vpnmain.cgi: Fixes bug13737 - remove unneeded &cleanssldatabase calls
authorAdolf Belka <adolf.belka@ipfire.org>
Tue, 1 Apr 2025 18:07:57 +0000 (20:07 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 2 Apr 2025 09:57:08 +0000 (09:57 +0000)
- This first part removes all usages of &cleanssldatabase with the client certificates.
   This is not needed here. If used then the serial number would be moved back to 01 when
   an existing client certificate is removed or a new one created, even if no errors
   occurred.
- The usage of &cleanssldatabase has also been removed from the root/host cert creation
   if it was successful, otherwise the index file is moved back to being empty and the
   serial file to containing 01.
- The only usage now of the &cleanssldatabase is for when the root/host cert set is
   being created or if an uploaded cert has been checked as good to install.
- This now means that each time a new client certificate is created the serial number
   is incremented.
- The removal of the x509 root/host cert also unlinks all .pem files in the certs
   directory and therefore also all the 01.pem, 02.pem etc files so the
   &cleanssldatabase routine no longer needs to unlink the 01.pem file
- The &newcleanssldatabase script is no longer needed, as the &cleanssldatabase commands
   used covers the required cleaning, so it has been removed.
- This patch together with the others from this set have been tested out on my vm system
   and I was able to create a new root/host cert set and then new client certs and make
   an ipsec certificate connection successfully. I could then renew the host cert and
   the client connection still worked.

Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/vpnmain.cgi

index e30506fdfb2c41c8cdd074855f10b8610f73eb2b..85119a81d6b7050fe57b52ca8f04fa84d3ac7e68 100644 (file)
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -200,27 +200,6 @@ sub cleanssldatabase {
        unlink ("${General::swroot}/certs/index.txt.old");
        unlink ("${General::swroot}/certs/index.txt.attr.old");
        unlink ("${General::swroot}/certs/serial.old");
-       unlink ("${General::swroot}/certs/01.pem");
-}
-sub newcleanssldatabase {
-       if (! -s "${General::swroot}/certs/serial" ) {
-               open(FILE, ">${General::swroot}/certs/serial");
-               print FILE "01";
-               close FILE;
-       }
-       if (! -s ">${General::swroot}/certs/index.txt") {
-               open(FILE, ">${General::swroot}/certs/index.txt");
-               close(FILE);
-       }
-       if (! -s ">${General::swroot}/certs/index.txt.attr") {
-               open(FILE, ">${General::swroot}/certs/index.txt.attr");
-               print FILE "unique_subject = yes";
-               close(FILE);
-       }
-       unlink ("${General::swroot}/certs/index.txt.old");
-       unlink ("${General::swroot}/certs/index.txt.attr.old");
-       unlink ("${General::swroot}/certs/serial.old");
-#      unlink ("${General::swroot}/certs/01.pem");             numbering evolves. Wrong place to delete
 }
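Review bot: Nothing left in cleanssldatabase states the precondition the commit message establishes, namely that this routine must only run when a fresh root/host certificate set is created or a validated upload is installed, so the call could easily be reintroduced on a client-certificate path later. Per the commit description the routine also resets the index file to empty and the serial file to 01, and on a client-certificate path that re-issues serial 01 under a CA that already has a certificate with that serial; a header comment would pin the invariant: `# Reset the CA database (index.txt, serial, *.old backups) to a fresh state. Call only when a new root/host certificate set is created or a checked upload is installed; calling it after a client certificate is issued re-uses serial numbers already assigned under this CA.` The sub's header line and the index/serial reset lie above this hunk, so the comment belongs at the `sub cleanssldatabase {` line outside it. The three remaining `unlink` calls also ignore their return value; since a missing `.old` file is the normal case, that is acceptable, but a comment saying so would make it explicit.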
 
 ###
@@ -889,8 +868,6 @@ END
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
        $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
 
-       &newcleanssldatabase();
-
        if (-f "${General::swroot}/ca/cacert.pem") {
                $errormessage = $Lang::tr{'valid root certificate already exists'};
                goto ROOTCERT_SKIP;
@@ -1004,7 +981,6 @@ END
                # IPFire can only import certificates
 
                &General::log("charon", "p12 import completed!");
-               &cleanssldatabase();
                goto ROOTCERT_SUCCESS;
 
        } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
@@ -1170,7 +1146,6 @@ END
 
                # Successfully build CA / CERT!
                if (!$errormessage) {
-                       &cleanssldatabase();
                        goto ROOTCERT_SUCCESS;
                }
 
@@ -1933,11 +1908,9 @@ END
                if ( $errormessage = &callssl ($opt) ) {
                        unlink ($filename);
                        unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
-                       &cleanssldatabase();
                        goto VPNCONF_ERROR;
                } else {
                        unlink ($filename);
-                       &cleanssldatabase();
                }
 
                $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
@@ -2220,7 +2193,6 @@ END
                } else {
                        unlink ($v3extname);
                        unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
-                       &cleanssldatabase();
                }
 
                # Create the pkcs12 file