unbound: Drop certificates for local control connection
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 17 Feb 2019 13:46:51 +0000 (13:46 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 17 Feb 2019 13:46:51 +0000 (13:46 +0000)
These are a cause of worry because they are sometimes generated with
an invalid timestamp and therefore render unbound unusable.

There is no strong reason to use self-signed certificates for extra
security here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/core/128/filelists/files
config/rootfiles/core/128/update.sh
config/unbound/unbound.conf
src/initscripts/system/unbound

index 1998a08..9a34f75 100644 (file)
@@ -5,8 +5,10 @@ var/ipfire/langs
 etc/rc.d/helper/aws-setup
 etc/rc.d/init.d/aws
 etc/rc.d/init.d/firewall
+etc/rc.d/init.d/unbound
 etc/ssl/openssl.cnf
 etc/sysctl.conf
+etc/unbound/unbound.conf
 srv/web/ipfire/cgi-bin/proxy.cgi
 usr/local/bin/xt_geoip_update
 var/ipfire/ovpn/openssl/ovpn.cnf
index dc185ed..99c036d 100644 (file)
@@ -62,6 +62,7 @@ if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
 fi
 /etc/init.d/sshd restart
 /etc/init.d/apache restart
+/etc/init.d/unbound restart
 
 # This update needs a reboot...
 touch /var/run/need_reboot
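Review bot: The update restarts unbound with the new configuration but leaves the now-unused key and certificate files from the previous setup on disk, so stale private key material stays in /etc/unbound with nothing referencing it. Since the unbound.conf change in this commit drops the four file paths, the update script is the natural place to remove them: `rm -f /etc/unbound/unbound_server.key /etc/unbound/unbound_server.pem` and `rm -f /etc/unbound/unbound_control.key /etc/unbound/unbound_control.pem`. The restart itself is unconditional and its exit status is not checked, which matches the neighbouring sshd and apache restarts, so that is consistent with the surrounding script.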
index 2cc5bab..e20c333 100644 (file)
@@ -83,12 +83,8 @@ server:
 
 remote-control:
        control-enable: yes
-       control-use-cert: yes
+       control-use-cert: no
        control-interface: 127.0.0.1
-       server-key-file: "/etc/unbound/unbound_server.key"
-       server-cert-file: "/etc/unbound/unbound_server.pem"
-       control-key-file: "/etc/unbound/unbound_control.key"
-       control-cert-file: "/etc/unbound/unbound_control.pem"
 
 # Import any local configurations
 include: "/etc/unbound/local.d/*.conf"
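Review bot: With `control-use-cert: no` the control channel on 127.0.0.1 no longer authenticates the client, so any local process that can open a loopback TCP connection to the control port (no `control-port` is set here, so the default applies) can issue unbound-control commands such as cache flushes or forwarder changes. If the intent is to avoid the certificate lifetime problem rather than to open the channel, a Unix domain socket keeps access bound to filesystem permissions: `control-interface: /run/unbound.ctl` (path illustrative), for which unbound ignores `control-use-cert` and uses no TLS at all. Either way a one-line comment above `control-use-cert: no` explaining why certificates were dropped, e.g. `# Certificates were generated with bad timestamps on some systems; control is loopback-only`, would keep the next maintainer from re-enabling them blindly.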
index 08007f5..2ef994e 100644 (file)
@@ -507,11 +507,6 @@ case "$1" in
 
                eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
-               # Create control keys at first run
-               if [ ! -r "/etc/unbound/unbound_control.key" ]; then
-                       unbound-control-setup -d /etc/unbound &>/dev/null
-               fi
-
                # Update configuration files
                write_tuning_conf
                write_forward_conf