Enhancement #3435
Avoid certificate generation in certificate-update event
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-base | | |
| Target version: | v6.8 | | |
| Resolution: | | NEEDINFO: | No |
Description
Every time the system executes the certificate-update
event, the self-signed certificate is regenerated.
This implementation has some drawbacks:
- every time the Let's Encrypt script regenerates its own certificates, and consequently signals the certificate-update event, the built-in certificate changes as well
- every time the built-in certificate changes, all released OpenVPN certificates become invalid as soon as the openvpn daemon is restarted
- when the built-in certificate is expired, /etc/cron.daily/nethserver-check-certificate regenerates the certificate twice
Change current implementation:
- the certificate-update event must be used only to notify certificate changes
- avoid regeneration of built-in certificate on certificate-update event
- refactor the "Server certificate" page to directly call the generation script: /etc/e-smith/events/actions/nethserver-generate-certificate
Related issues
Associated revisions
certificate-update: do not execute nethserver-generate-certificate Refs #3435
Web UI: use nethserver-generate-certificate. Refs #3435
History
#1 Updated by Giacomo Sanchietti over 4 years ago
- Category set to nethserver-base
- Status changed from NEW to TRIAGED
- Target version set to v6.8
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti over 4 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti over 4 years ago
Pull request:
https://github.com/NethServer/nethserver-base/pull/69
See also related issue on NS 7: https://github.com/NethServer/dev/issues/5174
#4 Updated by Giacomo Sanchietti over 4 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
PR has been merged.
#5 Updated by Giacomo Sanchietti over 4 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
In nethserver-testing:
- nethserver-base-2.11.2-1.3.g04c27b3.ns6.noarch.rpm
Test case 1
- Open the "Server certificate" page and make a change
- Verify /etc/pki/tls/certs/NSRV.crt has been updated:
  stat /etc/pki/tls/certs/NSRV.crt
  openssl x509 -noout -dates -in /etc/pki/tls/certs/NSRV.crt
Test case 2
- After test case 1, execute the certificate-update event: signal-event certificate-update
- Verify /etc/pki/tls/certs/NSRV.crt hasn't been changed
Test case 3
- Move the date of the server forward by 11 years
- Execute the cron job: /etc/cron.daily/nethserver-check-certificate
- Verify /etc/pki/tls/certs/NSRV.crt has been updated:
  stat /etc/pki/tls/certs/NSRV.crt
  openssl x509 -noout -dates -in /etc/pki/tls/certs/NSRV.crt
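The three test cases above all come down to one check: did a given command rewrite /etc/pki/tls/certs/NSRV.crt or not. The following POSIX sh snippet is an added example, not code from the NethServer project or from the pull request; it snapshots a SHA-256 digest of the certificate file, runs a command, and reports whether the file changed, so test case 2 (event must leave the file alone) and test cases 1 and 3 (the file must be rewritten) can be expressed as pass/fail assertions instead of eyeballing `stat` output. It assumes only `sha256sum` and `cut`; the NethServer paths and commands in the commented usage lines are taken from the test cases and exist only on a NethServer host.

```shell
#!/bin/sh
# Added example (not part of NethServer): detect whether a command rewrote a
# certificate file by comparing SHA-256 digests before and after it runs.
# Assumes POSIX sh with sha256sum and cut available.

# cert_digest FILE: print the SHA-256 digest of FILE.
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# cert_changed_by FILE CMD [ARGS...]: run CMD (ignoring its exit status and
# output) and print "changed" or "unchanged" depending on whether FILE's
# digest differs afterwards.
cert_changed_by() {
    _file="$1"; shift
    _before=$(cert_digest "$_file")
    "$@" >/dev/null 2>&1 || true
    _after=$(cert_digest "$_file")
    if [ "$_before" = "$_after" ]; then
        echo unchanged
    else
        echo changed
    fi
}

# expect_result EXPECTED FILE CMD [ARGS...]: return 0 when the outcome matches
# EXPECTED ("changed" or "unchanged"), 1 otherwise. Suitable for a test script
# running under "set -e".
expect_result() {
    _expected="$1"; shift
    _got=$(cert_changed_by "$@")
    if [ "$_got" = "$_expected" ]; then
        return 0
    fi
    echo "FAIL: expected $_expected, got $_got" >&2
    return 1
}

# Usage on a NethServer host (test case 2 from this issue; commands exist only there):
# expect_result unchanged /etc/pki/tls/certs/NSRV.crt signal-event certificate-update
# For test case 3, run the cron job the same way and expect "changed":
# expect_result changed /etc/pki/tls/certs/NSRV.crt /etc/cron.daily/nethserver-check-certificate
```

The digest check is deliberately content-based rather than timestamp-based: `stat` shows a new mtime even when a regenerated certificate happens to be byte-identical to the old one, whereas a changed digest is exactly the condition that invalidates the OpenVPN certificates the issue describes.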
#6 Updated by Davide Marini over 4 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
I made all the requested tests and they performed as expected.
#7 Updated by Giacomo Sanchietti over 4 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released:
- nethserver-base-2.11.3-1.ns6.noarch.rpm
#8 Updated by Giacomo Sanchietti over 4 years ago
- Copied to Bug #3438: Avoid certificate generation on Let's Encrypt renewal added