Bug #3438
Avoid certificate generation on Let's Encrypt renewal
| Status: | CLOSED | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 100% | |
| Category: | nethserver-letsencrypt | |||
| Target version: | v6.8 | |||
| Security class: | Resolution: | |||
| Affected version: | v6.8 | NEEDINFO: | No |
Description
Every time the system executes the certificate-update event and nethserver-letstencrypt is installed, the self-signed certificate is regenerated.
This implementation has some drawbacks:
- every time Let's Encrypt script regenerates its own certificates, and consequently signals the certificate-update event, also the built-in certificate changes
Change current implementation:
- Remove call to nethserver-generate-certificate inside the certificate-update event
Related issues
History
#1
Updated by Giacomo Sanchietti over 4 years ago
- Copied from Enhancement #3435: Avoid certificate generation in certificate-update event added
#2
Updated by Giacomo Sanchietti over 4 years ago
- Tracker changed from Enhancement to Bug
- Status changed from NEW to TRIAGED
- Assignee set to Adam P
- % Done changed from 0 to 20
#3
Updated by Giacomo Sanchietti over 4 years ago
- Assignee changed from Adam P to Giacomo Sanchietti
#4
Updated by Giacomo Sanchietti over 4 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#5
Updated by Giacomo Sanchietti over 4 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Removed link to nethserver-generate-certificate from certificate-update event.
#6
Updated by Giacomo Sanchietti over 4 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 60 to 70
- Affected version set to v6.8
In nethserver-testing:
- nethserver-letsencrypt-1.0.3-1.1.ge31f4f1.ns6.noarch.rpm
Test case
- Install nethserver-letsencrypt and request a certificate
- Forece Let's Ecnrypt renewal and check the certificate-update event is called
- Check the self-signed certificate has not been modified
#7
Updated by Filippo Carletti over 4 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
[root@mail ~]# openssl x509 -in /etc/pki/tls/certs/NSRV.crt -text | grep Not
Not Before: Mar 2 03:27:21 2017 GMT
Not After : Feb 28 03:27:21 2027 GMT
Mar 29 10:03:54 mail esmith::event[25781]: Event: certificate-update
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Mar 29 07:04:00 2017 GMT
Not After : Jun 27 07:04:00 2017 GMT
[root@mail ~]# openssl x509 -in /etc/pki/tls/certs/NSRV.crt -text | grep Not
Not Before: Mar 2 03:27:21 2017 GMT
Not After : Feb 28 03:27:21 2027 GMT
#8
Updated by Giacomo Sanchietti over 4 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in nethserver-updates:
- nethserver-letsencrypt-1.0.4-1.ns6.noarch.rpm