From 828bb956c44e81628bbb7b41da115511051743e4 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 26 Feb 2024 17:24:02 +0100
Subject: [SS*S] lighttpd: Don't try to use ssl.ca-file for certificate chain

---
 satellit_installer/static_files/lighttpd/opt/openslx/slx-cert | 10 +++-------
 .../static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh | 8 --------
 2 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert
index 3409244..b2dd5cb 100755
--- a/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert
+++ b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert
@@ -249,13 +249,12 @@ done
 # with our generated stuff for whatever reason.
 if [ -n "$have_srv" ] || [ -z "$makenew" ]; then
 if [ -s "${LIGHTDIR}/ca-chain.pem" ]; then
- unt_list=( "-untrusted" "${LIGHTDIR}/ca-chain.pem" )
- else
- unt_list=()
+ # Don't need this anymore, it never worked as separate file anyways, so make new
+ rm -f -- "${LIGHTDIR}/ca-chain.pem"
 fi
 valid=
 for ca in "${ca_list[@]}"; do
- openssl verify -CAfile "$ca" "${unt_list[@]}" \
+ openssl verify -CAfile "$ca" \
 "${LIGHTDIR}/server.pem" &> /dev/null || continue
 valid=1
 break
@@ -316,9 +315,6 @@ if [ -z "$have_srv" ] || [ -n "$makenew" ]; then
 cat "${CERTDIR}/srv-${srv_new_ts}.crt" "${PRIVDIR}/srv-${srv_new_ts}.key" > "${LIGHTDIR}/server.pem" || exit 10
 chmod 0600 "${LIGHTDIR}/server.pem"
 
- # Don't need this anymore
- rm -f -- "${LIGHTDIR}/ca-chain.pem"
-
 if [ "$1" = "--restart" ] || [ -t 0 ]; then
 echo "Restarting lighttpd..."
 systemctl restart lighttpd.service
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
index 7cc1dfc..b522596 100755
--- a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
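Review bot: The new `rm -f -- "${LIGHTDIR}/ca-chain.pem"` only runs inside the `[ -n "$have_srv" ] || [ -z "$makenew" ]` branch, while the second hunk (`@@ -316`) drops the same removal from the regeneration branch, so when `have_srv` is empty and `makenew` is set a leftover ca-chain.pem is no longer cleaned up at all; if the file is meant to be discarded unconditionally, hoist the `rm` above the `if [ -s "${LIGHTDIR}/ca-chain.pem" ]` test. The added comment's "so make new" does not describe the line below it (nothing here sets `makenew`); consider `# ca-chain.pem is no longer used by anything; discard any leftover copy`. Note also that without `-untrusted`, `openssl verify -CAfile "$ca"` can only succeed when the issuer chain is reachable from `$ca` itself, so a server.pem issued via an intermediate may now be reported invalid and regenerated — worth confirming against what `ca_list` holds, which is outside this hunk. The enclosing `if` block and the `for ca` loop both continue past the end of the hunk.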
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh @@ -1,11 +1,9 @@ #!/bin/bash declare -rg PUBLIC_BOTH="/etc/lighttpd/server.pem" -declare -rg CHAIN="/etc/lighttpd/chain.pem" declare -rg DHPARAM="/etc/lighttpd/dhparam.pem" declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag" declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem" -declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem" if ! [ -s "$DHPARAM" ]; then curl -sS -m 10 "https://ssl-config.mozilla.org/ffdhe2048.txt" > "$DHPARAM" @@ -25,9 +23,6 @@ if ! openssl dhparam -noout -in "$DHPARAM" >&2; then rm -f -- "$DHPARAM" fi -[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN= -readonly INTERNAL_CHAIN - if [ -f "/usr/lib/lighttpd/mod_openssl.so" ]; then echo 'server.modules += ( "mod_openssl" )' fi @@ -71,10 +66,8 @@ echo " # pemfile is cert+privkey, ca-file is the intermediate chain in one file" if [ -s "$PUBLIC_BOTH" ]; then echo " ssl.pemfile = \"${PUBLIC_BOTH}\"" - [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\"" elif [ -s "$INTERNAL_BOTH" ]; then echo " ssl.pemfile = \"${INTERNAL_BOTH}\"" - echo " ssl.ca-file = \"${INTERNAL_CHAIN}\"" fi [ -s "$DHPARAM" ] && echo " ssl.dh-file = \"${DHPARAM}\"" @@ -84,7 +77,6 @@ if [ -s "${INTERNAL_BOTH}" ]; then cat <
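Review bot: The context line `echo " # pemfile is cert+privkey, ca-file is the intermediate chain in one file"` in the `@@ -71,10 +66,8` hunk is now stale, because both `ssl.ca-file` lines are removed and the generated lighttpd config will never contain one, so the comment written into that config misleads whoever reads it later. Suggest `echo " # pemfile is cert+privkey (plus the intermediate chain, if any) in one file"`. Since no separate chain file is read anymore, a short comment next to the `PUBLIC_BOTH` declaration in the first hunk saying that any intermediates must be appended to server.pem would help operators; I believe lighttpd 1.4.56+ reads the chain from ssl.pemfile, but confirm against the deployed version. The `if [ -s "$PUBLIC_BOTH" ]` block is complete within the hunk; the script continues after it.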