, 30 Jan 2024 17:45:50 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
	id 4TPXdT4SdYzTgK3; Tue, 30 Jan 2024 17:45:49 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/3] vpnmain.cgi: Add option to regenerate the host
 certificate
Date: Tue, 30 Jan 2024 17:45:44 +0000
Message-Id: <20240130174544.3986725-3-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240130174544.3986725-1-michael.tremer@ipfire.org>
References: <20240130174544.3986725-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Message-ID-Hash: 56KHIYJ2DY7VLX5XT5N5IPI2SMLQWJDH
X-Message-ID-Hash: 56KHIYJ2DY7VLX5XT5N5IPI2SMLQWJDH
X-MailFrom: root@michael.haj.ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Michael Tremer <michael.tremer@ipfire.org>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/56KHIYJ2DY7VLX5XT5N5IPI2SMLQWJDH/>
List-Archive: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

This is necessary since we now have a much shorter lifetime for the host
certificate. However, it is complicated to do this is which is why we
are copying the previous certificate and generate a new CSR. This is
then signed.

A caveat of this patch is that we do not rollover the key.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/ssl/openssl.cnf   |  1 +
 doc/language_issues.de   |  1 +
 doc/language_issues.en   |  1 +
 doc/language_issues.es   |  1 +
 doc/language_issues.fr   |  1 +
 doc/language_issues.it   |  1 +
 doc/language_issues.nl   |  1 +
 doc/language_issues.pl   |  1 +
 doc/language_issues.ru   |  1 +
 doc/language_issues.tr   |  1 +
 doc/language_missings    |  8 ++++++
 html/cgi-bin/vpnmain.cgi | 54 +++++++++++++++++++++++++++++++++++++++-
 langs/en/cgi-bin/en.pl   |  1 +
 13 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
index 3b980fcd4..00c206ed8 100644
--- a/config/ssl/openssl.cnf
+++ b/config/ssl/openssl.cnf
@@ -23,6 +23,7 @@ default_md	= sha256
 preserve	= no
 policy		= policy_match
 email_in_dn	= no
+copy_extensions = copyall
 
 [ policy_match ]
 countryName		= optional
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4fd5a0819..fa0705e74 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -933,6 +933,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: optional = Optional
 WARNING: untranslated string: pakfire invalid tree = Invalid repository selected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.en b/doc/language_issues.en
index b4327cb78..88e66346b 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1578,6 +1578,7 @@ WARNING: untranslated string: red1 = RED
 WARNING: untranslated string: references = References
 WARNING: untranslated string: refresh = Refresh
 WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 45ffdf5d7..ab6b5a1e9 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -995,6 +995,7 @@ WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: openvpn cert expires soon = Expires Soon
 WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index cacfb1ec6..e6781362f 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -948,6 +948,7 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 68ff12c86..b21f15062 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1215,6 +1215,7 @@ WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index d1a637215..668df4fc3 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1237,6 +1237,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 893f73211..f4a29cb84 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1418,6 +1418,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 64c9b5095..4eface69a 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1413,6 +1413,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index eadbd33c7..d5f321dd8 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1125,6 +1125,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_missings b/doc/language_missings
index 28ae29c2b..2b70ef9f9 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -73,6 +73,7 @@
 < optional
 < quick control
 < random number generator daemon
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -117,6 +118,7 @@
 < invalid ip or hostname
 < openvpn cert expires soon
 < openvpn cert has expired
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < service boot setting unavailable
@@ -138,6 +140,7 @@
 < extrahd not mounted
 < g.dtm
 < g.lite
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < spec rstack overflow
@@ -523,6 +526,7 @@
 < reboot fsck
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -1063,6 +1067,7 @@
 < rdns
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -1943,6 +1948,7 @@
 < rebooting ipfire fsck
 < received
 < red1
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -2934,6 +2940,7 @@
 < rebooting ipfire fsck
 < received
 < red1
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -3405,6 +3412,7 @@
 < reboot fsck
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index d82e6b5c9..9173a85d8 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -866,6 +866,12 @@ END
 		exit(0);
 	}
 ###
+### Regenerate the host certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) {
+	$errormessage = &regenerate_host_certificate();
+
+###
 ### Form for generating/importing the caroot+host certificate
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
@@ -3612,7 +3618,12 @@ END
 			<input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
 			</form>
 		</td>
-		<td width='4%' $col2>&nbsp;</td></tr>
+		<td width='4%' align='center' $col2>
+			<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+				<input type='image' name='$Lang::tr{'regenerate host certificate'}' src='/images/reload.gif' alt='$Lang::tr{'regenerate host certificate'}' title='$Lang::tr{'regenerate host certificate'}' />
+				<input type='hidden' name='ACTION' value='$Lang::tr{'regenerate host certificate'}' />
+			</form>
+		</td></tr>
 END
 ;
 	} else {
@@ -3782,3 +3793,44 @@ sub make_subnets($$) {
 
 	return join(",", @cidr_nets);
 }
+
+sub regenerate_host_certificate() {
+	my $errormessage = "";
+
+	&General::log("ipsec", "Regenerating host certificate...");
+
+	# Create a CSR based on the existing certificate
+	my $opt = " x509 -x509toreq -copy_extensions copyall";
+	$opt .= " -signkey ${General::swroot}/certs/hostkey.pem";
+	$opt .= " -in ${General::swroot}/certs/hostcert.pem";
+	$opt .= " -out ${General::swroot}/certs/hostreq.pem";
+	$errormessage = &callssl($opt);
+
+	# Revoke the old certificate
+	if (!$errormessage) {
+		&General::log("ipsec", "Revoking the old host cert...");
+
+		my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem";
+		$errormessage = &callssl($opt);
+	}
+
+	# Sign the host certificate request
+	if (!$errormessage) {
+		&General::log("ipsec", "Self signing host cert...");
+
+		my $opt = " ca -md sha256 -days 825";
+		$opt .= " -batch -notext";
+		$opt .= " -in ${General::swroot}/certs/hostreq.pem";
+		$opt .= " -out ${General::swroot}/certs/hostcert.pem";
+		$errormessage = &callssl ($opt);
+
+		unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
+	}
+
+	# Reload the new certificate
+	if (!$errormessage) {
+		&General::system('/usr/local/bin/ipsecctrl', 'R');
+	}
+
+	return $errormessage;
+}
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 16a3061b4..5ac651e2f 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2208,6 +2208,7 @@
 'refresh' => 'Refresh',
 'refresh index page while connected' => 'Refresh index.cgi page while connected',
 'refresh update list' => 'Refresh update list',
+'regenerate host certificate' => 'Renew Host Certificate',
 'registered user rules' => 'Talos VRT rules for registered users',
 'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.',
 'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',