From 9064ba72fe03d324478b8c321f4368192e8f551c Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 22 Oct 2017 15:50:38 +0200 Subject: [PATCH] drop httpscert and merge to apache initskript Signed-off-by: Arne Fitzenreiter --- config/rootfiles/common/stage2 | 1 - config/rootfiles/common/x86_64/stage2 | 1 - config/rootfiles/core/115/filelists/files | 2 +- config/rootfiles/core/115/update.sh | 8 ++- src/initscripts/system/apache | 60 ++++++++++++++++++---- src/scripts/httpscert | 61 ----------------------- 6 files changed, 54 insertions(+), 79 deletions(-) delete mode 100644 src/scripts/httpscert diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 8c6dd40afd..a5ba6ae269 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -91,7 +91,6 @@ usr/local/bin/connscheduler usr/local/bin/consort.sh usr/local/bin/convert-ovpn usr/local/bin/hddshutdown -usr/local/bin/httpscert usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2 index 2897adc5e2..70a33d6591 100644 --- a/config/rootfiles/common/x86_64/stage2 +++ b/config/rootfiles/common/x86_64/stage2 @@ -93,7 +93,6 @@ usr/local/bin/connscheduler usr/local/bin/consort.sh usr/local/bin/convert-ovpn usr/local/bin/hddshutdown -usr/local/bin/httpscert usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash diff --git a/config/rootfiles/core/115/filelists/files b/config/rootfiles/core/115/filelists/files index 72c5e5fa10..d3e2958a7d 100644 --- a/config/rootfiles/core/115/filelists/files +++ b/config/rootfiles/core/115/filelists/files @@ -3,6 +3,7 @@ etc/issue etc/httpd/conf/vhosts.d/captive.conf etc/httpd/conf/vhosts.d/ipfire-interface.conf etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf +etc/rc.d/init.d/apache etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/captive/index.cgi srv/web/ipfire/cgi-bin/captive/logo.cgi 
@@ -16,7 +17,6 @@ srv/web/ipfire/html/captive usr/bin/captive-cleanup usr/local/bin/backupiso usr/local/bin/captivectrl -usr/local/bin/httpscert usr/local/bin/wirelessctrl var/ipfire/backup/include var/ipfire/captive diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/update.sh index 20f870d601..91bb808dbb 100644 --- a/config/rootfiles/core/115/update.sh +++ b/config/rootfiles/core/115/update.sh @@ -34,13 +34,14 @@ done # Stop services openvpnctrl -k openvpnctrl -kn2n - +/etc/rc.d/init.d/apache stop # Extract files extract_files # Remove files rm -vf \ + /usr/local/bin/httpscert \ /srv/web/ipfire/html/dial.cgi # update linker config @@ -49,11 +50,8 @@ ldconfig # Update Language cache /usr/local/bin/update-lang-cache -# generate ECDSA key on existing installations to prevent Apache from crashing -/usr/local/bin/httpscert new - # Start services -/etc/rc.d/init.d/apache2 restart +/etc/rc.d/init.d/apache2 start openvpnctrl -s openvpnctrl -sn2n diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache index 5dd39f939f..541141e3b1 100644 --- a/src/initscripts/system/apache +++ b/src/initscripts/system/apache 
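Review bot: The stop and start calls at the top and bottom of update.sh now name different scripts, `/etc/rc.d/init.d/apache stop` versus `/etc/rc.d/init.d/apache2 start`; if those are not the same file on the target system the web interface stays down after the update, and even if one is a symlink to the other the asymmetry reads like a typo, so use one name for both (`/etc/rc.d/init.d/apache stop` … `/etc/rc.d/init.d/apache start`). Dropping the explicit `httpscert new` step means the ECDSA key on existing installations is now created only as a side effect of that start call, and nothing here checks that it happened; a line such as `[ -s /etc/httpd/server-ecdsa.key ] || echo "WARNING: ECDSA key not generated" >&2` after the start would make a failed migration visible in the update log. The stop is also issued with the old init script (the new one is only extracted afterwards), which is fine but worth a one-line comment so the ordering is not "fixed" later. Both update.sh hunks are shown in full.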
@@ -7,18 +7,58 @@ . /etc/sysconfig/rc . $rc_functions +generate_certificates() { + if [ ! -f "/etc/httpd/server.key" ]; then + boot_mesg "Generating HTTPS RSA server key (this will take a moment)..." + openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null + evaluate_retval + fi + + if [ ! -f "/etc/httpd/server-ecdsa.key" ]; then + boot_mesg "Generating HTTPS ECDSA server key..." + openssl ecparam -genkey -name secp384r1 -noout \ + -out /etc/httpd/server-ecdsa.key &>/dev/null + evaluate_retval + fi + + # Generate RSA CSR + if [ ! -f "/etc/httpd/server.csr" ]; then + sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \ + openssl req -new -key /etc/httpd/server.key \ + -out /etc/httpd/server.csr &>/dev/null + fi + + # Generate ECDSA CSR + if [ ! -f "/etc/httpd/server-ecdsa.csr" ]; then + sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \ + openssl req -new -key /etc/httpd/server-ecdsa.key \ + -out /etc/httpd/server-ecdsa.csr &>/dev/null + fi + + if [ ! -f "/etc/httpd/server.crt" ]; then + boot_mesg "Signing RSA certificate..." + openssl x509 -req -days 999999 -sha256 \ + -in /etc/httpd/server.csr \ + -signkey /etc/httpd/server.key \ + -out /etc/httpd/server.crt &>/dev/null + evaluate_retval + fi + + if [ ! -f "/etc/httpd/server-ecdsa.crt" ]; then + boot_mesg "Signing ECDSA certificate..." + openssl x509 -req -days 999999 -sha256 \ + -in /etc/httpd/server-ecdsa.csr \ + -signkey /etc/httpd/server-ecdsa.key \ + -out /etc/httpd/server-ecdsa.crt &>/dev/null + evaluate_retval + fi +} + case "$1" in start) - if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then - /usr/local/bin/httpscert read >/dev/null 2>&1 - else - boot_mesg "Generating HTTPS host certificate (may take a couple of minutes)..." - /usr/local/bin/httpscert new >/dev/null 2>&1 - evaluate_retval - - # Make sure that the key is written to disk. - sync - fi + # Generate all required certificates + generate_certificates + boot_mesg "Starting Apache daemon..." 
/usr/sbin/apachectl -k start evaluate_retval diff --git a/src/scripts/httpscert b/src/scripts/httpscert deleted file mode 100644 index cae39fb74e..0000000000 --- a/src/scripts/httpscert +++ /dev/null 
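Review bot: The `[ ! -f … ]` guards in generate_certificates only test that a file exists, so an openssl invocation that fails or is interrupted mid-write (the two CSR steps have no evaluate_retval at all, and every error is hidden by `&>/dev/null`) can leave an empty server.key or server.csr that is never regenerated and breaks Apache on every later boot. Writing each artefact to a temporary name and renaming it into place only on success, guarded by `-s` instead of `-f`, avoids that, and the same step is the natural place to restrict the key files, since nothing here sets a mode and whether `openssl genrsa`/`ecparam -out` create them owner-only depends on the OpenSSL build in use. The `sync` the old start path ran after key generation was dropped without replacement; on flash-based installs it is worth keeping. `&>/dev/null` is also a bash-only redirection, which is only safe if this init script is guaranteed to run under bash rather than a POSIX sh. The sketch below shows the RSA key step; the ECDSA key, CSR and certificate steps follow the same pattern.
```shell
generate_certificates() {
	# Write each key to a temporary name under a private umask and rename it
	# into place only when openssl succeeded, so a failed or interrupted run
	# cannot leave an empty file that a bare -f test would accept forever.
	if [ ! -s "/etc/httpd/server.key" ]; then
		boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
		( umask 077 && openssl genrsa -out /etc/httpd/server.key.tmp 4096 &>/dev/null ) \
			&& mv -f /etc/httpd/server.key.tmp /etc/httpd/server.key
		evaluate_retval
		# Make sure the key actually reaches disk before anything signs with it.
		sync
	fi

	# … unchanged: ECDSA key, CSR and certificate steps (same -s guard and temp-file rename) …
}
```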
@@ -1,61 +0,0 @@ -#!/bin/sh -# -# new : generate new certificate -# read: read issuer in certificate and verify if it is the same as hostname - -# See how we were called. -case "$1" in - new) - if [ ! -f /etc/httpd/server.key ]; then - echo "Generating HTTPS RSA server key." - /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 - fi - if [ ! -f /etc/httpd/server-ecdsa.key ]; then - echo "Generating HTTPS ECDSA server key." - /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key - fi - - echo "Generating CSRs" - if [ ! -f /etc/httpd/server.csr ]; then - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - fi - if [ ! -f /etc/httpd/server-ecdsa.csr ]; then - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr - fi - - echo "Signing certificates" - if [ ! -f /etc/httpd/server.crt ]; then - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ - /etc/httpd/server.crt - fi - if [ ! 
-f /etc/httpd/server-ecdsa.crt ]; then - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ - /etc/httpd/server-ecdsa.crt - fi - ;; - read) - if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then - ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='` - HOSTNAME=`/bin/hostname -f` - if [ "$ISSUER" != "$HOSTNAME" ]; then - echo "Certificate issuer '$ISSUER' is not the same as the hostname '$HOSTNAME'" - echo "Probably host or domain name has been changed in setup" - echo "You could remake server certificate with '/usr/local/bin/httpscert new'" - exit 1 - else - echo "https certificate issuer match $HOSTNAME" - fi - else - echo "Certificate not found" - exit 1 - fi - ;; - *) - /bin/echo "Usage: $0 {read|new}" - exit 1 - ;; -esac -- 2.39.5