0001797: recreating SSL-cert (https) uses same serial-number

Please see now our new Bugtracker system: JIRA

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Tags

needs testing

Attached Files

httpd.txt [^] (6,314 bytes) 2009-04-18 16:15 [Show Content] [Hide Content]

#! /bin/bash
#
# httpd
#

# Source function library.
. /etc/init.d/functions

RETVAL=0

# See how we were called.

prog="httpd"
progdir="/usr/sbin"
pidfile="/var/run/$prog.pid"
option=""

. /etc/rc.d/efw_lib.sh
loadconf ${CONFIG_ROOT}/main/settings
loadconf ${CONFIG_ROOT}/ethernet/settings

# fifo exists ?
if [ ! -p /var/log/fifo/httpd_access ];then
    mkdir -p /var/log/fifo 2> /dev/null
    mkfifo /var/log/fifo/httpd_access
fi
chown nobody /var/log/fifo/httpd_access


prepare_cert() {
    if ( test -s /etc/httpd/server.key && test -s /etc/httpd/server.csr && test -s /etc/httpd/server.crt ); then
        return
    fi
    local HOSTNAME=$(hostname -f)
    # set temporary random file
    export RANDFILE=/root/.rnd
    echo "Generating https server key."
    openssl  genrsa -out \
        /etc/httpd/server.key 4096 >/dev/null 2>&1
    echo "Generating CSR"
    cat /etc/certparams | sed "s/HOSTNAME/${HOSTNAME}/" | openssl \
        req  -new -key /etc/httpd/server.key -out /etc/httpd/server.csr >/dev/null 2>&1
    echo "Signing certificate"
    openssl x509 -req -days 1826 -in \
        /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
        /etc/httpd/server.crt -sha1  >/dev/null 2>&1
    # unset and remove random file
    export -n RANDFILE
    rm -f /root/.rnd
}

cat >/etc/httpd/conf.d/hostname.conf <<EOF
ServerName ${HOSTNAME}
EOF

prepare_cert
cat >/etc/httpd/conf.d/green.conf <<EOF
Listen 80
EOF


new_cert() {
	echo -e "\033[1m\E[34;47m\nCreating new certificate and selfsigning it:\n" ; tput sgr0

	cur_time=`date -u "+%Y%m%d%k%M%S"`
	echo -e "\tcurrent UTC-time as in YYYYMMDDHHMMSS\t$cur_time"
	cur_time_local=`date`
	echo -e "\tcurrent LOCAL-time:\t\t\t$cur_time_local" 

        if ( test ! -d /etc/httpd/certs ); then
		FIRSTRUN=1

                echo -e	"\033[1m\E[34;47m\n\tthis is our first run" ; tput sgr0
                echo -e "\tcreating certs directory" \
                        && mkdir /etc/httpd/certs \
                        && echo -e "\tOK"
		echo -e "\nbacking up current:"
		mv /etc/httpd/server.key /etc/httpd/certs/server_$cur_time.key.BAK \
		&& echo -e "\tcreated backup of server.key to /etc/httpd/certs/server_$cur_time.key"

                mv /etc/httpd/server.csr /etc/httpd/certs/server_$cur_time.csr.BAK \
                && echo -e "\tcreated backup of server.key to /etc/httpd/certs/server_$cur_time.key.BAK"

                mv /etc/httpd/server.crt /etc/httpd/certs/server_$cur_time.crt.BAK \
                && echo -e "\tcreated backup of server.crt to /etc/httpd/certs/server_$cur_time.crt.BAK"

        fi

	new_key="/etc/httpd/certs/server_$cur_time.key"
	new_csr="/etc/httpd/certs/server_$cur_time.csr"
	new_cert="/etc/httpd/certs/server_$cur_time.crt"

	if ( test ! -f /etc/httpd/certs/serial.txt ); then
		echo "we have no serial-file"
		echo "creating a new one with serial # 1"
		echo "1" > /etc/httpd/certs/serial.txt
	else
                echo "we have a serial-file"
        fi
	        last_ser=$( grep -o "[0-9]\+"  /etc/httpd/certs/serial.txt)
                echo -e "\tlast serial was:\t" $last_ser
                new_ser=$(($last_ser + 1))
                echo -e "\tnew serial will have:\t\033[1m\E[34;47m" $new_ser ; tput sgr0

	local HOSTNAME=$(hostname -f)
	# set temporary random file
	export RANDFILE=/root/.rnd
	echo "Generating NEW https server key."
	# we use a keysize of 4096
	openssl  genrsa -out $new_key 4096 >/dev/null 2>&1

	echo "Generating NEW CSR"
	cat /etc/certparams | sed "s/HOSTNAME/${HOSTNAME}/" | openssl \
        req  -new -key $new_key -out $new_csr >/dev/null 2>&1

	echo "Signing NEW certificate"
	# we want the new cert to be valid for 5 years
	openssl x509 -req -days 1826 -in \
        $new_csr  -signkey $new_key -out \
        $new_cert -sha1  -set_serial $new_ser >/dev/null 2>&1

