From 9f01011570be542e394503cb8a4c5184eb9be8d1 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 30 Jan 2024 17:45:44 +0000
Subject: [PATCH] vpnmain.cgi: Add option to regenerate the host certificate

This is necessary since we now have a much shorter lifetime for the host certificate. However, it is complicated to do this is which is why we are copying the previous certificate and generate a new CSR. This is then signed. A caveat of this patch is that we do not rollover the key.

Signed-off-by: Michael Tremer
---
 config/ssl/openssl.cnf | 1 +
 doc/language_issues.de | 1 +
 doc/language_issues.en | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.it | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 doc/language_missings | 8 ++++++
 html/cgi-bin/vpnmain.cgi | 54 +++++++++++++++++++++++++++++++++++++++-
 langs/en/cgi-bin/en.pl | 1 +
 13 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
index 3b980fcd40..00c206ed8e 100644
--- a/config/ssl/openssl.cnf
+++ b/config/ssl/openssl.cnf
@@ -23,6 +23,7 @@ default_md = sha256
 preserve = no
 policy = policy_match
 email_in_dn = no
+copy_extensions = copyall
 
 [ policy_match ]
 countryName = optional
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 56bd09414f..46fb9ee5a0 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
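Review bot: `copy_extensions = copyall` lands in the CA section that every `openssl ca` invocation using this file shares, so it is not limited to the new host-certificate renewal, and openssl-ca(1) warns that with `copyall` a request carrying `basicConstraints = CA:TRUE` is signed as a CA; the signing call this patch adds in vpnmain.cgi runs with `-batch`, so nobody looks at the certificate before it is issued. If any caller of this CA ever signs a request that was not generated on the firewall itself (an uploaded CSR, which this patch does not show either way), the mitigation the OpenSSL manual gives is `copy_extensions = copy` together with an explicit `basicConstraints = CA:FALSE` in the extensions section, so the configured value wins over whatever the request supplies. At minimum the line deserves a comment such as `# WARNING: extensions from the request are copied into the issued certificate; only sign locally generated requests` so the next person does not loosen this further by accident.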
@@ -939,6 +939,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: optional = Optional
 WARNING: untranslated string: pakfire invalid tree = Invalid repository selected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.en b/doc/language_issues.en
index c55a6fb2cf..86d5890f23 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1582,6 +1582,7 @@ WARNING: untranslated string: red1 = RED
 WARNING: untranslated string: references = References
 WARNING: untranslated string: refresh = Refresh
 WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.es b/doc/language_issues.es
index eef18d6e0a..30e20ae87d 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1001,6 +1001,7 @@ WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: openvpn cert expires soon = Expires Soon
 WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 36cd4944bc..a53358147c 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -954,6 +954,7 @@ WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
 WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 43bbd4a1f0..24efece2b4 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1219,6 +1219,7 @@ WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 761cda4a28..b6a65fad29 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1241,6 +1241,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 8b6e3efd0e..1a4f62870f 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1422,6 +1422,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 93ff3c636d..8da6fe4b6d 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1417,6 +1417,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 05c16e1c29..96fe71f7b5 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1129,6 +1129,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
 WARNING: untranslated string: release = Release
diff --git a/doc/language_missings b/doc/language_missings
index eb58bd3859..c92e1e6a36 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -78,6 +78,7 @@
 < optional
 < quick control
 < random number generator daemon
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -127,6 +128,7 @@
 < log drop hostile out
 < openvpn cert expires soon
 < openvpn cert has expired
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < service boot setting unavailable
@@ -153,6 +155,7 @@
 < hostile networks total
 < log drop hostile in
 < log drop hostile out
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < spec rstack overflow
@@ -542,6 +545,7 @@
 < reboot fsck
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -1086,6 +1090,7 @@
 < rdns
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -1970,6 +1975,7 @@
 < rebooting ipfire fsck
 < received
 < red1
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -2965,6 +2971,7 @@
 < rebooting ipfire fsck
 < received
 < red1
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -3440,6 +3447,7 @@
 < reboot fsck
 < rebooting ipfire fsck
 < received
+< regenerate host certificate
 < reiserfs warning1
 < reiserfs warning2
 < release
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index d82e6b5c94..9173a85d84 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -866,6 +866,12 @@ END
 	exit(0);
 }
 ###
+### Regenerate the host certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) {
+	$errormessage = ®enerate_host_certificate();
+
+###
 ### Form for generating/importing the caroot+host certificate
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
@@ -3612,7 +3618,12 @@ END -   + +
+ + +
+
 END
 ;
 } else {
@@ -3782,3 +3793,44 @@ sub make_subnets($$) {
 
 	return join(",", @cidr_nets);
 }
+
+sub regenerate_host_certificate() {
+	my $errormessage = "";
+
+	&General::log("ipsec", "Regenerating host certificate...");
+
+	# Create a CSR based on the existing certificate
+	my $opt = " x509 -x509toreq -copy_extensions copyall";
+	$opt .= " -signkey ${General::swroot}/certs/hostkey.pem";
+	$opt .= " -in ${General::swroot}/certs/hostcert.pem";
+	$opt .= " -out ${General::swroot}/certs/hostreq.pem";
+	$errormessage = &callssl($opt);
+
+	# Revoke the old certificate
+	if (!$errormessage) {
+		&General::log("ipsec", "Revoking the old host cert...");
+
+		my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem";
+		$errormessage = &callssl($opt);
+	}
+
+	# Sign the host certificate request
+	if (!$errormessage) {
+		&General::log("ipsec", "Self signing host cert...");
+
+		my $opt = " ca -md sha256 -days 825";
+		$opt .= " -batch -notext";
+		$opt .= " -in ${General::swroot}/certs/hostreq.pem";
+		$opt .= " -out ${General::swroot}/certs/hostcert.pem";
+		$errormessage = &callssl ($opt);
+
+		unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
+	}
+
+	# Reload the new certificate
+	if (!$errormessage) {
+		&General::system('/usr/local/bin/ipsecctrl', 'R');
+	}
+
+	return $errormessage;
+}
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 27831a4927..3246102ba5 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2212,6 +2212,7 @@
 'refresh' => 'Refresh',
 'refresh index page while connected' => 'Refresh index.cgi page while connected',
 'refresh update list' => 'Refresh update list',
+'regenerate host certificate' => 'Renew Host Certificate',
 'registered user rules' => 'Talos VRT rules for registered users',
 'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.',
 'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',
-- 
2.39.2