* Wed Apr 17 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme

- fix self-signed cert being renewed when not necessary [SME: 12606]
Jean-Philippe Pialasse 2024-04-17 16:42:12 -04:00
parent dbc88b9a2c
commit 2a87d8e1ba
2 changed files with 18 additions and 9 deletions


@ -4,6 +4,8 @@
use Date::Parse; use Date::Parse;
use Cwd; use Cwd;
use Net::IP qw(ip_is_ipv4 ip_is_ipv6); use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
use esmith::Logger;
tie *FH, 'esmith::Logger';
my $here = getcwd; my $here = getcwd;
my $Country = $modSSL{Country} || "--"; my $Country = $modSSL{Country} || "--";
@ -52,16 +54,16 @@
my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`; my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) { if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
my $expected_issuer = '/C='.$Country . my $expected_issuer = 'C = '.$Country .
'/ST='.$State; ', ST = '.$State;
$expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City'); $expected_issuer .= ', L = ' . ($defaultCity ? $defaultCity : 'Default City');
$expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd'); $expected_issuer .= ', O = ' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
$expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment; $expected_issuer .= ", OU = $defaultDepartment" if $defaultDepartment;
$expected_issuer .= "/CN=$commonName" . $expected_issuer .= ", CN = $commonName" .
"/emailAddress=$email"; ", emailAddress = $email";
my $issuer = `openssl x509 -issuer -noout -in $crt`; my $issuer = `openssl x509 -issuer -noout -in $crt`;
chomp $issuer; chomp $issuer;
$issuer =~ s/^issuer= //; $issuer =~ s/^issuer=//;
my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`; my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
chomp $signatureAlg; chomp $signatureAlg;
$signatureAlg =~ s/^ *Signature Algorithm: //; $signatureAlg =~ s/^ *Signature Algorithm: //;
@ -70,6 +72,9 @@
# openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }' # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
$expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`; $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
chomp $expected_subjectAltName; chomp $expected_subjectAltName;
print FH "Self-Signed Cert: $issuer\n expected $expected_issuer" unless ($issuer eq $expected_issuer);
print FH "Self-Signed Cert: $signatureAlg "unless ($signatureAlg ne "sha1WithRSAEncryption");
print FH "Self-Signed Cert: $subjectAltName\n expected: $expected_subjectAltName" unless ($subjectAltName eq $expected_subjectAltName);
if ( if (
($issuer eq $expected_issuer) ($issuer eq $expected_issuer)
&& ($signatureAlg ne "sha1WithRSAEncryption") && ($signatureAlg ne "sha1WithRSAEncryption")
@ -117,4 +122,5 @@
} }
close(SSL) or die "Closing openssl pipe reported: $!"; close(SSL) or die "Closing openssl pipe reported: $!";
chdir $here; chdir $here;
close FH;
} }
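Review bot: The rewritten `my $expected_issuer = 'C = '.$Country .` block hard-codes the `C = XX, ST = ...` spelling that newer OpenSSL prints by default for `openssl x509 -issuer`, so the string compare that decides whether to regenerate the certificate still depends on the OpenSSL version's default name format, which is exactly what broke the old `/C=` form. Pin it explicitly by adding `-nameopt oneline` to the `openssl x509 -issuer -noout -in $crt` invocation, so a future default change cannot silently turn every run into an unnecessary key/cert regeneration. Note also that any admin-set value containing a comma, quote or non-ASCII byte will presumably be escaped by OpenSSL on output and then never equal the hand-built string, which would cause perpetual regeneration; worth confirming with such a value in `$defaultCompany`. The three new `print FH` diagnostics are useful, but `print FH "Self-Signed Cert: $signatureAlg "unless (...)` is missing a space before `unless` and, unlike the other two, carries no newline or "expected" text; make it `print FH "Self-Signed Cert: $signatureAlg\n expected: not sha1WithRSAEncryption" unless ($signatureAlg ne "sha1WithRSAEncryption");` (if esmith::Logger already emits one record per print the missing newlines may be harmless, but keep them consistent). The `if (` these diagnostics precede continues past the end of the hunk.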


@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
%define name smeserver-base %define name smeserver-base
Name: %{name} Name: %{name}
%define version 11.0.0 %define version 11.0.0
%define release 8 %define release 9
Version: %{version} Version: %{version}
Release: %{release}%{?dist} Release: %{release}%{?dist}
License: GPL License: GPL
@ -184,6 +184,9 @@ fi
%changelog %changelog
* Wed Apr 17 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
- fix self-signed cert renewd when not necessary [SME: 12606]
* Tue Apr 16 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme * Tue Apr 16 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme
- add requirement for ppp [SME: 12622] - add requirement for ppp [SME: 12622]
- add requirement for rp-pppoe [SME: 12628] - add requirement for rp-pppoe [SME: 12628]