diff options
| author | Simon Rettberg | 2024-02-26 17:24:02 +0100 |
|---|---|---|
| committer | Simon Rettberg | 2024-02-26 17:24:02 +0100 |
| commit | 828bb956c44e81628bbb7b41da115511051743e4 (patch) | |
| tree | b97ccfa418016c351a1ad6d928ce98dfec5e50bb | |
| parent | [grub] Forgot more debug code (diff) | |
| download | setup-scripts-master.tar.gz setup-scripts-master.tar.xz setup-scripts-master.zip | |
| -rwxr-xr-x | satellit_installer/static_files/lighttpd/opt/openslx/slx-cert | 10 | ||||
| -rwxr-xr-x | satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh | 8 |
2 files changed, 3 insertions, 15 deletions
diff --git a/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert index 3409244..b2dd5cb 100755 --- a/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert +++ b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert @@ -249,13 +249,12 @@ done # with our generated stuff for whatever reason. if [ -n "$have_srv" ] || [ -z "$makenew" ]; then if [ -s "${LIGHTDIR}/ca-chain.pem" ]; then - unt_list=( "-untrusted" "${LIGHTDIR}/ca-chain.pem" ) - else - unt_list=() + # Don't need this anymore, it never worked as separate file anyways, so make new + rm -f -- "${LIGHTDIR}/ca-chain.pem" fi valid= for ca in "${ca_list[@]}"; do - openssl verify -CAfile "$ca" "${unt_list[@]}" \ + openssl verify -CAfile "$ca" \ "${LIGHTDIR}/server.pem" &> /dev/null || continue valid=1 break @@ -316,9 +315,6 @@ if [ -z "$have_srv" ] || [ -n "$makenew" ]; then cat "${CERTDIR}/srv-${srv_new_ts}.crt" "${PRIVDIR}/srv-${srv_new_ts}.key" > "${LIGHTDIR}/server.pem" || exit 10 chmod 0600 "${LIGHTDIR}/server.pem" - # Don't need this anymore - rm -f -- "${LIGHTDIR}/ca-chain.pem" - if [ "$1" = "--restart" ] || [ -t 0 ]; then echo "Restarting lighttpd..." systemctl restart lighttpd.service diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh index 7cc1dfc..b522596 100755 --- a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh +++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh @@ -1,11 +1,9 @@ #!/bin/bash declare -rg PUBLIC_BOTH="/etc/lighttpd/server.pem" -declare -rg CHAIN="/etc/lighttpd/chain.pem" declare -rg DHPARAM="/etc/lighttpd/dhparam.pem" declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag" declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem" -declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem" if ! [ -s "$DHPARAM" ]; then curl -sS -m 10 "https://ssl-config.mozilla.org/ffdhe2048.txt" > "$DHPARAM" @@ -25,9 +23,6 @@ if ! openssl dhparam -noout -in "$DHPARAM" >&2; then rm -f -- "$DHPARAM" fi -[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN= -readonly INTERNAL_CHAIN - if [ -f "/usr/lib/lighttpd/mod_openssl.so" ]; then echo 'server.modules += ( "mod_openssl" )' fi @@ -71,10 +66,8 @@ echo " # pemfile is cert+privkey, ca-file is the intermediate chain in one file" if [ -s "$PUBLIC_BOTH" ]; then echo " ssl.pemfile = \"${PUBLIC_BOTH}\"" - [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\"" elif [ -s "$INTERNAL_BOTH" ]; then echo " ssl.pemfile = \"${INTERNAL_BOTH}\"" - echo " ssl.ca-file = \"${INTERNAL_CHAIN}\"" fi [ -s "$DHPARAM" ] && echo " ssl.dh-file = \"${DHPARAM}\"" @@ -84,7 +77,6 @@ if [ -s "${INTERNAL_BOTH}" ]; then cat <<HEREDOC \$HTTP["host"] == "satellite.bwlehrpool" { ssl.pemfile = "${INTERNAL_BOTH}" - ssl.ca-file = "${INTERNAL_CHAIN}" } HEREDOC # |