Bug #2745

Certificate migration fails if "key" prop is missing

Added by Davide Principi about 7 years ago. Updated almost 7 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-base
Target version: v6.5
Security class:
Resolution:
Affected version: v6.5-final
NEEDINFO: No

Description

If the origin configuration DB is missing the key prop in the modSSL key, the certificate migration fails.

This is an unsupported NethService case where the certificate has been re-generated with custom values, but the private key remains the same.

The key prop value, if missing, must be calculated from crt.

[ref. Nethesis 2014050810000333, 2014052710000271]

# rpm -q nethserver-base
nethserver-base-2.2.1-1.ns6.noarch

Associated revisions

Revision 8ea791dd
Added by Giacomo Sanchietti about 7 years ago

nethserver-base-migrate: fix modSSL migration of self-signed certs. Refs #2745

Applied patch from http://dev.nethserver.org/issues/2745#note-3

History

#1 Updated by Davide Principi about 7 years ago

  • Description updated (diff)
  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

The $key is empty on line 85 of nethserver-base-migrate.

This is a log of the nethserver-base-migrate action:

Jul  2 12:24:45 srvng /etc/e-smith/events/migration-import/S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: OLD pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile||EmailAddress||KeyFile|
Jul  2 12:24:45 srvng /etc/e-smith/events/migration-import/S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile||EmailAddress||KeyFile|/etc/pki/tls/private/./
Jul  2 12:24:45 srvng /etc/e-smith/events/migration-import/S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: OLD pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile||EmailAddress||KeyFile|/etc/pki/tls/private/./
Jul  2 12:24:45 srvng /etc/e-smith/events/migration-import/S20nethserver-base-migrate[61067]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile|/etc/pki/tls/certs/srvmail.sistematica.net.crt|EmailAddress||KeyFile|/etc/pki/tls/private/./
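
A post-migration check for the symptom visible in the log above, as an added example that is not part of this ticket or of nethserver-base-migrate: it reads `NEW pki=` log lines and flags any CrtFile, KeyFile or ChainFile value that is set but does not name a file. The function names and the sample lines (host srv.example.org) are constructed here, and treating an empty value as "not set" is an assumption.

```sh
#!/bin/sh
# Added example, not part of nethserver-base-migrate.

# Constructed log lines shaped like the migration log (placeholder host name).
sample_log() {
cat <<'EOF'
Jul  2 12:24:45 srv S20nethserver-base-migrate[1]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile||EmailAddress||KeyFile|/etc/pki/tls/private/./
Jul  2 12:24:45 srv S20nethserver-base-migrate[1]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CrtFile|/etc/pki/tls/certs/srv.example.org.crt|EmailAddress||KeyFile|/etc/pki/tls/private/./
EOF
}

# names_a_file PATH: true if PATH is absolute and ends in a real file name.
names_a_file() {
    case "$1" in /*) ;; *) return 1 ;; esac
    case "$1" in */|*/.|*/..) return 1 ;; esac
    return 0
}

# pki_prop RECORD PROP: print PROP's value from "key=type|prop|val|prop|val...".
pki_prop() {
    printf '%s\n' "$1" | awk -F'|' -v want="$2" '
        { for (i = 2; i < NF; i += 2) if ($i == want) { print $(i + 1); exit } }'
}

# bad_pki_props RECORD: print the path props that are set but name no file.
bad_pki_props() {
    bad=""
    for prop in CrtFile KeyFile ChainFile; do
        val=$(pki_prop "$1" "$prop")
        [ -z "$val" ] && continue   # assumption: empty means "not set"
        names_a_file "$val" || bad="$bad $prop"
    done
    printf '%s\n' "${bad# }"
}

# check_log: read log lines on stdin; return 1 if any NEW pki record is flagged.
check_log() {
    rc=0
    while IFS= read -r line; do
        case "$line" in *": NEW pki="*) ;; *) continue ;; esac
        flagged=$(bad_pki_props "${line#*: NEW }")
        if [ -n "$flagged" ]; then echo "bad path in $flagged: ${line#*: NEW }"; rc=1; fi
    done
    return $rc
}

sample_log | check_log || echo "migration left an unusable certificate path"
```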

#2 Updated by Giacomo Sanchietti about 7 years ago

The workaround is to set the key prop before starting the migration:

config setprop modSSL key /home/e-smith/ssl.key/<fqdn>.key

#3 Updated by Giacomo Sanchietti about 7 years ago

Please try this fix to the migration script:

[... patch applied ...]

#4 Updated by Davide Principi about 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

Tested the patch in a real environment. It works!

#5 Updated by Davide Principi about 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

#6 Updated by Davide Principi about 7 years ago

  • Description updated (diff)
  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-base-2.2.1-66.0git8ea791dd.ns6.noarch.rpm

#7 Updated by Davide Principi about 7 years ago

  • Related to Feature #2719: Web UI: advanced network configuration added

#8 Updated by Davide Principi about 7 years ago

  • Related to Enhancement #2734: Remove obsolete console and bootstrap-console commands added

#9 Updated by Davide Principi about 7 years ago

  • Related to Bug #2772: Base: remove rsyslog.conf template added

#10 Updated by Davide Principi about 7 years ago

  • Related to deleted (Feature #2719: Web UI: advanced network configuration )

#11 Updated by Davide Principi about 7 years ago

  • Related to deleted (Enhancement #2734: Remove obsolete console and bootstrap-console commands)

#12 Updated by Davide Principi about 7 years ago

  • Related to deleted (Bug #2772: Base: remove rsyslog.conf template)

#13 Updated by Davide Principi about 7 years ago

  • Assignee set to Davide Principi

#14 Updated by Davide Principi about 7 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

#15 Updated by Davide Principi almost 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-base-2.3.0-1.ns6.noarch.rpm
