vpnmain.cgi: Add option to regenerate the host certificate
This is necessary since we now have a much shorter lifetime for the host certificate. However, it is complicated to do this, which is why we copy the previous certificate and generate a new CSR. This is then signed. A caveat of this patch is that we do not roll over the key. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
parent
aa07e1bb3e
commit
9f01011570
|
@ -23,6 +23,7 @@ default_md = sha256
|
|||
preserve = no
|
||||
policy = policy_match
|
||||
email_in_dn = no
|
||||
copy_extensions = copyall
|
||||
|
||||
[ policy_match ]
|
||||
countryName = optional
|
||||
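Review bot: `copy_extensions = copyall` in the CA section makes `openssl ca` honour every extension carried by any request it signs, and with `copyall` a request extension replaces one the CA would otherwise set, so a request carrying `basicConstraints = CA:TRUE` or a different `keyUsage` would be issued exactly as submitted. That is what the locally generated `hostreq.pem` in this commit needs, but the setting applies to every request signed through this config; if any of those can come from outside the box (uploaded CSRs), `copy` plus explicit extensions in the CA's `x509_extensions` section is the safer choice, since `copy` never overrides an extension the CA sets itself. At minimum the reason should be recorded next to the line: `# copyall: the host certificate is renewed from a CSR derived from the old certificate, so its extensions must survive signing`.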
|
|
|
@ -939,6 +939,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae
|
|||
WARNING: untranslated string: no entries = No entries at the moment.
|
||||
WARNING: untranslated string: optional = Optional
|
||||
WARNING: untranslated string: pakfire invalid tree = Invalid repository selected
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: required = Required
|
||||
|
|
|
@ -1582,6 +1582,7 @@ WARNING: untranslated string: red1 = RED
|
|||
WARNING: untranslated string: references = References
|
||||
WARNING: untranslated string: refresh = Refresh
|
||||
WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: release = Release
|
||||
|
|
|
@ -1001,6 +1001,7 @@ WARNING: untranslated string: no data = unknown string
|
|||
WARNING: untranslated string: openvpn cert expires soon = Expires Soon
|
||||
WARNING: untranslated string: openvpn cert has expired = Expired
|
||||
WARNING: untranslated string: pakfire ago = ago.
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: route config changed = unknown string
|
||||
|
|
|
@ -954,6 +954,7 @@ WARNING: untranslated string: hostile networks total = Total Hostile Networks
|
|||
WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
|
||||
WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
|
||||
WARNING: untranslated string: pakfire ago = ago.
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: route config changed = unknown string
|
||||
|
|
|
@ -1219,6 +1219,7 @@ WARNING: untranslated string: rdns = rDNS
|
|||
WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
|
||||
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
|
||||
WARNING: untranslated string: received = Received
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: release = Release
|
||||
|
|
|
@ -1241,6 +1241,7 @@ WARNING: untranslated string: ptr = PTR
|
|||
WARNING: untranslated string: rdns = rDNS
|
||||
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
|
||||
WARNING: untranslated string: received = Received
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: required = Required
|
||||
|
|
|
@ -1422,6 +1422,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
|
|||
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
|
||||
WARNING: untranslated string: received = Received
|
||||
WARNING: untranslated string: red1 = RED
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: release = Release
|
||||
|
|
|
@ -1417,6 +1417,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
|
|||
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
|
||||
WARNING: untranslated string: received = Received
|
||||
WARNING: untranslated string: red1 = RED
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: release = Release
|
||||
|
|
|
@ -1129,6 +1129,7 @@ WARNING: untranslated string: ptr = PTR
|
|||
WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
|
||||
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
|
||||
WARNING: untranslated string: received = Received
|
||||
WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
|
||||
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
|
||||
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
|
||||
WARNING: untranslated string: release = Release
|
||||
|
|
|
@ -78,6 +78,7 @@
|
|||
< optional
|
||||
< quick control
|
||||
< random number generator daemon
|
||||
< regenerate host certificate
|
||||
< reiserfs warning1
|
||||
< reiserfs warning2
|
||||
< required
|
||||
|
@ -127,6 +128,7 @@
|
|||
< log drop hostile out
|
||||
< openvpn cert expires soon
|
||||
< openvpn cert has expired
|
||||
< regenerate host certificate
|
||||
< reiserfs warning1
|
||||
< reiserfs warning2
|
||||
< service boot setting unavailable
|
||||
|
@ -153,6 +155,7 @@
|
|||
< hostile networks total
|
||||
< log drop hostile in
|
||||
< log drop hostile out
|
||||
< regenerate host certificate
|
||||
< reiserfs warning1
|
||||
< reiserfs warning2
|
||||
< spec rstack overflow
|
||||
|
@ -542,6 +545,7 @@
|
|||
< reboot fsck
|
||||
< rebooting ipfire fsck
|
||||
< received
|
||||
< regenerate host certificate
|
||||
< reiserfs warning1
|
||||
< reiserfs warning2
|
||||
< release
|
||||
|
@ -1086,6 +1090,7 @@
|
|||
< rdns
|
||||
< rebooting ipfire fsck
|
||||
< received
|
||||
< regenerate host certificate
|
||||
< reiserfs warning1
|
||||
< reiserfs warning2
|
||||
< required
|
||||
|
@ -1970,6 +1975,7 @@
|
|||
< rebooting ipfire fsck
|
||||
< received
|
||||
< red1
|
||||
< regenerate host certificate
|
||||
< reiserfs warning1
|
||||
< reiserfs warning2
|
||||
< release
|
||||
|
@ -2965,6 +2971,7 @@
|
|||
< rebooting ipfire fsck
|
||||
< received
|
||||
< red1
|
||||
< regenerate host certificate
|
||||
< reiserfs warning1
|
||||
< reiserfs warning2
|
||||
< release
|
||||
|
@ -3440,6 +3447,7 @@
|
|||
< reboot fsck
|
||||
< rebooting ipfire fsck
|
||||
< received
|
||||
< regenerate host certificate
|
||||
< reiserfs warning1
|
||||
< reiserfs warning2
|
||||
< release
|
||||
|
|
|
@ -866,6 +866,12 @@ END
|
|||
exit(0);
|
||||
}
|
||||
###
|
||||
### Regenerate the host certificate
|
||||
###
|
||||
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) {
|
||||
$errormessage = ®enerate_host_certificate();
|
||||
|
||||
###
|
||||
### Form for generating/importing the caroot+host certificate
|
||||
###
|
||||
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
|
||||
|
@ -3612,7 +3618,12 @@ END
|
|||
<input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
|
||||
</form>
|
||||
</td>
|
||||
<td width='4%' $col2> </td></tr>
|
||||
<td width='4%' align='center' $col2>
|
||||
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
|
||||
<input type='image' name='$Lang::tr{'regenerate host certificate'}' src='/images/reload.gif' alt='$Lang::tr{'regenerate host certificate'}' title='$Lang::tr{'regenerate host certificate'}' />
|
||||
<input type='hidden' name='ACTION' value='$Lang::tr{'regenerate host certificate'}' />
|
||||
</form>
|
||||
</td></tr>
|
||||
END
|
||||
;
|
||||
} else {
|
||||
|
@ -3782,3 +3793,44 @@ sub make_subnets($$) {
|
|||
|
||||
return join(",", @cidr_nets);
|
||||
}
|
||||
|
||||
sub regenerate_host_certificate() {
|
||||
my $errormessage = "";
|
||||
|
||||
&General::log("ipsec", "Regenerating host certificate...");
|
||||
|
||||
# Create a CSR based on the existing certificate
|
||||
my $opt = " x509 -x509toreq -copy_extensions copyall";
|
||||
$opt .= " -signkey ${General::swroot}/certs/hostkey.pem";
|
||||
$opt .= " -in ${General::swroot}/certs/hostcert.pem";
|
||||
$opt .= " -out ${General::swroot}/certs/hostreq.pem";
|
||||
$errormessage = &callssl($opt);
|
||||
|
||||
# Revoke the old certificate
|
||||
if (!$errormessage) {
|
||||
&General::log("ipsec", "Revoking the old host cert...");
|
||||
|
||||
my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem";
|
||||
$errormessage = &callssl($opt);
|
||||
}
|
||||
|
||||
# Sign the host certificate request
|
||||
if (!$errormessage) {
|
||||
&General::log("ipsec", "Self signing host cert...");
|
||||
|
||||
my $opt = " ca -md sha256 -days 825";
|
||||
$opt .= " -batch -notext";
|
||||
$opt .= " -in ${General::swroot}/certs/hostreq.pem";
|
||||
$opt .= " -out ${General::swroot}/certs/hostcert.pem";
|
||||
$errormessage = &callssl ($opt);
|
||||
|
||||
unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
|
||||
}
|
||||
|
||||
# Reload the new certificate
|
||||
if (!$errormessage) {
|
||||
&General::system('/usr/local/bin/ipsecctrl', 'R');
|
||||
}
|
||||
|
||||
return $errormessage;
|
||||
}
|
||||
|
|
|
@ -2212,6 +2212,7 @@
|
|||
'refresh' => 'Refresh',
|
||||
'refresh index page while connected' => 'Refresh index.cgi page while connected',
|
||||
'refresh update list' => 'Refresh update list',
|
||||
'regenerate host certificate' => 'Renew Host Certificate',
|
||||
'registered user rules' => 'Talos VRT rules for registered users',
|
||||
'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.',
|
||||
'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',
|
||||
|
|