Enhancement #3435

Avoid certificate generation in certificate-update event

Added by Giacomo Sanchietti over 4 years ago. Updated over 4 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Category: nethserver-base
Target version: v6.8
Start date:
Due date:
% Done: 100%
Resolution:
NEEDINFO: No

Description

Every time the system executes the certificate-update event, the self-signed certificate is regenerated.

This implementation has some drawbacks:
- every time the Let's Encrypt script regenerates its own certificates, and consequently signals the certificate-update event, the built-in certificate changes too
- every time the built-in certificate changes, all released OpenVPN certificates become invalid as soon as openvpn daemon is restarted
- when the built-in certificate is expired, /etc/cron.daily/nethserver-check-certificate regenerates the certificate twice

Change current implementation:
- the certificate-update event must be used only to notify certificate changes
- avoid regeneration of built-in certificate on certificate-update event
- refactor the "Server certificate" page to directly call the generation script: /etc/e-smith/events/actions/nethserver-generate-certificate


Related issues

Copied to NethServer 6 - Bug #3438: Avoid certificate generation on Let's Encrypt renewal (CLOSED)

Associated revisions

Revision 6f1d652b
Added by Giacomo Sanchietti over 4 years ago

certificate-update: do not execute nethserver-generate-certificate Refs #3435

Revision 548ae62a
Added by Giacomo Sanchietti over 4 years ago

Web UI: use nethserver-generate-certificate. Refs #3435

History

#1 Updated by Giacomo Sanchietti over 4 years ago

  • Category set to nethserver-base
  • Status changed from NEW to TRIAGED
  • Target version set to v6.8
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

PR has been merged.

#5 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

In nethserver-testing:
- nethserver-base-2.11.2-1.3.g04c27b3.ns6.noarch.rpm

Test case 1
- Open the "Server certificate" page and make a change
- Verify /etc/pki/tls/certs/NSRV.crt has been updated:

stat /etc/pki/tls/certs/NSRV.crt
openssl x509 -noout -dates -in /etc/pki/tls/certs/NSRV.crt

Test case 2
- After test case 1, execute the certificate-update event: signal-event certificate-update
- Verify /etc/pki/tls/certs/NSRV.crt hasn't been changed

Test case 3
- Move the date of the server forward by 11 years
- Execute the cron job: /etc/cron.daily/nethserver-check-certificate
- Verify /etc/pki/tls/certs/NSRV.crt has been updated:

stat /etc/pki/tls/certs/NSRV.crt
openssl x509 -noout -dates -in /etc/pki/tls/certs/NSRV.crt
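
The three test cases above boil down to one question: did /etc/pki/tls/certs/NSRV.crt change after a given event? The script below is an added example, not part of this issue or of nethserver-base; it automates that check (content hash before and after, validity dates and fingerprint for the human reader, `openssl x509 -checkend` for the expiry condition of test case 3). The file name nsrv-cert-check.sh and the function names are assumptions; `signal-event` and the cron job path are taken from the issue text.

```shell
#!/bin/sh
# Added example (not part of the NethServer issue or its packages): automated
# verification for the certificate-update test cases. CERT defaults to the
# NethServer built-in certificate; override it to dry-run on any PEM file.
CERT="${CERT:-/etc/pki/tls/certs/NSRV.crt}"

# Content hash of the certificate file. A byte-identical PEM means the
# certificate was not regenerated; cksum is POSIX, so this needs no openssl.
cert_hash() {
    cksum < "$1" | cut -d' ' -f1
}

# Compare a previously recorded hash with the file's current hash.
# Returns 0 if the certificate changed, 1 if it is byte-identical.
cert_changed() {
    old="$1"; file="$2"
    [ "$old" != "$(cert_hash "$file")" ]
}

# Human-readable check used in the test cases: validity dates plus SHA-256
# fingerprint, so a regenerated certificate is obvious at a glance.
cert_report() {
    openssl x509 -noout -dates -fingerprint -sha256 -in "$1"
}

# Returns 0 if the certificate is still valid $2 seconds from now, 1 if it
# expires before then or is already expired (wraps openssl x509 -checkend).
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Run a command (typically an event) and report whether CERT changed.
# Usage: expect_cert unchanged signal-event certificate-update
#        expect_cert changed   /etc/cron.daily/nethserver-check-certificate
expect_cert() {
    want="$1"; shift
    before=$(cert_hash "$CERT")
    "$@"
    if cert_changed "$before" "$CERT"; then got=changed; else got=unchanged; fi
    if [ "$got" = "$want" ]; then
        echo "OK: $CERT $got after: $*"
    else
        echo "FAIL: expected $CERT $want, got $got after: $*" >&2
        return 1
    fi
}

# The test cases from the issue as a sequence for a NethServer 6 host.
# Test case 1 (a change in the "Server certificate" page) and the clock move
# of test case 3 are manual steps; only their verification is automated here.
run_test_cases() {
    echo "Current certificate:"; cert_report "$CERT"
    # Test case 2: the event must only notify, never regenerate
    expect_cert unchanged signal-event certificate-update
    # Test case 3: once expired, the daily cron job must regenerate it
    if cert_valid_for "$CERT" 0; then
        echo "Certificate not expired: move the clock forward before test case 3"
    else
        expect_cert changed /etc/cron.daily/nethserver-check-certificate
    fi
}

# Run the sequence only when explicitly asked; sourcing the file just defines
# the functions so each check can be used on its own.
case "${1:-}" in
    run) run_test_cases ;;
esac
```

On the server, `sh nsrv-cert-check.sh run` (after a change in the "Server certificate" page, and again after moving the date forward) walks through test cases 2 and 3; `CERT=/path/to/other.pem sh nsrv-cert-check.sh run` points the same checks at another certificate. Hashing the file rather than only comparing `-dates` matters because a regenerated self-signed certificate issued within the same second would show identical dates but a new key and fingerprint.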

#6 Updated by Davide Marini over 4 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

I made all the requested tests and they performed as expected.

#7 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released:
- nethserver-base-2.11.3-1.ns6.noarch.rpm

#8 Updated by Giacomo Sanchietti over 4 years ago

  • Copied to Bug #3438: Avoid certificate generation on Let's Encrypt renewal added
