From: Michael Tremer
Date: Sun, 17 Feb 2019 13:46:51 +0000 (+0000)
Subject: unbound: Drop certificates for local control connection
X-Git-Tag: v2.21-core128~18
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=9bc17600521eabca8238fc9116d1fae47800a6af;ds=sidebyside

unbound: Drop certificates for local control connection

These are a cause of worry because they are sometimes generated with an invalid timestamp and therefore render unbound being unusable. There is no strong reason to use self-signed certificates for extra security here.

Signed-off-by: Michael Tremer
---
diff --git a/config/rootfiles/core/128/filelists/files b/config/rootfiles/core/128/filelists/files
index 1998a08c01..9a34f756b6 100644
--- a/config/rootfiles/core/128/filelists/files
+++ b/config/rootfiles/core/128/filelists/files
@@ -5,8 +5,10 @@ var/ipfire/langs
 etc/rc.d/helper/aws-setup
 etc/rc.d/init.d/aws
 etc/rc.d/init.d/firewall
+etc/rc.d/init.d/unbound
 etc/ssl/openssl.cnf
 etc/sysctl.conf
+etc/unbound/unbound.conf
 srv/web/ipfire/cgi-bin/proxy.cgi
 usr/local/bin/xt_geoip_update
 var/ipfire/ovpn/openssl/ovpn.cnf
diff --git a/config/rootfiles/core/128/update.sh b/config/rootfiles/core/128/update.sh
index dc185ed705..99c036d600 100644
--- a/config/rootfiles/core/128/update.sh
+++ b/config/rootfiles/core/128/update.sh
@@ -62,6 +62,7 @@ if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
 fi
 /etc/init.d/sshd restart
 /etc/init.d/apache restart
+/etc/init.d/unbound restart
 # This update needs a reboot...
 touch /var/run/need_reboot
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 2cc5bab8a2..e20c3330d7 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
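Review bot: The added `/etc/init.d/unbound restart` in update.sh restarts the daemon with the new configuration, but nothing in this script removes the key and certificate files that earlier runs of `unbound-control-setup -d /etc/unbound` presumably left on existing installations, i.e. the four paths this commit drops from unbound.conf (`/etc/unbound/unbound_server.key`, `/etc/unbound/unbound_server.pem`, `/etc/unbound/unbound_control.key`, `/etc/unbound/unbound_control.pem`); the initscript hunk only stops creating them. Since the commit message says these files are sometimes generated with an invalid timestamp, leaving them on disk keeps unused private-key material around and invites a future config or script to pick them up again. A cleanup line before the restart would close that, e.g. `rm -f /etc/unbound/unbound_server.{key,pem} /etc/unbound/unbound_control.{key,pem}`, with a comment such as `# Control-connection certificates are no longer used (see unbound.conf)`.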
@@ -83,12 +83,8 @@ server:
 remote-control:
 control-enable: yes
- control-use-cert: yes
+ control-use-cert: no
 control-interface: 127.0.0.1
- server-key-file: "/etc/unbound/unbound_server.key"
- server-cert-file: "/etc/unbound/unbound_server.pem"
- control-key-file: "/etc/unbound/unbound_control.key"
- control-cert-file: "/etc/unbound/unbound_control.pem"
 # Import any local configurations
 include: "/etc/unbound/local.d/*.conf"
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 08007f50a3..2ef994e963 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -507,11 +507,6 @@ case "$1" in
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- # Create control keys at first run
- if [ ! -r "/etc/unbound/unbound_control.key" ]; then
- unbound-control-setup -d /etc/unbound &>/dev/null
- fi
-
 # Update configuration files
 write_tuning_conf
 write_forward_conf
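Review bot: With `control-use-cert: no` on the added line, the `remote-control` listener on `control-interface: 127.0.0.1` accepts commands from any process that can reach the loopback address, because the client certificate was the only authentication step and nothing in the hunk replaces it. The commit message frames the certificates as "extra security", but on a multi-service host they were the distinction between the init script and an arbitrary local account being able to drive unbound-control. If the installed Unbound version supports it, giving `control-interface` an absolute path makes the control channel a unix-domain socket whose access is governed by filesystem permissions instead of TLS, e.g. `control-interface: /var/run/unbound.ctl` (example path, adjust to the distribution's runtime directory). If the loopback port is kept, a comment above the new line such as `# No TLS on the control port: any local process can issue control commands` would record the trade-off for the next maintainer.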