core183: replace https rsa key if it is too small
authorArne Fitzenreiter <arne_f@ipfire.org>
Thu, 18 Jan 2024 17:02:10 +0000 (18:02 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Thu, 18 Jan 2024 17:02:10 +0000 (18:02 +0100)
The new openssl needs at least 2048-bit RSA keys for apache.
So if the existing one is smaller, a new 4096-bit key is generated.

fixes #13527

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
config/backup/backup.pl
config/rootfiles/core/183/filelists/files
config/rootfiles/core/183/update.sh

index 75a0e4f60c385bea6c477d8280d69b49dfb9f75d..7992f21c58aba352c1c3548c2103b8d2f9ad2d66 100644 (file)
@@ -229,6 +229,19 @@ restore_backup() {
        # Set correct ownership
        chown nobody:nobody /var/ipfire/ovpn/ovpnconfig
 
+       # Generate new HTTPS RSA key if the existing is too small
+       KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
+       if [ $KEYSIZE \< 2048 ]; then
+               openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+               chmod 600 /etc/httpd/server.key
+               sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
+                               openssl req -new -key /etc/httpd/server.key \
+                               -out /etc/httpd/server.csr &>/dev/null
+               openssl x509 -req -days 999999 -sha256 \
+                       -in /etc/httpd/server.csr \
+                       -signkey /etc/httpd/server.key \
+                       -out /etc/httpd/server.crt &>/dev/null
+       fi
        return 0
 }
 
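Review bot: `[ $KEYSIZE \< 2048 ]` in the added block of restore_backup() is a string comparison, not a numeric one, so a 512-bit key ("5" sorts after "2") is judged large enough and kept, while an empty KEYSIZE (openssl rsa failing on a missing or non-RSA key) makes `[` report "unary operator expected" and the block is skipped instead of taking a decision. Use a numeric test with an explicit guard: `if [ -n "$KEYSIZE" ] && [ "$KEYSIZE" -lt 2048 ]; then`. The identical test appears in the update.sh hunk and needs the same change. Separately, all three openssl calls discard their output and no exit status is checked, so a failed `genrsa` lets the following `req`/`x509` steps run against a missing key and the function still returns 0; chaining them with `&&` and echoing an error on failure would make a broken restore visible.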
index 8e58c6ec2aacb1bf376c73787f9450c3509e7461..42ddf682ebb23008b6a32aaf58c33ca9ac002997 100644 (file)
@@ -4,3 +4,4 @@ srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
 usr/local/bin/backupiso
+var/ipfire/backup/bin/backup.pl
index 3312608bc22f08a9c5ddae0472bfda0800220a55..5930ad324200a51d854670d39134d7aba8572cee 100644 (file)
@@ -128,6 +128,21 @@ if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
        /etc/rc.d/init.d/ipsec start
 fi
 
+# Check apache rsa key and replace if it is too small
+KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
+if [ $KEYSIZE \< 2048 ]; then
+       echo "Generating new HTTPS RSA server key (this will take a moment)..."
+       openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+       chmod 600 /etc/httpd/server.key
+       sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
+               openssl req -new -key /etc/httpd/server.key \
+                       -out /etc/httpd/server.csr &>/dev/null
+       openssl x509 -req -days 999999 -sha256 \
+               -in /etc/httpd/server.csr \
+               -signkey /etc/httpd/server.key \
+               -out /etc/httpd/server.crt &>/dev/null
+fi
+
 # Rebuild initial ramdisks
 dracut --regenerate-all --force
 KVER="xxxKVERxxx"
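Review bot: Failures inside the regeneration block are invisible — every openssl call sends both streams to /dev/null and no exit status is checked, so if `genrsa` fails the `req` and `x509` steps run against a missing key and the update continues with a web server that can no longer start TLS. Chaining the three commands with `&&` and reporting the failure, e.g. `... || echo "ERROR: could not regenerate the HTTPS server key"`, keeps the update log useful. The running httpd also keeps the old key and certificate loaded until it is restarted; unless a restart happens later in update.sh (outside this hunk), the new certificate is only served after a reboot, which is worth a comment on the block.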