Bug #3438
Avoid certificate generation on Let's Encrypt renewal
Status: | CLOSED | Start date: | |
---|---|---|---|
Priority: | Normal | Due date: | |
Assignee: | - | % Done: | 100% |
Category: | nethserver-letsencrypt | | |
Target version: | v6.8 | | |
Security class: | | Resolution: | |
Affected version: | v6.8 | NEEDINFO: | No |
Description
Every time the system executes the certificate-update event and nethserver-letsencrypt is installed, the self-signed certificate is regenerated.
This implementation has some drawbacks:
- every time the Let's Encrypt script regenerates its own certificates, and consequently signals the certificate-update event, the built-in certificate also changes
Change current implementation:
- Remove call to nethserver-generate-certificate inside the certificate-update event
Related issues
History
#1 Updated by Giacomo Sanchietti over 4 years ago
- Copied from Enhancement #3435: Avoid certificate generation in certificate-update event added
#2 Updated by Giacomo Sanchietti over 4 years ago
- Tracker changed from Enhancement to Bug
- Status changed from NEW to TRIAGED
- Assignee set to Adam P
- % Done changed from 0 to 20
#3 Updated by Giacomo Sanchietti over 4 years ago
- Assignee changed from Adam P to Giacomo Sanchietti
#4 Updated by Giacomo Sanchietti over 4 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#5 Updated by Giacomo Sanchietti over 4 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Removed link to nethserver-generate-certificate from certificate-update event.
#6 Updated by Giacomo Sanchietti over 4 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- Affected version set to v6.8
In nethserver-testing:
- nethserver-letsencrypt-1.0.3-1.1.ge31f4f1.ns6.noarch.rpm
Test case
- Install nethserver-letsencrypt and request a certificate
- Force Let's Encrypt renewal and check the certificate-update event is called
- Check the self-signed certificate has not been modified
#7 Updated by Filippo Carletti over 4 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
```
[root@mail ~]# openssl x509 -in /etc/pki/tls/certs/NSRV.crt -text | grep Not
Not Before: Mar 2 03:27:21 2017 GMT
Not After : Feb 28 03:27:21 2027 GMT

Mar 29 10:03:54 mail esmith::event[25781]: Event: certificate-update

Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Mar 29 07:04:00 2017 GMT
Not After : Jun 27 07:04:00 2017 GMT

[root@mail ~]# openssl x509 -in /etc/pki/tls/certs/NSRV.crt -text | grep Not
Not Before: Mar 2 03:27:21 2017 GMT
Not After : Feb 28 03:27:21 2027 GMT
```
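An added example (not part of the original issue or of the NethServer code) of the last test step: instead of comparing only the validity dates, it snapshots the certificate's SHA-256 fingerprint, serial and start date before the renewal and compares them afterwards. The function names and the state file are assumptions, and `make_selfsigned` only creates a constructed throwaway certificate for trying the check out.

```shell
#!/bin/bash
# Added example: snapshot a certificate's identity, then verify it is unchanged.

# Print "sha256-fingerprint|serial|notBefore" for the PEM certificate in $1.
cert_identity() {
    local fp serial start
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    serial=$(openssl x509 -in "$1" -noout -serial) || return 2
    start=$(openssl x509 -in "$1" -noout -startdate) || return 2
    # Strip the "label=" prefix that openssl prints before each value.
    printf '%s|%s|%s\n' "${fp#*=}" "${serial#*=}" "${start#*=}"
}

# Save the identity of certificate $1 into state file $2 (run before the renewal).
cert_snapshot() {
    cert_identity "$1" > "$2"
}

# Run after the renewal: 0 if certificate $1 still matches the snapshot in $2,
# 1 if it was regenerated or replaced, 2 if either file could not be read.
cert_unchanged() {
    local now before
    [ -r "$2" ] || return 2
    now=$(cert_identity "$1") || return 2
    before=$(cat "$2")
    if [ "$now" = "$before" ]; then
        return 0
    fi
    echo "certificate changed: was $before, now $now" >&2
    return 1
}

# Constructed demo helper (assumption): write a throwaway self-signed
# certificate to $1.crt with its key in $1.key.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
```

For the test case above, the certificate argument would be `/etc/pki/tls/certs/NSRV.crt`, with `cert_snapshot` run before forcing the renewal and `cert_unchanged` run after the certificate-update event appears in the log.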
#8 Updated by Giacomo Sanchietti over 4 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in nethserver-updates:
- nethserver-letsencrypt-1.0.4-1.ns6.noarch.rpm