Bug #3438

Avoid certificate generation on Let's Encrypt renewal

Added by Giacomo Sanchietti 10 months ago. Updated 10 months ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-letsencrypt
Target version:v6.8
Security class: Resolution:
Affected version:v6.8 NEEDINFO:No

Description

Every time the system executes the certificate-update event and nethserver-letstencrypt is installed, the self-signed certificate is regenerated.

This implementation has some drawbacks:
- every time Let's Encrypt script regenerates its own certificates, and consequently signals the certificate-update event, also the built-in certificate changes

Change current implementation:
- Remove call to nethserver-generate-certificate inside the certificate-update event


Related issues

Copied from NethServer 6 - Enhancement #3435: Avoid certificate generation in certificate-update event CLOSED

History

#1 Updated by Giacomo Sanchietti 10 months ago

  • Copied from Enhancement #3435: Avoid certificate generation in certificate-update event added

#2 Updated by Giacomo Sanchietti 10 months ago

  • Tracker changed from Enhancement to Bug
  • Status changed from NEW to TRIAGED
  • Assignee set to Adam P
  • % Done changed from 0 to 20

#3 Updated by Giacomo Sanchietti 10 months ago

  • Assignee changed from Adam P to Giacomo Sanchietti

#4 Updated by Giacomo Sanchietti 10 months ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti 10 months ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

Removed link to nethserver-generate-certificate from certificate-update event.

#6 Updated by Giacomo Sanchietti 10 months ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
  • Affected version set to v6.8

In nethserver-testing:

  • nethserver-letsencrypt-1.0.3-1.1.ge31f4f1.ns6.noarch.rpm

Test case

  • Install nethserver-letsencrypt and request a certificate
  • Forece Let's Ecnrypt renewal and check the certificate-update event is called
  • Check the self-signed certificate has not been modified

#7 Updated by Filippo Carletti 10 months ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90
[root@mail ~]# openssl x509 -in /etc/pki/tls/certs/NSRV.crt -text | grep Not
            Not Before: Mar  2 03:27:21 2017 GMT
            Not After : Feb 28 03:27:21 2027 GMT

Mar 29 10:03:54 mail esmith::event[25781]: Event: certificate-update

        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 29 07:04:00 2017 GMT
            Not After : Jun 27 07:04:00 2017 GMT

[root@mail ~]# openssl x509 -in /etc/pki/tls/certs/NSRV.crt -text | grep Not
            Not Before: Mar  2 03:27:21 2017 GMT
            Not After : Feb 28 03:27:21 2027 GMT

#8 Updated by Giacomo Sanchietti 10 months ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:

  • nethserver-letsencrypt-1.0.4-1.ns6.noarch.rpm

Also available in: Atom PDF