Make sure to validate/upgrade that we don't have any active weak certificate used by nginx at the beginning of the buster migration, otherwise nginx will later miserably fail to start
This commit is contained in:
parent
ac9182d69f
commit
d435889776
3 changed files with 42 additions and 3 deletions
|
@ -69,12 +69,11 @@ do_init_regen() {
|
|||
-out "${ssl_dir}/certs/yunohost_crt.pem" \
|
||||
-batch >>$LOGFILE 2>&1
|
||||
|
||||
last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)
|
||||
chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
|
||||
chmod 640 "$last_cert"
|
||||
chmod 640 "${ssl_dir}/certs/yunohost_crt.pem"
|
||||
|
||||
cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key"
|
||||
cp "$last_cert" "$ynh_crt"
|
||||
cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"
|
||||
ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem
|
||||
ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem
|
||||
fi
|
||||
|
|
|
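Review bot: The new `cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"` line (and the `chmod 640` on the same file) copies the freshly generated certificate without confirming that the openssl invocation ending in `-batch >>$LOGFILE 2>&1` actually produced it; openssl's error goes to the log file only, and unless the script runs under `set -e` (not visible in the hunk) the chmod/cp lines fail individually while the migration on the Python side only sees the hook's final exit status. A guard placed before the chmod lines, `[ -s "${ssl_dir}/certs/yunohost_crt.pem" ] || { echo "certificate generation failed, see $LOGFILE" >&2; return 1; }`, makes the failure explicit so the caller's revert path is reached. do_init_regen and the openssl command start outside the hunk.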
@ -479,6 +479,7 @@
|
|||
"migration_0015_modified_files": "Please note that the following files were found to be manually modified and might be overwritten following the upgrade: {manually_modified_files}",
|
||||
"migration_0015_specific_upgrade": "Starting upgrade of system packages that needs to be upgrade independently…",
|
||||
"migration_0015_cleaning_up": "Cleaning up cache and packages not useful anymore…",
|
||||
"migration_0015_weak_certs": "The following certificates were found to still use weak signature algorithms and have to be upgraded to be compatible with the next version of nginx: {certs}",
|
||||
"migrations_already_ran": "Those migrations are already done: {ids}",
|
||||
"migrations_cant_reach_migration_file": "Could not access migrations files at the path '%s'",
|
||||
"migrations_dependencies_not_satisfied": "Run these migrations: '{dependencies_id}', before migration {id}.",
|
||||
|
|
|
@ -16,6 +16,7 @@ from yunohost.utils.packages import get_ynh_package_version, _list_upgradable_ap
|
|||
|
||||
logger = getActionLogger('yunohost.migration')
|
||||
|
||||
|
||||
class MyMigration(Migration):
|
||||
|
||||
"Upgrade the system to Debian Buster and Yunohost 4.x"
|
||||
|
@ -28,6 +29,13 @@ class MyMigration(Migration):
|
|||
|
||||
logger.info(m18n.n("migration_0015_start"))
|
||||
|
||||
#
|
||||
# Make sure certificates do not use weak signature hash algorithms (md5, sha1)
|
||||
# otherwise nginx will later refuse to start which result in
|
||||
# catastrophic situation
|
||||
#
|
||||
self.validate_and_upgrade_cert_if_necessary()
|
||||
|
||||
#
|
||||
# Patch sources.list
|
||||
#
|
||||
|
@ -203,3 +211,34 @@ class MyMigration(Migration):
|
|||
logger.debug("Running: %s" % cmd)
|
||||
|
||||
call_async_output(cmd, callbacks, shell=True)
|
||||
|
||||
def validate_and_upgrade_cert_if_necessary(self):
|
||||
|
||||
active_certs = set(check_output("grep -roh '/.*crt.pem' /etc/nginx/").strip().split("\n"))
|
||||
|
||||
cmd = "LC_ALL=C openssl x509 -in %s -text -noout | grep -i 'Signature Algorithm:' | awk '{print $3}' | uniq"
|
||||
|
||||
default_crt = '/etc/yunohost/certs/yunohost.org/crt.pem'
|
||||
default_key = '/etc/yunohost/certs/yunohost.org/key.pem'
|
||||
default_signature = check_output(cmd % default_crt).strip() if default_crt in active_certs else None
|
||||
if default_signature is not None and (default_signature.startswith("md5") or default_signature.startswith("sha1")):
|
||||
logger.warning("%s is using a pretty old certificate incompatible with newer versions of nginx ... attempting to regenerate a fresh one" % default_crt)
|
||||
|
||||
os.system("mv %s %s.old" % (default_crt, default_crt))
|
||||
os.system("mv %s %s.old" % (default_key, default_key))
|
||||
ret = os.system("/usr/share/yunohost/hooks/conf_regen/02-ssl init")
|
||||
|
||||
if ret != 0 or not os.path.exists(default_crt):
|
||||
logger.error("Upgrading the certificate failed ... reverting")
|
||||
os.system("mv %s.old %s" % (default_crt, default_crt))
|
||||
os.system("mv %s.old %s" % (default_key, default_key))
|
||||
|
||||
signatures = {cert: check_output(cmd % cert).strip() for cert in active_certs}
|
||||
|
||||
def cert_is_weak(cert):
|
||||
sig = signatures[cert]
|
||||
return sig.startswith("md5") or sig.startswith("sha1")
|
||||
|
||||
weak_certs = [cert for cert in signatures.keys() if cert_is_weak(cert)]
|
||||
if weak_certs:
|
||||
raise YunohostError("migration_0015_weak_certs", certs=", ".join(weak_certs))
|
||||
|
|
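Review bot: In `validate_and_upgrade_cert_if_necessary`, the `cmd` pipeline's exit status is `uniq`'s, so when `openssl x509 -in %s` fails on an unreadable, missing or non-PEM path (including the empty entry that `set(...split("\n"))` yields when grep matches nothing) `check_output` presumably returns an empty string and `cert_is_weak` silently classifies that cert as fine; the same applies to `default_signature`. Since the purpose of the check is to catch anything that will make nginx refuse to start, an empty signature should at least be logged: in `cert_is_weak`, add `if not sig: logger.warning("Could not read the signature algorithm of %s" % cert)` before the `return`, which can be shortened to `return sig.startswith(("md5", "sha1"))`. `grep -roh '/.*crt.pem' /etc/nginx/` also matches commented-out directives, so a stale `#ssl_certificate` line could make the migration raise for a certificate nginx no longer loads; skipping lines whose first non-blank character is `#` before extracting the path would avoid that, though whether such lines exist is not visible here. The `mv` calls in the revert path likewise ignore `os.system`'s return value. The enclosing class starts outside the hunk.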