From b5afd0abc42768eeee7e9ee11f6c723f79b304b4 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sun, 18 Nov 2018 17:55:30 +0100
Subject: [PATCH] We do need to use the serial file and to generate it ourselves

---
 data/hooks/conf_regen/02-ssl | 2 +-
 data/templates/ssl/openssl.cnf | 2 +-
 src/yunohost/tools.py | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/data/hooks/conf_regen/02-ssl b/data/hooks/conf_regen/02-ssl
index 555ef3cf..ab4280af 100755
--- a/data/hooks/conf_regen/02-ssl
+++ b/data/hooks/conf_regen/02-ssl
@@ -24,7 +24,7 @@ do_init_regen() {
 # initialize some files
 [[ -f "${ssl_dir}/serial" ]] \
- || echo "00" > "${ssl_dir}/serial"
+ || openssl rand -hex 19 > "${ssl_dir}/serial"
 [[ -f "${ssl_dir}/index.txt" ]] \
 || touch "${ssl_dir}/index.txt"
diff --git a/data/templates/ssl/openssl.cnf b/data/templates/ssl/openssl.cnf
index ac8c422e..fa5d19fa 100644
--- a/data/templates/ssl/openssl.cnf
+++ b/data/templates/ssl/openssl.cnf
@@ -43,7 +43,7 @@ unique_subject = no # Set to 'no' to allow creation of
 new_certs_dir = $dir/newcerts # default place for new certs.
 certificate = $dir/ca/cacert.pem # The CA certificate
-#serial = $dir/serial # The current serial number
+serial = $dir/serial # The current serial number
 #crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
 crl = $dir/crl.pem # The current CRL
diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py
index 2817a305..271947b3 100644
--- a/src/yunohost/tools.py
+++ b/src/yunohost/tools.py
@@ -383,6 +383,8 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False,
 # Create SSL CA
 service_regen_conf(['ssl'], force=True)
 ssl_dir = '/usr/share/yunohost/yunohost-config/ssl/yunoCA'
+ # (Update the serial so that it's specific to this very instance)
+ os.system("openssl rand -hex 19 > %s/serial" % ssl_dir)
 commands = [
 'rm %s/index.txt' % ssl_dir,
 'touch %s/index.txt' % ssl_dir,
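Review bot: The new `openssl rand` line has the shell truncate `${ssl_dir}/serial` before the command runs, so a missing or failing `openssl` leaves an empty serial file that later `openssl ca` runs will reject, a failure mode the previous `echo "00"` did not have. Writing to a temporary name first keeps the `-f` guard meaningful: `|| { openssl rand -hex 19 > "${ssl_dir}/serial.tmp" && mv "${ssl_dir}/serial.tmp" "${ssl_dir}/serial"; }`. The constant 19 is deliberate but unexplained; a comment such as `# 19 random bytes = 38 hex digits, so the serial stays within the 20-octet RFC 5280 limit even when a set top bit forces a leading 0x00 in DER` would save the next reader a search. Note that because of the `-f` guard, instances that already have a `00` serial are not touched by this hook, only by the tools.py hunk. The rest of do_init_regen's body lies outside the hunk.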
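Review bot: Enabling `serial` makes `openssl ca` depend on a file this template does not itself create, and the trailing comment gives no hint of that coupling; `serial = $dir/serial # The current serial number (seeded with random hex by the 02-ssl hook and by postinstall)` would keep the hook and the template from drifting apart. The file is parsed as a hex integer, so anything that rewrites it by hand must keep an even number of digits, which `openssl rand -hex` already guarantees.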
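Review bot: The new `os.system` call discards its exit status, so if `openssl` fails the redirection has already truncated `serial` to an empty file and postinstall continues with a CA that cannot sign; at minimum check the status, e.g. `if os.system("openssl rand -hex 19 > %s/serial" % ssl_dir) != 0: raise <the error type this module already uses>`. Shelling out is also avoidable since `os` is already in scope: `with open('%s/serial' % ssl_dir, 'w') as f:` / `f.write(binascii.hexlify(os.urandom(19)))` does the same without a subprocess, provided `binascii` is imported at the top of the file (on Python 3 add `.decode()` since hexlify returns bytes). The parenthetical comment should also say why 19, e.g. `# 19 random bytes keeps the serial within the 20-octet limit of RFC 5280`. tools_postinstall starts before the hunk and continues after it.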