	# unset and remove random file
	export -n RANDFILE
	rm -f /root/.rnd

	echo "linking to new cert"
	# we need to do some cleanup:
	# the new files will be hard-linked so we unlink the current
	unlink /etc/httpd/server.crt >/dev/null 2>&1
	mv /etc/httpd/server.crt /etc/httpd/server_old.crt >/dev/null 2>&1
	ln  $new_cert /etc/httpd/server.crt 
	unlink /etc/httpd/server.key >/dev/null 2>&1
	mv /etc/httpd/server.key /etc/httpd/server_old.key >/dev/null 2>&1
	ln  $new_key /etc/httpd/server.key
	unlink /etc/httpd/server.csr >/dev/null 2>&1
	mv /etc/httpd/server.csr /etc/httpd/server_old.csr >/dev/null 2>&1
	ln  $new_csr /etc/httpd/server.csr 

	echo -e "\ninstalled the following new files"
	echo -e "\tprivate-key:\t $new_key"
	echo -e "\tsigning-req:\t $new_csr"
	echo -e "\tcert:\t\t $new_cert"

	# set the current serial
	echo $new_ser > /etc/httpd/certs/serial.txt

	echo -e "\nHere are our fingerprints:"
	openssl x509 -fingerprint -in /etc/httpd/server.crt -sha1 -noout
	openssl x509 -fingerprint -in /etc/httpd/server.crt -md5 -noout
	echo -e "\033[1m\E[34;47m\nTime-period:" ; tput sgr0
	openssl x509 -in /etc/httpd/server.crt -noout -dates
	echo -e "\n"
cat >/etc/httpd/conf.d/hostname.conf <<EOF
ServerName ${HOSTNAME}
EOF

}


start() {
        echo -n $"Starting $prog: "
        daemon $progdir/$prog $option
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        return $RETVAL
}

stop() {
        echo -n $"Stopping $prog: "
        # Would be better to send QUIT first, then killproc if that fails
        killproc $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        return $RETVAL
}

rhstatus() {
        status $prog
}

restart() {
        stop
        start
}

reload() {
        echo -n $"Reloading $prog daemon configuration: "
        killproc $prog -HUP
        retval=$?
        echo
        return $RETVAL
}


case "$1" in
  new_cert)
	new_cert
	restart
	;;
  start)
	prepare_cert
        start
        ;;
  stop)
        stop
        ;;
  restart)
	prepare_cert
        restart
        ;;
  reload)
        reload
        ;;
  status)
        rhstatus
        ;;
  condrestart)
        status $prog && restart || :
        ;;
  condstop)
        status $prog && stop || :
        ;;
  condstart)
	status $prog 2>&1 >/dev/null|| start
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|reload|restart|condstart|condrestart|condstop}"
        exit 1
esac

exit $?

Relationships

Notes
(0002159) mike-f (updater) 2009-04-18 16:17	we made some configurations to the default /etc/init.d/httpd new certificates can be issued by running /etc/init.d/httpd new_cert

(0002160) mike-f (updater) 2009-04-18 16:43	if you need a different serial number assigned to the certificate run mkdir /etc/httpd/certs then a echo XXX > /etc/httpd/certs/serial.txt with XXX beeing the current ("bad") serial number and to create the new clean cert /etc/init.d/httpd new_cert

(0002359) luca-endian (developer) 2009-05-19 07:36	I can confirm this issue, it happened some times in the past, probably after a factory default, if I remember correctly

Issue History
Date Modified	Username	Field	Change
2009-04-18 10:25	mike-f	New Issue
2009-04-18 16:15	mike-f	File Added: httpd.txt
2009-04-18 16:17	mike-f	Note Added: 0002159
2009-04-18 16:43	mike-f	Note Added: 0002160
2009-04-18 16:46	mike-f	Tag Attached: needs testing
2009-05-19 07:36	luca-endian	Note Added: 0002359
2010-09-21 10:57	peter-endian	Status	new => confirmed
2010-09-21 10:57	peter-endian	Target Version	=> future
2011-02-02 11:19	lorenzo-endian	Customer Occurencies	=> 0
2011-02-02 11:19	lorenzo-endian	Assigned To	=> peter-endian
2011-02-18 16:28	ra-endian	Severity	major => minor