We do need to use the serial file and to generate it ourselves

2024-09-03 20:06:10 +02:00 · 2018-11-18 17:55:30 +01:00 · 2018-11-18 17:55:30 +01:00 · b5afd0abc4
commit b5afd0abc4
parent 047947d820
3 changed files with 4 additions and 2 deletions
--- a/data/hooks/conf_regen/02-ssl
+++ b/data/hooks/conf_regen/02-ssl
@ -24,7 +24,7 @@ do_init_regen() {

  # initialize some files
  [[ -f "${ssl_dir}/serial" ]] \
-    || echo "00" > "${ssl_dir}/serial"
+    || openssl rand -hex 19 > "${ssl_dir}/serial"
  [[ -f "${ssl_dir}/index.txt" ]] \
    || touch "${ssl_dir}/index.txt"

--- a/data/templates/ssl/openssl.cnf
+++ b/data/templates/ssl/openssl.cnf
@ -43,7 +43,7 @@ unique_subject	= no			# Set to 'no' to allow creation of
 new_certs_dir	= $dir/newcerts		# default place for new certs.

 certificate	= $dir/ca/cacert.pem 	# The CA certificate
-#serial		= $dir/serial 		# The current serial number
+serial		= $dir/serial 		# The current serial number
 #crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
--- a/src/yunohost/tools.py
+++ b/src/yunohost/tools.py
@ -383,6 +383,8 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False,
    # Create SSL CA
    service_regen_conf(['ssl'], force=True)
    ssl_dir = '/usr/share/yunohost/yunohost-config/ssl/yunoCA'
+    # (Update the serial so that it's specific to this very instance)
+    os.system("openssl rand -hex 19 > %s/serial" % ssl_dir)
    commands = [
        'rm %s/index.txt' % ssl_dir,
        'touch %s/index.txt' % ssl_dir,