Bug #2745
Certificate migration fails if "key" prop is missing
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-base | | |
| Target version: | v6.5 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.5-final | NEEDINFO: | No |
Description
If the origin configuration DB is missing key prop in modSSL key, the certificate migration fails.
This is an unsupported NethService case where the certificate has been re-generated with custom values, but the private key remains the same.
The key prop value, if missing, must be calculated from crt.
[ref Nethesis 2014050810000333, 2014052710000271]
# rpm -q nethserver-base
nethserver-base-2.2.1-1.ns6.noarch
Associated revisions
nethserver-base-migrate: fix modSSL migration of self-signed certs. Refs #2745
Applied patch from http://dev.nethserver.org/issues/2745#note-3
History
#1 Updated by Davide Principi about 7 years ago
- Description updated (diff)
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
The $key is empty on line 85 of nethserver-base-migrate.
This is a log of nethserver-base-migrate action:
Jul 2 12:24:45 srvng /etc/e-smith/events/migration-import/S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: OLD pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile||EmailAddress||KeyFile|
Jul 2 12:24:45 srvng /etc/e-smith/events/migration-import/S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile||EmailAddress||KeyFile|/etc/pki/tls/private/./
Jul 2 12:24:45 srvng /etc/e-smith/events/migration-import/S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: OLD pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile||EmailAddress||KeyFile|/etc/pki/tls/private/./
Jul 2 12:24:45 srvng /etc/e-smith/events/migration-import/S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile|/etc/pki/tls/certs/srvmail.sistematica.net.crt|EmailAddress||KeyFile|/etc/pki/tls/private/./
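One way to spot this symptom in a migration log, as an added example that is not part of the original issue or of nethserver-base: it parses the DB change lines shown above and flags file props whose final value has no file name, as KeyFile does there. The helper names, the list of path props and the sample lines are assumptions made for illustration.

```python
import posixpath
import re

# e-smith DB change log: "<db path>: OLD|NEW <key>=<type>|<prop>|<value>|..."
LINE_RE = re.compile(r"(?P<db>\S+): (?P<state>OLD|NEW) (?P<key>[^=\s]+)=(?P<rec>.*)$")
PATH_PROPS = ("KeyFile", "CrtFile", "ChainFile")  # assumed: props expected to name a file


def parse_record(rec):
    """Split 'type|prop|value|...' into (type, {prop: value})."""
    fields = rec.split("|")
    return fields[0], dict(zip(fields[1::2], fields[2::2]))


def final_records(lines):
    """Return the props of the last NEW state logged for each (db, key)."""
    state = {}
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("state") == "NEW":
            state[(m.group("db"), m.group("key"))] = parse_record(m.group("rec"))[1]
    return state


def bad_paths(lines):
    """Flag path props whose value is set but has no file name component."""
    findings = []
    for (_db, key), props in sorted(final_records(lines).items()):
        for prop in PATH_PROPS:
            value = props.get(prop, "")
            if value and posixpath.basename(value) in ("", ".", ".."):
                findings.append((key, prop, value))
    return findings


# Constructed sample, modelled on the migration log above (host name is a placeholder).
PREFIX = "Jul 2 12:24:45 srv S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: "
SAMPLE = [
    PREFIX + "OLD pki=configuration|CertificateDuration|3650|CrtFile||KeyFile|",
    PREFIX + "NEW pki=configuration|CertificateDuration|3650|CrtFile||KeyFile|/etc/pki/tls/private/./",
    PREFIX + "OLD pki=configuration|CertificateDuration|3650|CrtFile||KeyFile|/etc/pki/tls/private/./",
    PREFIX + "NEW pki=configuration|CertificateDuration|3650|CrtFile|/etc/pki/tls/certs/host.example.org.crt"
             "|KeyFile|/etc/pki/tls/private/./",
]

if __name__ == "__main__":
    for key, prop, value in bad_paths(SAMPLE):
        print(f"{key}: {prop} has no file name: {value}")
```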
#2 Updated by Giacomo Sanchietti about 7 years ago
The workaround is to set the key prop before starting the migration:
config setprop modSSL key /home/e-smith/ssl.key/<fqdn>.key
#3 Updated by Giacomo Sanchietti about 7 years ago
Please, try this fix to migration script:
[... patch applied ...]
#4 Updated by Davide Principi about 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
Tested the patch on a real environment. It works!
#5 Updated by Davide Principi about 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
#6 Updated by Davide Principi about 7 years ago
- Description updated (diff)
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-base-2.2.1-66.0git8ea791dd.ns6.noarch.rpm
#7 Updated by Davide Principi about 7 years ago
- Related to Feature #2719: Web UI: advanced network configuration added
#8 Updated by Davide Principi about 7 years ago
- Related to Enhancement #2734: Remove obsolete console and bootstrap-console commands added
#9 Updated by Davide Principi about 7 years ago
- Related to Bug #2772: Base: remove rsyslog.conf template added
#10 Updated by Davide Principi about 7 years ago
- Related to deleted (Feature #2719: Web UI: advanced network configuration )
#11 Updated by Davide Principi about 7 years ago
- Related to deleted (Enhancement #2734: Remove obsolete console and bootstrap-console commands)
#12 Updated by Davide Principi about 7 years ago
- Related to deleted (Bug #2772: Base: remove rsyslog.conf template)
#13 Updated by Davide Principi about 7 years ago
- Assignee set to Davide Principi
#14 Updated by Davide Principi about 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
#15 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-base-2.3.0-1.ns6.noarch.rpm