From patchwork Sun Mar 2 19:14:30 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8505
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/2] vpnmain.cgi: Fixes bug13737 - increments the serial number to allow cert regen
Date: Sun, 2 Mar 2025 20:14:30 +0100
Message-ID: <20250302191431.20813-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- When the regeneration is carried out the existing cert, with serial number 01, is revoked, but when the new cert is created the serial number is still 01, causing error messages about the new cert being revoked.
- This patch increments the serial number from 01 to 02 after the initial root/host certificate set is created.
- Then when the old cert is revoked the new one uses serial number 02 but also automatically increments it again. So all future regenerations work without problems.
- Tested out on a physical IPFire system.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index a1d0f0e2a..fe14b38f0 100755
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1241,6 +1241,13 @@ END exit(0); ROOTCERT_SUCCESS: + +# Increment the serial number to 02 after root and host certificates are +# created so that cert regeneration works. + open(FILE, ">${General::swroot}/certs/serial"); + print FILE "02"; + close FILE; + if (&vpnenabled) { &General::system('/usr/local/bin/ipsecctrl', 'S'); sleep $sleepDelay;
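Review bot: the new block at ROOTCERT_SUCCESS has no error handling: `open(FILE, ">${General::swroot}/certs/serial");` ignores a failed open, and `print FILE "02";` then writes to an unopened handle, so a permissions or disk problem leaves the old serial in place and bug13737 reappears with nothing in the log to explain it; use `open(...) or ...` and feed `$!` into $errormessage the way the surrounding code does for the certificate moves. Hard-coding "02" also assumes that exactly one certificate (the host cert, serial 01) has been issued from the CA when the label is reached, yet ROOTCERT_SUCCESS is also reached by `goto ROOTCERT_SUCCESS` at the end of the p12 import path (visible in patch 2/2 at the @@ -997 hunk, after `&cleanssldatabase();`); please confirm that overwriting the serial there is intended, and consider reading the current serial and incrementing it instead of writing a constant, since reissuing a serial that is already in the CRL is exactly the failure the patch is fixing.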
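Added example, not part of the patch or of IPFire's vpnmain.cgi: a helper that reads the existing serial file, increments it and writes it back atomically, so the counter never has to be hard-coded and every regeneration gets a serial that is not already in the CRL, whatever the CA has issued before. The function name `bump_serial`, the lock file name `serial.lock` and the scratch directory are assumptions for the demonstration; the serial contents are constructed input.

```perl
#!/usr/bin/perl
# Added example, not IPFire code: read-increment-write of an OpenSSL-style
# serial file. Function name, lock file and scratch directory are assumptions.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);
use Math::BigInt;

# Increment the hex serial stored in $path and return the new value.
# An exclusive lock is held for the whole read-modify-write so that two
# concurrent CGI requests cannot both read "01" and both issue serial 02.
sub bump_serial {
    my ($path) = @_;

    open(my $lock, '>>', "$path.lock") or die "cannot open $path.lock: $!";
    flock($lock, LOCK_EX) or die "cannot lock $path.lock: $!";

    my $cur = '00';                 # missing file: the first issued serial becomes 01
    if (-e $path) {
        open(my $in, '<', $path) or die "cannot read $path: $!";
        local $/;                   # slurp the whole file
        $cur = <$in> // '';
        close $in;
        $cur =~ s/\s+//g;
        die "$path does not hold a hex serial: '$cur'"
            unless $cur =~ /^[0-9A-Fa-f]+$/;
    }

    # BigInt keeps the arithmetic correct for long (e.g. 159-bit random) serials.
    my $next = uc Math::BigInt->from_hex("0x$cur")->badd(1)->as_hex;
    $next =~ s/^0X//;
    $next = "0$next" if length($next) % 2;   # OpenSSL expects an even digit count

    # Write a temp file and rename it, so a crash never leaves an empty serial file.
    my $tmp = "$path.$$.tmp";
    open(my $out, '>', $tmp) or die "cannot write $tmp: $!";
    print {$out} "$next\n" or die "cannot write $tmp: $!";
    close($out) or die "cannot close $tmp: $!";
    rename($tmp, $path) or die "cannot rename $tmp to $path: $!";

    return $next;                   # lock is released when $lock goes out of scope
}

# Demonstration on a scratch copy (constructed input, not a real IPFire system).
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/serial";

open(my $fh, '>', $file) or die $!;
print {$fh} "01\n";                 # state after the initial host certificate is signed
close $fh;

printf "%s\n", bump_serial($file);  # first regeneration
printf "%s\n", bump_serial($file);  # second regeneration still gets a fresh serial

open($fh, '>', $file) or die $!;
print {$fh} "FF\n";                 # carry across a byte boundary
close $fh;
printf "%s\n", bump_serial($file);
```

Run as-is the three calls yield 02, 03 and 0100. The lock matters because vpnmain.cgi can be invoked by two administrators (or two browser tabs) at once; without it both requests can read the same value and the second signing again collides with a serial that is about to be revoked.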
From patchwork Sun Mar 2 19:14:31 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8506
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 2/2] vpnmain.cgi: Change the log name from "ipsec" to "charon"
Date: Sun, 2 Mar 2025 20:14:31 +0100
Message-ID: <20250302191431.20813-2-adolf.belka@ipfire.org>
In-Reply-To: <20250302191431.20813-1-adolf.belka@ipfire.org>
References: <20250302191431.20813-1-adolf.belka@ipfire.org>

- The use of "ipsec" currently means that none of these messages are shown in the system log with IPSec selected, as that is looking for charon.
- This patch changes all "ipsec" entries in this file to "charon".
- This results in the log messages for generation and regeneration of the root/host certificate set being shown in the system log. Without this, the messages log has to be searched from the command line with grep.
- Tested out on a physical IPFire system.

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 58 ++++++++++++++++++++--------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index fe14b38f0..c9bbbb494 100755
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -233,7 +233,7 @@ sub callssl ($) { if ($?) { foreach my $line (split (/\n/, $retssl)) { - &General::log("ipsec", "$line") if (0); # 1 for verbose logging + &General::log("charon", "$line") if (0); # 1 for verbose logging $ret .= '
' . &Header::escape($line); } } @@ -244,7 +244,7 @@ sub callssl ($) { ### Obtain a CN from given cert ### sub getCNfromcert ($) { - #&General::log("ipsec", "Extracting name from $_[0]..."); + #&General::log("charon", "Extracting name from $_[0]..."); my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; $temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/; $temp = $1; @@ -258,7 +258,7 @@ sub getCNfromcert ($) { ### Obtain Subject from given cert ### sub getsubjectfromcert ($) { - #&General::log("ipsec", "Extracting subject from $_[0]..."); + #&General::log("charon", "Extracting subject from $_[0]..."); my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; $temp =~ /Subject: (.*)[\n]/; $temp = $1; @@ -906,7 +906,7 @@ END } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - &General::log("ipsec", "Importing from p12..."); + &General::log("charon", "Importing from p12..."); unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; @@ -921,7 +921,7 @@ END } # Extract the CA certificate from the file - &General::log("ipsec", "Extracting caroot from p12..."); + &General::log("charon", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { my $opt = " pkcs12 -legacy -cacerts -nokeys"; $opt .= " -in $filename"; @@ -934,7 +934,7 @@ END # Extract the Host certificate from the file if (!$errormessage) { - &General::log("ipsec", "Extracting host cert from p12..."); + &General::log("charon", "Extracting host cert from p12..."); if (open(STDIN, "-|")) { my $opt = " pkcs12 -legacy -clcerts -nokeys"; $opt .= " -in $filename"; @@ -948,7 +948,7 @@ END # Extract the Host key from the file if (!$errormessage) { - &General::log("ipsec", "Extracting private key from p12..."); + &General::log("charon", "Extracting private key from p12..."); if (open(STDIN, "-|")) { my $opt = " pkcs12 -legacy -nocerts -nodes"; $opt .= " -in $filename"; 
@@ -961,21 +961,21 @@ END } if (!$errormessage) { - &General::log("ipsec", "Moving cacert..."); + &General::log("charon", "Moving cacert..."); unless(move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; } } if (!$errormessage) { - &General::log("ipsec", "Moving host cert..."); + &General::log("charon", "Moving host cert..."); unless(move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; } } if (!$errormessage) { - &General::log("ipsec", "Moving private key..."); + &General::log("charon", "Moving private key..."); unless(move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; } @@ -997,7 +997,7 @@ END # the private key for this CAROOT # IPFire can only import certificates - &General::log("ipsec", "p12 import completed!"); + &General::log("charon", "p12 import completed!"); &cleanssldatabase(); goto ROOTCERT_SUCCESS; @@ -1083,7 +1083,7 @@ END # Create the CA certificate if (!$errormessage) { - &General::log("ipsec", "Creating cacert..."); + &General::log("charon", "Creating cacert..."); if (open(STDIN, "-|")) { my $opt = " req -x509 -sha256 -nodes"; $opt .= " -days 3650"; @@ -1106,7 +1106,7 @@ END # Create the Host certificate request if (!$errormessage) { - &General::log("ipsec", "Creating host cert..."); + &General::log("charon", "Creating host cert..."); if (open(STDIN, "-|")) { my $opt = " req -sha256 -nodes"; $opt .= " -newkey rsa:4096"; @@ -1129,7 +1129,7 @@ END # Sign the host certificate request if (!$errormessage) { - &General::log("ipsec", "Self signing host cert..."); + &General::log("charon", "Self signing host cert..."); #No easy way for specifying the contain of subjectAltName without writing a config file... my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); 
@@ -1156,7 +1156,7 @@ END # Create an empty CRL if (!$errormessage) { - &General::log("ipsec", "Creating emptycrl..."); + &General::log("charon", "Creating emptycrl..."); my $opt = " ca -gencrl"; $opt .= " -out ${General::swroot}/crls/cacrl.pem"; $errormessage = &callssl ($opt); @@ -1925,7 +1925,7 @@ END } # Sign the certificate request - &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); + &General::log("charon", "Signing your cert $cgiparams{'NAME'}..."); my $opt = " ca -md sha256 -days 825"; $opt .= " -batch -notext"; $opt .= " -in $filename"; @@ -1947,7 +1947,7 @@ END goto VPNCONF_ERROR; } } elsif ($cgiparams{'AUTH'} eq 'pkcs12') { - &General::log("ipsec", "Importing from p12..."); + &General::log("charon", "Importing from p12..."); unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; @@ -1962,7 +1962,7 @@ END } # Extract the CA certificate from the file - &General::log("ipsec", "Extracting caroot from p12..."); + &General::log("charon", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { my $opt = " pkcs12 -legacy -cacerts -nokeys"; $opt .= " -in $filename"; @@ -1975,7 +1975,7 @@ END # Extract the Host certificate from the file if (!$errormessage) { - &General::log("ipsec", "Extracting host cert from p12..."); + &General::log("charon", "Extracting host cert from p12..."); if (open(STDIN, "-|")) { my $opt = " pkcs12 -legacy -clcerts -nokeys"; $opt .= " -in $filename"; @@ -1988,7 +1988,7 @@ END } if (!$errormessage) { - &General::log("ipsec", "Moving cacert..."); + &General::log("charon", "Moving cacert..."); #If CA have new subject, add it to our list of CA my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); my @names; 
@@ -2022,7 +2022,7 @@ END } } if (!$errormessage) { - &General::log("ipsec", "Moving host cert..."); + &General::log("charon", "Moving host cert..."); unless(move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; } @@ -2037,7 +2037,7 @@ END unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); goto VPNCONF_ERROR; } - &General::log("ipsec", "p12 import completed!"); + &General::log("charon", "p12 import completed!"); } elsif ($cgiparams{'AUTH'} eq 'certfile') { if ($cgiparams{'KEY'}) { $errormessage = $Lang::tr{'cant change certificates'}; @@ -2055,7 +2055,7 @@ END } # Verify the certificate has a valid CA and move it - &General::log("ipsec", "Validating imported cert against our known CA..."); + &General::log("charon", "Validating imported cert against our known CA..."); my $validca = 1; #assume ok my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/cacert.pem", "$filename"); if (! grep(/: OK/, @test)) { @@ -2160,7 +2160,7 @@ END (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; # Create the Client certificate request - &General::log("ipsec", "Creating a cert..."); + &General::log("charon", "Creating a cert..."); if (open(STDIN, "-|")) { my $opt = " req -nodes"; @@ -2187,7 +2187,7 @@ END } # Sign the client certificate request - &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); + &General::log("charon", "Signing the cert $cgiparams{'NAME'}..."); #No easy way for specifying the contain of subjectAltName without writing a config file... my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); 
@@ -2221,7 +2221,7 @@ END } # Create the pkcs12 file - &General::log("ipsec", "Packing a pkcs12 file..."); + &General::log("charon", "Packing a pkcs12 file..."); $opt = " pkcs12 -legacy -export"; $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; @@ -3834,7 +3834,7 @@ sub make_subnets($$) { sub regenerate_host_certificate() { my $errormessage = ""; - &General::log("ipsec", "Regenerating host certificate..."); + &General::log("charon", "Regenerating host certificate..."); # Create a CSR based on the existing certificate my $opt = " x509 -x509toreq -copy_extensions copyall"; @@ -3845,7 +3845,7 @@ sub regenerate_host_certificate() { # Revoke the old certificate if (!$errormessage) { - &General::log("ipsec", "Revoking the old host cert..."); + &General::log("charon", "Revoking the old host cert..."); my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem"; $errormessage = &callssl($opt); @@ -3853,7 +3853,7 @@ sub regenerate_host_certificate() { # Sign the host certificate request if (!$errormessage) { - &General::log("ipsec", "Self signing host cert..."); + &General::log("charon", "Self signing host cert..."); my $opt = " ca -md sha256 -days 825"; $opt .= " -batch -notext";
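Review bot: the line retagged in the @@ -233 callssl hunk is dead code: `&General::log("charon", "$line") if (0); # 1 for verbose logging` never executes, so OpenSSL's own error output still reaches neither syslog nor the IPSec log view, only the browser. Since the point of this patch is to make certificate operations visible in that view, consider replacing the `if (0)` with a settings-driven flag (or dropping the line) so that the reason a signing or revocation failed is recorded next to the "Creating ..." and "Signing ..." messages.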
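Review bot: the two retagged lines in the @@ -244 and @@ -258 hunks (getCNfromcert and getsubjectfromcert) are commented out, so the rename has no effect there; either drop them or uncomment them. While in those subs, note that they build a shell command by interpolating the argument into backticks: `/usr/bin/openssl x509 -text -in $_[0]`. The caller visible in this patch passes a fixed `/tmp/newcacert`, so there is no injection today, but the list form already used in the @@ -2055 hunk, `&General::system_output("/usr/bin/openssl", "verify", ...)`, bypasses the shell and would be the safer pattern should a user-derived path ever be passed.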
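Review bot: tagging messages written by the web UI as "charon" (first at the @@ -906 hunk, "Importing from p12...") makes them indistinguishable in syslog from lines written by the strongSwan charon daemon itself, so someone reading the IPSec log view can no longer tell a CGI-driven import or signing from daemon activity, which matters when reconstructing who changed the CA material. If the log viewer selects on the tag, either add the CGI's own tag to the viewer's filter, or keep "charon" but prefix the text (for example "vpnmain: Importing from p12...") so provenance survives the rename.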
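Review bot: the retagged messages in the @@ -1925 and @@ -2187 hunks interpolate the user-supplied connection name into the log line: `&General::log("charon", "Signing your cert $cgiparams{'NAME'}...");`. Now that these lines land in the IPSec log view, confirm that NAME has been validated (no newlines or control characters) before it reaches `&General::log`; otherwise a crafted name can insert fake daemon-looking lines into that view.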
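Review bot: while these lines are being touched, the message text in the @@ -1129 and @@ -3853 hunks is misleading: "Self signing host cert..." describes a certificate signed by the IPFire CA (the regenerate path runs `ca -md sha256 -days 825` right after it), not a self-signed one. "Signing host cert with CA..." would read correctly in the log view. Also in regenerate_host_certificate, the @@ -3845 hunk revokes the old host certificate before the new CSR is signed; if the revoke succeeds and the signing then fails, hostcert.pem is left revoked with no replacement, and only the browser sees $errormessage, so logging that error here as well would make the half-completed state visible in the log.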